
Re: Lack of SSL for Debian Wiki login (was: Re: wiki.debian.org password reset)



On Sun, Jan 06, 2013 at 07:08:08PM -0500, Jeremy L. Gaddis wrote:
> * Luca Filipozzi <lfilipoz@debian.org> wrote:
> > Please recall our recent email regarding the moinmoin [1] vulnerability [2] and
> > the penetration of Debian's wiki [3].  We have reset all password hashes and
> > sent individual notification to all Debian wiki account holders with
> > instructions on how to recover (and thereby reset) their passwords [4].  More
> > technical details about the attack are available [5].
> 
> [snip]
> 
> Thanks, I just reset the password on my account only to realize that
> SSL is not being used by default on wiki.d.o.

Yes. :/

> Surely this will be fixed in the very near future?

DSA and DWA are in discussion about enforcing encryption at all authentication
points.  We're currently debating the pros/cons of using a commercial SSL cert
vs a Debian SSL cert.  Given the dubious value of commercial certificates, I'm
in favour of the latter but I appreciate that some users will find the browser
warnings to be confusing.

OTOH, I'd argue that if one wishes to maintain content at wiki.debian.org, then
one should understand the basics of PKI.  What do you think?

Thanks,

Luca

DSA = Debian System Administration Team
DWA = Debian Wiki/Web Administration Team (my coinage)

-- 
Luca Filipozzi
Member, Debian System Administration Team
