security risk: http instead of https in pages
An editor has recently warned me of the danger of using http instead of https in wiki links.
This has been done on a lot of pages in order to avoid the "locked" icon.
He says that some sites are constructed in such a way that if you have a secure (https) link to the website open, and then open an insecure link (http) to the same website, an attacker can hijack your login session on the secure link, and take control of the session or the account.
So whenever we put http links on the wiki where an https should be used, we put the readers at risk, which is not good for the editing community.
For this reason, he says we should always use https whenever it is possible to use https.
To back this up, he cited several references online.
A better approach, then, would be to change the skin on the wiki page to use a different character than the lock, or none at all, for links to https sites.
This is also a better approach for another reason -- it is less hacky and just plain makes more sense.
Would anyone with internet security knowledge like to weigh in on this?
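The condition described in the post generally comes down to a session cookie set without the `Secure` attribute on a site that does not send an HSTS header, so the browser attaches the cookie to a plain http request to the same host. The following is an added example, not part of the original post: it audits the headers of one https response for that condition; the function names are hypothetical and the sample headers are constructed.

```python
from http.cookies import SimpleCookie

def hsts_active(headers):
    """True if Strict-Transport-Security is present with max-age > 0."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            for directive in value.split(";"):
                key, _, val = directive.strip().partition("=")
                val = val.strip().strip('"')
                if key.strip().lower() == "max-age" and val.isdigit():
                    return int(val) > 0
    return False

def cookies_without_secure(headers):
    """Names of cookies a browser would also send over plain http."""
    names = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            names += [n for n, morsel in jar.items() if not morsel["secure"]]
    return names

def audit(headers):
    """Classify one https response: 'ok', 'mitigated-by-hsts' or 'exposed'."""
    exposed = cookies_without_secure(headers)
    if not exposed:
        return "ok", exposed
    return ("mitigated-by-hsts" if hsts_active(headers) else "exposed"), exposed

# Constructed sample responses as (header name, value); not from any real site.
NO_FLAG = [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]
WITH_HSTS = NO_FLAG + [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
WITH_FLAG = [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    for label, hdrs in [("no flag", NO_FLAG), ("hsts", WITH_HSTS), ("secure", WITH_FLAG)]:
        print(label, audit(hdrs))
```

HSTS only takes effect once the browser has received the header over https from that host, so the "mitigated-by-hsts" result assumes the reader has already visited the site securely.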
Re: security risk: http instead of https in pages