Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-15 Thread Yana Welinder
Hi Austin,

Thanks for letting me know. I use PGP, but there's something wrong with my
key right now. I'll look into it and get back to you.

Thanks,
Yana

On Sun, Jun 14, 2015 at 11:22 PM, Austin Hair wrote:

> On Sun, Jun 14, 2015 at 8:56 PM, Yana Welinder wrote:
> > I should also mention that while we try to be as transparent as possible
> in
> > all our work (including holding community consultations around all major
> > legal policies and providing frequent updates on our work), there are
> very
> > limited situations where public discussions could actually hurt free
> access
> > to Wikipedia. If you have thoughts about the evolving censorship
> landscape,
> > feel free to email me directly, if possible via encrypted email.
>
> Would you mind clarifying which encryption method? S/MIME? PGP?
>
> I was actually going to reply, because what you said puzzled me, but
> this is the only PGP key I could find for you on the public
> keyservers:
>
> pub  4096R/FFF81E5E 2015-06-01 *** KEY REVOKED *** [not verified]
>Yana Welinder 
>
> Austin
>
> ___
> Wikimedia-l mailing list, guidelines at:
> https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
> Wikimedia-l@lists.wikimedia.org
> 
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
> 
>



-- 

Yana Welinder
Senior Legal Counsel
Wikimedia Foundation
415.839.6885 ext. 6867
@yanatweets 

NOTICE: This message may be confidential or legally privileged. If you have
received it by accident, please delete it and let us know about the
mistake.

As an attorney for the Wikimedia Foundation, for legal/ethical reasons I
cannot give legal advice to, or serve as a lawyer for, community members,
volunteers, or staff members in their personal capacity. In other words,
IANYL. For more on what this means,
please see our legal disclaimer.
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 


Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-14 Thread Austin Hair
On Sun, Jun 14, 2015 at 8:56 PM, Yana Welinder wrote:
> I should also mention that while we try to be as transparent as possible in
> all our work (including holding community consultations around all major
> legal policies and providing frequent updates on our work), there are very
> limited situations where public discussions could actually hurt free access
> to Wikipedia. If you have thoughts about the evolving censorship landscape,
> feel free to email me directly, if possible via encrypted email.

Would you mind clarifying which encryption method? S/MIME? PGP?

I was actually going to reply, because what you said puzzled me, but
this is the only PGP key I could find for you on the public
keyservers:

pub  4096R/FFF81E5E 2015-06-01 *** KEY REVOKED *** [not verified]
   Yana Welinder 

Austin



[Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-14 Thread Brian Wolff
>I should also mention that while we try to be as transparent as possible in
>all our work (including holding community consultations around all major
>legal policies and providing frequent updates on our work), there are very
>limited situations where public discussions could actually hurt free access
>to Wikipedia. If you have thoughts about the evolving censorship landscape,
>feel free to email me directly, if possible via encrypted email.

I find the secrecy surrounding the HTTPS rollout to be odd (to put it mildly).

What are we worried about? A censor who follows wikimedia-l, but not
the press release the WMF issued?

All the technical details are public (the git repo is public. Not to
mention the whole fact we're using https is going to be painfully
obvious when you visit the site, and it's in https). We aren't doing
anything surprising, we are in the process of simply following what
many people consider best practices. We've publicly stated our
intention to do this for years now. And it's pretty obvious what the
next steps of the deployment are going to be. The only thing really
being kept secret is the timetable, and which specific projects are up
next.

--
bawolff



Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-14 Thread Yana Welinder
Hi all,

Our understanding is that there is currently no country where only HTTPS
access to Wikipedia is blocked. In Iran, the government appears to have
been blocking select Wikipedia articles at different times.[1] The Great
Firewall of China has also been blocking select articles on Chinese and
English Wikipedia.[2] While it previously blocked all HTTPS access to
Chinese Wikipedia, that block has more recently been extended to HTTP
access as well. The transition to HTTPS by default therefore shouldn't
block anyone's access to all of Wikipedia due to censorship. Rather it
should help prevent censorship of select Wikipedia articles, which we know
is a problem in different parts of the world.

I should also mention that while we try to be as transparent as possible in
all our work (including holding community consultations around all major
legal policies and providing frequent updates on our work), there are very
limited situations where public discussions could actually hurt free access
to Wikipedia. If you have thoughts about the evolving censorship landscape,
feel free to email me directly, if possible via encrypted email.

With respect to Wikipedia Zero, we have been working with mobile carriers
for over a year to make sure that they are able to provide access free of
data charges over HTTPS. For many carriers, this required them to adjust
the technical implementation of how they waive data charges. We are now
finally ready to transition Wikipedia Zero access to HTTPS by default.

Best,
Yana

[1] https://en.wikipedia.org/wiki/Censorship_of_Wikipedia#Iran
[2] https://en.wikipedia.org/wiki/Censorship_of_Wikipedia#China

On Sun, Jun 14, 2015 at 6:27 AM, Tanweer Morshed wrote:

> But won't the people in Iran or China be able to access the Wikimedia
> sites through http instead of https? And what about accessing through https
> within Wikipedia Zero? Is cost-free access available through https?
>
> On Sun, Jun 14, 2015 at 12:54 PM, geni wrote:
>
> > On 14 June 2015 at 05:21, Comet styles wrote:
> >
> > > China and Iran blocks https (and WMF thinks https is more secure than
> > > http when it can be EASILY blocked lol)
> >
> > China is currently blocking HTTP and has done so quite frequently. The
> > ability to block is largely unrelated to security.
> >
> >
> >
> > > so people in these countries
> > > used wikipedia on http, so some here think that these countries are
> > > spying on them by forcing them to use http, but that https block in
> > > this countries was NOT to target wikipedia, it was to target social
> > > networking sites and  american based email sites like yahoo and gmail
> > > etc..but now by moving to HTTPS, we have now become a target for those
> > > countries..well done..
> >
> >
> > That doesn't make sense. HTTPs doesn't hide the domain. The country can
> > still tell that someone is visiting wikipedia rather than say facebook.
> > What becomes more difficult is telling what a person is viewing on
> > wikipedia.
> >
> >
> >
> > > and to add to that, people who used
> > > wikipedia in those countries to find the "truth" about whats happening
> > > in their country and other regions can no longer do so since its
> > > blocked..Well Done again WMF..
> >
> >
> > Well actually no they couldn't if they had a government with active
> > blocking measures. With HTTP traffic governments and ISPs can (and did)
> > block individual pages that they don't like.
> >
> >
> >
> > >
> > > Someone has to be fired for this.
> > >
> > >
> > That would seem to be something of an over reaction even if you disagree
> > with the decision.
> >
> > --
> > geni
> >
>
>
>
> --
> Regards,
> Tanweer Morshed
>




Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-14 Thread Tanweer Morshed
But won't the people in Iran or China be able to access the Wikimedia
sites through http instead of https? And what about accessing through https
within Wikipedia Zero? Is cost-free access available through https?

On Sun, Jun 14, 2015 at 12:54 PM, geni wrote:

> On 14 June 2015 at 05:21, Comet styles wrote:
>
> > China and Iran blocks https (and WMF thinks https is more secure than
> > http when it can be EASILY blocked lol)
>
> China is currently blocking HTTP and has done so quite frequently. The
> ability to block is largely unrelated to security.
>
>
>
> > so people in these countries
> > used wikipedia on http, so some here think that these countries are
> > spying on them by forcing them to use http, but that https block in
> > this countries was NOT to target wikipedia, it was to target social
> > networking sites and  american based email sites like yahoo and gmail
> > etc..but now by moving to HTTPS, we have now become a target for those
> > countries..well done..
>
>
> That doesn't make sense. HTTPs doesn't hide the domain. The country can
> still tell that someone is visiting wikipedia rather than say facebook.
> What becomes more difficult is telling what a person is viewing on
> wikipedia.
>
>
>
> > and to add to that, people who used
> > wikipedia in those countries to find the "truth" about whats happening
> > in their country and other regions can no longer do so since its
> > blocked..Well Done again WMF..
>
>
> Well actually no they couldn't if they had a government with active
> blocking measures. With HTTP traffic governments and ISPs can (and did)
> block individual pages that they don't like.
>
>
>
> >
> > Someone has to be fired for this.
> >
> >
> That would seem to be something of an over reaction even if you disagree
> with the decision.
>
> --
> geni
>



-- 
Regards,
Tanweer Morshed


Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-14 Thread Josh Lim
Uh, I’m from a Third World country, and while I know the Internet here in the 
Philippines is shitty, I don’t think the WMF can be blamed for that.  I’ve been 
using HTTPS for quite a while now and for the most part, it works normally.

Let’s try to avoid overly generalizing the developing world here.  However, I 
too would like to hear something from the WMF as to how they will deal with the 
situation in countries where HTTPS is actively being blocked.

Josh

> Message written by Comet styles on 13 Jun 2015, at 06:34:
> 
> Congrats, you just made internet shitty for all 3rd world countries
> and did you people even bother to find out how it will affect users in
> China or Iran where HTTPS is BANNED?.
> 
> On 6/13/15, Tito Dutta wrote:
>> Great job. :)
>> Thanks for informing
>> [PS. to members, you may read the WP:VPT discussion too]
>> 
>> On 13 June 2015 at 03:05, Habib M'henni wrote:
>> 
>>> This is really fantastic.
>>> 
>>> Thanks,
>>> 
>>> Habib

Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-13 Thread geni
On 14 June 2015 at 05:21, Comet styles wrote:

> China and Iran blocks https (and WMF thinks https is more secure than
> http when it can be EASILY blocked lol)

China is currently blocking HTTP and has done so quite frequently. The
ability to block is largely unrelated to security.



> so people in these countries
> used wikipedia on http, so some here think that these countries are
> spying on them by forcing them to use http, but that https block in
> this countries was NOT to target wikipedia, it was to target social
> networking sites and  american based email sites like yahoo and gmail
> etc..but now by moving to HTTPS, we have now become a target for those
> countries..well done..


That doesn't make sense. HTTPs doesn't hide the domain. The country can
still tell that someone is visiting wikipedia rather than say facebook.
What becomes more difficult is telling what a person is viewing on
wikipedia.



> and to add to that, people who used
> wikipedia in those countries to find the "truth" about whats happening
> in their country and other regions can no longer do so since its
> blocked..Well Done again WMF..


Well actually no they couldn't if they had a government with active
blocking measures. With HTTP traffic governments and ISPs can (and did)
block individual pages that they don't like.



>
> Someone has to be fired for this.
>
>
That would seem to be something of an over reaction even if you disagree
with the decision.

-- 
geni
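
The point made in the message above, that HTTPS leaves the domain readable while hiding which page is requested, shown as an added example that is not part of the original thread. It builds a real TLS ClientHello in memory with Python's ssl module and compares what is readable in it with a constructed plaintext HTTP request; the article path and the helper names are made up for the illustration.

```python
import ssl
import struct

# Constructed sample: a plaintext HTTP request as it would appear on the wire.
HTTP_REQUEST = (
    b"GET /wiki/Example_article HTTP/1.1\r\n"
    b"Host: en.wikipedia.org\r\n"
    b"User-Agent: demo\r\n\r\n"
)


def visible_in_http(request):
    """Everything in a plaintext request is readable: host and exact page."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return {"host": host, "path": target}


def build_client_hello(hostname):
    """Produce the first flight a TLS client sends, with no network I/O."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for the server's reply
    return outgoing.read()


def sni_from_client_hello(data):
    """Return the server_name extension value, or None if absent/malformed."""
    try:
        # Reassemble the handshake message from one or more TLS records.
        payload, pos = b"", 0
        while pos + 5 <= len(data):
            rtype, _ver, rlen = struct.unpack("!BHH", data[pos:pos + 5])
            if rtype != 22:  # 22 = handshake record
                break
            payload += data[pos + 5:pos + 5 + rlen]
            pos += 5 + rlen
        if len(payload) < 4 or payload[0] != 1:  # 1 = ClientHello
            return None
        body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
        p = 2 + 32                                   # version + random
        p += 1 + body[p]                             # session id
        p += 2 + int.from_bytes(body[p:p + 2], "big")  # cipher suites
        p += 1 + body[p]                             # compression methods
        ext_end = p + 2 + int.from_bytes(body[p:p + 2], "big")
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            ext = body[p + 4:p + 4 + elen]
            if etype == 0 and len(ext) >= 5 and ext[2] == 0:  # host_name
                name_len = int.from_bytes(ext[3:5], "big")
                return ext[5:5 + name_len].decode("ascii")
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def visible_in_https(client_hello):
    """Only the domain appears in the clear; the request line is sent later,
    inside encrypted records, so no path can be read from the handshake."""
    return {"host": sni_from_client_hello(client_hello), "path": None}


if __name__ == "__main__":
    print("HTTP :", visible_in_http(HTTP_REQUEST))
    print("HTTPS:", visible_in_https(build_client_hello("en.wikipedia.org")))
```
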


Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-13 Thread Comet styles
China and Iran block https (and WMF thinks https is more secure than
http when it can be EASILY blocked lol) so people in these countries
used wikipedia on http, so some here think that these countries are
spying on them by forcing them to use http, but that https block in
these countries was NOT to target wikipedia, it was to target social
networking sites and American-based email sites like yahoo and gmail
etc..but now by moving to HTTPS, we have now become a target for those
countries..well done..and to add to that, people who used
wikipedia in those countries to find the "truth" about what's happening
in their country and other regions can no longer do so since it's
blocked..Well Done again WMF..I asked a few devs on IRC and on the
associated VP thread why this was done and the answer seems to be a
simple way of saying "To protect Americans" ...didn't know Soviet
USA was that bad... really a pathetic move by WMF when this was
previously discussed before and thrown out for the same reasons I
mentioned above..

Someone has to be fired for this.

On 6/14/15, Vira Motorko wrote:
> Have I understood it correctly, that Wikipedia Zero traffic is free
> only while through http, and not https?
>
> --
> *--*
> *Vira Motorko*
> PR manager, Wikimedia Ukraine 
> +380667740499
>
> Are you saving your documents in free formats? ;)
> Help save natural resources – please think twice before printing this
> e-mail or any attachments.
>


-- 
Cometstyles



Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-13 Thread Vira Motorko
Have I understood it correctly, that Wikipedia Zero traffic is free
only while through http, and not https?

-- 
*--*
*Vira Motorko*
PR manager, Wikimedia Ukraine 
+380667740499

Are you saving your documents in free formats? ;)
Help save natural resources – please think twice before printing this
e-mail or any attachments.



Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-13 Thread geni
On 12 June 2015 at 22:08, David Gerard wrote:

> Excellent news!
>
> So how are we dealing with the Iran and China issue?
>

Well the introduction appears to have been timed for one of those periods
where we are completely blocked in china anyway.


-- 
geni


Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-13 Thread Lodewijk
Hi Juliet,

Your blog post states "this change could affect access for some Wikimedia
traffic in certain parts of the world" - which makes some alarm bells go
off.

Could you clarify in what kind of cases it would 'affect' and in what way?
It's quite different whether a few dozen people have to wait for their
connection a few ms longer, or whether whole countries are basically locked
out because they can't (or won't) access through https.

Also, it is unclear to me whether it is 'https by default but you can still
access through https' or 'https or nothing'. The blogpost is not clear to
me on this, but maybe I'm overlooking something, or not well versed enough
in the concept.

Hope you can clarify. Thanks!

Lodewijk

On Fri, Jun 12, 2015 at 10:22 PM, Juliet Barbara wrote:

> The Wikimedia Foundation is pleased to announce that we have begun the
> transition of the Wikimedia projects and sites to the secure HTTPS
> protocol. You may have seen our blog post from this morning; it has also
> been posted to relevant Village Pumps (Technical).
>
> This post is available online here:
> https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/
>
> Securing access to Wikimedia sites with HTTPS
>
> BY YANA WELINDER, VICTORIA BARANETSKY AND BRANDON BLACK ON JUNE 12TH
>
>
> To be truly free, access to knowledge must be secure and uncensored. At the
> Wikimedia Foundation, we believe that you should be able to use Wikipedia
> and the Wikimedia sites without sacrificing privacy or safety.
>
> Today, we’re happy to announce that we are in the process of implementing
> HTTPS to encrypt all Wikimedia traffic. We will also use HTTP Strict
> Transport Security (HSTS) to
> protect against efforts to ‘break’ HTTPS and intercept traffic. With this
> change, the nearly half a billion people who rely on Wikipedia and its
> sister projects every month will be able to share in the world’s knowledge
> more securely.
>
> The HTTPS protocol creates an encrypted connection between your computer
> and Wikimedia sites to ensure the security and integrity of data you
> transmit. Encryption makes it more difficult for governments and other
> third parties to monitor your traffic. It also makes it harder for Internet
> Service Providers (ISPs) to censor access to specific Wikipedia articles
> and other information.
>
> HTTPS is not new to Wikimedia sites. Since 2011, we have been working on
> establishing the infrastructure and technical requirements, and
> understanding the policy and community implications of HTTPS for all
> Wikimedia traffic, with the ultimate goal of making it available to all
> users. In fact, for the past four years
> <https://blog.wikimedia.org/2011/10/03/native-https-support-enabled-for-all-wikimedia-foundation-wikis/>,
> Wikimedia users could access our sites with HTTPS manually, through HTTPS
> Everywhere, and when directed to our sites from major search engines.
> Additionally, all logged in users
> <https://blog.wikimedia.org/2013/08/28/https-default-logged-in-users-wikimedia-sites/>
> have been accessing via HTTPS since 2013.
>
> Over the last few years, increasing concerns about government surveillance
> prompted members of the Wikimedia community to push
> for more broad protection through HTTPS. We agreed, and made this
> transition a priority for our policy and engineering teams.
>
>
> We believe encryption makes the web stronger for everyone. In a world where
> mass surveillance has become a serious threat to intellectual freedom,
> secure connections are essential for protecting users around the world.
> Without encryption, governments can more easily surveil sensitive
> information, creating a chilling effect, and deterring participation, or in
> extreme cases they can isolate or discipline citizens. Accounts may also be
> hijacked, pages may be censored, other security flaws could expose
> sensitive user information and communications. Because of these
> circumstances, we believe that the time for HTTPS for all Wikimedia traffic
> is now. We encourage others to join us as we move forward with this
> commitment.
>
> The technical challenges of migrating to HTTPS
>
> HTTPS migration for one of the world’s most popular websites can be
> complicated. For us, this process began years ago and involved teams from
> across the Wikimedia Foundation. Our engineering team has been driving this
> transition, working hard to improve our sites’ HTTPS performance, prepare
> our infrastructure to handle the transition, and ultimately manage the
> implementation.
>
> Our first steps involved improving our infrastructu

[Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-12 Thread Brian Wolff
>To be truly free, access to knowledge must be secure and uncensored. At the
>Wikimedia Foundation, we believe that you should be able to use Wikipedia
>and the Wikimedia sites without sacrificing privacy or safety.
>
>Today, we’re happy to announce that we are in the process of implementing
>HTTPS to encrypt all Wikimedia traffic. We will also use HTTP Strict
>Transport Security (HSTS) to
>protect against efforts to ‘break’ HTTPS and intercept traffic. With this
>change, the nearly half a billion people who rely on Wikipedia and its
>sister projects every month will be able to share in the world’s knowledge
>more securely.

Well this is a great move, and I applaud it (About time :), until such
a time as IPSec is fully deployed, isn't that a little misleading as
to the actual security afforded by this change? There is quite a lot
of evidence that the NSA is slurping up data from unsecured inter data
centre links of other people [1], seems unlikely that they are
ignoring us.

I also think we should have a more balanced position on how much
privacy TLS actually provides in the context of Wikipedia, so that
users can be properly informed. Sure, TLS is a step in the right
direction, probably stops most less well funded adversaries, but it's
not a panacea. In the case of Wikipedia, the content of every page is
not static, but it is totally public, so Wikipedia is probably the
ideal target of traffic analysis type attacks against SSL. That sort
of thing is almost certainly more expensive than just grepping
packets, but surely seems to be within the budget of the NSA to do,
even in a bulk manner (Assuming that non-targeted surveillance by a
state level adversary is the unspoken threat model we're trying to
defend against).

--
bawolff

[1] https://en.wikipedia.org/wiki/Muscular_%28surveillance_program%29



Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-12 Thread John
This reminds me of the VE rollout debacle

On Friday, June 12, 2015, John wrote:

> Comets, I can answer that. From the dev who switched HTTPS on during prime
> usage times, complained about working 60+ hours this week, then left for
> the day.
>
> I get the impression that the WMF doesn't give a shit about those users
> who choose to opt-out of HTTPS for one reason or another. It's basically
> you're now screwed, it works for us so figure it out without us.
>
> On Friday, June 12, 2015, Comet styles wrote:
>
>> Congrats, you just made internet shitty for all 3rd world countries
>> and did you people even bother to find out how it will affect users in
>> China or Iran where HTTPS is BANNED?.
>>
>> On 6/13/15, Tito Dutta  wrote:
>> > Great job. :)
>> > Thanks for informing
>> > [PS. to members, you may read the WP:VPT
>> > <
>> https://en.wikipedia.org/wiki/Wikipedia:Village_pump_%28technical%29#HTTPS_by_default
>> >
>> > discussion too]
>> >
>> > On 13 June 2015 at 03:05, Habib M'henni  wrote:
>> >
>> >> This is really fantastic.
>> >>
>> >> Thanks,
>> >>
>> >> Habib

Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-12 Thread John
Comets, I can answer that. From the dev who switched HTTPS on during prime
usage times, complained about working 60+ hours this week, then left for
the day.

I get the impression that the WMF doesn't give a shit about those users who
choose to opt out of HTTPS for one reason or another. It's basically you're
now screwed, it works for us so figure it out without us.

On Friday, June 12, 2015, Comet styles wrote:

> Congrats, you just made internet shitty for all 3rd world countries
> and did you people even bother to find out how it will affect users in
> China or Iran where HTTPS is BANNED?
>
> On 6/13/15, Tito Dutta wrote:
> > Great job. :)
> > Thanks for informing
> > [PS. to members, you may read the WP:VPT
> > <https://en.wikipedia.org/wiki/Wikipedia:Village_pump_%28technical%29#HTTPS_by_default>
> > discussion too]
> >
> > On 13 June 2015 at 03:05, Habib M'henni wrote:
> >
> >> This is really fantastic.
> >>
> >> Thanks,
> >>
> >> Habib
> >>
> >> On 12 June 2015 21:22:26 CET, Juliet Barbara wrote:
> >> >The Wikimedia Foundation is pleased to announce that we have begun the
> >> >transition of the Wikimedia projects and sites to the secure HTTPS
> >> >protocol. You may have seen our blog post from this morning; it has also
> >> >been posted to relevant Village Pumps (Technical).
> >> >
> >> >This post is available online here:
> >> >https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/

Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-12 Thread Comet styles
Congrats, you just made internet shitty for all 3rd world countries
and did you people even bother to find out how it will affect users in
China or Iran where HTTPS is BANNED?

On 6/13/15, Tito Dutta wrote:
> Great job. :)
> Thanks for informing
> [PS. to members, you may read the WP:VPT
> <https://en.wikipedia.org/wiki/Wikipedia:Village_pump_%28technical%29#HTTPS_by_default>
> discussion too]
>
> On 13 June 2015 at 03:05, Habib M'henni wrote:
>
>> This is really fantastic.
>>
>> Thanks,
>>
>> Habib
>>
>> On 12 June 2015 21:22:26 CET, Juliet Barbara wrote:
>> >The Wikimedia Foundation is pleased to announce that we have begun the
>> >transition of the Wikimedia projects and sites to the secure HTTPS
>> >protocol. You may have seen our blog post from this morning; it has also
>> >been posted to relevant Village Pumps (Technical).
>> >
>> >This post is available online here:
>> >https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/

Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-12 Thread Tito Dutta
Great job. :)
Thanks for informing
[PS. to members, you may read the WP:VPT
<https://en.wikipedia.org/wiki/Wikipedia:Village_pump_%28technical%29#HTTPS_by_default>
discussion too]

On 13 June 2015 at 03:05, Habib M'henni wrote:

> This is really fantastic.
>
> Thanks,
>
> Habib
>
> On 12 June 2015 21:22:26 CET, Juliet Barbara wrote:
> >The Wikimedia Foundation is pleased to announce that we have begun the
> >transition of the Wikimedia projects and sites to the secure HTTPS
> >protocol. You may have seen our blog post from this morning; it has also
> >been posted to relevant Village Pumps (Technical).
> >
> >This post is available online here:
> >https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/

Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-12 Thread Habib M'henni
This is really fantastic. 

Thanks,

Habib

On 12 June 2015 21:22:26 CET, Juliet Barbara wrote:
>The Wikimedia Foundation is pleased to announce that we have begun the
>transition of the Wikimedia projects and sites to the secure HTTPS
>protocol. You may have seen our blog post from this morning; it has also
>been posted to relevant Village Pumps (Technical).
>
>This post is available online here:
>https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/

Re: [Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-12 Thread David Gerard
On 12 June 2015 at 21:22, Juliet Barbara wrote:

> The Wikimedia Foundation is pleased to announce that we have begun the
> transition of the Wikimedia projects and sites to the secure HTTPS
> protocol. You may have seen our blog post from this morning; it has also
> been posted to relevant Village Pumps (Technical).


Excellent news!

So how are we dealing with the Iran and China issue?


- d.


[Wikimedia-l] [Wikimedia Announcements] Securing access to Wikimedia sites with HTTPS

2015-06-12 Thread Juliet Barbara
The Wikimedia Foundation is pleased to announce that we have begun the
transition of the Wikimedia projects and sites to the secure HTTPS
protocol. You may have seen our blog post from this morning; it has also
been posted to relevant Village Pumps (Technical).

This post is available online here:
https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/

Securing access to Wikimedia sites with HTTPS

BY YANA WELINDER, VICTORIA BARANETSKY AND BRANDON BLACK ON JUNE 12TH


To be truly free, access to knowledge must be secure and uncensored. At the
Wikimedia Foundation, we believe that you should be able to use Wikipedia
and the Wikimedia sites without sacrificing privacy or safety.

Today, we’re happy to announce that we are in the process of implementing
HTTPS to encrypt all Wikimedia traffic. We will also use HTTP Strict
Transport Security (HSTS) to protect against efforts to ‘break’ HTTPS and
intercept traffic. With this change, the nearly half a billion people who
rely on Wikipedia and its sister projects every month will be able to share
in the world’s knowledge more securely.

The HTTPS protocol creates an encrypted connection between your computer
and Wikimedia sites to ensure the security and integrity of data you
transmit. Encryption makes it more difficult for governments and other
third parties to monitor your traffic. It also makes it harder for Internet
Service Providers (ISPs) to censor access to specific Wikipedia articles
and other information.

HTTPS is not new to Wikimedia sites. Since 2011, we have been working on
establishing the infrastructure and technical requirements, and
understanding the policy and community implications of HTTPS for all
Wikimedia traffic, with the ultimate goal of making it available to all
users. In fact, for the past four years
<https://blog.wikimedia.org/2011/10/03/native-https-support-enabled-for-all-wikimedia-foundation-wikis/>,
Wikimedia users could access our sites with HTTPS manually, through HTTPS
Everywhere, and when directed to our sites from major search engines.
Additionally, all logged in users
<https://blog.wikimedia.org/2013/08/28/https-default-logged-in-users-wikimedia-sites/>
have been accessing via HTTPS since 2013.

Over the last few years, increasing concerns about government surveillance
prompted members of the Wikimedia community to push
<https://blog.wikimedia.org/2013/08/01/future-https-wikimedia-projects/>
for more broad protection through HTTPS. We agreed, and made this
transition a priority for our policy and engineering teams.


We believe encryption makes the web stronger for everyone. In a world where
mass surveillance has become a serious threat to intellectual freedom,
secure connections are essential for protecting users around the world.
Without encryption, governments can more easily surveil sensitive
information, creating a chilling effect, and deterring participation, or in
extreme cases they can isolate or discipline citizens. Accounts may also be
hijacked, pages may be censored, other security flaws could expose
sensitive user information and communications. Because of these
circumstances, we believe that the time for HTTPS for all Wikimedia traffic
is now. We encourage others to join us as we move forward with this
commitment.

The technical challenges of migrating to HTTPS

HTTPS migration for one of the world’s most popular websites can be
complicated. For us, this process began years ago and involved teams from
across the Wikimedia Foundation. Our engineering team has been driving this
transition, working hard to improve our sites’ HTTPS performance, prepare
our infrastructure to handle the transition, and ultimately manage the
implementation.

Our first steps involved improving our infrastructure and code base so we
could support HTTPS. We also significantly expanded and updated our server
hardware. Since we don’t employ third party content delivery systems, we
had to manage this process for our entire infrastructure stack in-house.

HTTPS may also have performance implications for users, particularly our
many users accessing Wikimedia sites from countries or networks with poor
technical infrastructure. We’ve been carefully calibrating our HTTPS
configuration to minimize negative impacts related to latency, page load
times, and user experience. This was an iterative process that relied on
industry standards, a large amount of testing, and our own experience
running the Wikimedia sites.

Throughout this process, we have carefully considered how HTTPS affects all
of our users. People around the world access Wikimedia sites from a
diversity of devices, with varying levels of connectivity and freedom of
information. Al