Wiki & SSL

[Clint Byrum]

On Oct 8, 2010, at 4:31 PM, Lucian Adrian Grijincu wrote:

> On Fri, Oct 8, 2010 at 10:09 PM, Clint Byrum <clint at ubuntu.com> wrote:
>> Right, though if that site is *delivered via ssl* and the cert is from
>> a trusted organization, you can trust the source of that information..
>> if you click "history" you know you're getting the real history.
>> 
>> So if the attacker did not redirect to SSL, then you are not on an
>> SSL site, and you should be *suspicious*.
> 
> 
> I AM a person that has a very high regard towards security (I don't
> have the same password on two different sites, I notice when a HTTP
> site asks me for my password, I always check the URL of the website
> before entering my passwords, etc.) but I have not noticed until now
> that the wiki.ubuntu.com is always on HTTPS and I don't think I would
> have noticed when it would have loaded as HTTP.
> 

Whether or not you noticed, the point is that you have zero way to
trust the HTTP sites, and at least some level of trust for HTTPS.

> 
> I don't think anyone goes around poking every bit of info they can
> find about the authors that changed something in the history of a
> document. I'm sure I can go register the wiki user JomoBacon or
> IonoBacon and make some edits as him on a number of pages and all this
> always-HTTPS snake-oil won't save most users from anything.
> 

No, people don't do that. But its important that the capability is
there.

I see it more as a daily vitamin C supplement, not a cure-all. There
are lots of things one can do to avoid problems, but one thing you
can't do, is verify the source of an HTTP downloaded web page from
the internet without some help. HTTPS, is just one way we can give
you that help.