----- Original Message -----
From: "River Tarnell" <r.tarnell(a)IEEE.ORG>
In article <18849937.7157.1297583642909.JavaMail.root(a)benjamin.baylink.com>,
Jay Ashworth <jra(a)baylink.com> wrote:
> Yeah, secure.wikimedia.org's URL scheme isn't really friendly
> to outsiders. Historically, this is because SSL certificates are
> expensive, and there just wasn't enough money in the budget
> to get more of them for the top-level domains. Maybe this isn't
> the case anymore.
Is that in fact the root cause, Chad? I assumed, myself, that it's
because of the squid architecture.
LVS is in front of Squid, so it would be fairly simple to send SSL
traffic (port 443) to a different machine; which is how secure.wm.o
works now, except that instead of using LVS, it requires a different
hostname.

Got it.

However, I think the idea is not to start allowing
https://en.wikipedia.org URLs until there's a better SSL infrastructure
which can handle the extra load an easy-to-use, widely advertised SSL
gateway is likely to create. secure.wm.o is currently a single machine
and sometimes falls over, e.g. when Squid breaks for some reason and
people notice that secure still works.
You did get the "EFF is pushing a Firefox plugin that has a rule that
redirects all WP accesses to the secure site" part of that report, though,
right? This curve has probably already started to ramp; now might be a
good time for someone ops-y to be thinking about this.
Cheers,
-- jra