The lack of secure login on WMF wikis is a *major security issue*, and AFAIK is the biggest publicly known security issue in the site. All you need is some random checkuser to be using Wikipedia at a Starbucks, and all of a sudden the privacy policy of every single registered user is violated. There's big talk all around about "evading the NSA" and attempting to protect the privacy of our users, but it is literally impossible to protect users' privacy if we can't even protect their security in the first place. To re-iterate, privacy depends on security, and right now we have neither of them.
Furthermore, secure login is not a new idea. I've been fighting to get this feature enabled since October 2012, when the secure login functionality in MW core was finally fixed. Since then, HTTPS login has been deployed *twice*, but reverted once due to a bug with CentralAuth and once due to the design team's concerns about the login form. This will be the third attempt at deploying this in the past six months, so I don't know why this discussion had to start right now.
In the end, what we're doing is allowing the Chinese government to manipulate the WMF into degrading the security of its entire userbase, and I don't think that's acceptable. There are 100 times as many active users on enwiki than there are zhwiki, and that's assuming *all* active users on zhwiki also edit enwiki, which is probably not true.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com
On Tue, Aug 20, 2013 at 6:10 PM, Derk-Jan Hartman <d.j.hartman+wmf_ml@gmail.com> wrote:
On 20 Aug 2013, at 23:21, Bartosz Dziewoński <matma.rex@gmail.com> wrote:
On Tue, 20 Aug 2013 23:19:22 +0200, MZMcBride <z@mzmcbride.com> wrote:
If we change all sites to require HTTPS for logged-in users, we'll certainly increase site security and enhance the user experience for most users, but is that worth losing every zh.wikipedia.org contributor who lives in China? Or do we expect anyone blocked from HTTPS to simply edit without an account? I think the concern here is that some projects may be decimated (in terms of number of contributors) if HTTPS is forced for all users.
I think that zh and fa wikis are "exempt". The concern seems to be about contributors from affected countries editing other wikis, such as Commons or Wikidata.
Can I just say that IF there is still this much discussion and confusion going on, even at the level of the developers, I feel really uncomfortable with this being deployed in the next 24 hours.
This all just feels way too rough. And it smells like this is gonna create yet another deploy shitstorm within the communities. I wouldn't like to be in the shoes of the liaisons and ambassadors tomorrow....
DJ
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
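The thread's core point is that a login served over plain HTTP hands the session to anyone on the same network. The following is an added example, not code from the thread or from MediaWiki: an offline audit of the `Set-Cookie` headers a login response returns, flagging session-like cookies that lack the `Secure` or `HttpOnly` attributes or were set over plain HTTP. The header values, cookie names and the name heuristic (`SESSION_NAME_HINTS`) are constructed assumptions for illustration, not captured from any WMF site.

```python
"""Audit login-response cookies for exposure over plain HTTP.

Added example (not part of the mailing-list thread). Sample headers below are
constructed; the session-name heuristic is an assumption, not a standard.
"""
from dataclasses import dataclass, field

# Heuristic: cookie names that usually carry authentication state (assumption).
SESSION_NAME_HINTS = ("session", "token", "userid", "username")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    looks_like_session: bool
    problems: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, {attribute: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to ''.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def audit_login_response(scheme, set_cookie_headers):
    """Return a CookieReport per Set-Cookie header.

    scheme is the scheme of the login request ('http' or 'https'). Only cookies
    that look like session/identity cookies are judged; others are reported
    without problems.
    """
    reports = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        report = CookieReport(
            name=name,
            secure="secure" in attrs,
            httponly="httponly" in attrs,
            looks_like_session=any(h in name.lower() for h in SESSION_NAME_HINTS),
        )
        if report.looks_like_session:
            if not report.secure:
                report.problems.append("missing Secure: cookie will be sent over plain HTTP")
            if not report.httponly:
                report.problems.append("missing HttpOnly: readable by page scripts")
            if scheme != "https":
                report.problems.append("set over plain HTTP: credentials and cookie already exposed on the wire")
        reports.append(report)
    return reports


def findings(scheme, set_cookie_headers):
    """Map cookie name -> list of problems, for cookies that have any."""
    return {r.name: r.problems for r in audit_login_response(scheme, set_cookie_headers) if r.problems}


# Constructed samples: a login over HTTP with weak cookies, and the hardened form.
INSECURE_LOGIN = ("http", [
    "wikiSession=abc123; Path=/; HttpOnly",
    "wikiUserID=42; Max-Age=2592000; Path=/",
    "GeoIP=US; Path=/",
])
HARDENED_LOGIN = ("https", [
    "wikiSession=abc123; Path=/; Secure; HttpOnly",
    "wikiUserID=42; Max-Age=2592000; Path=/; Secure; HttpOnly",
    "GeoIP=US; Path=/",
])

if __name__ == "__main__":
    for label, sample in (("insecure", INSECURE_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, findings(*sample))
```

The third check matters even when the cookie flags are right: if the login form itself posts over HTTP, the password is on the wire before any cookie attribute can help, which is why the thread is about forcing HTTPS for the login step and not only about cookie flags.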