On 08/23/2013 02:36 PM, Tyler Romeo wrote: +1 -- Marc

On 08/23/2013 04:35 PM, Risker wrote: Pretty much by definition the accounts holding those bits are the one we /least/ want to have their password snooped, and the ones most likely to be targeted by malicious eavesdroppers. If we could only support some accounts to use HTTPS, those are the ones we would need to force. Yes, it does mean that there could not be checkusers in mainland China, for instance as long as they are unable to log in through HTTPS. That would be a /good/ thing. -- Marc

On Fri, Aug 23, 2013 at 5:33 PM, Risker <risker.wp(a)gmail.com> wrote: It's statements like these that make me question whether the WMF actually cares about its users' privacy in the first place. There's some big talk on this list about "subverting the NSA" and making sure that users are secure within their accounts when using Wikipedia. But if you're not willing to actually do something about privacy, then it's just talk. It is completely unacceptable for checkusers in China to be logging in over an insecure connection. The Chinese government directly monitors these connections and can easily harvest these passwords en masse. I truly sympathize with Chinese Wikipedians who aspire to hold checkuser positions, but putting at risk the IP address information of every user on Wikipedia just for the sake of one person who wants to volunteer in a certain capacity is completely unacceptable. If a technical solution can be found that facilitates affected users being There is no technical solution, as has been discussed previously. The China firewall blocks all HTTPS connections. There is no legal method of getting around this. The only solution that would preserve both accessibility and security would be if Wikipedia implemented its own application level TLS protocol, which would be an absurd undertaking, and would probably just result in the Chinese government blocking Wikipedia completely anyway. You're going to have to choose: risk everybody's privacy or deny checkuser opportunities to people in China. *-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerromeo(a)gmail.com

On Fri, Aug 23, 2013 at 6:16 PM, Ryan Lane <rlane32(a)gmail.com> wrote: True, but to be honest, if we come up with a clever enough idea, from China's perspective that's just us getting around their security, which they wouldn't exactly take kindly towards... *-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerromeo(a)gmail.com

On 23 August 2013 23:31, Risker <risker.wp(a)gmail.com> wrote: That doesn't change the security consideration. And until then, it actually needs to be HTTPS-only. I'm horrified it isn't already. - d.

On 23 August 2013 18:35, David Gerard <dgerard(a)gmail.com> wrote: No it doesn't change the security consideration. What changes is the recognition that the problem may actually be bigger than initially thought. Everyone knew about China and Iran. Probably nobody knew about Pakistan, Indonesia, Philippines, India, etc - all of which have multiple language projects. Even just HTTPS logins may be a challenge for some of these countries, and it gives the WMF reason to consider how to better support them just so everyone is protected and isn't left with the choice of editing by IP or not editing at all. Well, I'm not terribly technical, but I don't think there's ever been consideration of linking login requirements to user permissions. Perhaps that needs to change. I'm concerned too. Risker/Anne

Le Sat, 24 Aug 2013 00:45:05 +0200, Tyler Romeo <tylerromeo(a)gmail.com> a écrit: An other solution is the use of one-time passwords [1] for high-security or https-unfriendly users (e.g. logging in) or actions (e.g. checkuser action). Such one-time passwords can be generated entirely on the client side (e.g. a program) or on an external device (e.g. SecurID [2]). This transfers the problem "unsecure password" to a problem "protection of the password generator" (e.g. with an offline password) and introduces the key distribution problem (e.g. the physical device). If used on HTTP the server response must be encrypted and processed by the client with JavaScript; there exists such JavaScript cryptographic libraries [3][4] (I didn’t test them). Le Sat, 24 Aug 2013 00:13:03 +0200, Tyler Romeo <tylerromeo(a)gmail.com> a écrit: Just for the sake of documention there exists a JavaScript TLS library [5] (I didn’t test it). This could also be used for high-security or https-unfriendly users or actions. Anyway I guess that if any encryption (HTTPS, JavaScript TLS, etc.) is used on the whole encyclopedia the Chinese government will also likely block also the HTTP version because it could no more filter it, just like the HTTPS now. [1] https://en.wikipedia.org/wiki/One-time_password [2] https://en.wikipedia.org/wiki/SecurID [3] http://code.google.com/p/crypto-js/ [4] http://crypto.stanford.edu/sjcl/ [5] http://digitalbazaar.com/2010/07/20/javascript-tls-1/ ~ Seb35

Le Sat, 24 Aug 2013 19:05:38 +0200, Tyler Romeo <tylerromeo(a)gmail.com> a écrit: Oh yes, this type of extension would be great for checkusers/oversights; probably the documentation should be improved if deployed on the Wikimedia wikis -- I didn’t know myself how this was functionning exactly when I played with it. Thanks, ~ Seb35

On Mon, Aug 26, 2013 at 11:50 AM, Chris Steipp <csteipp(a)wikimedia.org>wrote;wrote: Yeah...that's a little bit of my fault. Once the merger between Extension:OATHAuth and Extension:TwoFactorAuthentication is complete, that feature will exist. See bug 53195. *-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerromeo(a)gmail.com

On 23 August 2013 19:55, Rob Lanphier <robla(a)wikimedia.org> wrote: Thanks for the clarification, Rob. Risker

So, some ideas: As for the idea that we need to fix internet that's so bad it can't handle HTTPS for "technical reasons"; anything that's that broken is pretty hopeless to "fix" from the web server's end. Instead, consider: * provide support to groups working for improving internet access in areas with poor connectivity And for the "some countries block our HTTPS" issue: * *actually support* use of Tor etc for editing, allowing folks "in the know" to work around the government blocks and use the site over HTTPS * provide support to groups working against government censorship of the internet * sponsor an official hosted-and-run-in-PRC censor-friendly mirror, and devise some way to migrate edits back This last would probably be controversial, but if we're serious about 'providing access to knowledge' in PRC, I suspect that's our best bet. Good news is, we're an open-source open-content project, and so this service could be launched *by anyone at any time*. Arguably, Baidupedia already beat us to this. -- brion On Fri, Aug 23, 2013 at 3:31 PM, Risker <risker.wp(a)gmail.com> wrote:

On Fri, Aug 23, 2013 at 3:47 PM, Risker <risker.wp(a)gmail.com> wrote: Well, we don't allow "unbridled" anything; our administrators litter the IP address universe and logged-in users alike with blocks constantly. :) I would strongly recommend a saner signup/account moderation system for "less trusted" network origins such as Tor nodes, though. The key is that you have to actually allow creating an account from a Tor node in the first place, or you're limited to people who live in "free internet" countries or have the money or clout to go abroad to create their accounts... -- brion

On Fri, Aug 23, 2013 at 4:38 PM, Tilman Bayer <tbayer(a)wikimedia.org> wrote: I would make the argument that Checkuser is a) ineffective and b) dangerous to privacy: it's incapable of actually identifying people in the first place if they make any effort to work around it, and it exposes network locations of people who aren't explicitly hiding to a fairly large group of people. That we've built a bureaucracy around checking to see what IP addresses people came from and banning them if they appear to be the same as a previously-banned person is pretty freaky at best and at worst **doesn't actually help** against anyone with the slightest incentive to game the system. I'd recommend some out-of-the-box thinking instead, perhaps: * stop exposing IP addresses of any users at all (whether logged-in or anonymous) * replace "IP editing" with a simple solution for creating a consistent anonymous identity with a minimum of effort (for example, automatically create an ID cookie which links to an anonymous 'account' which you can optionally turn into a registered, named, emailable user account in the future, or discard and replace every time if you're super-anonymous!) * have much, much better inter-user communication and moderation tools that can prioritize attention on activity of new users, low-reputation users, at-risk network origins or user-agents, etc without exposing individual IP addresses to actual users on the site No, making a good system is not going to be easy. It's going to be hard, and require a lot of thinking. But I really hope we get to it. At best, that's not very user friendly (and the page strongly discourages anybody to use it by reminding that it's only for trusted people under 'exceptional circumstances'). At worst, it exposes your shiny new login over plaintext email, so negative actors can sniff the data and associate your account with your person. -- brion

On Friday, August 23, 2013, Brion Vibber wrote: This kind of proto-account for anonymous editors is something we've discussed among a shadowy cabal (i kid) of product managers in the past. I've also heard that the Ombudsmen have suggest similar things as well. I think there's probably pretty wide support for some or all of what you're suggesting Brion, but as you say, it's a ton of work. :-) My team is strongly considering experiments this year to try and give more anonymous editors incentives to sign up. Some of what you described, particularly giving them a persistent unique identity that makes viewing an IP a progressive disclosure action or otherwise masks it to most users on-wiki, is something we might be able to tackle. This would be a good transition step toward removing use of IPs as public identifiers altogether. We don't really have the bandwidth to take up actually replacing IPs though. If anyone is interested in working on this during the Dev Days pre-all staff in September, I'll put it in the list of topics and would be game to participate from a product/UX perspective. As for better communication and moderation tools, I think Maryana and Brandon would agree that if we are going to ever roll out new user-user discussion pages, we are going to have to figure out how IP talk pages fit in to that. Steven

On 08/23/2013 07:35 PM, Marc A. Pelletier wrote: ... and, more importantly, /why/ is that discussion taking place offline in the first place? -- Marc

On 23 August 2013 21:28, Marc A. Pelletier <marc(a)uberbox.org> wrote: +1 There can't really be a geoIP exemption for this. - d.