On 08/17/2013 06:47 AM, Faidon Liambotis wrote:
On Fri, Aug 16, 2013 at 08:04:24PM -0400, Zack Weinberg wrote:
Hi, I'm a grad student at CMU studying network security in general
and censorship / surveillance resistance in particular. I also used
to work for Mozilla, some of you may remember me in that capacity. My
friend Sumana Harihareswara asked me to comment on Wikimedia's plans
for hardening the encyclopedia against state surveillance.
<snip>
First of all, thanks for your input. It's much appreciated. As I'm sure
Sumanah has already mentioned, all of our infrastructure is being
developed in the open using free software and we'd also be very happy to
accept contributions in code/infrastructure-as-code as well.
That being said, literally everything in your mail has already been
considered and discussed multiple times :), plus a few others you didn't
mention (GCM ciphers, OCSP stapling, SNI & split certificates,
short-lived certificates, ECDSA certificates). A few have been
discussed on wikitech, others are under internal discussion &
investigation by some of us with findings to be posted here too when we
have something concrete.
I don't mean this to sound rude, but I think you may be oversimplifying
the situation quite a bit.
Thanks to both of you, and to everyone on these threads, for thinking
about and working on these issues. I apologize for not quite briefing
Zack enough before asking him to share his thoughts -- I presumed that
https://blog.wikimedia.org/2013/08/01/future-https-wikimedia-projects/ ,
http://www.gossamer-threads.com/lists/wiki/wikitech/378169 and
http://www.gossamer-threads.com/lists/wiki/wikitech/378940 , and the
"NSA" and "Disinformation regarding perfect forward secrecy for HTTPS"
threads in
http://lists.wikimedia.org/pipermail/wikimedia-l/2013-August/thread.html
would be enough for him to get started with. I probably should have
done more research.
We'll keep wikitech -and blog, where appropriate- up to date with our
plans as these evolve.
I suggest that we also update either
https://meta.wikimedia.org/wiki/HTTPS or a hub page on
http://wikitech.wikimedia.org/ or
https://www.mediawiki.org/wiki/Security_auditing_and_response with
up-to-date plans, to make it easier for experts inside and outside the
Wikimedia community to get up to speed and contribute. For topics under
internal discussion and investigation, I would love a simple bullet
point saying: "we're thinking about that, sorry nothing public or
concrete yet, contact $person if you have experience to share."
In the meantime, feel free to dive into our puppet
repository and see our setup and make your suggestions :)
You can browse that repository at
https://git.wikimedia.org/summary/?r=operations/puppet.git and you can
learn how to contribute a patch at
https://wikitech.wikimedia.org/wiki/Puppet_coding (using Git and Gerrit
the way we do per
https://www.mediawiki.org/wiki/Gerrit/Tutorial ).
Best,
Faidon
(wmf ops)
Thanks again!
--
Sumana Harihareswara
Engineering Community Manager
Wikimedia Foundation