On Sat, 24 Aug 2013 00:45:05 +0200, Tyler Romeo <tylerromeo(a)gmail.com> wrote:

> Unfortunately it's very difficult to do this. On our login forms you
> enter your username and password simultaneously, which means the server
> can't possibly know if the user has to be using HTTPS until they've
> already submitted their password, thus defeating the purpose. That's why
> $wgSecureLogin is made to *always* put logins over HTTPS, no matter what,
> and then direct the user to the appropriate protocol afterwards.

Another solution is the use of one-time passwords [1] for high-security
or https-unfriendly users (e.g. logging in) or actions (e.g. checkuser
action). Such one-time passwords can be generated entirely on the client
side (e.g. a program) or on an external device (e.g. SecurID [2]). This
transfers the problem "insecure password" to a problem "protection of the
password generator" (e.g. with an offline password) and introduces the key
distribution problem (e.g. the physical device).

If used on HTTP the server response must be encrypted and processed by the
client with JavaScript; there exist such JavaScript cryptographic
libraries [3][4] (I didn't test them).

On Sat, 24 Aug 2013 00:13:03 +0200, Tyler Romeo <tylerromeo(a)gmail.com> wrote:

> There is no technical solution, as has been discussed previously. The
> China firewall blocks all HTTPS connections. There is no legal method of
> getting around this. The only solution that would preserve both
> accessibility and security would be if Wikipedia implemented its own
> application level TLS protocol, which would be an absurd undertaking, and
> would probably just result in the Chinese government blocking Wikipedia
> completely anyway.

Just for the sake of documentation, there exists a JavaScript TLS library [5]
(I didn't test it). This could also be used for high-security or
https-unfriendly users or actions.

Anyway I guess that if any encryption (HTTPS, JavaScript TLS, etc.) is
used on the whole encyclopedia, the Chinese government will likely block
the HTTP version too, because it could no longer filter it, just like
the HTTPS now.

[1] https://en.wikipedia.org/wiki/One-time_password
[2] https://en.wikipedia.org/wiki/SecurID
[3] http://code.google.com/p/crypto-js/
[4] http://crypto.stanford.edu/sjcl/
[5] http://digitalbazaar.com/2010/07/20/javascript-tls-1/

~ Seb35