On Fri, Jul 24, 2009 at 2:24 AM, Tim Starling<tstarling(a)wikimedia.org> wrote:
> There's plenty of ways to attack watchlistr without fully compromising
> the server.
The point is that a system that allowed stealing the logins of
hundreds of Wikipedia users if you managed to compromise a third-party
website run to unknown security standards is unacceptable. *Even* if
it's set up so you really do have to be able to run arbitrary code as
the web user to get the data -- and in this case security appeared to
be even lower. Malice is also a concern in the general case, although
it might not be a concern here.
So any solution that allows either of the following is unacceptable:
1) The compromise of a(n additional) third party run to unknown
security standards could result in many Wikipedia user accounts being
taken over.
2) A third party becoming malicious could result in many Wikipedia
user accounts being taken over.
Hopefully my watchlist-reading code will be deemed acceptable. I'm
reminded (by Domas, of course) that watchlists are actually a very
expensive operation, so I wouldn't be entirely surprised if this gets
$wgMiserModed away before or shortly after deployment, when users
start requesting 400 wikis' watchlists every fifteen minutes. I wish
there were some good solution to this. How do other sites handle
giant numbers of users watching changes to zillions of pages?
Throwing hardware at it?