On Wed, Jun 21, 2017 at 11:46:11PM +0100, Alec Muffett wrote:
Request: whist we're here, I would be delighted to
see/plagiarise the
cipher suites that Wikipedia uses - could you point me at them, please?
Cipher suites can be found here:
https://phabricator.wikimedia.org/source/operations-puppet/browse/productio…
The "type" argument specifies, essentially, the compatibility level
depends on the endpoint we're securing -- we can be more aggressive for
e.g. developer tools, where we don't expect old browsers or operating
systems. For the main websites, the level right now is "compat". The
list of ciphers is constantly evolving, as old browsers drop below
certain thresholds and become unsupported. For example, there is work
underway to phase out DES-CBC3-SHA, breaking IE8-on-Windows-XP, cf.
https://phabricator.wikimedia.org/T147199.
The rest of the HTTPS nginx config can be found at:
https://phabricator.wikimedia.org/source/operations-puppet/browse/productio…
(note that wikimedia-l attracts a wider audience, not just engineers, so
the above may be something that's not to everyone's interest here;
wikitech-l would probably be more appropriate if you have further
questions or input around technical matters :)
Allowing edits
over Tor is not the kind of decision the Foundation
can unilaterally make, while setting up the Onion service would be
something that the Foundation would do, since it would just be part
of our infrastructure and thus our mandate.
Understood. Is it safe to extrapolate this to (say) Wikibooks, also?
Are they likewise geographically distinct?
It would be and yes, typically each language/project combination (but
note: language, not geography) operate separately/independently. There
is
https://meta.wikimedia.org/ for broader/global community decisions,
though. Plus a few other exceptions, too :)
Best,
Faidon
--
Faidon Liambotis
Principal Engineer, Technical Operations
Wikimedia Foundation