I personally find one of the suggestions in the report worrying: "Eliminate custom CSS/JavaScript. iSEC found multiple issues with the custom JavaScript system. This system appears to pose significant risk for relatively small benefit. As such, iSEC recommends that Wikimedia Foundation deprecate this functionality and allow users instead to customize their experience on the client side using browser extensions such as Greasemonkey or Tampermonkey."
This is related to one of the problems identified by the team: "Users can inspect each other's personal JavaScript". While the custom JS is used by a relatively small number of users, the ability to learn from and copy another user's scripts has played an important part in the development (and maintenance) of scripts that are now considered essential by many Wikimedians (Twinkle and wikEd come to mind). Furthermore, replacing those scripts with Greasemonkey scripts would lead to a "black market" of Wiki-scripts shared through channels external to our sites. Those scripts would be even more prone to social engineering attacks and could endanger our users' security.

I would like to know if the WMF is indeed considering completely dropping the custom JS feature and, if so, what the timeline for this change is.

Thanks,
Strainu

2015-04-21 4:41 GMT+03:00 Pine W <[email protected]>:
> Thanks for your work on this, Chris.
>
> Forwarding to Wikitech-l.
>
> Pine
> On Apr 20, 2015 4:58 PM, "Chris Steipp" <[email protected]> wrote:
>
>>
>> On Apr 20, 2015 4:13 PM, "Andrew Sherman" <[email protected]> wrote:
>> >
>> > Hello Everyone,
>> >
>> > We just published "Improving the security of our users on Wikimedia sites" to the blog. URL:
>> >
>> > https://blog.wikimedia.org/2015/04/20/improving-security-for-our-users/
>> >
>> > Thanks to Chris for writing and helping us edit this post.
>> >
>> > Below are some proposed social media messages. Tweak as needed.
>> >
>> > Twitter
>> >
>> > We teamed up with @iSECPartners and @OpenTechFund to assess the security of our sites. Check out the report here [link]
>> >
>> > FB/G+
>> >
>> > We teamed up with iSEC Partners to assess the security of our sites and protect the privacy of our users. Their engineers developed attacks against the current version of MediaWiki to identify security flaws, in a new report sponsored by the Open Technology Fund. [link]
>>
>> Maybe just "MediaWiki" instead of "the current version of MediaWiki", since we did a release to specifically fix issues that they found. Might confuse some people as is.
>>
>> >
>> > Thanks,
>> > --
>> > Andrew Sherman
>> > Digital Communications | Wikimedia Foundation
>> >
>> > E: [email protected]
>> > WMF: ASherman (WMF)
>>
>> _______________________________________________
>> Social-media mailing list
>> [email protected]
>> https://lists.wikimedia.org/mailman/listinfo/social-media
>>
>>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
