In response to reports of people posting misleading links to Special:Blockme, or otherwise tricking users' browsers into requesting the relevant URL, I've implemented a basic keyed hash authentication algorithm.
Still to do: initialising the key from a higher quality random number source in the installer program. Currently it just draws 124 bits from a Mersenne Twister, which is probably seeded from the system time. In the short term, users may wish to replace $wgProxyKey with their own random string. Wikipedia is using a 160 bit key drawn from /dev/random.
-- Tim Starling
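The scheme described in the message above, as an added example that is not MediaWiki's code or part of the original post: a 160-bit key drawn from the operating system's CSPRNG, and a keyed hash that a forged link cannot reproduce without the key. The function names, the choice of HMAC-SHA256, and the assumption that the token is bound to the requesting IP address are all illustrative.

```php
<?php
// Added illustration. Function names, HMAC-SHA256 and the IP-bound message
// layout are assumptions, not MediaWiki's implementation.

// Draw a 160-bit key from the OS CSPRNG (plays the role of $wgProxyKey).
function generateProxyKey(): string {
    return bin2hex(random_bytes(20)); // 20 bytes = 160 bits, hex-encoded
}

// Keyed hash over the value the request acts on (assumed: the client IP).
// Without the key, a third party cannot build a valid token for a victim.
function blockmeToken(string $key, string $ip): string {
    return hash_hmac('sha256', $ip, $key);
}

// Recompute the token for the actual requester and compare in constant time.
function verifyBlockmeToken(string $key, string $ip, string $token): bool {
    return hash_equals(blockmeToken($key, $ip), $token);
}

$key   = generateProxyKey();
$ip    = '192.0.2.10';               // constructed sample address (TEST-NET-1)
$token = blockmeToken($key, $ip);

// Genuine request: token was issued for this address.
var_dump(verifyBlockmeToken($key, $ip, $token));

// Link passed to a different user: token does not match their address.
var_dump(verifyBlockmeToken($key, '192.0.2.99', $token));

// Misleading link with a made-up token: rejected.
var_dump(verifyBlockmeToken($key, $ip, str_repeat('0', 64)));
```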
Tim Starling wrote:
> In response to reports of people posting misleading links to Special:Blockme, or otherwise tricking users' browsers into requesting the relevant URL, I've implemented a basic keyed hash authentication algorithm.
You might also want to make it a POST request.
wikitech-l@lists.wikimedia.org