Antoine Musso hashar+...@free.fr wrote:
(ensuring the NSA never gets your private keys)
Which they might already have =)
Or they might get anytime. If I understand it correctly,
the NSA didn't steal the root passwords for Google, Facebook
and the like, but properly served subpoenas. They
On 31/07/13 23:59, George Herbert wrote:
(ensuring the NSA never gets your private keys)
Which they might already have =)
--
Antoine hashar Musso
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
On 01/08/13 06:52, Jeremy Baron wrote:
We (society, standards making bodies, etc.) need to do more to reform
the current SSL mafia system. (i.e. it should be easier for a vendor
to remove a CA from a root store and we shouldn't have a situation
where many dozens of orgs all have the ability
On Thu, Aug 1, 2013 at 9:04 AM, Antoine Musso hashar+...@free.fr wrote:
On 01/08/13 06:52, Jeremy Baron wrote:
We (society, standards making bodies, etc.) need to do more to reform
the current SSL mafia system. (i.e. it should be easier for a vendor
to remove a CA from a root store and we
On Thu, Aug 1, 2013 at 12:52 AM, Jeremy Baron jer...@tuxmachine.com wrote:
On Thu, Aug 1, 2013 at 4:28 AM, Anthony wikim...@inbox.org wrote:
Does rapid key rotation in any way make a MITM attack less detectable?
Presumably the NSA would have no problem getting a fraudulent certificate
Jimmy just tweeted this:
https://twitter.com/jimmy_wales/status/362626509648834560
I think that's the first time I've seen him say fuck in a public
communication ...
Anyway, I expect people will ask us how the move to all-SSL is
progressing. So, how is it going?
(I've been telling people it's
Good question.
There are two steps to this:
1) Move all logins to TLS
2) Move all logged in users to TLS
The former was dependent on a bug with E:CentralAuth that was causing
$wgSecureLogin to malfunction. I am not sure whether this bug was ever
fixed (I remember seeing Chris submit a patch for
It was so obvious that int. agencies were doing that. It was discussed in
past threads in the mailing list too.
Also, I have read that SSL is not secure either. So, bleh...
2013/7/31 David Gerard dger...@gmail.com
Jimmy just tweeted this:
On 31 July 2013 19:36, David Gerard dger...@gmail.com wrote:
Jimmy just tweeted this:
https://twitter.com/jimmy_wales/status/362626509648834560
I think that's the first time I've seen him say fuck in a public
communication ...
And wow, this is the NSA slide that triggered it:
On 31 July 2013 19:46, Emilio J. Rodríguez-Posada emi...@gmail.com wrote:
Also, I have read that SSL is not secure either. So, bleh...
PFS.
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html
Also, https://en.wikipedia.org/wiki/Nirvana_fallacy - this
On Wed, Jul 31, 2013 at 11:40 AM, Tyler Romeo tylerro...@gmail.com wrote:
Good question.
There are two steps to this:
1) Move all logins to TLS
2) Move all logged in users to TLS
3) Serve all traffic via HTTPS
4) With PFS and long HSTS timeouts
The former was dependent on a bug with
Which kind of ignores the issue that encrypting with ssl doesn't do a
lot against traffic analysis, when it's publicly known how big the
pages you're downloading are, and how many images/other assets they
have on them. NSA certainly has the resources to do this if they want.
If you can do this
On Wed, Jul 31, 2013 at 2:50 PM, Chris Steipp cste...@wikimedia.org wrote:
3) Serve all traffic via HTTPS
4) With PFS and long HSTS timeouts
Indeed. I need to be more optimistic. :)
The bug has been fixed as part of the new SUL code. Yay!
Nice!
*-- *
*Tyler Romeo*
Stevens Institute of
On Wed, Jul 31, 2013 at 11:55 AM, Brian Wolff bawo...@gmail.com wrote:
Which kind of ignores the issue that encrypting with ssl doesn't do a
lot against traffic analysis, when it's publicly known how big the
pages you're downloading are, and how many images/other assets they
have on them. NSA
On Jul 31, 2013, at 3:01 PM, James Alexander jalexan...@wikimedia.org wrote:
Time to start adding a random amount of extra packets with each request? :)
This is what freenet does, but I think supporting SPDY/HTTP 2.0 [1] will help
in this regard as well, as it essentially pipelines requests
Time to start adding a random amount of extra packets with each request? :)
We would need to be very careful to not cause detectable entropy changes
which is not trivial!
Perhaps we promote the deployment of SPDY/QUIC which interleaves requests?
~Matt Walker
Wikimedia Foundation
Fundraising
Like dgerald said, let's not let the perfect distract us from the
better. It will be impossible to 100% secure our visitors' traffic
against an adversary with as many resources as the NSA. But we can
secure our users against adversaries with fewer resources, and we can
increase the cost of a
There was the lofty notion of including all images, CSS/JS/whatnot as CDATA
elements in the page itself, for browsers that support it. That would get
around the one issue, but still allow size-based fingerprinting, especially
since most users will follow links within the site, so the search space
Just one question from a relatively non-technical person: What falls off
the map if everything is done using SSL? Is this the protocol that would
make it essentially impossible to read/edit Wikipedia using a normal
internet connection from China?
Risker
On 31 July 2013 15:12, Magnus Manske
On Jul 31, 2013, at 3:12 PM, Magnus Manske magnusman...@googlemail.com wrote:
There was the lofty notion of including all images, CSS/JS/whatnot as CDATA
elements in the page itself, for browsers that support it. That would get
around the one issue, but still allow size-based fingerprinting,
On 31 July 2013 19:48, David Gerard dger...@gmail.com wrote:
PFS.
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html
Keeping in mind that PFS is not actually perfect either:
http://tonyarcieri.com/imperfect-forward-secrecy-the-coming-cryptocalypse
-
Oh - if anyone can authoritatively compose a WMF blog post on the
state of the move to SSL (the move to logins and what happened there,
the NSA slide, ongoing issues like browsers in China, etc), that would
probably be a useful thing :-)
- d.
On Wed, Jul 31, 2013 at 1:06 PM, David Gerard dger...@gmail.com wrote:
Oh - if anyone can authoritatively compose a WMF blog post on the
state of the move to SSL (the move to logins and what happened there,
the NSA slide, ongoing issues like browsers in China, etc), that would
probably be a
Oh - if anyone can authoritatively compose a WMF blog post on the
state of the move to SSL (the move to logins and what happened there,
the NSA slide, ongoing issues like browsers in China, etc), that would
probably be a useful thing :-)
I'll be posting blog posts each step of the way as we move
On 07/31/2013 03:23 PM, Risker wrote:
Just one question from a relatively non-technical person: What falls off
the map if everything is done using SSL? Is this the protocol that would
make it essentially impossible to read/edit Wikipedia using a normal
internet connection from China?
Risker
Like I've said before, the NSA spying on what users are reading is still
the least of our concerns. We should focus on making sure passwords aren't
sent over plaintext before attempting to evade a government-run
international spy network.
*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class
Can we enable full security mode (as an optional feature) geographically
based on the most concerned governments, if the whole thing isn't going
fast due to lack of resources?
On Wed, Jul 31, 2013 at 11:35 PM, Tyler Romeo tylerro...@gmail.com wrote:
Like I've said before, the NSA spying on
On Wed, Jul 31, 2013 at 1:39 PM, Paul Selitskas p.selits...@gmail.com wrote:
Can we enable full security mode (as an optional feature) geographically
based on the most concerned governments, if the whole thing isn't going
fast due to lack of resources?
No. That's in fact much, much harder.
Yes, that is exactly what I do. But Google, for instance, redirects me to
HTTP, and if I've logged via HTTPS recently, I would have to log in once
again via HTTP. It's very frustrating. Are there public statistics on HTTPS
v. HTTP processed requests share for Wikimedia? Rough numbers?
For
@Paul - Some links that might interest you.
On Wed, Jul 31, 2013 at 4:56 PM, Paul Selitskas p.selits...@gmail.com wrote:
But Google, for instance, redirects me to
HTTP
https://bugzilla.wikimedia.org/show_bug.cgi?id=51002
For inexperienced users yet concerned about privacy, there should be an
On Wed, Jul 31, 2013 at 8:56 PM, Paul Selitskas p.selits...@gmail.com wrote:
Yes, that is exactly what I do. But Google, for instance, redirects me to
HTTP, and if I've logged via HTTPS recently, I would have to log in once
again via HTTP. It's very frustrating.
I think you've misinterpreted.
On 07/31/2013 04:35 PM, Tyler Romeo wrote:
Like I've said before, the NSA spying on what users are reading is still
the least of our concerns. We should focus on making sure passwords aren't
sent over plaintext before attempting to evade a government-run
international spy network.
I'm not
On Wed, Jul 31, 2013 at 5:29 PM, Matthew Flaschen mflasc...@wikimedia.org wrote:
I'm not sure what that has to do with the message you replied to. I
completely support rolling out HTTPS where possible (I'm using HTTPS
Everywhere already).
Sorry I might have highlighted the wrong message
On Wednesday, July 31, 2013, Ryan Lane wrote:
On Wed, Jul 31, 2013 at 1:06 PM, David Gerard dger...@gmail.com wrote:
Oh - if anyone can authoritatively compose a WMF blog post on the
state of the move to SSL (the move to logins and what
It would be useful to focus on the short term problem and solution; the coming
quantum computer factoring factory issue which will render large-prime crypto
less useful is still on the horizon.
The big threat is lack of basic HTTPS everywhere. The second is site key
security (ensuring the NSA
Also, on a side note, Facebook *just* made HTTPS the default:
https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920
*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com
On Wed, Jul 31, 2013 at 5:22 PM, Tyler Romeo tylerro...@gmail.com wrote:
Also, on a side note, Facebook *just* made HTTPS the default:
https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920
As an FYI - facebook, a site where every person is logged in
On Wed, Jul 31, 2013 at 5:59 PM, George Herbert george.herb...@gmail.com wrote:
The second is site key security (ensuring the NSA never gets your private
keys).
Who theoretically has access to the private keys (and/or the signing key)
right now?
The third is perfect forward security with
On Wed, Jul 31, 2013 at 9:28 PM, Anthony wikim...@inbox.org wrote:
On Wed, Jul 31, 2013 at 5:59 PM, George Herbert george.herb...@gmail.com
wrote:
The second is site key security (ensuring the NSA never gets your private
keys).
Who theoretically has access to the private keys (and/or
On Thu, Aug 1, 2013 at 4:28 AM, Anthony wikim...@inbox.org wrote:
On Wed, Jul 31, 2013 at 5:59 PM, George Herbert george.herb...@gmail.com wrote:
The second is site key security (ensuring the NSA never gets your private
keys).
Who theoretically has access to the private keys (and/or the