[Wikimedia-l] [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
Terry Chay
tchay at wikimedia.org
Wed Aug 21 06:49:03 UTC 2013
On Aug 21, 2013, at 1:39 AM, Pierre-Selim <pierre-selim at huard.info> wrote:
> Just a question: Why imposing HTTPS ? Really, it will be damaging
The reason why is outlined in Ryan's blog post as well as his previous post and the Wikipedia entry on https linked from that post.
The short answer is the current state is known to present a number of privacy and security vulnerabilities further emphasized by the now-known existence of software designed to deliberaty target these vulnerabilities in Wikipedia specifically.
https://blog.wikimedia.org/2013/08/01/future-https-wikimedia-projects/
> ...
> "Wikipedia the encyclopedia that anyone (which has HTTPS) can edit (as
> logged user)".
The article mentions that anons will still be able to edit. It also mentions that areas that block https will be considered for bypass on redirect even though this reduces the overall privacy protection of all the projects in the manner discussed on the parent thread on wikitech (linked by Ryan below).
> Sorry, HTTPS is nice, but I see no reason to force people using it, it
> might be slow in certain country, it might be filtered, etc.
Putting real numbers behind those "mights" has been part of the hard work put into it by the operations and platform engineers at the WMF and they are adjusting to the real world tradeoffs you mention. (Btw, the issue is not that https is filtered but that it is BLOCKED by certain countries BECAUSE it cannot be filtered.) They are inviting your discussion here and on wikitech on those details.
As for the decision itself, even though that has been on the roadmap for quite a while, I'm sure that even that is amenable to discussion. It would behoove anyone who wants to influence the decision to be well versed in the historical discussion first.
> Thank you for all the time you spent on this feature, however I'm not
> convinced at all.
Luckily, the standard for the Movement is consensus, not catering to every extremist view with 100% buy-in. The latter standard is impossible as people would be affected either way. The technical component is informing the decision and helps to hash out some of the details, but this is a case where parts of the Vision are being compromised today, and a different (hopefully better) compromise is being reached through this rollout.
Take care,
terry
>
>
> 2013/8/21 Ryan Lane <rlane at wikimedia.org>
>
>> On Wed, Aug 21, 2013 at 4:38 AM, Brion Vibber <bvibber at wikimedia.org>
>> wrote:
>>
>>> On Tue, Aug 20, 2013 at 1:33 PM, Nathan <nawrich at gmail.com> wrote:
>>>
>>>> Hi, context please?
>>>
>>>
>>> Continuation of this thread from wikitech-l:
>> http://lists.wikimedia.org/pipermail/wikitech-l/2013-August/thread.html#71285
>>>
>>>
>>> tl;dr summary:
>>> * ops plans to switch logins to HTTPS
>>> * switching all logins to HTTPS is known to break access for logged-in
>>> users in countries where Wikimedia's HTTPS servers are blocked by
>>> government censorship
>>> * there are some plans to mitigate this by excluding some languages from
>>> the requirement
>>> * this is controversial for several reasons, one of which is that it will
>>> break access for users in those countries on language projects that are
>> not
>>> excepted (eg English Wikipedia in mainland China)
>> The last point isn't accurate. The original plan was to exempt certain
>> languages from the login redirection, and those projects would be "home"
>> wikis. When someone logged-in there, they'd also be logged-in everywhere
>> else via central auth. The current plan is to disable the HTTPS redirect
>> using geolocation for countries that have a > 5% error rate for HTTPS
>> requests.
>>
>> This discussion is technical, so I'm going to move back to wikitech-l, now.
>>
>> - Ryan
>> _______________________________________________
>> Wikimedia-l mailing list
>> Wikimedia-l at lists.wikimedia.org
>> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
>> <mailto:wikimedia-l-request at lists.wikimedia.org?subject=unsubscribe>
>
>
>
> --
> Pierre-Selim
> _______________________________________________
> Wikimedia-l mailing list
> Wikimedia-l at lists.wikimedia.org
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:wikimedia-l-request at lists.wikimedia.org?subject=unsubscribe>
More information about the Wikimedia-l
mailing list