We should probably update the documentation for $wgSecretKey however I'm not sure the best way to write it.
https://www.mediawiki.org/wiki/Manual:%24wgSecretKey
Right now $wgSecretKey is 99% worthless. We aren't using it directly anymore. We now generate all tokens with proper cryptographic random sources. So we don't base security off keeping a string secret anymore. ((That %1 is from the fact that if you have no access to urandom or are on old php, no mcrypt random, and no openssl random we do use $wgSecretKey as a very small source of entropy, but it's of barely any value most of our entropy comes from clock drift in that case.))
At the same time it's worth noting the warning about user_token. It does not apply to any new user_token but old user_tokens for users who have not updated their passwords resulting in the reset of user_token on wikis that have not done a full reset will still be somewhat vulnerable to $wgSecretKey leaks.
On 10/14/2012 01:11 AM, Daniel Friesen wrote:
((That %1 is from the fact that if you have no access to urandom or are on old php, no mcrypt random, and no openssl random we do use $wgSecretKey as a very small source of entropy, but it's of barely any value most of our entropy comes from clock drift in that case.))
Looks like 0.001% to me.
Except extensions use $wgSecretKey too.
—Victor.
On Sat, Oct 13, 2012 at 10:11 PM, Daniel Friesen <daniel@nadir-seen-fire.com
wrote:
We should probably update the documentation for $wgSecretKey however I'm not sure the best way to write it.
Leucosticte pasted your message into [1], which is a start.
At the same time it's worth noting the warning about user_token. It does not apply to any new user_token but old user_tokens for users who have not updated their passwords resulting in the reset of user_token on wikis that have not done a full reset will still be somewhat vulnerable to $wgSecretKey leaks.
Your last sentence is hard to understand.
I updated the explanation of user_token in the User_table page[2]. I removed the link to an explanation of Edit_token[1], since that seems nothing to do with the user_token. I think MW only uses user_token as the cookie "{$wgCookiePrefix}Token" when you click "Remember my login on this browser", and maybe for CentralAuth.
[1] https://www.mediawiki.org/wiki/Manual:%24wgSecretKey [2] https://www.mediawiki.org/wiki/Manual:User_table#user_token [3] https://www.mediawiki.org/wiki/Manual:Edit_token
On Sun, 14 Oct 2012 17:31:03 -0700, S Page spage@wikimedia.org wrote:
On Sat, Oct 13, 2012 at 10:11 PM, Daniel Friesen <daniel@nadir-seen-fire.com
wrote:
We should probably update the documentation for $wgSecretKey however I'm not sure the best way to write it.
Leucosticte pasted your message into [1], which is a start.
At the same time it's worth noting the warning about user_token. It does not apply to any new user_token but old user_tokens for users who have not updated their passwords resulting in the reset of user_token on wikis that have not done a full reset will still be somewhat vulnerable to $wgSecretKey leaks.
Your last sentence is hard to understand.
- changing a password or resetting the entire user_token column will reset user_tokens. So if those are done after you upgrade to a version with MWCryptRand then the user_tokens affected will be ok. - But any user_token that has not been reset yet will still be based on $wgSecretKey and will still be somewhat vulnerable to attacks if $wgSecretKey is leaked.
I updated the explanation of user_token in the User_table page[2]. I removed the link to an explanation of Edit_token[1], since that seems nothing to do with the user_token. I think MW only uses user_token as the cookie "{$wgCookiePrefix}Token" when you click "Remember my login on this browser", and maybe for CentralAuth.
[1] https://www.mediawiki.org/wiki/Manual:%24wgSecretKey [2] https://www.mediawiki.org/wiki/Manual:User_table#user_token [3] https://www.mediawiki.org/wiki/Manual:Edit_token
wikitech-l@lists.wikimedia.org