On Mon, Apr 2, 2012 at 12:33 PM, Tim Starling tstarling@wikimedia.org wrote:
On 02/04/12 06:14, Ryan Lane wrote:
>> TL;DR: we have no plans for anonymous HTTPS by default, but will eventually default to HTTPS for logged-in users.
>> - It would require an SSL terminator on every frontend cache. The SSL terminators eat memory, which is also what the frontend caches do.
> Once we enable it by default for logged-in users, we will care a lot more if someone tries to take it down with a DoS attack. Unless the redirection can be disabled without actually logging in, a DoS attack on the HTTPS frontend would prevent any authenticated activity.
> It suggests a need for a robust, overprovisioned service, with tools and procedures in place for identifying and blocking or throttling malicious traffic.
Indeed. We're already pretty overprovisioned. We have 4 servers per datacenter, each of which is very bored. All they are doing is acting as a transparent proxy after SSL termination. We're using RC4 by default (due to BEAST), and AES is also available (the processors we are using have AES support).
Ideally we'll be using STS for logged-in users. This will mean it's impossible to turn off the redirection for users that have already logged in, for whatever period of time we have STS headers set. We need to consider blocking a DoS from the SSL proxies, the LVS servers, or the routers.
>> - Some countries may completely block HTTPS, but allow HTTP to our sites so that they can track users. Is it better for us to provide them content, or protect their privacy?
>> 4. It's still possible for governments to see that people are going to wikimedia sites when using HTTPS, so it's still possible to oppress people for trying to visit sites that are disallowed.
> It's also possible for governments to snoop on HTTPS communications, by using a private key from a trusted CA to perform a man-in-the-middle attack. Apparently the government of Iran has done this.
We really should publish our certificate fingerprints. An attack like this can be detected. An end-user being attacked can see if the certificate they are being handed is different from the one we advertise. We could also provide a Convergence notary service (or one of the other things like Convergence).
> If we really want to protect the privacy of our users then we should shut down the regular website and serve our content only via a Tor hidden service ;)
I agree that it's impossible to provide total protection of a user's privacy. We could provide a number of services that would help users, though. That said, I don't feel this should be on the top of our priority list.
- Ryan
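The fingerprint check Ryan describes above, written out as an added example (this is not code from the thread or from Wikimedia). The point it demonstrates: a certificate minted with a key from a trusted CA passes ordinary chain validation, so the client has to compare the fingerprint of the leaf certificate it is actually handed against one the site publishes out of band. The DER bytes and the published fingerprint list are constructed stand-ins for the example; the hostname, if you pass one, is whatever server you want to check.

```python
"""Check the certificate a server presents against fingerprints the site
publishes out of band.

Added example, not code from the thread or from Wikimedia. A certificate
minted with a key from a trusted CA passes ordinary chain validation, so
validation alone cannot tell a user they are being intercepted; comparing
the fingerprint of the leaf certificate actually presented with the
fingerprint the site advertises can.
"""
import hashlib
import ssl
import sys
from typing import Iterable, Optional

# Constructed stand-ins for this example: a real DER certificate is 1-2 KB,
# and a real published list would come from the site's own channel (a wiki
# page, DNS, a notary). The fingerprints are the SHA-256 and SHA-1 digests of
# the stand-in bytes, written in the colon-separated form browsers display.
EXAMPLE_DER = b"abc"
PUBLISHED_FINGERPRINTS = [
    "BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
    "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD",
    "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D",
]

# Digest length in hex characters -> hash algorithm, so a published value
# can be matched without a separate "algorithm" field.
_ALGORITHM_BY_LENGTH = {40: "sha1", 64: "sha256"}


def normalize(fingerprint: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex; return lowercase bare hex."""
    cleaned = "".join(ch for ch in fingerprint.lower() if ch in "0123456789abcdef")
    if len(cleaned) not in _ALGORITHM_BY_LENGTH:
        raise ValueError(f"not a SHA-1 or SHA-256 fingerprint: {fingerprint!r}")
    return cleaned


def fingerprint_of(der: bytes, algorithm: str = "sha256") -> str:
    """Fingerprint as browsers define it: a digest over the DER encoding."""
    return hashlib.new(algorithm, der).hexdigest()


def matches_published(der: bytes, published: Iterable[str]) -> Optional[str]:
    """Return the published fingerprint the presented certificate matches, or None.

    A site rotating certificates, or serving different ones per datacenter,
    publishes several; matching any one of them is acceptable.
    """
    for entry in published:
        expected = normalize(entry)
        algorithm = _ALGORITHM_BY_LENGTH[len(expected)]
        if fingerprint_of(der, algorithm) == expected:
            return expected
    return None


def fetch_presented_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate the server presents.

    Deliberately no chain validation: a certificate from a rogue CA would
    pass it, and that is exactly the case this check exists to catch.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Offline demonstration with the constructed stand-in; pass a hostname to
    # check a live server against PUBLISHED_FINGERPRINTS instead.
    der = fetch_presented_der(sys.argv[1]) if len(sys.argv) > 1 else EXAMPLE_DER
    hit = matches_published(der, PUBLISHED_FINGERPRINTS)
    print("OK, matches a published fingerprint" if hit
          else "MISMATCH: presented sha256 " + fingerprint_of(der))
```

The fetch path intentionally skips chain validation, because the attack in question is one where validation succeeds; the check that matters is the comparison, and a mismatch against an up-to-date published list is the signal that the certificate came from somewhere other than the site.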