Security vs usability; Digest auth?
FWIW I am kind of an "AJAX guy" around here and I also have experience working on Google's Accounts system (GAIA). So I might have the requisite combination of security knowledge & willingness to improve the interface. I can help advise here, at least.
Generally we have to be *very* careful when improving login. Most things that make it more usable also make it insecure.
However, unlike the other big sites, our primary worry is vandalism, not leakage of a user's personal info. So we might be able to risk a bit more and innovate a bit more. I'm thinking of things like digest authentication, which theoretically could provide a reasonably secure login even over AJAX. It has its vulnerabilities too, but arguably it's not much worse than the other kinds of MITM or spoofing that could happen.
I'm not saying that this will work, I'm saying it's something we could maybe explore, or maybe add to MediaWiki even if we don't use it on WMF sites.
NeilK 19:17, 25 March 2011 (UTC)
Re: Security vs usability; Digest auth?
I will study Digest Authentication. For the security issues, I will follow the decision taken by the community.
- Akshay Agarwal
How's it going?
Akshay, it looks like your next step as of 7 April was "I would now be moving forward to incorporate the necessary UX improvements & then put it up for review". How is that going? Sumana Harihareswara, Wikimedia Foundation Volunteer Development Coordinator (talk) 17:58, 18 April 2012 (UTC)