Lee Daniel Crocker wrote:
> > (Tim Starling <ts4294967296(a)hotmail.com>):
> >
> > If we really want to be serious about security we'll have to use
> > ssl for login, but I don't know how to do that.
>
> That's entirely too paranoid. Frankly, I don't see much need
> for high security of Wikipedia logins. It's not like we're
> storing medical records. (Oh my God! My neighbor might find
> out that I like the "Nostalgia" skin!) The only real risk is
> that someone might log in as me and make edits in my name, but
> then I'd just disavow them and change my password.

There are two reasons to have good security:

1) To prevent hijacking of an administrator/developer account.
2) To prevent password theft. Many users use the same password for a number
of sites.

Of course, users who know anything about Internet security should expect
websites to handle their passwords insecurely -- everyone does it. Wikipedia
is certainly not alone.

> The present saltless-md5 was an improvement over the original
> code which had passwords in plain text in the database where
> any sysop could see them all with a select; /that/ was probably
> a bit too loose :-), so I md5'd them. If making a slightly
> better encrypted version improves things with no hassle, that's
> fine too. But let's not get worked up over nothing.

SSL is indeed a big hassle for a relatively small gain. I once read an
article on what someone can do if they have physical access to the network
-- say in a campus network using old thin-wire ethernet. It was pretty
scary, actually -- they can basically intercept and modify all
communications at will. But this kind of attack does require physical
access, and hence is reasonably rare. Remember that even SSL won't fix
another common kind of attack -- a user system compromised by a worm or
trojan. There's not much we can do about that one, but it happens all the
time.
-- Tim Starling.
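
An added example, not part of the original message and not Wikipedia's code: it contrasts the saltless-md5 storage discussed above with a per-user salted hash, showing that an unsalted table exposes which accounts share a password to anyone who can run a select. The account names, passwords, PBKDF2-SHA256 and the round count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real users); two of them share a password.
ACCOUNTS = {"alice": "correct horse", "bob": "hunter2", "carol": "hunter2"}

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def unsalted_md5(password):
    """The saltless-md5 scheme: the stored value depends on the password alone."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt=None):
    """Per-user random salt plus a slow KDF; returns (salt, derived_key)."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, key


def verify(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], key)


def shared_hash_groups(table):
    """Audit helper: groups of users whose stored values are identical."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_tables(accounts=ACCOUNTS):
    """Store the same accounts under both schemes."""
    md5_table = {u: unsalted_md5(p) for u, p in accounts.items()}
    salted_table = {u: salted_hash(p) for u, p in accounts.items()}
    return md5_table, salted_table


if __name__ == "__main__":
    md5_table, salted_table = build_tables()
    print("unsalted, shared hashes:", shared_hash_groups(md5_table))
    print("salted, shared hashes:  ", shared_hash_groups(salted_table))
```

Salting only changes what the database reveals at rest; the password still crosses the network in the clear without SSL.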