On 2007.09.20 20:15:12 -0400, Ben McIlwain <cydeweys(a)gmail.com> scribbled 39 lines:
...
And by the way, remember that all unencrypted web traffic ends up
unencrypted at the Tor exit node, and can be (and sometimes is) sniffed
by unscrupulous folks. If you are using Tor you *must* make sure to use
only the secure Wikimedia https proxy. Even that is difficult though,
because you'll end up clicking a link that takes you to unsecure http
pages (such as diff links), and before you can blink, your admin
cookie has gone across the web unencrypted.
...
Is this actually true, though? As I've said before, I edit through
secure.wikimedia.org, and I've done so for the past few months. In that
time, I've clicked on external links to en.wikipedia.org/wiki/whatever -
not internal links to
https://secure.wikimedia.org/wikipedia/en/wiki/whatever - and not once
have I found myself to be logged in on En.
No, it's absolutely untrue. I just verified it. The cookies are
properly sent as "secure" cookies, "secure" being a flag which when
set means not only will cookies not be sent to