
CheckUser should require elevated security
Open, Needs Triage · Public

Description

As one of the most sensitive interfaces, with access to private data, CheckUser should require elevated security (reauthentication).

Event Timeline

Tgr created this task. Jun 13 2018, 5:21 PM
Restricted Application added a subscriber: Aklapper. Jun 13 2018, 5:21 PM

My opinion about this is similar to what I wrote in T197150#4280429. Please note that often CheckUser queries are performed in a row (i.e.: CheckUser gets IPs of User:Vandal; CheckUser checks the IPs to investigate further). A simple checkuser request can take from one to dozens of queries. If we're forced to re-enter our password each and every time we perform a CU query that'll slow our job big time. On the other hand CheckUser queries are --obviously-- not publicly logged so spotting abuse of the feature is not that trivial unless someone is watching the logs. I'd approve an 'enter your password and get 30 minutes without having to enter it again' feature, but if possible I'd avoid having to enter my password for each and every CU query. Regards.

That's "I'd approve a 'enter your password and get 30 minutes without having to enter it again' feature" somewhat so I think I'm fine with that.

Huji added a subscriber: Huji. Jun 13 2018, 10:44 PM

As long as that X is really in the order of 30 or 60 minutes, I think it should be okay. Complex CU requests do really take half an hour or so to do.
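The trade-off debated in the comments above, modelled as an added example (not code from this task, MediaWiki or the CheckUser extension). The query timeline, the function name and the `sliding` option are constructed for illustration; the 30-minute window is the value proposed in the discussion.

```python
# Compare reauthentication policies for a run of CheckUser queries.
# For each policy we report (password prompts, oldest password proof that
# was still accepted for a query, in seconds). The second number is how
# long a hijacked session could keep querying without the password.

# Constructed investigation: 24 queries, one every 2 minutes (46 minutes).
QUERY_TIMES = [i * 120 for i in range(24)]


def simulate(query_times, window, sliding=False):
    """Replay queries against a reauthentication window (seconds).

    window=0       -> password required for every query
    sliding=False  -> window counted from the last password entry
    sliding=True   -> window counted from the last query (idle timeout)
    """
    last_auth = None  # when the password was last entered
    anchor = None     # point the window is measured from
    prompts = 0
    max_age = 0
    for now in query_times:
        if anchor is None or now - anchor >= window:
            prompts += 1              # user must re-enter the password
            last_auth = anchor = now
        elif sliding:
            anchor = now              # activity alone extends the window
        max_age = max(max_age, now - last_auth)
    return prompts, max_age


if __name__ == "__main__":
    policies = [
        ("every query", 0, False),
        ("30 min since password", 1800, False),
        ("30 min idle timeout", 1800, True),
    ]
    for label, window, sliding in policies:
        prompts, max_age = simulate(QUERY_TIMES, window, sliding)
        print(f"{label:24} prompts={prompts:2} oldest proof={max_age}s")
```

A window counted from the last password entry bounds the age of the credential proof at the cost of one extra prompt in this run; an idle timeout never prompts again while queries continue.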

Vvjjkkii renamed this task from CheckUser should require elevated security to p2aaaaaaaa. Jul 1 2018, 1:04 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description.
Vvjjkkii removed subscribers: Huji, MarcoAurelio, Aklapper.
Ankry renamed this task from p2aaaaaaaa to CheckUser should require elevated security. Jul 1 2018, 4:01 PM
Ankry updated the task description.
Ankry added subscribers: Huji, MarcoAurelio, Aklapper.
Ankry raised the priority of this task from High to Needs Triage. Jul 1 2018, 4:15 PM

This would be a severe security overreaction to a problem that doesn't exist. For stewards, use of the CU tool is routine and happens multiple times during the day. Adding the requirement to authenticate, even every 30 to 60 minutes, would be horrible from a user experience perspective. And all of this in response to, if I remember correctly, one time in the past year when an attacker gained CU access.

2FA is not a silver bullet. It can be compromised as well, through phishing sites and the like. Don't ruin the ability of everyone with advanced permissions to do their thing as you flail around trying to fix the vulnerabilities in the MediaWiki software.

And all of this in response to, if I remember correctly, one time in the past year when an attacker gained CU access.

You make it sound like that's not a big deal.

2FA is not a silver bullet. It can be compromised as well, through phishing sites and the like.

That's something that can be worked on (e.g. U2F instead of TOTP), but just because it doesn't protect against everything doesn't mean it's not going to become required.

And all of this in response to, if I remember correctly, one time in the past year when an attacker gained CU access.

You make it sound like that's not a big deal.

2FA is not a silver bullet. It can be compromised as well, through phishing sites and the like.

That's something that can be worked on (e.g. U2F instead of TOTP), but just because it doesn't protect against everything doesn't mean it's not going to become required.

It is not as big of a deal as the security people are making it out to be, and it would not have been prevented by further authentication requirements.

I've activated 2FA on phabricator and I already find that annoying. Let alone when I need to use that for user right changes (T197150) and, even worse, for checkuser actions.

Tgr added a comment. Nov 6 2018, 1:08 AM

T197160#4723216 has some ideas on how to make this less annoying.

TonyBallioni added a subscriber: TonyBallioni. Edited · Nov 23 2018, 5:28 AM

I agree with @Ajraddatz, this is not nearly as large a concern as the tech people make this out to be and it would likely cause some of the most active CUs to quit if 2FA for using Special:CheckUser were required. I’m not joking when I say this would be a disaster for some large wikis.

This, along with some of the recent suggestions on how to improve CheckUser security literally would make Wikipedia more difficult to edit than it was to wire money from my bank to buy a house. There is no world where that should be the case.

Passwords every 30-60 minutes would still be overkill but is doable.

The actual ideal would be for the WMF to do a password audit on users with advanced permissions.

revi added a subscriber: revi. Nov 23 2018, 5:29 AM
Risker added a subscriber: Risker. Nov 23 2018, 5:37 AM

T121186 is the task where password audits are discussed so far.

Meno25 added a subscriber: Meno25. Dec 9 2018, 3:44 AM
revi awarded a token. Feb 14 2019, 1:07 PM