== HTTPS enabled by default for logged-in users on Wikimedia sites ==
Today, August 28, the Wikimedia Foundation is making a change to the software that powers the Wikimedia projects: By default, all logged-in users will now be using HTTPS to access Wikimedia sites. What this does is encrypt the connection between the Wikimedia servers and the user's browser so that the information sent between the two is not readable by anyone else. This is in response to the recent concerns over the privacy and security of our user community, and we explained the rationale for this change in our post about the future of HTTPS at Wikimedia[0].
=== What this means for you ===
How this works is simple: If a user wants to log in, they will be redirected to use HTTPS for the login, thus keeping their username and password secure. After they are logged in, they stay on the HTTPS version of the Wikimedia site they are using.
=== Excluded Countries ===
Some users live in areas where HTTPS is not an easy option, most times because of explicit blocking by a government. At the request of these communities, we have made an explicit exclusion for users from those affected countries. Simply put, users from China and Iran will not be required to use HTTPS for logging in, nor for viewing any Wikimedia project site.
=== Disabling ===
Are you having a slow or unreliable experience while browsing Wikimedia sites over HTTPS? Then you can turn HTTPS off in your user preferences, under the "User profile" tab: Uncheck "Always use a secure connection when logged in". You will need to log out and log in again for the preference to take effect. But remember, you will still need to log in using the secure HTTPS process.
=== HELP! ===
For further details, please see the HTTPS[1] page on Meta-Wiki, which is available in several languages.
Are you unable to log in and edit a Wikimedia wiki after this change? Please contact the Wikimedia Foundation Operations team via any means you find comfortable, including this blog post's comments section, on IRC in the #wikimedia-operations channel, or via the https@wikimedia.org email address.
Greg Grossmeier
[0] http://blog.wikimedia.org/2013/08/01/future-https-wikimedia-projects/
[1] http://meta.wikimedia.org/wiki/HTTPS
After many months of struggle, WMF takes one big step towards a more secure Wikipedia. Good job everybody!
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com
On Wed, Aug 28, 2013 at 6:11 PM, Greg Grossmeier greg@wikimedia.org wrote:
--
Greg Grossmeier
GPG: B2FA 27B1 F7EB D327 6B8E A18D 1138 8E47 FAC8 1C7D
identi.ca: @greg
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Wed, Aug 28, 2013 at 3:19 PM, Tyler Romeo tylerromeo@gmail.com wrote:
After many months of struggle, WMF takes one big step towards a more secure Wikipedia. Good job everybody!
Agreed - fantastic to see this out the door :-). Thanks to everyone who made it happen.
Erik
Thanks a lot to everybody who made it possible! I find the GeoIP solution quite elegant.
I wrote a script this morning to let anonymous users opt in to being redirected to HTTPS with the same forceHTTPS cookie [1]; such a script could be used to increase the proportion of HTTPS visitors (probably this script should not be used now, before the server load is better known).
[1] https://www.mediawiki.org/wiki/Snippets/forceHTTPS_cookie
Sébastien
On Thu, 29 Aug 2013 00:25:50 +0200, Erik Moeller erik@wikimedia.org wrote:
On Wed, Aug 28, 2013 at 3:19 PM, Tyler Romeo tylerromeo@gmail.com wrote:
After many months of struggle, WMF takes one big step towards a more secure Wikipedia. Good job everybody!
Agreed - fantastic to see this out the door :-). Thanks to everyone who made it happen.
Erik