We get the urgency. We just have to prioritize this among the many other issues we are responsible for. But I've taken these issues to heart, thanks for the education.
Original Message
From: James Salsman
Sent: Thursday, January 19, 2017 19:53
To: [email protected]
Reply To: A mailing list for the Analytics Team at WMF and everybody who has an interest in Wikipedia and analytics.
Subject: Re: [Analytics] stats.grok.se used in study about Snowden and internet traffic

Here is a commercial malware-scanning proxy all but claiming outright that they can MITM-scan any browser protocol not using QUIC:

http://www.bitdefender.com/support/how-to-disable-quic-protocol-in-google-chrome-1669.html

Security is such a mess these days that I hope you all understand why I keep saying you shouldn't be storing readers' article names associated with any of their IP, proxy, or geolocation, separating them as soon as they hit RAM on the ingress proxies.

On Thu, Jan 19, 2017 at 4:16 PM, James Salsman <[email protected]> wrote:
>> But we are https-only now, am I missing something?
>
> These authors say that TLS 1.2/ECDHE_RSA/P-256 as used by enwiki
> currently is still within the capability of hobbyists to crack in a
> few days on less than $10,000 of hardware, if I'm reading it right:
> https://hal.inria.fr/hal-01244855/document
>
> QUIC would be a lot better, with X25519 at least. That's what Google
> moved to after that paper was published.
>
>> how do you have that screenshot?
>
> It's linked from the footnote on page 33 of this lawsuit by the
> Foundation and ACLU asking the government to stop monitoring Wikipedia
> traffic:
>
> https://www.aclu.org/sites/default/files/field_document/23._aclu_appeal_brief_2.17.2016.pdf

_______________________________________________
Analytics mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/analytics
