Hi all,
I wanted to share a clarifying email from Ryan Lane in WMF Ops. He's
working through the challenges of HTTPS from the Foundation's end.
Please see below for more details:
-Matthew
On Fri, Jun 7, 2013 at 2:31 PM, Ryan Lane <rlane(a)wikimedia.org> wrote:
How does it impact people? Short answer: it shouldn't. Long answer: It may
make the site slightly slower due to increased network latency, and it is
slightly more computationally expensive, which may make the site slower on
computers that are underpowered.
How does it impact the WMF? It depends. For enabling it for logged-in
users, or for those that use HTTPS-anywhere? It doesn't affect us, because
that's the state we're in right now. For making HTTPS the default for
anonymous users? We need to change how our infrastructure works. We may
need to buy additional hardware. We definitely need to do some engineering
work.
How does it impact the government's ability to apply censorship? Short
answer: it doesn't. It affects their ability to eavesdrop on people. Long
answer: It depends on how sophisticated the government's censorship program
is. In some countries the government's censorship program can be totally
bypassed using HTTPS. China's program is very sophisticated. The best HTTPS
is going to help the Chinese is to give them a reasonable amount of
protection against eavesdropping. It's still possible for China to
eavesdrop, even when users are using HTTPS, if China has subverted any of
the Certificate Authorities trusted by our browsers.
Are there negative sides of each choice? Yes. Not providing HTTPS means
that users will always be subject to eavesdropping, which in very
authoritative countries could mean they are imprisoned or killed for
reading or editing Wikipedia, depending on what they are reading or
editing. Realistically not making HTTPS the default is similar to not
providing it for all intents and purposes. Search engines will bring people
to the HTTP version of the site, not the HTTPS version so the vast majority
of users will still be able to be eavesdropped on. Making HTTPS the default
also has negatives. A very small minority of users don't have HTTPS
support, or their computers are so old that it makes the site unusably
slow. That's a *very* small percentage of users, though. Additionally, it
makes the site slower for everyone, which may cause a decrease in viewers
and/or editors.
This is likely the most non-technical way I can explain things. I hope it
helps!
On Fri, Jun 7, 2013 at 11:39 AM, Benjamin Chen <bencmqwiki(a)gmail.com> wrote:
On 8 Jun, 2013, at 12:24 AM, Matthew Roth <mroth(a)wikimedia.org> wrote:
We have had contact with the authors of the blog and they have said they
will publish our response to their article, though I'm not sure when or in
what format.
Great. That's a really fast response.
On the issue itself, we haven't seen any large scale blocks for years
(around the time since last time Jimbo visited some Chinese official more
than 4 or 5 years ago I think).
The secure.wikimedia domain was blocked long ago, but they waited till now
to block HTTPS, after 3 years? (I can't remember when it was enabled). I
wonder how long it took for them to realise.
It is suggested that this could be a long term block similar to how
secure.wikimedia was blocked - for HTTPS they have no control over content,
so they are simply blocking it all. For HTTP they are still performing deep
package inspection (means content censoring), so since they can filter what
the Chinese people can see, it's likely that they'll leave HTTP alone.
Regards,
Benjamin Chen / [[User:Bencmq]]
--
Matthew Roth
Global Communications Manager
Wikimedia Foundation
+1.415.839.6885 ext 6635
www.wikimediafoundation.org
*http://blog.wikimedia.org/*