
Wiki Miss offer Secure Connection while the connection over Onion

When you go to wiki login on onion:

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/w/index.php?title=Special:UserLogin&returnto=Documentation

you will find “Use secure connection” with URL:

https://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/w/index.php?title=Special:UserLogin&returnto=Documentation&error=

It considers onion with http without TLS as not a secure connection, thus offering an https connection to the onion URL, which won't work.

1 Like

Confirmed. Mediawiki thinks the connection is insecure since it does not have an internal concept of onion traffic. I am now sending http request X-Forwarded-Proto: https for onion to let mediawiki know that it’s a secure connection.

reference:

That mediawiki feature does not make much sense anymore nowadays since a sane website is all https (or onion) and not just for login.

Should now be fixed.

1 Like

when you search in the wiki it will add tls to the http onion e.g:

go to:

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Documentation

search for stream isolation, it will redirect to:

https://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Stream_Isolation

thus the URL won't work

1 Like

Alright. Then my workaround won’t work. Reverted.

Could you please file a bug report against mediawiki deprecating that feature or a feature request adding onion support? Whatever seems more likely?

1 Like

On IRC I have been told:

<Vulpix> https://phabricator.wikimedia.org/T225728#5259666
<Vulpix> If you're able to set the X-Forwarded-Proto header, that should work for you
<Vulpix> (that header should be on requests arriving to MediaWiki)

i showed him this issue:

and said:

<Vulpix> Well, I'm pretty sure MediaWiki won't give you the choice to use "secure connection" unless there's some setting that tells MediaWiki https is available
<Vulpix> The problem may be that you've set https: somewhere in your LocalSettings.php
<Vulpix> Get rid of it

Hope it can be useful.

About registration: well, I can't register in mediawiki because they want a real IP, as they block Tor.

2 Likes

I doubt this is fixable with reasonable effort. We’re already doing the “impossible”, something not really popular, that is using mediawiki with the same database on two different domains, a clearnet and onion domain, which was a lot of effort to figure out since it’s not really documented.

That may be doable when using a wiki with onion only.

The only thing I find is $wgCanonicalServer which is set to $wgCanonicalServer = 'https://www.whonix.org'; on the onion.

But changing that to onion would break other things.

https://www.mediawiki.org/wiki/Manual:$wgCanonicalServer

languages/i18n/en.json: "userlogin-signwithsecure": "Use secure connection",

userlogin-signwithsecure

https://doc.wikimedia.org/mediawiki-core/master/php/LoginSignupSpecialPage_8php_source.html

includes/specialpage/LoginSignupSpecialPage.php

            if ( $this->mSecureLoginUrl ) {
                    $secureLoginLink = Html::element( 'a', [
                            'href' => $this->mSecureLoginUrl,
                            'class' => 'mw-ui-flush-right mw-secure',
                    ], $this->msg( 'userlogin-signwithsecure' )->text() );
            }

I guess to avoid userlogin-signwithsecure being injected into the html we would need to influence the contents of variable mSecureLoginUrl.

https://doc.wikimedia.org/mediawiki-core/master/php/LoginSignupSpecialPage_8php_source.html

includes/specialpage/LoginSignupSpecialPage.php

                // If logging in and not on HTTPS, either redirect to it or offer a link.
                global $wgSecureLogin;
                if ( $this->getRequest()->getProtocol() !== 'https' ) {
                        $title = $this->getFullTitle();
                        $query = $this->getPreservedParams( false ) + [
                                        'title' => null,
                                        ( $this->mEntryErrorType === 'error' ? 'error'
                                                : 'warning' ) => $this->mEntryError,
                                ] + $this->getRequest()->getQueryValues();
                        $url = $title->getFullURL( $query, false, PROTO_HTTPS );
                        if ( $wgSecureLogin && !$this->mFromHTTP &&
                                 wfCanIPUseHTTPS( $this->getRequest()->getIP() )
                        ) {
                                // Avoid infinite redirect
                                $url = wfAppendQuery( $url, 'fromhttp=1' );
                                $this->getOutput()->redirect( $url );
                                // Since we only do this redir to change proto, always vary
                                $this->getOutput()->addVaryHeader( 'X-Forwarded-Proto' );

                                return;
                        } else {
                                // A wiki without HTTPS login support should set $wgServer to
                                // http://somehost, in which case the secure URL generated
                                // above won't actually start with https://
                                if ( substr( $url, 0, 8 ) === 'https://' ) {
                                        $this->mSecureLoginUrl = $url;
                                }
                        }
                }

Changed:

$wgServer = '//www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion';

To:

$wgServer = 'http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion';

This is now gone on onion. Please try now.
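
A simplified model of the branch quoted earlier in the thread, added here as an illustration; it is not MediaWiki's or Whonix's own code. It assumes that a protocol-relative $wgServer takes the https scheme when an HTTPS URL is requested and that an explicit scheme in $wgServer is kept; the function names expandForHttps and secureLoginUrl are hypothetical.

```php
<?php
// Simplified model (NOT MediaWiki source) of when "Use secure connection"
// is offered. Assumption: a protocol-relative $wgServer ("//host") becomes
// "https://host" when an HTTPS URL is requested, while an explicit scheme
// in $wgServer is left untouched.

const ONION = 'www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion';

// Hypothetical stand-in for getFullURL( ..., PROTO_HTTPS ).
function expandForHttps(string $wgServer, string $path): string {
    if (substr($wgServer, 0, 2) === '//') {
        return 'https:' . $wgServer . $path;
    }
    return $wgServer . $path;
}

// Returns the link target, or null when no link would be rendered.
// $requestProto is the protocol MediaWiki believes the request used.
function secureLoginUrl(string $wgServer, string $requestProto): ?string {
    if ($requestProto === 'https') {
        return null; // request already counts as HTTPS, branch is skipped
    }
    $url = expandForHttps($wgServer, '/w/index.php?title=Special:UserLogin');
    // Same test as the quoted source: only keep URLs that are really https.
    return substr($url, 0, 8) === 'https://' ? $url : null;
}

$cases = [
    // Original onion config: link to an unreachable https onion URL.
    'protocol-relative $wgServer, http request' => ['//' . ONION, 'http'],
    // Config after the change in this thread: no link.
    'explicit http $wgServer, http request'     => ['http://' . ONION, 'http'],
    // Reverted workaround: request is presented to MediaWiki as https.
    'protocol-relative, request seen as https'  => ['//' . ONION, 'https'],
];

foreach ($cases as $label => [$server, $proto]) {
    $link = secureLoginUrl($server, $proto);
    printf("%-44s %s\n", $label, $link ?? '(no link offered)');
}
```

The model covers only the login-page link; the search redirect reported above for the header workaround is outside it.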

Yes, now I think everything is working fine. Good job!

1 Like

i showed him this issue:
Wiki Miss offer Secure Connection while the connection over Onion

Well, I’m pretty sure MediaWiki won’t give you the choice to
use “secure connection” unless there’s some setting that tells MediaWiki
https is available

About registration: well, I can't register in mediawiki because they want a real IP, as they block Tor.

Just guessing: maybe what they really want is just a longer-lasting IP, such as when you set:

OutboundBindAddressExit

in your torrc.

I think I needed that too, in different circumstances. However, that might be some longer time learning needed to find out what nodes offer TLS exit, that you can also trust. [*]

I never made it to do that yet… But I know people of Onionmail [**] are able to do it, because if you create account with them with a node they don’t trust, you get “relay not allowed”, and you’re dropped.

[*] I gave a link somewhere in a topic here on whonix forums, must be a topic with the words “download” “tor” via “onion”, and talk about vanguards is there too, and I mention Mike Perry. The link I gave is about Nusenu’s work published on media.com if I remember correctly, I mean there’s bad nodes a huge lot…

[**] onionmail.info IIRC
