Hello! I recently closed a huge [[w:fa:ویکیپدیا:نظرخواهی برای استفاده از اساسال برای ویکیپدیای فارسی|RfC]] about using SSL in Persian Wikipedia, which is mainly run by Iranian users.
Iran is the number one target in the PRISM surveillance program (further information: https://bit.ly/17N57rx), and a long history of arresting, torturing and murdering internet activists (case in point: [[w:en:Sattar Beheshti|Sattar Beheshti]]) or even family members of internet activists (case in point: Yashar Khameneh) leaves no doubt about the intention of the Iranian government regarding surveillance and control of Iranian people. You can find a very long list at human rights defenders' organizations (breaching the privacy of Iranian people is one of the very few things that both the Iranian and US governments agree on), so we are sure we need to switch to SSL, but using SSL in Iran has its own problems.
Iranian authorities block the SSL IP of some sites that they have blocked in non-SSL mode, whether blocked completely or partially; these sites include Facebook, Twitter, and until recently Wikipedia. Wikipedia is not blocked in Iran, but about 400 articles of Persian Wikipedia (and some other sites like the whole Hebrew Wikipedia) are blocked; to view the complete list of the articles, which are mainly about politics, religion, or sexology, go to [[w:fa:رده:صفحههای فیلترشده در ایران]]. Access to Wikipedia over SSL has been open since August 25.
The speed of the internet in Iran is one of the slowest in the world. That is not a big deal for loading Wikipedia pages, but the variance of internet speed is too high, and we will fail in our main goal of providing free knowledge to people who don't have easy access to knowledge, people like middle or elementary school students who are living in the countryside. The problem of internet access becomes even worse when the government makes internet speed over SSL so low that the time to open a simple page becomes like 4 times higher when people try to use SSL. It's mainly to encourage people not to use SSL, or we can even consider an intention to decrypt SSL data.
The scammed SSL certificates attack (further information: https://bit.ly/1dXl5Ub), which happened two years ago, shows us how much the government desires to control people. Another problem is that sometimes, especially when there is a crisis in politics or in the country in general (which happens three or four times every year), access to any site outside of the HTTP layer is impossible, and all other protocols, even IRC, happen to be blocked out of nowhere.
The community of Persian Wikipedia (readers and writers) is strongly against enforced SSL because of the issues I talked about above, and on the other hand they worry about privacy and not letting governments breach their privacy.
Here are my suggestions and requests, based on what Persian Wikipedia and Iranian Wikimedians in general agree on:

* It's very important to let people choose their protocol. There is consensus that the community agrees on SSL as the default for logged-in users, but they are really insisting on making the protocol an arbitrary option, and it seems it's not enabled in WMF projects except mediawiki.org (in [[m:HTTPS]] you can find the documentation about disabling SSL, but as far as I checked it's not possible and I couldn't find the option in my preferences; maybe it's a bug).
* In order to encourage people to use SSL and increase their safety when editing Wikipedia, we need to speed up the loading of wiki pages. I suggest web designers and other experts come and help optimize Wikipedia, especially the Persian-language projects. We warmly welcome any ideas about increasing safety.
* Because of past experience, the community thinks it's very probable that SSL access to Wikipedia in Iran will be blocked several times; maybe each block won't last more than one week, but it will happen. So we need to be very flexible and fast in cases like this in the future. I hereby ask the people who are in charge of SSL at WMF to be prepared and able to switch from SSL to non-SSL and switch back easily and rapidly in cases of SSL blocking in Iran.
* Lack of documentation on safety issues puts Iranian lives in danger. I can give you an example. Insisting on SSL is good, but because of speed or other issues with SSL, some people use a proxy even when they are using SSL, which is what they do when they want to bypass blocking at the HTTP layer, and the speed of loading increases. It's very dangerous because data will not be encrypted until reception at the proxy computer, and that means easy information for the government with a delusion of safety; SSL in this case becomes harmful, not useful. We need to complete the documentation and let people know about safety.
I'm sending this mail to wikitech-l because I think Iranian people need the help of technical people who can do something about the SSL issue.
Best
I absolutely endorse this request. Forcing SSL was one of the silliest things that could happen. Most Wikimedia developers and technicians are working with the most modern technologies in the world, but I can imagine that in other parts of the world people are working on something that people in modern parts of the world can see only in a museum.
What is actually the point in having SSL enforced? Do you realize that most of the traffic to / from Wikipedia doesn't matter to anyone (hackers / governments / spies)? It's not Facebook, where people collect tons of private content. Wikipedia is meant to share free knowledge, why do we need to encrypt that?
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Tue, 2013-09-10 at 18:04 +0200, Petr Bena wrote:
> I absolutely endorse this request. Forcing SSL was one of the silliest things that could happen. Most Wikimedia developers and technicians are working with the most modern technologies in the world, but I can imagine that in other parts of the world people are working on something that people in modern parts of the world can see only in a museum.
Alright, but are there also any new arguments, compared to your postings in the "Countdown to SSL for all sessions" thread on April 30th?
> What is actually the point in having SSL enforced?
Errm, please check the mailing list archives.
Thanks, andre
On Sep 10, 2013 6:38 PM, "Andre Klapper" aklapper@wikimedia.org wrote:
> On Tue, 2013-09-10 at 18:04 +0200, Petr Bena wrote:
>> I absolutely endorse this request. Forcing SSL was one of the silliest things that could happen. Most Wikimedia developers and technicians are working with the most modern technologies in the world, but I can imagine that in other parts of the world people are working on something that people in modern parts of the world can see only in a museum.
> Alright, but are there also any new arguments, compared to your postings in the "Countdown to SSL for all sessions" thread on April 30th?
>> What is actually the point in having SSL enforced?
> Errm, please check the mailing list archives.
> Thanks, andre
Correct me if I'm wrong, but isn't Iran one of the few countries for which we would disable forced secure login through IP geolocation?
Martijn
> -- Andre Klapper | Wikimedia Bugwrangler http://blogs.gnome.org/aklapper/
I wanted to say the same. SSL wasn't enforced as far as I know.
On 10.09.2013 18:45, Martijn Hoekstra wrote:
> Correct me if I'm wrong, but isn't Iran one of the few countries for which we would disable forced secure login through IP geolocation?
> Martijn
On Tue, Sep 10, 2013 at 9:04 AM, Petr Bena benapetr@gmail.com wrote:
> I absolutely endorse this request. Forcing SSL was one of the silliest things that could happen. Most Wikimedia developers and technicians are working with the most modern technologies in the world, but I can imagine that in other parts of the world people are working on something that people in modern parts of the world can see only in a museum.
> What is actually the point in having SSL enforced? Do you realize that most of the traffic to / from Wikipedia doesn't matter to anyone (hackers / governments / spies)? It's not Facebook, where people collect tons of private content. Wikipedia is meant to share free knowledge, why do we need to encrypt that?
I'll address this first. There are two issues that turning on https for logins solves:

1) People reuse passwords[1]. So sending the cleartext passwords is not good. That is why we enforce https for the actual login page, and the submission of your password, but then have a preference to go back to http.
2) Non-repudiation of edits. If the user is logging in over http, or they use Wikipedia while logged in over http, then it's trivial (e.g., firesheep) for an attacker on the network to make edits on behalf of that user. That's why we default the preference on.
There are plenty of ways that a government-scale attacker can subvert these, but turning on https for the login and logged in users makes it significantly more difficult for the most common attackers.
On Tue, Sep 10, 2013 at 9:49 AM, Amir Ladsgroup ladsgroup@gmail.com wrote:
> Hello! I recently closed a huge [[w:fa:ویکیپدیا:نظرخواهی برای استفاده از اساسال برای ویکیپدیای فارسی|RfC]] about using SSL in Persian Wikipedia, which is mainly run by Iranian users.
First off, huge thanks for running this!
> Iran is the number one target in the PRISM surveillance program (further information: https://bit.ly/17N57rx), and a long history of arresting, torturing and murdering internet activists (case in point: [[w:en:Sattar Beheshti|Sattar Beheshti]]) or even family members of internet activists (case in point: Yashar Khameneh) leaves no doubt about the intention of the Iranian government regarding surveillance and control of Iranian people. You can find a very long list at human rights defenders' organizations (breaching the privacy of Iranian people is one of the very few things that both the Iranian and US governments agree on), so we are sure we need to switch to SSL, but using SSL in Iran has its own problems.
> Iranian authorities block the SSL IP of some sites that they have blocked in non-SSL mode, whether blocked completely or partially; these sites include Facebook, Twitter, and until recently Wikipedia. Wikipedia is not blocked in Iran, but about 400 articles of Persian Wikipedia (and some other sites like the whole Hebrew Wikipedia) are blocked; to view the complete list of the articles, which are mainly about politics, religion, or sexology, go to [[w:fa:رده:صفحههای فیلترشده در ایران]]. Access to Wikipedia over SSL has been open since August 25.
> The speed of the internet in Iran is one of the slowest in the world. That is not a big deal for loading Wikipedia pages, but the variance of internet speed is too high, and we will fail in our main goal of providing free knowledge to people who don't have easy access to knowledge, people like middle or elementary school students who are living in the countryside. The problem of internet access becomes even worse when the government makes internet speed over SSL so low that the time to open a simple page becomes like 4 times higher when people try to use SSL. It's mainly to encourage people not to use SSL, or we can even consider an intention to decrypt SSL data.
> The scammed SSL certificates attack (further information: https://bit.ly/1dXl5Ub), which happened two years ago, shows us how much the government desires to control people. Another problem is that sometimes, especially when there is a crisis in politics or in the country in general (which happens three or four times every year), access to any site outside of the HTTP layer is impossible, and all other protocols, even IRC, happen to be blocked out of nowhere.
> The community of Persian Wikipedia (readers and writers) is strongly against enforced SSL because of the issues I talked about above, and on the other hand they worry about privacy and not letting governments breach their privacy.
> Here are my suggestions and requests, based on what Persian Wikipedia and Iranian Wikimedians in general agree on:
> * It's very important to let people choose their protocol. There is consensus that the community agrees on SSL as the default for logged-in users, but they are really insisting on making the protocol an arbitrary option, and it seems it's not enabled in WMF projects except mediawiki.org (in [[m:HTTPS]] you can find the documentation about disabling SSL, but as far as I checked it's not possible and I couldn't find the option in my preferences; maybe it's a bug).
This is currently how we have https enforced for IPs that appear to come from Iran. We don't require https for these users; however, if they are browsing on https, or click the "use secure connection" link on the login page, they will be protected by https.
The preference is actually hidden for Iran/China IPs, because we thought it would cause more confusion, since the preference is overridden by the geoip data. However, if you feel like that should be visible, we can certainly show it.
For everyone interested in how we structure enforcing https for logins, logged in connections, and exempt users, please give input on https://www.mediawiki.org/wiki/Requests_for_comment/Login_security
> * In order to encourage people to use SSL and increase their safety when editing Wikipedia, we need to speed up the loading of wiki pages. I suggest web designers and other experts come and help optimize Wikipedia, especially the Persian-language projects. We warmly welcome any ideas about increasing safety.
This is something I resonate with-- security must be usable, or, as you mention later, people will circumvent it. So yes, I'd love to see better design to make the https experience faster for people in Iran and other rule areas.
> * Because of past experience, the community thinks it's very probable that SSL access to Wikipedia in Iran will be blocked several times; maybe each block won't last more than one week, but it will happen. So we need to be very flexible and fast in cases like this in the future. I hereby ask the people who are in charge of SSL at WMF to be prepared and able to switch from SSL to non-SSL and switch back easily and rapidly in cases of SSL blocking in Iran.
> * Lack of documentation on safety issues puts Iranian lives in danger. I can give you an example. Insisting on SSL is good, but because of speed or other issues with SSL, some people use a proxy even when they are using SSL, which is what they do when they want to bypass blocking at the HTTP layer, and the speed of loading increases. It's very dangerous because data will not be encrypted until reception at the proxy computer, and that means easy information for the government with a delusion of safety; SSL in this case becomes harmful, not useful. We need to complete the documentation and let people know about safety.
I agree this is very much. I'm not sure what the training should look like, but I'm more than happy to work with you guys to generate advice / documentation.
> I'm sending this mail to wikitech-l because I think Iranian people need the help of technical people who can do something about the SSL issue.
> Best
> -- Amir
[1] - http://www.lightbluetouchpaper.org/2011/02/09/measuring-password-re-use-empi...
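The login policy described in the message above, modelled as an added example (not MediaWiki's code or configuration, and not part of the original thread): it shows which secrets cross the network in cleartext for each combination of GeoIP exemption and user preference. The country codes, class and function names are assumptions, and the model assumes the login form is served on the same scheme the password is finally submitted on.

```python
from dataclasses import dataclass

# Assumption: country codes standing in for "IPs that appear to come from
# Iran/China"; the thread does not show the real GeoIP mechanism.
EXEMPT_COUNTRIES = frozenset({"IR", "CN"})


@dataclass(frozen=True)
class Request:
    scheme: str                        # scheme the browser starts on
    country: str                       # hypothetical GeoIP result
    sends_password: bool = False       # login form submission
    logged_in: bool = False            # request carries a session cookie
    prefers_https: bool = True         # per-user preference, on by default
    clicked_secure_link: bool = False  # "use secure connection" on login page


def effective_scheme(req):
    """Scheme the request ends up on; this model only covers upgrades."""
    if req.scheme == "https":
        return "https"                 # already protected
    if req.country in EXEMPT_COUNTRIES:
        # GeoIP overrides the preference: HTTPS only when the user opts in.
        return "https" if req.clicked_secure_link else "http"
    if req.sends_password:
        return "https"                 # login page and password submission
    if req.logged_in and req.prefers_https:
        return "https"
    return "http"                      # readers, or preference switched off


def preference_visible(country):
    """The preference is hidden where GeoIP would override it anyway."""
    return country not in EXEMPT_COUNTRIES


def cleartext_exposure(session):
    """Secrets a passive observer on the network path could read."""
    exposed = set()
    for req in session:
        if effective_scheme(req) == "http":
            if req.sends_password:
                exposed.add("password")
            if req.logged_in:
                exposed.add("session cookie")
    return exposed


def sample_session(country, prefers_https=True, secure_link=False, scheme="http"):
    """Constructed input: one login submission, then one logged-in edit."""
    common = dict(scheme=scheme, country=country, prefers_https=prefers_https,
                  clicked_secure_link=secure_link)
    return [Request(sends_password=True, **common),
            Request(logged_in=True, **common)]


if __name__ == "__main__":
    cases = {
        "default user": sample_session("DE"),
        "preference off": sample_session("DE", prefers_https=False),
        "exempt, plain http": sample_session("IR"),
        "exempt, secure link": sample_session("IR", secure_link=True),
    }
    for name, session in cases.items():
        print(f"{name:20} exposes {sorted(cleartext_exposure(session)) or 'nothing'}")
```

"DE" is a constructed stand-in for any country that is not exempt.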
On Sep 10, 2013, at 12:49 AM, Amir Ladsgroup ladsgroup@gmail.com wrote:
> and the problem of internet access becomes even worse when the government makes internet speed over SSL so low that the time to open a simple page becomes like 4 times higher when people try to use SSL,
We are not proposing to shut off http://, we are proposing to require it for nearly all logins.
Normal user browsing will not be affected. Reader experience will be unaffected.
Editors have more reason to use https there than almost anywhere.
Sent from Kangphone
I'm not talking about right now. Right now it is okay (consensus of the community, because of the availability of SSL for WMF projects since August 25 in Iran) to enable SSL as the default like in other countries, and I'm asking to do that, but I'm saying do this if you don't force editors to use SSL by hiding the option in preferences.
I'm talking about the stance of Persian Wikipedia on switching the whole traffic of the site and shutting down http:// in the future too. This action will drop the number of readers in Iran by 95-99%; you'll lose almost all readers. It's a "safety vs. accessibility" issue, and I'm saying this much concern about safety will cause an enormous lack of accessibility in Iran.
Best
On 9/10/13, George William Herbert george.herbert@gmail.com wrote:
> On Sep 10, 2013, at 12:49 AM, Amir Ladsgroup ladsgroup@gmail.com wrote:
>> and the problem of internet access becomes even worse when the government makes internet speed over SSL so low that the time to open a simple page becomes like 4 times higher when people try to use SSL,
> We are not proposing to shut off http://, we are proposing to require it for nearly all logins.
> Normal user browsing will not be affected. Reader experience will be unaffected.
> Editors have more reason to use https there than almost anywhere.
> Sent from Kangphone
On Tue, Sep 10, 2013 at 10:58 AM, Amir Ladsgroup ladsgroup@gmail.com wrote:
> I'm not talking about right now. Right now it is okay (consensus of the community, because of the availability of SSL for WMF projects since August 25 in Iran) to enable SSL as the default like in other countries, and I'm asking to do that, but I'm saying do this if you don't force editors to use SSL by hiding the option in preferences.
> I'm talking about the stance of Persian Wikipedia on switching the whole traffic of the site and shutting down http:// in the future too. This action will drop the number of readers in Iran by 95-99%; you'll lose almost all readers. It's a "safety vs. accessibility" issue, and I'm saying this much concern about safety will cause an enormous lack of accessibility in Iran.
We have no current plans to ever disable HTTP and force the use of HTTPS. I know there was another thread about this on wikimedia-l, but there's no consensus for doing this and at this point isn't something you should worry about.
- Ryan
wikitech-l@lists.wikimedia.org