[HacktionLab] late homework - anyone speak Mediawiki?

Alan Dawson aland at burngreave.net
Fri Oct 5 11:06:47 UTC 2012


On Fri, Oct 05, 2012 at 11:53:00AM +0100, Tom Lord wrote:
> On 05/10/12 11:49, Alan Dawson wrote:
> >On Fri, Oct 05, 2012 at 11:41:16AM +0100, Tom Lord wrote:
> >>>Do you have a domain name ?
> >>>
> >>>we should get a domain name, and set up a https certificate today
> >>>
> >>>how about
> >>>
> >>>msg2012.org ? then the site could be at wiki.msg2012.org ?
> >>
> >>Good point, thanks - I forgot to say I have
> >>http://movementsupport.net - with the intention of meaning 'network'
> >>rather than 'internet thing' maybe this is a confusing name, so we
> >>can change it later if anyone wants to take an active interest!
> >
> >OK you've registered that with gandi..
> >
> >you can get a free 1 year x509 cert from them that will secure the site.
> >
> >We should not expect people to enter data into the site if there is no data security.
> >Can you manage that, or do you need help there also?
> 
> Hi Alan, not sure what you mean - feel free to elaborate!
> 
> Just for info in case it's helpful - the site is intended for
> publicly available info, not for storing trade secrets. I'm
> currently quite happy for organisations I'm involved in to have
> their publicly available details listed on it. Should I not be?
> Obviously if people think there are security issues even with
> publicly available data then that would mean they wouldn't want to
> use this, so I'd be really up for understanding this.

If I enter data on the site, the data is available in plain text across the network as I enter it.

It could be useful for an attacker to note who is able to maintain the contact data for the (say) EvilArmsDealer blockade, as they would see that editing session in plain text.

As a consumer of data from that site, it could be useful for an attacker to note that I'm interested in viewing EvilArmsDealer blockade data, then I hop over to hardwarestore.co.uk and look at D locks.

Without end2end encryption an attacker could interfere and alter that data in transit.

Just because the data is public we still need to maintain confidentiality of access to it, and authenticity of content.


Regards,

Alan Dawson
-- 
"The introduction of a coordinate system to geometry is an act of violence"