Re: [Wikitech-l] secure.wikimedia.org is no more
On 16/11/12 22:04, Brion Vibber wrote: Awesome! Another old hack swept away. :D Do we have a timetable for migrating all login sessions to HTTPS yet? I love that we've got a clean HTTPS option available, but it really skeezes me out that we still allow logins and passwords over plain HTTP. We have self-signed certificates, too... (bug 27291). ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] secure.wikimedia.org is no more
Le 16/11/12 22:04, Brion Vibber a écrit : snip Do we have a timetable for migrating all login sessions to HTTPS yet? I love that we've got a clean HTTPS option available, but it really skeezes me out that we still allow logins and passwords over plain HTTP. -- brion I guess it is all about enabling $wgSecureLogin [1] which would force the login form to use HTTPS for its POST. I speedy hacked it two years ago and Chris Steipp has fixed it a few weeks ago. Maybe we could enable it on test first and see how it goes? [1] http://www.mediawiki.org/wiki/Manual:$wgSecureLogin -- Antoine hashar Musso ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] secure.wikimedia.org is no more
wgSecureLogin works. I patched the broken version of it not too long ago. Now I'm just waiting on my patch in Gerrit to turn on wgSecureLogin on WMF wikis. On Nov 17, 2012 1:03 PM, Antoine Musso hashar+...@free.fr wrote: Le 16/11/12 22:04, Brion Vibber a écrit : snip Do we have a timetable for migrating all login sessions to HTTPS yet? I love that we've got a clean HTTPS option available, but it really skeezes me out that we still allow logins and passwords over plain HTTP. -- brion I guess it is all about enabling $wgSecureLogin [1] which would force the login form to use HTTPS for its POST. I speedy hacked it two years ago and Chris Steipp has fixed it a few weeks ago. Maybe we could enable it on test first and see how it goes? [1] http://www.mediawiki.org/wiki/Manual:$wgSecureLogin -- Antoine hashar Musso ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] secure.wikimedia.org is no more
There is one more bug I'd like to fix before turning wgSecurelogin on.. I'm going to get it into wmf5, and then we can turn it on. On Nov 17, 2012 10:03 AM, Antoine Musso hashar+...@free.fr wrote: Le 16/11/12 22:04, Brion Vibber a écrit : snip Do we have a timetable for migrating all login sessions to HTTPS yet? I love that we've got a clean HTTPS option available, but it really skeezes me out that we still allow logins and passwords over plain HTTP. -- brion I guess it is all about enabling $wgSecureLogin [1] which would force the login form to use HTTPS for its POST. I speedy hacked it two years ago and Chris Steipp has fixed it a few weeks ago. Maybe we could enable it on test first and see how it goes? [1] http://www.mediawiki.org/wiki/Manual:$wgSecureLogin -- Antoine hashar Musso ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] secure.wikimedia.org is no more
Which bug is that? If there's not a patch I'll work on it ASAP. ;) *--* *Tyler Romeo* Stevens Institute of Technology, Class of 2015 Major in Computer Science www.whizkidztech.com | tylerro...@gmail.com On Sat, Nov 17, 2012 at 2:57 PM, Chris Steipp cste...@wikimedia.org wrote: There is one more bug I'd like to fix before turning wgSecurelogin on.. I'm going to get it into wmf5, and then we can turn it on. On Nov 17, 2012 10:03 AM, Antoine Musso hashar+...@free.fr wrote: Le 16/11/12 22:04, Brion Vibber a écrit : snip Do we have a timetable for migrating all login sessions to HTTPS yet? I love that we've got a clean HTTPS option available, but it really skeezes me out that we still allow logins and passwords over plain HTTP. -- brion I guess it is all about enabling $wgSecureLogin [1] which would force the login form to use HTTPS for its POST. I speedy hacked it two years ago and Chris Steipp has fixed it a few weeks ago. Maybe we could enable it on test first and see how it goes? [1] http://www.mediawiki.org/wiki/Manual:$wgSecureLogin -- Antoine hashar Musso ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] secure.wikimedia.org is no more
On Sat, Nov 17, 2012 at 9:32 AM, Platonides platoni...@gmail.com wrote: On 16/11/12 22:04, Brion Vibber wrote: Awesome! Another old hack swept away. :D Do we have a timetable for migrating all login sessions to HTTPS yet? I love that we've got a clean HTTPS option available, but it really skeezes me out that we still allow logins and passwords over plain HTTP. We have self-signed certificates, too... (bug 27291). Correction: a self-signed certificate on a portion of our infrastructure we don't want as part of the cluster, where we don't trust our star certificates to live, and where we plan on completely changing how this works, possibly with a different hostname. All of this is mentioned in the bug and none of it has changed. That bug has nothing to do with this discussion. - Ryan ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] secure.wikimedia.org is no more
On Wed, Nov 14, 2012 at 8:25 AM, Faidon Liambotis fai...@wikimedia.orgwrote: Following last year's Native HTTPS efforts¹, I've pushed a change² today that redirects all the old secure.wikimedia.org URLs to the respective native HTTPS ones, e.g. https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to https://en.wikipedia.org/wiki/Main_Page Awesome! Another old hack swept away. :D Do we have a timetable for migrating all login sessions to HTTPS yet? I love that we've got a clean HTTPS option available, but it really skeezes me out that we still allow logins and passwords over plain HTTP. -- brion ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] secure.wikimedia.org is no more
On 11/14/12 5:56 PM, MZMcBride wrote: Faidon Liambotis wrote: Following last year's Native HTTPS efforts¹, I've pushed a change² today that redirects all the old secure.wikimedia.org URLs to the respective native HTTPS ones, e.g. https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to https://en.wikipedia.org/wiki/Main_Page This is great. Thank you for your work on this. :-) Cool. Tested and works fine with HTTPS Everywhere. And thanks for all the helpful https work in the past few years! ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
[Wikitech-l] secure.wikimedia.org is no more
Hi, Following last year's Native HTTPS efforts¹, I've pushed a change² today that redirects all the old secure.wikimedia.org URLs to the respective native HTTPS ones, e.g. https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to https://en.wikipedia.org/wiki/Main_Page The redirects are HTTP temporary redirects (302) for now. I'll soon switch them to permanent (301), please do let me know if you see any breakage in the meantime. Regards, Faidon ¹: http://blog.wikimedia.org/2011/10/03/native-https-support-enabled-for-all-wikimedia-foundation-wikis/ ²: https://gerrit.wikimedia.org/r/#/c/13429/ ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] secure.wikimedia.org is no more
Following last year's Native HTTPS efforts¹, I've pushed a change² today that redirects all the old secure.wikimedia.org URLs to the respective native HTTPS ones, e.g. https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to https://en.wikipedia.org/wiki/Main_Page Does anyone know if EFF's HTTPS Everywhere extension is set up to redirect to secure.wikimedia.org? If so, someone might want to let them know that we've made this change. I'll volunteer to do so if no one else wishes to. The redirects are HTTP temporary redirects (302) for now. I'll soon switch them to permanent (301), please do let me know if you see any breakage in the meantime. ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] secure.wikimedia.org is no more
On Wed, Nov 14, 2012 at 10:48 AM, Derric Atzrott datzr...@alizeepathology.com wrote: Following last year's Native HTTPS efforts¹, I've pushed a change² today that redirects all the old secure.wikimedia.org URLs to the respective native HTTPS ones, e.g. https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to https://en.wikipedia.org/wiki/Main_Page Does anyone know if EFF's HTTPS Everywhere extension is set up to redirect to secure.wikimedia.org? If so, someone might want to let them know that we've made this change. I'll volunteer to do so if no one else wishes to. HTTPS Everywhere should've been updated some time ago to use the native https urls. -Chad ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] secure.wikimedia.org is no more
On Wed, Nov 14, 2012 at 01:48:27PM -0500, Derric Atzrott wrote: Following last year's Native HTTPS efforts¹, I've pushed a change² today that redirects all the old secure.wikimedia.org URLs to the respective native HTTPS ones, e.g. https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to https://en.wikipedia.org/wiki/Main_Page Does anyone know if EFF's HTTPS Everywhere extension is set up to redirect to secure.wikimedia.org? If so, someone might want to let them know that we've made this change. I'll volunteer to do so if no one else wishes to. HTTPS Everywhere is currently set up to redirect using the native HTTPS support (http://en.wp - https://en.wp); it used to support redirects to secure.wikimedia.org, but Roan Kattouw and Sam Reed updated it quite a while ago. secure.wm.org never supported HTTP and secure.wm.org HTTPS gets redirected by our redirects without any privacy loss, so there's nothing to add to HTTPS Everywhere that I can see. Thanks for the offer though. Regards, Faidon PS. Fun fact: HTTPS Everywhere's git master already has rules for Wikidata Wikivoyage, thanks to the always awesome Reedy. ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] secure.wikimedia.org is no more
Faidon Liambotis wrote: Following last year's Native HTTPS efforts¹, I've pushed a change² today that redirects all the old secure.wikimedia.org URLs to the respective native HTTPS ones, e.g. https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to https://en.wikipedia.org/wiki/Main_Page This is great. Thank you for your work on this. :-) MZMcBride ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
