
Obscure generator meta for improved security
Closed, Declined | Public | BUG REPORT

Description

Steps to Reproduce: View source of a mediawiki installation

Refer to: https://www.mediawiki.org/w/index.php?title=Topic:Vzur7g62k9hsxymp&topic_showPostId=vzwfufs9a7ek3jak&fromnotif=1#flow-post-vzwfufs9a7ek3jak

Actual Results: Shows MW version

Expected Results: Do not show version or provide an easy way not to have it displayed.
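An added self-check, not part of the report and not MediaWiki's own code: a Python script an administrator can run over a saved copy of their own wiki's HTML output to see whether the `generator` meta tag discloses a version string. The sample page and the version number in it are constructed for the example; nothing is fetched from the network.

```python
from html.parser import HTMLParser
import re

# Constructed sample, modelled on the <head> MediaWiki emits; the version
# string is a placeholder, not taken from any real installation.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<meta charset="UTF-8"/>
<meta name="generator" content="MediaWiki 1.99.0"/>
<title>Main Page - Example Wiki</title>
</head><body></body></html>"""

# Matches tokens such as 1.35 or 1.35.2 inside the generator content.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")


class GeneratorMetaParser(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        # Self-closing <meta .../> tags also arrive here via handle_startendtag.
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "generator":
            self.generators.append(attr.get("content", ""))


def generator_meta(html_text):
    """Return the content of all generator meta tags found in the document."""
    parser = GeneratorMetaParser()
    parser.feed(html_text)
    parser.close()
    return parser.generators


def exposed_version(html_text):
    """Return the first version-looking token in a generator meta tag,
    or None when the page does not disclose one."""
    for content in generator_meta(html_text):
        match = VERSION_RE.search(content)
        if match:
            return match.group(0)
    return None


if __name__ == "__main__":
    print("generator tags:", generator_meta(SAMPLE_PAGE))
    print("exposed version:", exposed_version(SAMPLE_PAGE))
```

Run it against `curl -o page.html https://your-own-wiki/...` output (or any saved page) by replacing `SAMPLE_PAGE` with the file contents; a `None` result means the generator tag is absent or carries no version number.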

Event Timeline

Majavah added a subscriber: Majavah.

This would be useless unless [[Special:Version]] would also be changed

I don't think it would be useless. It would remove it from the source of millions of pages and require from anyone who wants to know the version an extra step and knowledge of the software, rather than simply viewing source.

> I don't think it would be useless. It would remove it from the source of millions of pages and require from anyone who wants to know the version an extra step and knowledge of the software, rather than simply viewing source.

If they want to know, they would be able to find out trivially. It's not going to stop them if they're determined enough.

The point of security is making things harder for people (or bots) with malicious intent. That said, I am not against changing Special:Version. At the very least, it should not be accessible (or some of its critical information) to non-logged-in users.

Security is hardly a trivial matter. Wikimedia may have professionals in charge of this, but there are thousands of outdated installations out there (with known vulnerabilities), and giving anyone access to the exact version just by examining the source is handing them valuable information on a platter.

If they're running old, outdated, unpatched installations, fixing it in newer versions doesn't help if they're never going to upgrade anyway.

https://en.wikipedia.org/wiki/Security_through_obscurity

> Security through obscurity (or security by obscurity) is the reliance in security engineering on design or implementation secrecy as the main method of providing security to a system or component. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism.

> The point of security is making things harder for people (or bots) with malicious intent. That said, I am not against changing Special:Version. At the very least, it should not be accessible (or some of its critical information) to non-logged-in users.

Most wikis allow free and open signup. So you're adding a minor hurdle that, again, is not going to stop them if they're determined enough.

I use Special:Version as an active mediawiki developer all the time. Just sayin'.

Oh, and Special:Version also gives credit to all of our active developers, which has a social importance which shouldn't be underestimated.

DannyS712 added a subscriber: DannyS712.

If the version wasn't available directly, one could just as easily try to use a feature that was introduced in version x, and based on whether the feature exists or not will know whether the version is before x or not. If sites are using outdated and unsupported versions of MediaWiki with known vulnerabilities, obscuring the version info doesn't address the underlying vulnerabilities. Per above, it is useful to be able to find the version.