Just one question from a relatively non-technical person: What falls off the map if everything is done using SSL? Is this the protocol that would make it essentially impossible to read/edit Wikipedia using a normal internet connection from China?
Risker
On 31 July 2013 15:12, Magnus Manske magnusmanske@googlemail.com wrote:
There was the lofty notion of including all images, CSS/JS/whatnot as CDATA elements in the page itself, for browsers that support it. That would get around the one issue, but still allow size-based fingerprinting, especially since most users will follow links within the site, so the search space gets much smaller. Random package size increase, as mentioned, might help there.
Magnus
On Wed, Jul 31, 2013 at 7:55 PM, Brian Wolff bawolff@gmail.com wrote:
Which kind of ignores the issue that encrypting with ssl doesn't do a lot against traffic analysis, when its publicly known how big the pages you're downloading are, and how many images/other assets they have on them. NSA certainly has the resources to do this if they want.
If you can do this sort of thing:
http://blog.ioactive.com/2012/02/ssl-traffic-analysis-on-google-maps.html
against google maps, I imagine it should be much simpler to do something like that for Wikipedia. (Our data has more variation in it, and the data is all publicly available)
--bawolff
On 7/31/13, Tyler Romeo tylerromeo@gmail.com wrote:
Good question.
There are two steps to this:
- Move all logins to TLS
- Move all logged in users to TLS
The former was dependent on a bug with E:CentralAuth that was causing $wgSecureLogin to malfunction. I am not sure whether this bug was ever fixed (I remember seeing Chris submit a patch for it, but I think it
was
abandoned).
Also, the discussion on
https://bugzilla.wikimedia.org/show_bug.cgi?id=52283
is probably a blocker for enabled $wgSecureLogin (which would be a pre-requisite for either of the two above steps).
*-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerromeo@gmail.com
On Wed, Jul 31, 2013 at 2:36 PM, David Gerard dgerard@gmail.com
wrote:
Jimmy just tweeted this:
https://twitter.com/jimmy_wales/status/362626509648834560
I think that's the first time I've seen him say "fuck" in a public communication ...
Anyway, I expect people will ask us how the move to all-SSL is progressing. So, how is it going?
(I've been telling people it's slowly moving along, we totally want this, it's just technical resources. But more details would be most useful!)
- d.
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
-- undefined _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l