Last modified: 2007-08-05 04:32:42 UTC
On the signin page for Wikipedia (traditionaly): http://en.wikipedia.org/w/index.php?title=Special:Userlogin&returnto=Main_Page Is a warning near the bottom regarding Phishing: To avoid becoming a victim of phishing, always verify that you are viewing Wikipedia's login page when logging in. The URL must start with http://en.wikipedia.org/. This is a good warning message, and good advice. The problem is that the URL it gives in an example is bad. If you view this webpage using a proxying service (such as Sixxs's IPv6 to v4 gateway service), the URL given is actually the URL provided by the client. Eg when I use the Sixxs service, the URL it suggests I should always use is: http://en.wikipedia.org.sixxs.org/. This is incorrect, as the sixxs.org service could, in theory, be sniffing my passwords and logging them quite happily. Suggested fix: Change the suggested URL to be: <langcode>.wikipedia.org Suggested improvement: Detect when the user is using such a proxying service, and display a big fat warning saying you are using a proxying service, and if you don't trust this service, it could intercept your password. (appologies if this bug report is filed twice, the system didn't seem to accept it the first time)
Oh, btw - the sixxs.org URL will only work if you have IPv6. Its an IPv6 to v4 gateway, allowing computers that only have native IPv6 connectivity to visit v4 websites. But please note that the problem is not limited to, or actually related in any way, to IPv6, except that IPv6 was how I discovered the problem.
You can discuss changes to the en-Wikipedia login message at [[MediaWiki talk:Loginend]]. I've switched the dynamic variable to plaintext, and added an automatic warning if another domain name is detected (which won't always work).