https://bugzilla.wikimedia.org/show_bug.cgi?id=16822

           Summary: Provide SSL/HTTPS interface to upload.wikimedia.org and
                    use it for SSL-served pages
           Product: Wikimedia
           Version: unspecified
          Platform: All
               URL: https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: Normal
         Component: General/Unknown
        AssignedTo: [email protected]
        ReportedBy: [email protected]


Currently we pull images (and CentralNotice JS) from
http://upload.wikimedia.org even for pages accessed over SSL on
https://secure.wikimedia.org/

This has a few problems:

1) An attacker on an open network or MITM can see which images you're loading.
Creepy!

2) A MITM attacker could replace your images with something malicious/nasty
(moderately annoying)

3) A MITM attacker could replace JS files with something malicious (JavaScript
injection -> could take over your session)

We didn't pay too much attention to the image issues originally since existing
browsers don't seem to care much about images being loaded from an insecure
URL; but Firefox 3.1b2 now complains about this and considers your page to be
"mixed" secure/insecure, throwing up a dialog box (at least the first time) and
giving you a broken lock icon which indicates an insecure page view, which is
worrying.

Ideally we could provide an HTTPS proxy on https://upload.wikimedia.org for
maximum convenience; alternately a proxy via
https://secure.wikimedia.org/upload or such might be easier to set up in the
short term.

The CentralNotice JS issue, which affects existing browsers and is more
worrying, could be dealt with by providing an alternate location to access the
files or a temporary proxy, or via direct hits to Special:NoticeText.
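The two sides of this report, the mixed-content exposure and the proposed HTTPS rewrite, as an added example that is not part of the bug report or of MediaWiki's own code. It scans an HTTPS-served page for subresources fetched over plain http://, rates script references as the serious case (they run in the page's origin) and images as the lesser one, and rewrites upload.wikimedia.org URLs to an HTTPS proxy. The proxy base https://secure.wikimedia.org/upload is taken from the report's suggestion and is an assumption, not a real endpoint; the sample page and its file paths are constructed for the example.

```python
"""Mixed-content audit for an HTTPS-served HTML page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attributes that trigger a fetch, per tag.  Constructed mapping covering the
# element types the report cares about (script, img) plus frames.
FETCH_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
}

# Severity follows the report's reasoning: active content (script, frame) can
# execute in the page's origin and take over the session; passive content (img)
# can only be observed by a network attacker or swapped for another image.
SEVERITY = {"script": "high", "iframe": "high", "img": "low"}


class MixedContentScanner(HTMLParser):
    """Collects every subresource URL whose scheme is plain http."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (tag, attr, url, severity)

    def handle_starttag(self, tag, attrs):
        for attr in FETCH_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == attr and value and urlsplit(value).scheme == "http":
                    self.findings.append((tag, attr, value, SEVERITY[tag]))


def find_mixed_content(html, page_is_https=True):
    """Return insecure subresources found on an HTTPS page.

    Relative and protocol-relative URLs inherit the page's scheme and are
    not reported.  A page served over plain HTTP has no mixed content.
    """
    if not page_is_https:
        return []
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


def to_https_proxy(url, proxy_base="https://secure.wikimedia.org/upload"):
    """Rewrite http://upload.wikimedia.org/<path> to the HTTPS proxy.

    proxy_base is an assumed location matching the report's suggestion.
    URLs on other hosts are returned unchanged so the caller can decide.
    """
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.netloc == "upload.wikimedia.org":
        base = urlsplit(proxy_base)
        path = base.path.rstrip("/") + parts.path
        return urlunsplit((base.scheme, base.netloc, path, parts.query, parts.fragment))
    return url


def audit_report(html):
    """Findings sorted most serious first, each with its proposed rewrite."""
    order = {"high": 0, "low": 1}
    rows = []
    for tag, attr, url, sev in sorted(find_mixed_content(html), key=lambda f: order[f[3]]):
        rows.append({"tag": tag, "url": url, "severity": sev, "fixed": to_https_proxy(url)})
    return rows


# Constructed sample of an HTTPS page that pulls a notice script and an image
# over plain HTTP; the paths are invented for illustration.
SAMPLE_PAGE = """
<html><head>
<script src="http://upload.wikimedia.org/centralnotice/wikipedia/en/notice.js"></script>
<script src="https://secure.wikimedia.org/skins/common/wikibits.js"></script>
</head><body>
<img src="http://upload.wikimedia.org/wikipedia/en/thumb/Example.png/220px-Example.png">
<img src="/images/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for row in audit_report(SAMPLE_PAGE):
        print(f"[{row['severity']}] <{row['tag']}> {row['url']} -> {row['fixed']}")
```

Running the block on the sample reports the notice script as high severity and the thumbnail as low, each with its rewritten HTTPS URL; the HTTPS script and the relative image are not flagged. The same scan, applied to rendered page output before it is served, is a cheap regression check once the proxy exists.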


_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l