----- Original Message -----
From: "River Tarnell" <r.tarnell@IEEE.ORG>

> In article <18849937.7157.1297583642909.JavaMail.root@benjamin.baylink.com>, Jay Ashworth <jra@baylink.com> wrote:
>>> Yeah, secure.wikimedia.org's URL scheme isn't really friendly to outsiders. Historically, this is because SSL certificates are expensive, and there just wasn't enough money in the budget to get more of them for the top-level domains. Maybe this isn't the case anymore.
>> Is that in fact the root cause, Chad? I assumed, myself, that it's because of the squid architecture.
> LVS is in front of Squid, so it would be fairly simple to send SSL traffic (port 443) to a different machine; which is how secure.wm.o works now, except that instead of using LVS, it requires a different hostname.

Got it.

> However, I think the idea is not to start allowing https://en.wikipedia.org URLs until there's a better SSL infrastructure which can handle the extra load an easy-to-use, widely advertised SSL gateway is likely to create. secure.wm.o is currently a single machine and sometimes falls over, e.g. when Squid breaks for some reason and people notice that secure still works.

You did get the "EFF is pushing a Firefox plugin that has a rule that redirects all WP accesses to the secure site" part of that report, though, right? This curve has probably already started to ramp; now might be a good time for someone ops-y to be thinking about this.
Cheers, -- jra