We get the urgency. We just have to prioritize this among the many other issues we are
responsible for. But I've taken these issues to heart, thanks for the education.
Original Message
From: James Salsman
Sent: Thursday, January 19, 2017 19:53
To: analytics(a)lists.wikimedia.org
Reply To: A mailing list for the Analytics Team at WMF and everybody who has an interest
in Wikipedia and analytics.
Subject: Re: [Analytics] stats.grok.se used in study about Snowden and internet traffic
Here is a commercial malware-scanning proxy all but claiming outright
that they can MITM-scan any browser protocol not using QUIC:
http://www.bitdefender.com/support/how-to-disable-quic-protocol-in-google-c…
Security is such a mess these days that I hope you all understand why
I keep saying you shouldn't be storing readers' article names
associated with any of their IP, proxy, or geolocation, separating
them as soon as they hit RAM on the ingress proxies.
On Thu, Jan 19, 2017 at 4:16 PM, James Salsman <jsalsman(a)gmail.com> wrote:
> But we are https-only now, am I missing something?
These authors say that TLS 1.2/ECDHE_RSA/P-256 as used by enwiki
currently is still within the capability of hobbyists to crack in a
few days on less than $10,000 of hardware, if I'm reading it right:
https://hal.inria.fr/hal-01244855/document
QUIC would be a lot better, with X25519 at least. That's what Google
moved to after that paper was published.
> How do you have that screenshot?
It's linked from the footnote on page 33 of this lawsuit by the
Foundation and ACLU asking the government to stop monitoring Wikipedia
traffic:
https://www.aclu.org/sites/default/files/field_document/23._aclu_appeal_bri…