Great to hear!
I have one caveat with it though - if I understand it correctly, it is currently in a man-in-the-middle position between the visitor and WMF, as it provides its own self-signed https certificate and performs various URL rewriting on the traffic to change the URLs to the onion domain.
Isn't it more secure, then, to just use Tor to access the main (clearnet) Wikipedia, since it enforces correct HTTPS?
Using Tor <-> clearnet WMF (HTTPS) still provides: 1) censorship circumvention; 2) location anonymity; 3) opaque encryption between the visitor and the WMF;
The #3 is missing if the onion service is not operated by the WMF itself.
Please correct me if I'm wrong.
I do think it's very good that such effort is taking place - but we need to make sure there's no weak points security-wise that aren't communicated prominently enough to the users.
Best, Yury.
wikimedia-l-request@lists.wikimedia.org writes:
Date: Fri, 24 Nov 2017 09:35:24 +0100 From: Dariusz Jemielniak darekj@alk.edu.pl To: Wikimedia Mailing List wikimedia-l@lists.wikimedia.org Subject: Re: [Wikimedia-l] Experimental onion service for all Wikimedia projects set up by Alec Muffett Message-ID: CADeSpGX2kE6tesoNUpAYCFHO3yU3QZ205hm5d+G=8jVihyVkAQ@mail.gmail.com Content-Type: text/plain; charset="UTF-8"
Excellent! Still, as I argued before, I believe that a solution we could use is defaulting to Tor channeling in our mobile app. Facebook offers it as an option in partnership with Orbot - I believe we should do the same, but default to it (so that people cannot be held responsible for making a choice). For unlogged Wikipedia reading this solution is practically transparent for users.
I've recently contacted the WMF with Orbot people and hope that at least we can evaluate this approach as a possibility.
best,
Dariusz Jemielniak "pundit"