On Sun, Aug 16, 2015 at 5:20 AM, Faidon Liambotis <faidon(a)wikimedia.org>
wrote:
For Wikimedia sites, it is now impossible for proxies
or firewalls to
strip headers, after the switch to HTTPS-only. Was this analysis done
before or during the HTTPS-only migration?
The data the 0.1% number is based on was collected from mid-April to this
week. There is a chronological breakdown at T507#1530596
<https://phabricator.wikimedia.org/T507#1530596>.
Some firewalls add themselves as root CA and then do a man-in-the-middle on
HTTPS connections; AFAIK we don't do certificate pinning yet.