On 23 August 2013 18:35, David Gerard dgerard@gmail.com wrote:
On 23 August 2013 23:31, Risker risker.wp@gmail.com wrote:
There are other options. The question is whether or not they can be made
to
work in the MediaWiki/WMF circumstances. If you looked at the data collected to see where HTTPS attempts were unsuccessful, you'd see that there are editors in a lot of countries with issues (i.e., greater than
5%
failure rates), and most of them are technical issues. Suddenly you're
not
just talking about a few projects, you're talking about dozens who may
have
difficulty getting CU/OS support internally.
That doesn't change the security consideration.
No it doesn't change the security consideration. What changes is the recognition that the problem may actually be bigger than initially thought. Everyone knew about China and Iran. Probably nobody knew about Pakistan, Indonesia, Philippines, India, etc - all of which have multiple language projects. Even just HTTPS logins may be a challenge for some of these countries, and it gives the WMF reason to consider how to better support them just so everyone is protected and isn't left with the choice of editing by IP or not editing at all.
The people in our many overlapping MediaWiki and Wikimedia communities
have
come up with a lot of very creative solutions to problems that other
sites
haven't figured out or don't care enough to bother with. I have a lot of faith that some out of the box thinking might very well resolve this specific issue, and possibly open a gateway to solving the security issue for even larger groups.
And until then, it actually needs to be HTTPS-only. I'm horrified it isn't already.
Well, I'm not terribly technical, but I don't think there's ever been consideration of linking login requirements to user permissions. Perhaps that needs to change. I'm concerned too.
Risker/Anne