User:CSteipp (WMF)/Security properties

This page documents the security properties of MediaWiki, which are not always obvious to users and site admins.

This document attempts to describe what is protected by MediaWiki. If there is a discrepancy between what MediaWiki protects and what it should protect, please file a Bugzilla bug or comment on the talk page.

What do we protect?
Ripped from Security_for_developers/Architecture for a start, but needs updates.


 * Confidentiality of Deleted & Suppressed content
   * Content in an article, edit summary, username of editor, specific log entries
 * Confidentiality of data protected by the WMF privacy policy
   * e.g., IP and UserAgent of editors
 * Integrity of content, attribution and logs
 * Prevention of site DoS
 * Prevention of content DoS, e.g., vandalism and spam
 * Prevent accounts from elevating their privileges without authorization
 * Account non-repudiation. A user should not be able to deny that they made an edit attributed to their account, nor should an admin be able to deny taking an administrative action that the logs report they took.

What have we made the decision not to protect?

 * For a default wiki install, we do not attempt to protect the usernames of site users. The list of all usernames is available at Special:ListUsers, and the edit history and Special:Log show the usernames of users who edited or created accounts. Private wikis can restrict access to all but a few pages to prevent usernames from being displayed, and when possible MediaWiki will attempt to support wikis that wish to keep these private. However, this is not guaranteed, and private wikis shouldn't count on it.