Re: [Wikitech-l] Is assert() allowed?

2013-07-31 Thread Tyler Romeo
On Wed, Jul 31, 2013 at 10:47 PM, Tim Starling wrote: > If the error is serious > and unexpected, and likely to cause undesirable behaviour > If this is the case, then you don't use assertions. You would use assertions for things that don't have major side effects on the program, but generally ar

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Jeremy Baron
On Thu, Aug 1, 2013 at 4:28 AM, Anthony wrote: > On Wed, Jul 31, 2013 at 5:59 PM, George Herbert > wrote: >> The second is site key security (ensuring the NSA never gets your private >> keys). > > Who theoretically has access to the private keys (and/or the signing key) > right now? The roots. h

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Ryan Lane
On Wed, Jul 31, 2013 at 9:28 PM, Anthony wrote: > On Wed, Jul 31, 2013 at 5:59 PM, George Herbert >wrote: > > > The second is site key security (ensuring the NSA never gets your private > > keys). > > > Who theoretically has access to the private keys (and/or the signing key) > right now? > > Pe

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Anthony
On Wed, Jul 31, 2013 at 5:59 PM, George Herbert wrote: > The second is site key security (ensuring the NSA never gets your private > keys). Who theoretically has access to the private keys (and/or the signing key) right now? The third is perfect forward security with rapid key rotation. > Does

[Wikitech-l] unexpected error info in HTML

2013-07-31 Thread Jiang BIAN
Hi, I noticed some pages we crawled containing error message like this; Failed to render property P373: Wikibase\LanguageWithConversion::factory: given languages do not have the same parent language But when I open the url in browser, there is no such message. And using index.php can also get n

Re: [Wikitech-l] Is assert() allowed?

2013-07-31 Thread Tim Starling
On 01/08/13 10:05, Tyler Romeo wrote: > On Wed, Jul 31, 2013 at 7:28 PM, Tim Starling wrote: > >> The php.ini option assert.bail is 0 by default. > > > So? It's the same way in Java. You have to turn on assertions. It's kind of > natural to assume that if assertions are off they won't cause fatal

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Leslie Carr
On Wed, Jul 31, 2013 at 5:22 PM, Tyler Romeo wrote: > Also, on a side note, Facebook *just* made HTTPS the default: > > https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920 > As an FYI - facebook, a site where every person is logged in and possibly seei

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Tyler Romeo
Also, on a side note, Facebook *just* made HTTPS the default: https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920 *-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerro...@gmail.com

Re: [Wikitech-l] Is assert() allowed?

2013-07-31 Thread Tyler Romeo
On Wed, Jul 31, 2013 at 7:28 PM, Tim Starling wrote: > The php.ini option assert.bail is 0 by default. So? It's the same way in Java. You have to turn on assertions. It's kind of natural to assume that if assertions are off they won't cause fatal errors. *-- * *Tyler Romeo* Stevens Institute of

Re: [Wikitech-l] Is assert() allowed?

2013-07-31 Thread Tim Starling
On 31/07/13 22:19, Tyler Romeo wrote: > On Wed, Jul 31, 2013 at 7:42 AM, Tim Starling wrote: > >> Indeed. In C, assert() will abort the program if it is enabled, which >> is hard to miss. It is not comparable to the PHP assert() function. > > > ...except PHP's assert() *also* aborts the program

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Brian Wolff
> As for government-run spy networks, we don't know what their full > capabilities are. But there are plenty of benefits to rolling out SSL > regardless, even just for privacy from the person at the other end of > the coffee shop. Firesheep, anyone? > > Matt Flaschen I agree that there's lots of

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread George Herbert
It would be useful to focus on the short term problem and solution; the coming quantum computer factoring factory issue which will render large-prime crypto less useful is still on the horizon. The big threat is lack of basic HTTPS everywhere. The second is site key security (ensuring the NSA

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Ryan Lane
On Wednesday, July 31, 2013, Ryan Lane wrote: > On Wed, Jul 31, 2013 at 1:06 PM, David Gerard > > > wrote: > >> Oh - if anyone can authoritatively compose a WMF blog post on the >> state of the move to SSL (the move to logins and what happened there, >> the NSA slide, ongoing issues like browser

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Tyler Romeo
On Wed, Jul 31, 2013 at 5:29 PM, Matthew Flaschen wrote: > I'm not sure what that has to do with the message you replied to. I > completely support rolling out HTTPS where possible (I'm using HTTPS > Everywhere already). > Sorry I might have highlighted the wrong message when replying. I was

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Matthew Flaschen
On 07/31/2013 04:35 PM, Tyler Romeo wrote: > Like I've said before, the NSA spying on what users are reading is still > the least of our concerns. We should focus on making sure passwords aren't > sent over plaintext before attempting to evade a government-run > international spy network. I'm not

Re: [Wikitech-l] (no subject)

2013-07-31 Thread Tyler Romeo
On Wed, Jul 31, 2013 at 5:00 PM, Greg Grossmeier wrote: > Tyler: mind reporting this as an enhancement bug in deployment-prep? > Include things like what is needed to get it working etc. > > Might be something we could get running against the beta cluster, > perhaps. > Sure thing: https://bugzil

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Jeremy Baron
On Wed, Jul 31, 2013 at 8:56 PM, Paul Selitskas wrote: > Yes, that is exactly what I do. But Google, for instance, redirects me to > HTTP, and if I've logged via HTTPS recently, I would have to log in once > again via HTTP. It's very frustrating. I think you've misinterpreted. "HTTPS Everywhere"

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Tyler Romeo
@Paul - Some links that might interest you. On Wed, Jul 31, 2013 at 4:56 PM, Paul Selitskas wrote: > But Google, for instance, redirects me to > HTTP > https://bugzilla.wikimedia.org/show_bug.cgi?id=51002 For inexperienced users yet concerned about privacy, there should be an > HTTP/HTTPS switc

Re: [Wikitech-l] (no subject)

2013-07-31 Thread Greg Grossmeier
> What might be useful is to have a security instance running MediaWiki with > a similar setup to the actual en-wiki, and then have Minion running on an > instance and have it run the tests that way. Unfortunately, I don't know > how we would manage users (since it doesn't have LDAP integration) o

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Paul Selitskas
Yes, that is exactly what I do. But Google, for instance, redirects me to HTTP, and if I've logged via HTTPS recently, I would have to log in once again via HTTP. It's very frustrating. Are there public statistics on HTTPS v. HTTP processed requests share for Wikimedia? Rough numbers? For inexperi

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Ryan Lane
On Wed, Jul 31, 2013 at 1:39 PM, Paul Selitskas wrote: > Can we enable full security mode (as an optional feature) geographically > based on the most concerned governments, if the whole thing isn't going > fast due to lack of resources? > > No. That's in fact much, much harder. There's nothing st

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Paul Selitskas
Can we enable full security mode (as an optional feature) geographically based on the most concerned governments, if the whole thing isn't going fast due to lack of resources? On Wed, Jul 31, 2013 at 11:35 PM, Tyler Romeo wrote: > Like I've said before, the NSA spying on what users are reading

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Tyler Romeo
Like I've said before, the NSA spying on what users are reading is still the least of our concerns. We should focus on making sure passwords aren't sent over plaintext before attempting to evade a government-run international spy network. *-- * *Tyler Romeo* Stevens Institute of Technology, Class

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Matthew Flaschen
On 07/31/2013 03:23 PM, Risker wrote: > Just one question from a relatively non-technical person: What falls off > the map if everything is done using SSL? Is this the protocol that would > make it essentially impossible to read/edit Wikipedia using a normal > internet connection from China? > > R

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Derric Atzrott
>>Oh - if anyone can authoritatively compose a WMF blog post on the >>state of the move to SSL (the move to logins and what happened there, >>the NSA slide, ongoing issues like browsers in China, etc), that would >>probably be a useful thing :-) >> >> >I'll be posting blog posts each step of the wa

Re: [Wikitech-l] (no subject)

2013-07-31 Thread Tyler Romeo
OK, so after a bit of trouble I managed to get it working on my Vagrant instance. Here's a brief summary of what I learned: * It uses a MongoDB backend with Python and Flask as a front-end * There are plugins that implement certain tests (e.g., nmap, skipfish) * Plans are combinations of plugins,

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Ryan Lane
On Wed, Jul 31, 2013 at 1:06 PM, David Gerard wrote: > Oh - if anyone can authoritatively compose a WMF blog post on the > state of the move to SSL (the move to logins and what happened there, > the NSA slide, ongoing issues like browsers in China, etc), that would > probably be a useful thing :-

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread David Gerard
Oh - if anyone can authoritatively compose a WMF blog post on the state of the move to SSL (the move to logins and what happened there, the NSA slide, ongoing issues like browsers in China, etc), that would probably be a useful thing :-) - d.

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread David Gerard
On 31 July 2013 19:48, David Gerard wrote: > PFS. > http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html Keeping in mind that PFS is not actually perfect either: http://tonyarcieri.com/imperfect-forward-secrecy-the-coming-cryptocalypse - d.

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Ken Snider
On Jul 31, 2013, at 3:12 PM, Magnus Manske wrote: > There was the lofty notion of including all images, CSS/JS/whatnot as CDATA > elements in the page itself, for browsers that support it. That would get > around the one issue, but still allow size-based fingerprinting, especially > since most u

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Risker
Just one question from a relatively non-technical person: What falls off the map if everything is done using SSL? Is this the protocol that would make it essentially impossible to read/edit Wikipedia using a normal internet connection from China? Risker On 31 July 2013 15:12, Magnus Manske wrot

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Magnus Manske
There was the lofty notion of including all images, CSS/JS/whatnot as CDATA elements in the page itself, for browsers that support it. That would get around the one issue, but still allow size-based fingerprinting, especially since most users will follow links within the site, so the search space g

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread C. Scott Ananian
Like dgerald said, let's not let the perfect distract us from the better. It will be impossible to 100% secure our visitors' traffic against an adversary with as many resources as the NSA. But we can secure our users against adversaries with fewer resources, and we can increase the cost of a succ

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Matthew Walker
> > Time to start adding a random amount of extra packets with each request? :) We would need to be very careful to not cause detectable entropy changes which is not trivial! Perhaps we promote the deployment of SPDY/QUIC which interleaves requests? ~Matt Walker Wikimedia Foundation Fundraising

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Ken Snider
On Jul 31, 2013, at 3:01 PM, James Alexander wrote: > Time to start adding a random amount of extra packets with each request? :) This is what freenet does, but I think supporting SPDY/HTTP 2.0 [1] will help in this regard as well, as it essentially pipelines requests (so you wouldn't be able

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread James Alexander
On Wed, Jul 31, 2013 at 11:55 AM, Brian Wolff wrote: > Which kind of ignores the issue that encrypting with ssl doesn't do a > lot against traffic analysis, when it's publicly known how big the > pages you're downloading are, and how many images/other assets they > have on them. NSA certainly has

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Tyler Romeo
On Wed, Jul 31, 2013 at 2:50 PM, Chris Steipp wrote: > 3) Serve all traffic via HTTPS > 4) With PFS and long HSTS timeouts > Indeed. I need to be more optimistic. :) The bug has been fixed as part of the new SUL code. Yay! Nice! *-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Brian Wolff
Which kind of ignores the issue that encrypting with ssl doesn't do a lot against traffic analysis, when it's publicly known how big the pages you're downloading are, and how many images/other assets they have on them. NSA certainly has the resources to do this if they want. If you can do this sor

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Chris Steipp
On Wed, Jul 31, 2013 at 11:40 AM, Tyler Romeo wrote: > Good question. > > There are two steps to this: > 1) Move all logins to TLS > 2) Move all logged in users to TLS 3) Serve all traffic via HTTPS 4) With PFS and long HSTS timeouts > > The former was dependent on a bug with E:CentralAuth that
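Steps 3 and 4 above, serving everything over HTTPS and pinning users there with a long HSTS timeout, look like this at the application layer. This is an added example and not code from the thread or from MediaWiki; it assumes PHP 5.3 or later and an app running behind a TLS-terminating proxy whose addresses are listed in `$trustedProxies` (a name chosen for this example, as are `requestIsHttps`, `hstsHeaderValue` and `httpsUrl`; the proxy addresses are constructed).

```php
<?php
// Added example, not code from the thread or from MediaWiki.
// Assumption: the app sits behind a TLS-terminating proxy listed in $trustedProxies.

// Decide whether the current request arrived over HTTPS. X-Forwarded-Proto is
// only believed when the direct peer is one of our own proxies; otherwise any
// client could claim "https" and skip the redirect below.
function requestIsHttps(array $server, array $trustedProxies) {
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (in_array($peer, $trustedProxies, true)
        && isset($server['HTTP_X_FORWARDED_PROTO'])
    ) {
        return strtolower(trim($server['HTTP_X_FORWARDED_PROTO'])) === 'https';
    }
    return false;
}

// Build the Strict-Transport-Security value. Browsers ignore the header on plain
// HTTP responses, so it is only sent on HTTPS ones; the long max-age (one year
// here) is what keeps returning visitors on HTTPS, and it must be a positive
// integer number of seconds.
function hstsHeaderValue($maxAgeSeconds = 31536000, $includeSubDomains = true) {
    $maxAgeSeconds = (int) $maxAgeSeconds;
    if ($maxAgeSeconds <= 0) {
        throw new InvalidArgumentException('HSTS max-age must be positive');
    }
    $value = 'max-age=' . $maxAgeSeconds;
    if ($includeSubDomains) {
        $value .= '; includeSubDomains';
    }
    return $value;
}

// Absolute https:// URL of the same request, used for the redirect. In a real
// deployment compare $host against the configured canonical host before using
// it, since the Host header is client-controlled.
function httpsUrl(array $server) {
    $host = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : 'localhost';
    $uri  = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    return 'https://' . $host . $uri;
}

$trustedProxies = array('10.0.0.1', '10.0.0.2');   // constructed addresses

if (!requestIsHttps($_SERVER, $trustedProxies)) {
    // 301 so browsers and caches remember it. Session cookies should also be
    // set with the Secure flag so they are never sent over plain HTTP at all.
    header('Location: ' . httpsUrl($_SERVER), true, 301);
    exit;
}
header('Strict-Transport-Security: ' . hstsHeaderValue());
```

The redirect plus the header is the whole mechanism: the first visit over HTTP is bounced to HTTPS, and from then on the browser rewrites http:// links to the site itself for max-age seconds, which is why a short timeout buys little. Forward secrecy (the PFS half of step 4) is a cipher-suite choice on the TLS terminator, not something the application can set.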

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread David Gerard
On 31 July 2013 19:46, Emilio J. Rodríguez-Posada wrote: > Also, I have read that SSL is not secure either. So, bleh... PFS. http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html Also, https://en.wikipedia.org/wiki/Nirvana_fallacy - this is somewhere we c

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread David Gerard
On 31 July 2013 19:36, David Gerard wrote: > Jimmy just tweeted this: > https://twitter.com/jimmy_wales/status/362626509648834560 > I think that's the first time I've seen him say "fuck" in a public > communication ... And wow, this is the NSA slide that triggered it: https://image.guim.co.uk/

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Emilio J . Rodríguez-Posada
It was so obvious that int. agencies were doing that. It was discussed in past threads in the mailing list too. Also, I have read that SSL is not secure either. So, bleh... 2013/7/31 David Gerard > Jimmy just tweeted this: > > https://twitter.com/jimmy_wales/status/362626509648834560 > > I th

[Wikitech-l] MediaWiki Language Extension Bundle 2013.07 release

2013-07-31 Thread Amir E. Aharoni
Hallo, I would like to announce the release of MediaWiki language extension bundle 2013.07 * https://translatewiki.net/mleb/MediaWikiLanguageExtensionBundle-2013.07.tar.bz2 * sha256sum: ca381ea1bc1f10c56df28353f91a25129c604ff11938b424833925e8716e2ff3 Quick links: * Installation instructions are

Re: [Wikitech-l] How's the SSL thing going?

2013-07-31 Thread Tyler Romeo
Good question. There are two steps to this: 1) Move all logins to TLS 2) Move all logged in users to TLS The former was dependent on a bug with E:CentralAuth that was causing $wgSecureLogin to malfunction. I am not sure whether this bug was ever fixed (I remember seeing Chris submit a patch for i

Re: [Wikitech-l] (no subject)

2013-07-31 Thread Chris Steipp
On Wed, Jul 31, 2013 at 11:23 AM, Tyler Romeo wrote: > Hey all, > > Mozilla made an announcement yesterday about a new framework called Minion: > > http://blog.mozilla.org/security/2013/07/30/introducing-minion/ > https://github.com/mozilla/minion > > It's an automated security testing framework f

Re: [Wikitech-l] (no subject)

2013-07-31 Thread Ori Livneh
On Wed, Jul 31, 2013 at 11:23 AM, Tyler Romeo wrote: > Hey all, > > Mozilla made an announcement yesterday about a new framework called Minion: > > http://blog.mozilla.org/security/2013/07/30/introducing-minion/ > https://github.com/mozilla/minion > > It's an automated security testing framework

[Wikitech-l] How's the SSL thing going?

2013-07-31 Thread David Gerard
Jimmy just tweeted this: https://twitter.com/jimmy_wales/status/362626509648834560 I think that's the first time I've seen him say "fuck" in a public communication ... Anyway, I expect people will ask us how the move to all-SSL is progressing. So, how is it going? (I've been telling people it's

[Wikitech-l] (no subject)

2013-07-31 Thread Tyler Romeo
Hey all, Mozilla made an announcement yesterday about a new framework called Minion: http://blog.mozilla.org/security/2013/07/30/introducing-minion/ https://github.com/mozilla/minion It's an automated security testing framework for use in testing web applications. I'm currently looking into how

Re: [Wikitech-l] gwtoolset : architecture design help

2013-07-31 Thread Brian Wolff
> > Metadata Set Repo > - > one of the goals of the project is to store Metadata Sets, such as XML > under some type of version control. those Metadata Sets need to be > accessible so that the extension can grab the content from it and process > it. processing involves iterating ove

Re: [Wikitech-l] Is assert() allowed?

2013-07-31 Thread Tyler Romeo
On Wed, Jul 31, 2013 at 10:24 AM, Happy Melon wrote: > Yes, IMO, it should be abstracted away with a carefully-written wrapper > function that bridges the semantic gap between "I want to do some character > conversions" and "I want to make this text safe to echo to the browser", > but that's just

Re: [Wikitech-l] Is assert() allowed?

2013-07-31 Thread Happy Melon
On 31 July 2013 15:01, Tyler Romeo wrote: > On Wed, Jul 31, 2013 at 8:38 AM, Happy Melon >wrote: > > > Deliberately using a function which reduces the security of your > > application to relying on everyone choosing the correct type of quotes is > > definitely asking for trouble. > > > > I don't

Re: [Wikitech-l] Is assert() allowed?

2013-07-31 Thread Tyler Romeo
On Wed, Jul 31, 2013 at 8:38 AM, Happy Melon wrote: > Deliberately using a function which reduces the security of your > application to relying on everyone choosing the correct type of quotes is > definitely asking for trouble. > I don't see how this is an issue. htmlspecialchars() can cause an X

Re: [Wikitech-l] Is assert() allowed?

2013-07-31 Thread Happy Melon
$_GET["foo"] = 'include( "evil_file.php" )';
assert( '$_GET["foo"] == "fluffy bunny rabbit"' ); // This is fine
assert( "{$_GET['foo']} == 'fluffy bunny rabbit'" ); // But this is not

Deliberately using a function which reduces the security of your application to relying on everyone choosing the cor
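The two forms above differ only in quoting, which is the whole problem. The following added example (not code from the thread or from MediaWiki) makes both of this thread's points concrete for the PHP 5.x assert() being discussed: a string argument is compiled and evaluated as PHP code, so a double-quoted string hands request data to the compiler, and a failing assertion is silently ignored unless assert.bail or a callback is configured. It assumes PHP 5.4.8 or later (for the description argument) and before 8.0; the names `AssertionFailed`, `$_GET['foo']` and `$GLOBALS['injected']` and the request value are this example's own, constructed inputs. In PHP 7.2+ the string form is deprecated, and in PHP 8 a string argument is just a truthy value and nothing is evaluated.

```php
<?php
// Added example, not code from the thread or from MediaWiki.
// Assumes PHP >= 5.4.8 and < 8.0, where assert() compiles a string argument
// as "return (<string>);" and evaluates it.

class AssertionFailed extends RuntimeException {}

// Route every failed assertion to an exception so it cannot be missed,
// whatever assert.bail is set to (it is 0 by default).
assert_options(ASSERT_ACTIVE, 1);
assert_options(ASSERT_WARNING, 0);
assert_options(ASSERT_CALLBACK, function ($file, $line, $code, $desc = null) {
    throw new AssertionFailed(
        sprintf('Assertion failed at %s:%d: %s', $file, $line, $desc ?: $code)
    );
});

// Constructed request parameter standing in for attacker input. It is an
// expression with a side effect rather than a statement, because the string
// is evaluated inside a "return (...)".
$_GET['foo'] = '($GLOBALS["injected"] = true)';
$GLOBALS['injected'] = false;

// 1. Double-quoted string: the parameter is interpolated into the source text
//    before assert() compiles it, so the code that runs is
//        return ($GLOBALS["injected"] = true) == 'fluffy bunny rabbit';
//    The attacker's expression executes, and the comparison is true
//    (true == non-empty string), so the assertion passes without a trace.
assert("{$_GET['foo']} == 'fluffy bunny rabbit'");
var_dump($GLOBALS['injected']);   // bool(true): the injected code ran and nothing fired

// 2. Single-quoted string: no interpolation, so the compiled code reads
//    $_GET['foo'] at run time as data. Still an eval(), still paid for on every
//    call, and one wrong choice of quotes turns it back into case 1.
$GLOBALS['injected'] = false;
try {
    assert('$_GET["foo"] == "fluffy bunny rabbit"');
} catch (AssertionFailed $e) {
    echo $e->getMessage(), "\n";   // comparison is false, the callback throws
}
var_dump($GLOBALS['injected']);   // bool(false)

// 3. Boolean expression plus a description: nothing is compiled from a
//    string, so request data can never become code, and the message says what
//    was expected instead of echoing the expression.
try {
    assert($_GET['foo'] === 'fluffy bunny rabbit', 'foo must be the bunny');
} catch (AssertionFailed $e) {
    echo $e->getMessage(), "\n";
}
```

Case 1 is the dangerous one precisely because it does not fail: the assertion reports success while the injected expression has already run. Cases 2 and 3 both fail loudly through the callback, which is the behaviour Daniel and Tim are asking for, and only case 3 is free of string evaluation.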

Re: [Wikitech-l] Is assert() allowed?

2013-07-31 Thread Tyler Romeo
On Wed, Jul 31, 2013 at 7:42 AM, Tim Starling wrote: > Indeed. In C, assert() will abort the program if it is enabled, which > is hard to miss. It is not comparable to the PHP assert() function. ...except PHP's assert() *also* aborts the program if enabled. What am I missing here? > The reason

Re: [Wikitech-l] [Xmldatadumps-l] Suggested file format of new incremental dumps

2013-07-31 Thread Petr Onderka
> > For storing updateable indexes, Berkeley DB 4-5, GDBM, and higher-level > options like SQLite are widely used. > LevelDB is > pretty cool too. > I think that with the amount of data we're dealing with, it makes sense to have the file format under tight cont

[Wikitech-l] First preview version of incremental dumps

2013-07-31 Thread Petr Onderka
Hi, after a month of work on my GSoC project Incremental Dumps [1], I think I have now something worth sharing and talking about, though it's still far from complete. What the code can do now is to read a pages-history XML dump and create the various kinds of dumps (pages/stub, current/history) i

Re: [Wikitech-l] Is assert() allowed?

2013-07-31 Thread Tim Starling
On 31/07/13 18:36, Daniel Kinzler wrote: > Assertions are things that should *always* be true. > In my mind, assertions should just throw an (usually unhandled) > exception, like Java's AssertionError. Indeed. In C, assert() will abort the program if it is enabled, which is hard to miss. It is no

Re: [Wikitech-l] Is assert() allowed?

2013-07-31 Thread Christian Aistleitner
Hi, On Wed, Jul 31, 2013 at 10:36:56AM +0200, Daniel Kinzler wrote: > * Use boolean expressions in assertions, not strings. I do not agree that this is best practice in PHP. Execution time being only part of argument here. Among other arguments are readability of the error message. When using st

Re: [Wikitech-l] Is assert() allowed?

2013-07-31 Thread Christian Aistleitner
Hi Tyler, good to see that since the last discussion of this topic, more people are in favor of allowing asserts :-) On Tue, Jul 30, 2013 at 06:45:37PM -0400, Tyler Romeo wrote: > I think the real issue here is just that assertions sometimes aren't used > correctly. I wholeheartedly agree. Best

Re: [Wikitech-l] Is assert() allowed?

2013-07-31 Thread Daniel Kinzler
My take on assertions, which I also tried to stick to in Wikibase, is as follows: * A failing assertion indicates a "local" error in the code or a bug in PHP; They should not be used to check preconditions or validate input. That's what InvalidArgumentException is for (and I wish type hints wo