On Thu, Aug 1, 2013 at 6:44 AM, Tim Starling <tstarling(a)wikimedia.org> wrote:
> On 01/08/13 14:15, Anthony wrote:
>> On Wed, Jul 31, 2013 at 9:27 PM, Ryan Lane <rlane(a)wikimedia.org> wrote:
>>> I would be fired and jailed before I knowingly let that occur. If this was
>>> the case I'd very surely not be working for Wikimedia Foundation.
>>
>> Key word there being "knowingly".
>
> I don't know why the NSA would sneak around in our data centres
> mirroring our ethernet ports if they already have almost all of our
> access logs by capturing unencrypted traffic as it passes through
> XKeyscore nodes.
>
> I think you should save the conspiracy theories until after we switch
> anons to HTTPS, that's when they will have an incentive.

tim, and ryan, that is not 100% true. since at least 2010 we know from
articles like these:
* http://www.wired.com/threatlevel/2010/03/packet-forensics/
* https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governm…
that man-in-the-middle attacks are possible with and without HTTPS at
XKeyscore nodes. the basic problem is that wikipedia content is
stored in the U.S., and the site is using certificates issued in the
U.S., the same country and legislation where the NSA is located. this means
the certificates can be compromised and users would not (easily)
notice it.
the best sign against snooping internet traffic would be if wikipedia
will change the hosting to a different country, and use a different
country's ssl certificate. you can bet that the perceived impact on
the U.S. business will be so huge that this intolerable practice will
stop, at source, at NSA.
btw, ryan, you talked about firing and jailing - if you did not know
that or if you knew it and ignored it, you should be fired or not work
at WMF ;) it is _you_ who need to warn about the location being
vulnerable, and it is _you_ who decide to use vulnerable digicert
certificates. but you of course will not be jailed - this seems to
happen to people revealing that xkeyscore exists ...
rupert.