On Sun, Aug 16, 2015 at 5:20 AM, Faidon Liambotis faidon@wikimedia.org wrote:
For Wikimedia sites, it is now impossible for proxies or firewalls to strip headers, after the switch to HTTPS-only. Was this analysis done before or during the HTTPS-only migration?
The data the 0.1% number is based on was collected from mid-April to this week. There is a chronological breakdown at T507#1530596 https://phabricator.wikimedia.org/T507#1530596.
Some firewalls add themselves as root CA and then do a man-in-the-middle on HTTPS connections; AFAIK we don't do certificate pinning yet.