On 08/17/2013 06:47 AM, Faidon Liambotis wrote:
On Fri, Aug 16, 2013 at 08:04:24PM -0400, Zack Weinberg wrote:
Hi, I'm a grad student at CMU studying network security in general and censorship / surveillance resistance in particular. I also used to work for Mozilla; some of you may remember me in that capacity. My friend Sumana Harihareswara asked me to comment on Wikimedia's plans for hardening the encyclopedia against state surveillance.
<snip>
First of all, thanks for your input. It's much appreciated. As I'm sure Sumanah has already mentioned, all of our infrastructure is being developed in the open using free software and we'd also be very happy to accept contributions in code/infrastructure-as-code as well.
That being said, literally everything in your mail has already been considered and discussed multiple times :), plus a few others you didn't mention (GCM ciphers, OCSP stapling, SNI & split certificates, short-lived certificates, ECDSA certificates). A few have been discussed on wikitech, others are under internal discussion & investigation by some of us with findings to be posted here too when we have something concrete.
I don't mean this to sound rude, but I think you may be oversimplifying the situation quite a bit.
Thanks to both of you, and to everyone on these threads, for thinking about and working on these issues. I apologize for not quite briefing Zack enough before asking him to share his thoughts -- I presumed that https://blog.wikimedia.org/2013/08/01/future-https-wikimedia-projects/ , http://www.gossamer-threads.com/lists/wiki/wikitech/378169 and http://www.gossamer-threads.com/lists/wiki/wikitech/378940 , and the "NSA" and "Disinformation regarding perfect forward secrecy for HTTPS" threads in http://lists.wikimedia.org/pipermail/wikimedia-l/2013-August/thread.html would be enough for him to get started with. I probably should have done more research.
We'll keep wikitech (and blog, where appropriate) up to date with our plans as these evolve.
I suggest that we also update either https://meta.wikimedia.org/wiki/HTTPS or a hub page on http://wikitech.wikimedia.org/ or https://www.mediawiki.org/wiki/Security_auditing_and_response with up-to-date plans, to make it easier for experts inside and outside the Wikimedia community to get up to speed and contribute. For topics under internal discussion and investigation, I would love a simple bullet point saying: "we're thinking about that, sorry nothing public or concrete yet, contact $person if you have experience to share."
In the meantime, feel free to dive into our Puppet repository and see our setup and make your suggestions :)
You can browse that repository at https://git.wikimedia.org/summary/?r=operations/puppet.git and you can learn how to contribute a patch at https://wikitech.wikimedia.org/wiki/Puppet_coding (using Git and Gerrit the way we do per https://www.mediawiki.org/wiki/Gerrit/Tutorial ).
Best, Faidon (wmf ops)
Thanks again!