
Request Security check of allowing editing from mirror/fork site
Open, Needs Triage, Public

Description

Recently the Village Pump (technical) section has raised an issue that links to books.google.com are being changed to gg.sxbb.me (see here for the discussion). The editor who performed the edits claimed that the edits were changed by VisualEditor, but they were in fact changed by the mirror/fork website.

One sysop has raised a concern, as such an incident is potentially dangerous: the mirror site can obtain the user's credentials, which can be used to perform harmful edits that are not done by the users themselves, breaking the intention of HSTS.

This also decreases the trust of some first-time users in Wikimedia, as they think the edits are being changed by Wikimedia's tools/extensions, which is what appeared to happen in this case.

We are glad that, this time, the edits from the mirror site were not intentionally harmful, but that may not be so next time. I hope the security team can evaluate such a situation.

Event Timeline

VulpesVulpes825 renamed this task from "Request Security check of allowing editing from mirror site" to "Request Security check of allowing editing from mirror/fork site". Aug 10 2020, 7:52 AM
VulpesVulpes825 updated the task description.
VulpesVulpes825 updated the task description.

Hi @VulpesVulpes825.
It looks like this is about edits which changed some URLs from https://books.google.com to https://gg.sxbb.me/extdomains/books.google.com.
What exactly is requested in this task?
Something related to AbuseFilters to avoid such edits? Having WMF maintain a trusted proxy list? Something else?

The edit was done by a logged-in user.

If the edit wasn't done by the normal editor interface of Wikipedia, but from a mirror site, this means the user provided their user credentials to the mirror site, and the mirror site made the edit on behalf of the user.

This is not a security problem, but a social problem. Users should not enter their user credentials from one website into a different website. This applies to Wikipedia, your gmail account and your online banking.

This kind of indirect edit through an intermediate application/website is no different from the use of bots like pywikibot or AutoWikiBrowser, where a program is making edits on behalf of a user (whether that user account is a bot or a normal user account). Adding a security check would potentially break bots.

For users in mainland China blocked by the GFW, accessing Wikimedia through a third-party reverse proxy server (website) is the best choice. Although a small number of them may have hidden security issues, there are always special cases that are worthy of trust. We should always have a trade-off between security and usability.

In mainland China, almost all reverse proxy websites are non-profit and established with personal enthusiasm, so we should not hold excessive presumptions against them. We should believe that morality restrains most people, including reverse proxy server maintainers, and they know what to see and what not to see. Most importantly, Wikimedia is not an online bank, its account and data are meaningless to most people.

By the way, Wikimedia prohibits the use of open proxies, so we have IPBE. So maybe we can be more flexible. We may be able to set up a whitelist of trusted reverse proxy servers. For servers on the whitelist, trust the X-Forwarded-For header passed to the Wikimedia servers, which is more convenient for users in mainland China. Don't worry that the X-Forwarded-For header is forged by the user, because users will use their real IP to connect to the reverse proxy servers, just as they do with the Wikimedia servers now.
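One way the allow-list idea in the comment above could be implemented on the receiving side, as an added example that is not Wikimedia's or MediaWiki's code (the proxy prefixes are constructed placeholders from documentation ranges): X-Forwarded-For is honoured only when the TCP peer is itself on the allow-list, and the chain is walked from the right so that the attributed address is one a trusted proxy appended, not one the end user could have typed into the header.

```python
import ipaddress
from typing import Optional

# Constructed allow-list of reverse proxies an operator has decided to trust.
# These are documentation/test prefixes, not any real mirror site.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),  # TEST-NET-3, constructed
    ipaddress.ip_network("2001:db8::/32"),   # documentation prefix, constructed
]


def is_trusted(addr: str) -> bool:
    """True if addr parses as an IP inside one of the allow-listed prefixes."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the address an edit should be attributed to.

    peer_addr is the TCP peer the server actually sees. The header is ignored
    entirely unless that peer is a trusted proxy. It is then walked right to
    left, skipping further allow-listed hops, so the result is the first
    address reported by a trusted proxy rather than a user-supplied value.
    """
    if not is_trusted(peer_addr) or not xff_header:
        return peer_addr  # untrusted peer (or no header): never trust XFF
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue  # another allow-listed proxy in the chain; keep walking
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_addr  # malformed hop: fall back to the peer address
    return peer_addr  # chain contained only trusted proxies
```

This only fixes IP attribution and blocking; it does nothing about the credential exposure raised in the task description, since a reverse proxy that terminates TLS still sees the login form and session cookies.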

> This is not a security problem, but a social problem. Users should not enter their user credentials from one website into a different website. This applies to Wikipedia, your gmail account and your online banking.

Or more specifically, such sites in principle should use OAuth, although I guess that's hard if the point is to evade censorship and Wikipedia is blocked.

> Or more specifically, such sites in principle should use OAuth, although I guess that's hard if the point is to evade censorship and Wikipedia is blocked.

Right, OAuth API (based on mediawiki.org & wikimedia.org) has been blocked by GFW.

Reverse proxy mirror sites are inherently dangerous, and will endanger the privacy of users and the data security of wiki sites. A reverse proxy means that the proxy site terminates the connection to the Foundation website, decrypts and re-encrypts the data, and then interacts with the end user. The reverse proxy will know the user name of the end user and can modify the content of the communication with the Foundation site without being discovered, not just change the end user's source address. "X-Forwarded-For" is not a mandatory requirement for the proxy itself even if the reverse proxy is capable of sending it, and I doubt that most of these proxies do not meet this requirement.

On the contrary, a forward proxy only forwards the encrypted data stream of the end user to the Foundation and is unable to easily lie to the TLS communication system, which means that the user name and editing data of the end user are relatively safe, as opposed to a reverse proxy. The only effect is to change the source address of the end user, but in view of the situation in mainland China, this is actually tacitly accepted.

Since forward proxies exist, reverse proxies are dangerous and inappropriate. Therefore, I suggest that we still try to take some countermeasures against reverse proxy sites, such as detecting the reverse proxy by comparing the domain name in the address the end user's browser is accessing.

It is necessary to continue to advance restrictions on editing operations from public computer data centers such as VPS. These operations are carried out in both Meta Wiki and English Wikipedia. Chinese Wikipedia used to carry out this kind of automatic blockade, but it was forced to cancel it because it did not restrict IP user editing. I know that a local administrator will additionally cancel the global blockade of some addresses based on their frequent use as proxies.