On Mon, Jul 6, 2009 at 9:47 PM, Remember the dot <[email protected]> wrote:
> Theoretically, a man-in-the-middle attack could allow a malicious
> person to hijack your session cookies and take over your account.

. . . but even if it mattered a little (like if you had an admin account), nobody would bother. If you're going to go to the trouble of setting up a malicious wireless access point or something, you're probably going to be doing something profitable like spoofing Amazon and stealing credit card numbers. It would be pretty stupid to take that much risk and then blow your cover to mess with someone's Wikipedia account.

But really -- have there been *any* confirmed incidents of MITMing an Internet connection in, say, the past decade? Real malicious attacks in the wild, not proof-of-concepts or white-hat experimentation? I'd imagine so, but for all people emphasize SSL, I can't think of any specific case I've heard of, ever. It's not something normal people need to worry much about, least of all for Wikipedia.

(Not to mention, of course, that even with HTTP over SSL you're using DNS unencrypted. Depending on how you access the site, it might be possible for the attacker to simply stay on HTTP instead of switching to HTTPS. The only indication you'd get is if you happen to notice your URL bar is the normal color -- which you'd probably ignore as a fluke misconfiguration, if you did notice.)

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
