[Foundation-l] Release of squid log data

Anthony wikimail at inbox.org
Fri Sep 21 01:20:37 UTC 2007


On 9/20/07, Gwern Branwen <gwern0 at gmail.com> wrote:
> On 2007.09.20 20:15:12 -0400, Ben McIlwain <cydeweys at gmail.com> scribbled 39 lines:
> ...
> > And by the way, remember that all unencrypted web traffic ends up
> > unencrypted at the Tor exit node, and can be (and sometimes is) sniffed
> > by unscrupulous folks.  If you are using Tor you *must* make sure to use
> > only the secure Wikimedia https proxy.  Even that is difficult though,
> > because you'll end up clicking a link that takes you to unsecure http
> > pages (such as a diff links), and before you can blink, your admin
> > cookie has gone across the web unencrypted.
> ...
>
> Is this actually true, though? As I've said before, I edit through secure.wikimedia.org, and I've done so for the past few months. In that time, I've clicked on external links to en.wikipedia.org/wiki/whatever - not internal links to https://secure.wikimedia.org/wikipedia/en/wiki/whatever - and not once have I found myself to be logged in on En.
>
No, it's absolutely untrue.  I just verified it.  The cookies are
properly sent as "secure" cookies, "secure" being a flag which when
set means not only will cookies not be sent to en.wikipedia.org, they
won't even be sent to http://secure.wikimedia.org/.



More information about the foundation-l mailing list