https://bugzilla.wikimedia.org/show_bug.cgi?id=24239
Summary: SSL interface to Wikipedia not secure!
Product: Wikimedia
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: Normal
Component: Site requests
AssignedTo: [email protected]
ReportedBy: [email protected]
Greetings.
The HTTPS interface at
[https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page] is not fulfilling
its purpose.
Content of Wikipedia is free to the general public, and is obviously not the
reason for the encryption. The reason is, of course, user privacy. A Wikipedia
user is (or should be) protected against any possible eavesdroppers who might
be trying to find out what pages he is looking at. Reasons may range from
personal to political, but the secure access is obviously a necessity -
otherwise it wouldn't be an option.
Therefore, I need to point out that accessing images in articles is bypassing
the secure server. In other words, if the user's browser(s) are not manually
set up so as to not request these images, an eavesdropper listening to his
requests would know exactly which ones those are. It is then only a matter of
cross-matching the "File links" info from the images' description pages to find
out which article the user has been viewing.
For the sake of those who really need this feature, I marked it "critical".
To solve this, the image references should be rewritten - for example, a
header-modifying PHP script on an HTTPS server could be used. Also, none of the
internal links should lead to non-secure pages (e.g. image description pages are
still delivered via an ordinary HTTP server - clicking to enlarge can also leak
info). If this is not feasible for some reason (increase in traffic over
HTTP?), images should then be delivered only on request, and they should be
disabled by default. I urge the developers to keep an extra eye on other things
that may leak information (such as AJAX).
Thanks for hearing me out.
--Luka Marčetić
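The leak the report describes is a mixed-content problem: a page served over HTTPS embeds sub-resources (images) and navigation links that point at plain http:// URLs, so an eavesdropper sees those URLs in the clear and can cross-reference them back to the article. The following added example, which is not from the bug report or from Wikimedia's own code, shows the two defensive steps the reporter proposes: an auditor that finds http:// fetches and links in an HTML page, and a rewriter that turns them into https:// references for a known set of hosts. The host names and the sample page are constructed for the example.

```python
"""Mixed-content audit and rewrite for an HTTPS-served HTML page.

Added example; the hosts and the sample page below are constructed and are
not taken from the original bug report.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a sub-resource automatically.
# An http:// URL here is sent in the clear even though the page is HTTPS.
FETCH_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src",),
}
# Navigation links; an http:// link leaks the target URL when clicked
# (the "click to enlarge" case in the report).
NAV_ATTRS = {"a": ("href",)}


class MixedContentAuditor(HTMLParser):
    """Collect (kind, tag, url) for every attribute holding an http:// URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for kind, table in (("fetch", FETCH_ATTRS), ("link", NAV_ATTRS)):
            for attr in table.get(tag, ()):
                url = attr_map.get(attr)
                # Relative and protocol-relative URLs ("//host/x") inherit the
                # page's scheme and are not flagged; only explicit http:// is.
                if url and urlsplit(url).scheme == "http":
                    self.findings.append((kind, tag, url))


def audit(html):
    """Return a list of (kind, tag, url) for insecure references in html."""
    auditor = MixedContentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def rewrite_https(html, hosts):
    """Rewrite http:// src/href references to the given hosts as https://.

    Only hosts known to serve the same content over TLS are rewritten;
    a blind scheme swap for arbitrary hosts would produce broken images.
    """
    host_alt = "|".join(re.escape(h) for h in hosts)
    pattern = r'''((?:src|href)=["'])http://((?:%s)/)''' % host_alt
    return re.sub(pattern, r"\1https://\2", html)


# Constructed sample page: an article with a thumbnail, a link to the image
# description page, a relative image and one already-secure script.
SAMPLE_PAGE = """<html><body>
<p>Example article body.</p>
<img src="http://images.example.org/thumb/Tower.jpg" alt="tower">
<a href="http://en.example.org/wiki/File:Tower.jpg"><img src="http://images.example.org/Tower.jpg"></a>
<img src="/static/logo.png">
<script src="https://en.example.org/load.js"></script>
</body></html>"""

SECURE_HOSTS = ["images.example.org", "en.example.org"]

if __name__ == "__main__":
    for kind, tag, url in audit(SAMPLE_PAGE):
        print("%-5s <%s> %s" % (kind, tag, url))
    fixed = rewrite_https(SAMPLE_PAGE, SECURE_HOSTS)
    print("remaining after rewrite:", len(audit(fixed)))
```

Run against the sample, the auditor reports two image fetches and one link to the description page over http://; after the rewrite for the two known hosts it reports nothing. The rewrite deliberately takes an allow-list of hosts rather than swapping every scheme, since a host with no TLS endpoint would simply stop serving the image.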