Sooo... we're on the way to HTTPS... what's next?
YubiKey/Google Authenticator/etc... 2-factor auth? Or signed client side
user certificates (<keygen>, etc...)?
--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
On Wed, 04 Apr 2012 04:31:02 -0700, Petr Bena <benapetr@gmail.com> wrote:
> Ok, your reply makes a lot of sense. However, the problem is that as users
> get more "hats" they are usually more afraid of losing them :-) and
> would probably like to have an option to protect against attackers (I
> don't really know, but I hope that people with some extra flags are
> trying to have a secure password at least). The account is getting
> more valuable, and for example the account of some stewards might be a good
> target for hackers. The question is how these people can defend
> themselves when the philosophy is "we don't need strong security
> because user accounts aren't valuable / can't do much damage to the site"
> - when their account is compromised, they will surely have the flags
> revoked permanently, which is likely not what they want. So at some
> point, having more security measures which could be opt-in for people
> who do care about their account, as opposed to people whose account
> isn't interesting to hackers, would make some point too. Given that
> there are thousands of sysops on big projects, I guess they would
> welcome having this feature. (Not that I care personally, I was just
> interested in implementing that in MediaWiki.)
>
> On Wed, Apr 4, 2012 at 11:48 AM, Thomas Morton <morton.thomas@googlemail.com> wrote:
>>> The current process needs to be done by hand, which isn't just
>>> annoying, but also not fail safe, some accounts might be overlooked,
>>> etc. Bureaucrats can misclick or forget.
>>
>> Certainly automatic de-sysoping after a certain inactivity would be
>> useful; an extension that does the notifications and ultimately the
>> de-sysoping would be useful to automate the community-approved process.
>> Don't get me wrong on that front, I like the idea!
>>
>>> The email account is likely
>>> much safer than a Wikimedia account,
>>
>> Not a good premise to take; email accounts are high-value targets (as
>> opposed to a Wikipedia account, which has relatively low general value).
>> So although they are harder to crack (to a point) they are also more
>> worthwhile targets.
>>
>> So an email account is a significant risk.
>>
>> And an account without an email address added could be argued to be
>> *more* secure.
>>
>>> Google, for example, offers a
>>> lot of security measures we don't, because they don't follow the "hacking a
>>> user wouldn't do much damage" philosophy.
>>
>> It's largely security theatre; except the two-factor authentication
>> (which is actually useful). Our accounts simply aren't that valuable,
>> which is why actual security of that form isn't really a good option.
>> What you proposed is only really a stopgap.
>>
>>
>>> And I guess many other
>>> providers do the same. Hacking two accounts would be much harder
>>> than hacking one, given that once the first account is hacked, the
>>> user would be immediately notified by email (the hacker would have very
>>> limited time to hack the email box as well).
>>
>> Realistically, and in my experience, this is not the case. You're
>> relying on the user to respond, or being in a position to respond - which
>> is the critical failing of the proposal.
>>
>> When we do pen tests we often make notifications of some sort appear
>> in front of users to see how they respond to them - and often the
>> response is confusion, not concern. Remember: the large part of the WM
>> community is *not* technical.
>>
>> Tom