Bawolff worked on T11838: Send notification to account owner on multiple unsuccessful login attempts, which started in March and stopped in April.
What can we do to move this forward? Are there blockers we can clear?
DannyH, Dec 15 2016, 5:36 PM
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | None | | T14884 Login and account creation should be by secure http.
Invalid | None | | T11816 Improve security for Special:Userlogin (tracking)
Invalid | None | Wikinaut | T3932 [DO NOT USE] ENotif/EConfirm & further enhancements (tracking) [superseded by #MediaWiki-Email]
Open | None | | T125653 Create new types of notifications
Resolved | None | • demon | T11838 Send notification to account owner on multiple unsuccessful login attempts
Resolved | None | Niharika | T153335 Investigation: Notify on multiple unsuccessful login attempts
@Bawolff does the above seem accurate?
Yes, that's accurate. Fixing up the code for AuthManager and Echo changes (and other TODOs) is on my to-do list; my to-do list is just a little long right now :)
Feature-wise, I'm also planning to add looking at rc_ip to see if the user has previously logged in, for wikis without CheckUser.
CentralAuth-wise, this is somewhat mitigated by global notifications and by using email notifications, assuming it is enabled on all wikis. So if it was enabled by default, this would address it, but I'm not sure if we want to enable it by default. Perhaps we do, I don't know.
I will note that if CentralAuth is enabled, the extension looks at the checkuser table from up to 10 other wikis, not just the current wiki, when determining if the user has previously used the IP.
The extension currently works on a per-wiki basis. It would be a good idea to think about making it work with CentralAuth to detect login attempts on any of the wikis the user is attached to. Though the wishlist proposal doesn't mention it, it seems like an implicit given.
This seems like it isn't really much of an issue due to global notifications (as Brian mentioned).
Actually I just realized. If an attacker decided to use login.wikimedia.org to login, they could get around this extension since there is no echo installed on that wiki, so no global echo notice would be generated.
@Bawolff: Any ideas for how to address that? If someone tries to log in as me on loginwiki I don't want to get separate notifications on hundreds of different wikis.
The first thing that comes to mind is to either enable Echo on all SUL wikis or use the job queue to send the notice on some fallback wiki.