To really fix the problem we would have to go HTTPS by default. I don't know what that means to our resource usage, as well as how it affects people who cannot use HTTPS for whatever reason.
By the way, there is a plugin for Firefox called HTTPS Everywhere, which will attempt to switch to HTTPS whenever possible for many sites. Wikipedia is among the supported sites.
https://www.eff.org/https-everywhere
The author of that plugin reached out to the foundation some months ago complaining that upload.wikimedia.org and commons.wikimedia.org had no HTTPS equivalents. I honestly don't know all of the security implications there -- upload.wikimedia.org seems okay (from a login hijacking perspective), since we never transmit any login credentials there, but we do with commons.wikimedia.org, and there's no HTTPS equivalent.
On 10/25/10 10:26 AM, Marco Schuster wrote:
On Mon, Oct 25, 2010 at 7:15 PM, Hay (Husky) <huskyr@gmail.com> wrote:
Has anyone seen this?
http://codebutler.com/firesheep
A new Firefox plugin that makes it trivially easy to hijack cookies from a website that's using HTTP for login over an unencrypted wireless network. Wikipedia isn't in the standard installation as a site (lots of other sites, such as Facebook, Twitter, etc., are). We are using HTTP login by default, so I guess we're vulnerable as well (please say so if we're using some other kind of defensive mechanism I'm not aware of). Might it be a good idea to set HTTPS as the standard login? Gmail has been doing this since April this year.
Firesheep works by snooping cookies, not login processes, and even without software like this it's incredibly easy to own someone. All it needs to own a Wikipedia admin or user is being on the same network as him. The admin in question doesn't even have to visit Wikipedia directly; there are enough pages hotlinking to upload.wikimedia.org, which should cause the browser to transmit session data.
If you're in need of using secure login, then you can use the secure webserver, but in the past it had some load issues.
Marco
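As an added illustration (not part of this thread, and not Wikimedia's code), the following Python models the point Marco makes: which cookies a browser attaches to a plain-HTTP request for a hotlinked image, and how the Secure attribute changes that. The cookie names, values and the response headers are constructed sample data, not real Wikimedia cookies.

```python
"""Model which cookies leave the browser in the clear on a hotlinked image request."""
from urllib.parse import urlparse


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into a dict of name and the attributes we care about."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value, "domain": "", "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            # RFC 6265: a leading dot is ignored; lower-case for matching
            cookie["domain"] = val.strip().lower().lstrip(".")
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
    return cookie


def domain_matches(request_host, cookie_domain, setting_host):
    """Domain matching: a cookie without Domain is host-only; with Domain it covers subdomains too."""
    target = cookie_domain or setting_host
    return request_host == target or request_host.endswith("." + target)


def cookies_sent_in_clear(set_cookie_headers, setting_host, request_url):
    """Return the names of cookies a browser would attach to request_url if it is plain http://.

    A cookie carrying the Secure attribute is never sent over plaintext, which is the
    property a passive sniffer on a shared wireless network is counting on being absent.
    """
    url = urlparse(request_url)
    if url.scheme != "http":
        return []  # HTTPS requests are not readable by a passive sniffer
    request_host = url.hostname.lower()
    exposed = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["secure"]:
            continue
        if domain_matches(request_host, cookie["domain"], setting_host):
            exposed.append(cookie["name"])
    return exposed


# Constructed sample: a login on commons.wikimedia.org sets cookies scoped to the parent
# domain, so a hotlinked image on upload.wikimedia.org carries them too. HttpOnly does not help
# here; only Secure (i.e. HTTPS-only cookies) keeps them off the wire.
WEAK = ["session=abc123; Domain=.wikimedia.org; Path=/; HttpOnly", "user=Example; Domain=.wikimedia.org; Path=/"]
HARDENED = [h + "; Secure" for h in WEAK]
```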