Foundation office switches to closed source, secure browsing, brief news

Concerns were raised on the Foundation-l mailing list this week by several Wikipedians when it became known that the Office IT team of the Wikimedia Foundation had decided to start using Google Apps. Google Apps is a web-based office suite that includes Gmail, Google Calendar, Docs and other productivity tools.

User MZMcBride pointed out the software was closed source (in contrast to the open source nature of the MediaWiki software) and wondered if there was any connection to the $2 million grant that Google had given to Wikimedia. The privacy track record of Google was also under question, with Risker noting that "Google's greatest weakness is in the privacy sector. Anyone remember when they turned on Buzz and suddenly there was all kinds of personal information made available because they linked people's multiple accounts? Well, the same thing holds for all their other applications."

Jon Davis, the office IT employee who is running the migration, pointed out the benefits of online office tools for a group of people often on the road, the quality of the software and its usage of open standards. He added that the Foundation is a commercial user of the software and does not receive any benefits for its usage from Google. Responding to privacy concerns, he replied that:

The Foundation's Deputy Director Erik Möller emphasized that its "general policy is to be as open on internal tools as reasonably possible", but that unfortunately the open source Mozilla Thunderbird email client didn't meet all its needs. "We're reluctantly switching to GMail as the standard email solution, but we'd love to switch to an open solution in future".

Last week's release of the Firefox extension Firesheep prompted discussion on the wikitech-l mailing list about the lack of default secure browsing for Wikimedia websites. Firesheep is a utility that simplifies hijacking the Twitter and Facebook accounts of other users when they use insecure Wi-Fi networks. Although not included in Firesheep, Wikipedia is vulnerable to the same problem unless people make use of the secure server when logging in to Foundation sites. Questions were raised regarding switching all login requests to such secure connections, but Foundation contractor Roan Kattouw quickly pointed out that to protect connections against this problem, all traffic (and not just all login requests) would have to make use of secure connections. On this point, there were many concerns about the hardware cost of switching all traffic to secure connections, but Conrad Irwin pointed out:

Developer Ashar Voultoiz subsequently added an option to the interface of the MediaWiki software to simplify use of a secure server for logging in. The option will benefit other users of the software who do have the resources to provide a secure browsing environment. In the meantime, editors and especially administrators of the Foundation's websites are encouraged to make use of the secure server whenever they are logging in from open Wi-Fi networks and other shared internet connections, such as in libraries.

In August, The Signpost covered a study of the security of large websites, in which Wikipedia received a 4 out of 10 score on their current password practices.

Not all fixes may have gone live to WMF sites at the time of writing; some may not be scheduled to go live for many weeks.

• JeLuF has more than doubled the number of servers which work on the job queue (low priority tasks handled during off-peak times, such as category listing updates). It previously stood at about a million "jobs" on the English Wikipedia and is now zero on most wikis and under 200,000 on the English Wikipedia.
• MediaWiki will now use the RSD protocol to announce its API capabilities in a more machine-understandable format (bug #25648).
• It was announced that the speed of Pending Changes has improved and that work is ongoing regarding user interface improvement (wikitech-l mailing list).
• Developer Chad Horohoe announced the official release of a new installer for the MediaWiki software, making it a lot easier for third parties to install and configure their own wiki (wikitech-l mailing list). It had been in the pipeline for a number of months, and a key target feature for the next release of the software.

← Previous "Technology report"

Next "Technology report" →

In this issue

1 November 2010 (all comments)

News and notes

In the news

WikiProject report

Features and admins

Arbitration report

Technology report

+ Add a comment

Discuss this story

These comments are automatically transcluded from this article's talk page. To follow comments, add the page to your watchlist. If your comment has not appeared here, you can try purging the cache.

Secure browsing: it is possible to use a combination of server side scripting and JavaScript to create signed URLs: using encryption on the content of WP pages and the edits thereto,which are public knowledge, would be a waste of resource indeed. Rich Farmbrough, 09:51, 2 November 2010 (UTC).[reply]

It's already planned that 'Wikipedia' will be added to FireSheep. Your Wikipedia account can be taken over completely. My advice is don't use public Wifi without WPA encryption enabled. Regards, SunCreator ^(talk) 12:45, 2 November 2010 (UTC)[reply]

Signed urls ? Isn't that for content only ? Wouldn't protect you from cookie hijacking, which is the problem with firesheep, right ? —TheDJ (talk • contribs) 23:43, 2 November 2010 (UTC)[reply]

Firesheep is a session-stealing attack utilizing packet sniffing on a shared medium. Signing URLs does exactly nothing to prevent this. --Carnildo (talk) 01:47, 3 November 2010 (UTC)[reply]

An OpenSearch search bar plugin has been added: Wikipedia (SSL) search, which can replace the default Wikipedia search-bar in browsers like Firefox. You can review the source code for the plugin as well. Nimur (talk) 02:00, 3 November 2010 (UTC)[reply]

The Electronic Frontier Foundation's HTTPS Everywhere add-on makes Firefox use the secure server for every page viewed on Wikipedia (and various other sites). Regards, HaeB (talk) 10:58, 4 November 2010 (UTC)[reply]

Keep in mind that the number of active editors is much, much smaller than the number of anonymous readers. I don't know whether the secure server would support us editing securely all at once, since WMF has not yet dedicated any special resources to scaling SSL, but you should always use it when editing from a network that you don't control such as an open wifi network, particularly if you have a privileged account. A hybrid solution that encrypts session data and not page content might be useful, but I know of no way to implement it and it still presents privacy risks (which articles you read says something about you). Dcoetzee 18:49, 3 November 2010 (UTC)[reply]

Note, that well the secure site does protect your session, it doesn't really (overly) protect your privacy. Images are still loaded from the non-secure site. If you notice person A downloads 10 images in about 5 seconds, and there is only one page on wikipedia that uses precisely these ten images, it is a pretty sure bet that person A is looking at that page. (Of course, if someone is watching you that closely, you probably have bigger problems...). Bawolff (talk) 05:33, 4 November 2010 (UTC)[reply]

Interesting, I didn't know that. I hope WMF will consider also protecting inline images by SSL, eventually - although I realise the cost of doing so would be somewhat greater than pages alone. This would be particularly important for people who are interested in learning more about topics related to sex and pornography and may not want this to be known. Dcoetzee 05:36, 4 November 2010 (UTC)[reply]

Well there is a long standing bug - bugzilla:16822. But If you're really that concerned about your privacy, you can always use something like TOR. (which has the added bonus that even if the foundation was evil, they still wouldn't know who you are ;) Bawolff (talk) 00:24, 5 November 2010 (UTC)[reply]

But we block TOR, remember? :P - Jarry1250 ^{[Who? Discuss.]} 17:46, 5 November 2010 (UTC)[reply]

No comments on the Wikimedia / Gmail story? Doesn't that concern some poeple? 128.59.179.238 (talk) 18:37, 18 November 2010 (UTC)[reply]