Lee Daniel Crocker wrote:
(Tim Starling ts4294967296@hotmail.com):
If we really want to be serious about security we'll have to use ssl for login, but I don't know how to do that.
That's entirely too paranoid. Frankly, I don't see much need for high security of Wikipedia logins. It's not like we're storing medical records. (Oh my God! My neighbor might find out that I like the "Nostalgia" skin!) The only real risk is that someone might log in as me and make edits in my name, but then I'd just disavow them and change my password.
There are two reasons to have good security:
1) To prevent hijacking of an administrator/developer account.
2) To prevent password theft. Many users use the same password for a number of sites.
Of course, users who know anything about Internet security should expect websites to handle their passwords insecurely -- everyone does it. Wikipedia is certainly not alone.
The present saltless-md5 was an improvement over the original code which had passwords in plain text in the database where any sysop could see them all with a select; /that/ was probably a bit too loose :-), so I md5'd them. If making a slightly better encrypted version improves things with no hassle, that's fine too. But let's not get worked up over nothing.
SSL is indeed a big hassle for a relatively small gain. I once read an article on what someone can do if they have physical access to the network -- say in a campus network using old thin-wire ethernet. It was pretty scary, actually -- they can basically intercept and modify all communications at will. But this kind of attack does require physical access, and hence is reasonably rare. Remember that even SSL won't fix another common kind of attack -- a user system compromised by a worm or trojan. There's not much we can do about that one, but it happens all the time.
-- Tim Starling.
wikitech-l@lists.wikimedia.org
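
Added example, not part of the original message or of MediaWiki's code: the saltless-MD5 storage discussed in the thread beside a per-user salted PBKDF2 record, with legacy rows upgraded at the next successful login. The function names, the record layout, the iteration count and the sample accounts are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 200_000  # assumed work factor; tune for your hardware


def legacy_md5(password):
    """Saltless MD5 as in the thread: equal passwords give equal digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_salted(password, salt=None):
    """Random per-user salt plus a slow KDF. Record layout is an assumption."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())


def verify(password, stored):
    """Return (ok, record_to_store); a legacy row is upgraded when it verifies."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), stored
    ok = hmac.compare_digest(legacy_md5(password), stored)
    return ok, (hash_salted(password) if ok else stored)


def shared_records(table):
    """Group users whose stored records are identical (visible to anyone with SELECT)."""
    groups = defaultdict(list)
    for user, record in table.items():
        groups[record].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


if __name__ == "__main__":
    # Constructed accounts: two users picked the same password.
    passwords = {"alice": "nostalgia-skin", "bob": "nostalgia-skin", "carol": "other"}
    md5_table = {u: legacy_md5(p) for u, p in passwords.items()}
    print("md5 rows that match:", shared_records(md5_table))
    upgraded = {u: verify(passwords[u], rec)[1] for u, rec in md5_table.items()}
    print("salted rows that match:", shared_records(upgraded))
```

With the saltless table, the two accounts that share a password have identical rows; after the upgrade path runs, no two rows match even though the passwords are unchanged.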