Hi Juliet, Your blog post states "this change could affect access for some Wikimedia traffic in certain parts of the world" - which makes some alarm bells go off.
Could you clarify in what kind of cases it would 'affect' and in what way? It's quite different whether a few dozen people have to wait for their connection a few ms longer, or whether whole countries are basically locked out because they can't (or won't) access through https. Also, it is unclear to me whether it is 'https by default but you can still access through https' or 'https or nothing'. The blogpost is not clear to me on this, but maybe I'm overlooking something, or not well versed enough in the concept. Hope you can clarify. Thanks! Lodewijk On Fri, Jun 12, 2015 at 10:22 PM, Juliet Barbara <jbarb...@wikimedia.org> wrote: > The Wikimedia Foundation is pleased to announce that we have begun the > transition of the Wikimedia projects and sites to the secure HTTPS > protocol. You may have seen our blog post from this morning; it has also > been posted to relevant Village Pumps (Technical). > > This post is available online here: > https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/ > > Securing access to Wikimedia sites with HTTPS > > BY YANA WELINDER <https://blog.wikimedia.org/author/ywelinder/>, VICTORIA > BARANETSKY <https://blog.wikimedia.org/author/victoria-baranetsky/> AND > BRANDON > BLACK <https://blog.wikimedia.org/author/brandon-black/> ON JUNE 12TH > > > To be truly free, access to knowledge must be secure and uncensored. At the > Wikimedia Foundation, we believe that you should be able to use Wikipedia > and the Wikimedia sites without sacrificing privacy or safety. > > Today, we’re happy to announce that we are in the process of implementing > HTTPS <https://en.wikipedia.org/wiki/HTTPS> to encrypt all Wikimedia > traffic. We will also use HTTP Strict Transport Security > <https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security> (HSTS) to > protect against efforts to ‘break’ HTTPS and intercept traffic. With this > change, the nearly half a billion people who rely on Wikipedia and its > sister projects every month will be able to share in the world’s knowledge > more securely. > > The HTTPS protocol creates an encrypted connection between your computer > and Wikimedia sites to ensure the security and integrity of data you > transmit. Encryption makes it more difficult for governments and other > third parties to monitor your traffic. It also makes it harder for Internet > Service Providers (ISPs) to censor access to specific Wikipedia articles > and other information. > > HTTPS is not new to Wikimedia sites. Since 2011, we have been working on > establishing the infrastructure and technical requirements, and > understanding the policy and community implications of HTTPS for all > Wikimedia traffic, with the ultimate goal of making it available to all > users. In fact, for the past four years > < > https://blog.wikimedia.org/2011/10/03/native-https-support-enabled-for-all-wikimedia-foundation-wikis/ > >, > Wikimedia users could access our sites with HTTPS manually, through HTTPS > Everywhere <https://www.eff.org/https-everywhere>, and when directed to > our > sites from major search engines. Additionally, all logged in users > < > https://blog.wikimedia.org/2013/08/28/https-default-logged-in-users-wikimedia-sites/ > > > have been accessing via HTTPS since 2013. > > Over the last few years, increasing concerns about government surveillance > prompted members of the Wikimedia community to push > <https://blog.wikimedia.org/2013/08/01/future-https-wikimedia-projects/> > for more broad protection through HTTPS. We agreed, and made this > transition a priority for our policy and engineering teams. > > > We believe encryption makes the web stronger for everyone. In a world where > mass surveillance has become a serious threat to intellectual freedom, > secure connections are essential for protecting users around the world. > Without encryption, governments can more easily surveil sensitive > information, creating a chilling effect, and deterring participation, or in > extreme cases they can isolate or discipline citizens. Accounts may also be > hijacked, pages may be censored, other security flaws could expose > sensitive user information and communications. Because of these > circumstances, we believe that the time for HTTPS for all Wikimedia traffic > is now. We encourage others to join us as we move forward with this > commitment. > > The technical challenges of migrating to HTTPS > > HTTPS migration for one of the world’s most popular websites can be > complicated. For us, this process began years ago and involved teams from > across the Wikimedia Foundation. Our engineering team has been driving this > transition, working hard to improve our sites’ HTTPS performance, prepare > our infrastructure to handle the transition, and ultimately manage the > implementation. > > Our first steps involved improving our infrastructure and code base so we > could support HTTPS. We also significantly expanded and updated our server > hardware. Since we don’t employ third party content delivery systems, we > had to manage this process for our entire infrastructure stack in-house. > > HTTPS may also have performance implications for users, particularly our > many users accessing Wikimedia sites from countries or networks with poor > technical infrastructure. We’ve been carefully calibrating our HTTPS > configuration to minimize negative impacts related to latency, page load > times, and user experience. This was an iterative process that relied on > industry standards, a large amount of testing, and our own experience > running the Wikimedia sites. > > Throughout this process, we have carefully considered how HTTPS affects all > of our users. People around the world access Wikimedia sites from a > diversity of devices, with varying levels of connectivity and freedom of > information. Although we have optimized the experience as much as possible > with this challenge in mind, this change could affect access for some > Wikimedia traffic in certain parts of the world. > > In the last year leading up to this roll-out, we’ve ramped up our testing > and optimization efforts to make sure our sites and infrastructure can > support this migration. Our focus is now on completing the implementation > of HTTPS and HSTS for all Wikimedia sites. We look forward to sharing a > more detailed account of this unique engineering accomplishment once we’re > through the full transition. > > Today, we are happy to start the final steps of this transition, and we > expect completion within a couple of weeks. > > Yana Welinder <https://wikimediafoundation.org/wiki/User:YWelinder_(WMF)>, > Senior Legal Counsel, Wikimedia Foundation > > Victoria Baranetsky > <https://wikimediafoundation.org/wiki/User:VBaranetsky_(WMF)>, Legal > Counsel, Wikimedia Foundation > > Brandon Black <https://en.wikipedia.org/wiki/User:BBlack_(WMF)>, > Operations > Engineer, Wikimedia Foundation > > > -- > *Juliet Barbara* > Senior Communications Manager I Wikimedia Foundation > 149 New Montgomery Street I San Francisco, CA 94105 > jbarb...@wikimedia.org I +1 (512) 750-5677 > > _______________________________________________ > Please note: all replies sent to this mailing list will be immediately > directed to Wikimedia-l, the public mailing list of the Wikimedia > community. For more information about Wikimedia-l: > https://lists.wikimedia.org/mailman/listinfo/wikimedia-l > _______________________________________________ > WikimediaAnnounce-l mailing list > wikimediaannounc...@lists.wikimedia.org > https://lists.wikimedia.org/mailman/listinfo/wikimediaannounce-l > > _______________________________________________ > Wikimedia-l mailing list, guidelines at: > https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines > Wikimedia-l@lists.wikimedia.org > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, > <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe> > _______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>
