In response to reports of people posting misleading links to
Special:Blockme, or otherwise tricking users' browsers into requesting
the relevant URL, I've implemented a basic keyed hash authentication
algorithm.
Still to do: initialising the key from a higher quality random number
source in the installer program. Currently it just draws 124 bits from a
Mersenne Twister, which is probably seeded from the system time. In the
short term, users may wish to replace $wgProxyKey with their own random
string. Wikipedia is using a 160 bit key drawn from /dev/random.
-- Tim Starling