User:CSteipp (WMF)/Security properties

This page it to document the security properties of MediaWiki, which are not always obvious to users and site admins.

This document attempts to describe what is protected by MediaWiki. If there is discrepancy between what MediaWiki protects, and what it should protect, please file a bugzilla bug, or comment on the talk page.

What do we protect?
Ripped from Security_for_developers/Architecture for a start, but needs updates.


 * Protect the confidentiality of deleted & suppressed content
 * Any user contributed content can be deleted / suppressed, including articles, edit summaries, and usernames of editors
 * In some cases, specific log entries can be deleted / suppressed
 * Protect the confidentiality of data protected by the WMF Privacy Policy (Current, proposed)
 * e.g., IP, UserAgent, email, GeoLocation of editors
 * Protect the integrity of content, attribution and logs
 * As part of this, there shouldn't be substantial grounds for a user to deny that they made an edit attributed to their user, nor should an admin be able to deny taking an administrative action that the logs report. (i.e., non-repudiation)
 * Protect the site from DoS
 * Protect the site's content from DoS attacks (vandalism and spam)
 * Prevent accounts from elevating their privileges without authorization

What have we made the decision not to protect?

 * For a default wiki install, we do not attempt to protect the user names of site users. The list of all username is available at Special:ListUsers, and the edit history and Special:Log show the usernames of users who edited or created accounts. Private wikis can restrict access to all but a few pages to prevent usernames from being displayed, and when possible MediaWiki will attempt to support wikis that wish to keep these private. However, this is not guaranteed, and shouldn't be counted on by private wikis.
 * Except on private wikis, all content is assumed to be publicly accessible. See also Security_issues_with_authorization_extensions.