Authentication

edit

Right now Huggle provides two ways to login:

Bot passwords

edit

Recommended method, read this page to find more info: Bot Passwords. In this case, Huggle will never know your real password, only the temporary bot token you generate for it and it will have limited access to your account. Your real password is completely protected.

Legacy login

edit

Huggle will ask you for your username and password and will perform the authentication using API action=login. After this operation, the password is permanently removed from operating memory (username is kept stored until you exit Huggle, and may be stored in a configuration file if you wish). The authentication provides your username and password using POST data directly to wiki. Wikimedia wikis no longer allow access without SSL, so SSL is always enabled.

IRC feed (deprecated)

edit

This feed was replaced by XmlRcs in newer Huggle. Huggle 1x (0.x), 2x and 3x are using your wiki username (Huggle 3 appends a random string to it) as an IRC feed username. The following is unencrypted in the connection to irc.wikimedia.org and may be revealed to other users:

  • Your username
  • When you are using Huggle (being online in any Wikimedia channel signals your Huggle usage at some point)
  • Your IP? (probably only to Wikimedia staff)

XmlRcs

edit

XmlRcs is used by newer Huggle to retrieve RC stream instead of IRC feed. This system is running on Wikimedia Cloud VPS and it's not recording or storing any information about its clients at all. No client data is stored on the server.

Huggle 3 uses HAN (Huggle antivandalism network) which is a system that allows Huggle users to work together. This feature is optional, but is enabled by default. HAN uses an unencrypted connection by default to irc.tm-irc.org, and reveals the following data:

  • Your username
  • Huggle version
  • When and what are you doing in Huggle (reverts, etc)
  • Your IP (only to network staff, regular users can't see it)

Whitelist

edit

Huggle 2 and 3 is accessing a whitelist which used to be hosted on wmflabs and now is temporarily hosted at http://huggle.tm-irc.org/wl until wmflabs become more stable. These website are using apache2 and by default collect your IP address in server logs.

ORES

edit

Huggle 3 comes with optional extension that is connecting to webserver at http://ores.wmflabs.org/ this webserver may have access to your IP address but is likely not collecting it. The extension can be disabled in preferences (Scoring Helper) should you have any problem with that.