Hi,
Following last year's Native HTTPS efforts¹, I've pushed a change² today that redirects all the old secure.wikimedia.org URLs to the respective native HTTPS ones, e.g. https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to https://en.wikipedia.org/wiki/Main_Page
The redirects are HTTP temporary redirects (302) for now. I'll soon switch them to permanent (301), please do let me know if you see any breakage in the meantime.
Regards, Faidon
¹: http://blog.wikimedia.org/2011/10/03/native-https-support-enabled-for-all-wi... ²: https://gerrit.wikimedia.org/r/#/c/13429/
Following last year's Native HTTPS efforts¹, I've pushed a change² today that redirects all the old secure.wikimedia.org URLs to the respective native HTTPS ones, e.g. https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to https://en.wikipedia.org/wiki/Main_Page
Does anyone know if EFF's HTTPS Everywhere extension is set up to redirect to secure.wikimedia.org? If so, someone might want to let them know that we've made this change.
I'll volunteer to do so if no one else wishes to.
The redirects are HTTP temporary redirects (302) for now. I'll soon switch them to permanent (301), please do let me know if you see any breakage in the meantime.
On Wed, Nov 14, 2012 at 10:48 AM, Derric Atzrott datzrott@alizeepathology.com wrote:
Following last year's Native HTTPS efforts¹, I've pushed a change² today that redirects all the old secure.wikimedia.org URLs to the respective native HTTPS ones, e.g. https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to https://en.wikipedia.org/wiki/Main_Page
Does anyone know if EFF's HTTPS Everywhere extension is set up to redirect to secure.wikimedia.org? If so, someone might want to let them know that we've made this change.
I'll volunteer to do so if no one else wishes to.
HTTPS Everywhere should've been updated some time ago to use the native https urls.
-Chad
On Wed, Nov 14, 2012 at 01:48:27PM -0500, Derric Atzrott wrote:
Following last year's Native HTTPS efforts¹, I've pushed a change² today that redirects all the old secure.wikimedia.org URLs to the respective native HTTPS ones, e.g. https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to https://en.wikipedia.org/wiki/Main_Page
Does anyone know if EFF's HTTPS Everywhere extension is set up to redirect to secure.wikimedia.org? If so, someone might want to let them know that we've made this change.
I'll volunteer to do so if no one else wishes to.
HTTPS Everywhere is currently set up to redirect using the native HTTPS support (http://en.wp -> https://en.wp); it used to support redirects to secure.wikimedia.org, but Roan Kattouw and Sam Reed updated it quite a while ago. secure.wm.org never supported HTTP and secure.wm.org HTTPS gets redirected by our redirects without any privacy loss, so there's nothing to add to HTTPS Everywhere that I can see.
Thanks for the offer though.
Regards, Faidon
PS. Fun fact: HTTPS Everywhere's git master already has rules for Wikidata & Wikivoyage, thanks to the always awesome Reedy.
Faidon Liambotis wrote:
Following last year's Native HTTPS efforts¹, I've pushed a change² today that redirects all the old secure.wikimedia.org URLs to the respective native HTTPS ones, e.g. https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to https://en.wikipedia.org/wiki/Main_Page
This is great. Thank you for your work on this. :-)
MZMcBride
On 11/14/12 5:56 PM, MZMcBride wrote:
Faidon Liambotis wrote:
Following last year's Native HTTPS efforts¹, I've pushed a change² today that redirects all the old secure.wikimedia.org URLs to the respective native HTTPS ones, e.g. https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to https://en.wikipedia.org/wiki/Main_Page
This is great. Thank you for your work on this. :-)
Cool. Tested and works fine with HTTPS Everywhere. And thanks for all the helpful https work in the past few years!
On Wed, Nov 14, 2012 at 8:25 AM, Faidon Liambotis faidon@wikimedia.orgwrote:
Following last year's Native HTTPS efforts¹, I've pushed a change² today that redirects all the old secure.wikimedia.org URLs to the respective native HTTPS ones, e.g. https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to https://en.wikipedia.org/wiki/Main_Page
Awesome! Another old hack swept away. :D
Do we have a timetable for migrating all login sessions to HTTPS yet? I love that we've got a clean HTTPS option available, but it really skeezes me out that we still allow logins and passwords over plain HTTP.
-- brion
On 16/11/12 22:04, Brion Vibber wrote:
Awesome! Another old hack swept away. :D
Do we have a timetable for migrating all login sessions to HTTPS yet? I love that we've got a clean HTTPS option available, but it really skeezes me out that we still allow logins and passwords over plain HTTP.
We have self-signed certificates, too... (bug 27291).
On Sat, Nov 17, 2012 at 9:32 AM, Platonides Platonides@gmail.com wrote:
On 16/11/12 22:04, Brion Vibber wrote:
Awesome! Another old hack swept away. :D
Do we have a timetable for migrating all login sessions to HTTPS yet? I love that we've got a clean HTTPS option available, but it really skeezes me out that we still allow logins and passwords over plain HTTP.
We have self-signed certificates, too... (bug 27291).
Correction: a self-signed certificate on a portion of our infrastructure we don't want as part of the cluster, where we don't trust our star certificates to live, and where we plan on completely changing how this works, possibly with a different hostname. All of this is mentioned in the bug and none of it has changed. That bug has nothing to do with this discussion.
- Ryan
Le 16/11/12 22:04, Brion Vibber a écrit : <snip>
Do we have a timetable for migrating all login sessions to HTTPS yet? I love that we've got a clean HTTPS option available, but it really skeezes me out that we still allow logins and passwords over plain HTTP.
-- brion
I guess it is all about enabling $wgSecureLogin [1] which would force the login form to use HTTPS for its POST. I speedy hacked it two years ago and Chris Steipp has fixed it a few weeks ago.
Maybe we could enable it on test first and see how it goes?
[1] http://www.mediawiki.org/wiki/Manual:$wgSecureLogin
wgSecureLogin works. I patched the broken version of it not too long ago. Now I'm just waiting on my patch in Gerrit to turn on wgSecureLogin on WMF wikis. On Nov 17, 2012 1:03 PM, "Antoine Musso" hashar+wmf@free.fr wrote:
Le 16/11/12 22:04, Brion Vibber a écrit :
<snip> > Do we have a timetable for migrating all login sessions to HTTPS yet? I > love that we've got a clean HTTPS option available, but it really skeezes > me out that we still allow logins and passwords over plain HTTP. > > -- brion
I guess it is all about enabling $wgSecureLogin [1] which would force the login form to use HTTPS for its POST. I speedy hacked it two years ago and Chris Steipp has fixed it a few weeks ago.
Maybe we could enable it on test first and see how it goes?
[1] http://www.mediawiki.org/wiki/Manual:$wgSecureLogin
-- Antoine "hashar" Musso
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
There is one more bug I'd like to fix before turning wgSecurelogin on.. I'm going to get it into wmf5, and then we can turn it on. On Nov 17, 2012 10:03 AM, "Antoine Musso" hashar+wmf@free.fr wrote:
Le 16/11/12 22:04, Brion Vibber a écrit :
<snip> > Do we have a timetable for migrating all login sessions to HTTPS yet? I > love that we've got a clean HTTPS option available, but it really skeezes > me out that we still allow logins and passwords over plain HTTP. > > -- brion
I guess it is all about enabling $wgSecureLogin [1] which would force the login form to use HTTPS for its POST. I speedy hacked it two years ago and Chris Steipp has fixed it a few weeks ago.
Maybe we could enable it on test first and see how it goes?
[1] http://www.mediawiki.org/wiki/Manual:$wgSecureLogin
-- Antoine "hashar" Musso
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Which bug is that? If there's not a patch I'll work on it ASAP. ;)
*--* *Tyler Romeo* Stevens Institute of Technology, Class of 2015 Major in Computer Science www.whizkidztech.com | tylerromeo@gmail.com
On Sat, Nov 17, 2012 at 2:57 PM, Chris Steipp csteipp@wikimedia.org wrote:
There is one more bug I'd like to fix before turning wgSecurelogin on.. I'm going to get it into wmf5, and then we can turn it on. On Nov 17, 2012 10:03 AM, "Antoine Musso" hashar+wmf@free.fr wrote:
Le 16/11/12 22:04, Brion Vibber a écrit :
<snip> > Do we have a timetable for migrating all login sessions to HTTPS yet? I > love that we've got a clean HTTPS option available, but it really
skeezes
me out that we still allow logins and passwords over plain HTTP.
-- brion
I guess it is all about enabling $wgSecureLogin [1] which would force the login form to use HTTPS for its POST. I speedy hacked it two years ago and Chris Steipp has fixed it a few weeks ago.
Maybe we could enable it on test first and see how it goes?
[1] http://www.mediawiki.org/wiki/Manual:$wgSecureLogin
-- Antoine "hashar" Musso
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
wikitech-l@lists.wikimedia.org