On Wed, Jun 21, 2017 at 11:46:11PM +0100, Alec Muffett wrote:
Request: whilst we're here, I would be delighted to see/plagiarise the cipher suites that Wikipedia uses - could you point me at them, please?
Cipher suites can be found here: https://phabricator.wikimedia.org/source/operations-puppet/browse/production...
The "type" argument specifies, essentially, the compatibility level, which depends on the endpoint we're securing -- we can be more aggressive for e.g. developer tools, where we don't expect old browsers or operating systems. For the main websites, the level right now is "compat". The list of ciphers is constantly evolving, as old browsers drop below certain thresholds and become unsupported. For example, there is work underway to phase out DES-CBC3-SHA, breaking IE8-on-Windows-XP, cf. https://phabricator.wikimedia.org/T147199.
The rest of the HTTPS nginx config can be found at: https://phabricator.wikimedia.org/source/operations-puppet/browse/production...
(note that wikimedia-l attracts a wider audience, not just engineers, so the above may be something that's not to everyone's interest here; wikitech-l would probably be more appropriate if you have further questions or input around technical matters :)
Allowing edits over Tor is not the kind of decision the Foundation can unilaterally make, while setting up the Onion service would be something that the Foundation would do, since it would just be part of our infrastructure and thus our mandate.
Understood. Is it safe to extrapolate this to (say) Wikibooks, also?
Are they likewise geographically distinct?
It would be and yes, typically each language/project combination (but note: language, not geography) operates separately/independently. There is https://meta.wikimedia.org/ for broader/global community decisions, though. Plus a few other exceptions, too :)
Best,
Faidon

--
Faidon Liambotis
Principal Engineer, Technical Operations
Wikimedia Foundation