https://bugzilla.wikimedia.org/show_bug.cgi?id=38516

Roan Kattouw <roan.katt...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |roan.katt...@gmail.com

--- Comment #4 from Roan Kattouw <roan.katt...@gmail.com> 2012-07-20 22:05:46 UTC ---
(In reply to comment #3)
> We can turn it on by default for logged-in users right now. We can easily
> handle that load.
> 
You should realize that that means that once a browser is used by a logged-in
user *once*, it will use HTTPS for *everyone* *forever* (really until the STS
header expires, usually that's a year), even if they're not logged in. So in
practice that means that every shared computer (libraries, internet cafes) in
the world is gonna be hitting us exclusively via HTTPS within a few days of
deploying this change.

This is not necessarily a huge problem, but I just wanted to point this out.

Also, STS forbids accepting invalid certs, and we're currently serving wrong
certs for domains like wikipedia.com and wikidata.org; essentially all the misc
domains we have are sent to wikimedia-lb, which means they get the
star-wikimedia cert, which is bad. Serving STS for those domains would be
deadly.

> To enable it for all users we'd need to expand the cluster so that every
> squid/varnish node is also an HTTPS node. That would be a requirement for 
> HSTS.
> Indeed HSTS is the last in the chain for this.
> 
Why is Squid/Varnish-side SSL termination required for STS? Why can't we just
scale up our current nginx cluster?

> Also, it isn't necessary for squid/varnish to send these headers. It would
> actually be nice if MediaWiki handled this, since then anyone could enable it.
Yes, MW should send these headers.
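An added illustration, not part of the bug thread, of the browser behaviour the comment describes: a small Python model of one browser profile's HSTS store following RFC 6797. It shows that the policy is per browser rather than per user, lasts max-age seconds (one year in the constructed sample), covers subdomains only with includeSubDomains, and that once a policy is in force a certificate error is a hard failure with no click-through. Host names and header values below are constructed sample data.

```python
class HstsCache:
    """One browser profile's HSTS store (RFC 6797). It is per browser, not per
    user: a policy set during one login applies to everyone on that browser."""

    def __init__(self):
        self._policies = {}  # host -> (expires_at_seconds, include_subdomains)

    def observe_header(self, host, header_value, now):
        """Record an STS header `host` sent over an error-free HTTPS connection."""
        max_age, include_subdomains = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return False  # max-age is mandatory; a header without it is ignored
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 tells the browser to forget
        else:
            self._policies[host] = (now + max_age, include_subdomains)
        return True

    def policy_for(self, host, now):
        """Find the policy covering `host`: the host itself, or an ancestor
        domain whose policy carries includeSubDomains. Expired entries are dropped."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_subdomains = policy
            if expires_at <= now:
                del self._policies[candidate]
                continue
            if i == 0 or include_subdomains:
                return policy
        return None

    def decide(self, host, now, cert_valid):
        """Outcome of a plain http:// request for `host`: upgraded to HTTPS when a
        policy is in force, and a bad certificate is then fatal (RFC 6797, 12.1)."""
        if self.policy_for(host, now) is None:
            return "http"
        return "https" if cert_valid else "hard-fail"
```

The "hard-fail" branch is the case the comment warns about: a domain that is served the wrong certificate becomes unreachable for every user of that browser for the whole max-age once STS has been seen for it.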


_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
