On Sat, 24 Aug 2013 00:45:05 +0200, Tyler Romeo tylerromeo@gmail.com wrote:
> Unfortunately it's very difficult to do this. On our login forms you enter your username and password simultaneously, which means the server can't possibly know if the user has to be using HTTPS until they've already submitted their password, thus defeating the purpose. That's why $wgSecureLogin is made to *always* put logins over HTTPS, no matter what, and then direct the user to the appropriate protocol afterwards.
Another solution is the use of one-time passwords [1] for high-security or https-unfriendly users (e.g. logging in) or actions (e.g. checkuser action). Such one-time passwords can be generated entirely on the client side (e.g. a program) or on an external device (e.g. SecurID [2]). This transfers the problem "insecure password" to a problem "protection of the password generator" (e.g. with an offline password) and introduces the key distribution problem (e.g. the physical device).
If used on HTTP the server response must be encrypted and processed by the client with JavaScript; such JavaScript cryptographic libraries exist [3][4] (I didn't test them).
On Sat, 24 Aug 2013 00:13:03 +0200, Tyler Romeo tylerromeo@gmail.com wrote:
> There is no technical solution, as has been discussed previously. The China firewall blocks all HTTPS connections. There is no legal method of getting around this. The only solution that would preserve both accessibility and security would be if Wikipedia implemented its own application level TLS protocol, which would be an absurd undertaking, and would probably just result in the Chinese government blocking Wikipedia completely anyway.
Just for the sake of documentation, there exists a JavaScript TLS library [5] (I didn't test it). This could also be used for high-security or https-unfriendly users or actions.
Anyway I guess that if any encryption (HTTPS, JavaScript TLS, etc.) is used on the whole encyclopedia the Chinese government will also likely block the HTTP version because it could no longer filter it, just like the HTTPS now.
[1] https://en.wikipedia.org/wiki/One-time_password
[2] https://en.wikipedia.org/wiki/SecurID
[3] http://code.google.com/p/crypto-js/
[4] http://crypto.stanford.edu/sjcl/
[5] http://digitalbazaar.com/2010/07/20/javascript-tls-1/
~ Seb35