[Wikimedia-l] Wikimedia and the politics of encryption

Seb35 seb35wikipedia at gmail.com
Thu Sep 5 22:20:21 UTC 2013


I don’t see precisely how mandatory HTTPS could help spread the knowledge;
accordingly if users feel spied on and it prevents them from
contributing, yes, HTTPS helps; but if others feel cluttered by HTTPS (load
time, unfriendly firewalls, various problems), it could also lower the
number of editors.

On another side HTTPS is quite useless if users click through any warning
("You are spied.": "Ok"/close me that ad → privacy education); anyway
encryption and code breaking is always a cat-and-mouse play, and we should
have to carefully monitor the state of the art if we really want to protect
the users; but imho it’s not our vision.

For HTTPS, I would like to see the users opt in to the security they want:
e.g. if they write about intelligence, they probably know the dangers
of being spied on and want to minimize it as part of other means; if they
write about butterflies, perhaps they don’t care about being spied on. For
specific-rights editors security could be enforced, but possibly with
other means than encryption; e.g. if an oversight has to hide an article,
it is primarily needed to be sure the user has oversight rights
(authorisation), and it is not really useful to hide what article it is
(it was public). Accordingly for checkusers, we want the IPs to stay private
(encrypted during the transport). The point is: HTTPS is not the solution
to all problems.

For HTTPS I see some security levels chosen by the users: no HTTPS at all
(Chinese users), equal HTTP/HTTPS (butterflies editor), preferred HTTPS
(privacy-conscious editor, but travelling to China regularly), always
HTTPS or nothing (intelligence editor). And this could also be implemented
for readers during their session. This option is politically neutral, it
just lets the user choose.

Sébastien


On Tue, 03 Sep 2013 21:38:36 +0200, Terry Chay <tchay at wikimedia.org>
wrote:
> This part of the discussion has strayed a bit far from the politics of  
> encryption. ;-)
>
> Not that it doesn't have value, but if I can bring it back on-topic for  
> a moment…
>
> The gist of the HTTPS issues is that it's simply not an engineering  
> discussion, it's a political one. The abuses recently revealed in the
> United States are either orthogonal to the issue of the politics of
> encryption (in that HTTPS encryption in China, Iran, and the future is  
> in discussion), or is the direct salient (in that it is a prime  
> motivator for accelerating HTTPS rollout which has triggered this issue).
>
> I, for one, would like to see the discussion of what to do. I'm of the
> belief that there is no simple engineering decision without introducing
> practical, political, legal, and moral complications. I suspect that  
> even the more clever or complex ones also introduce these issues. It's  
> important to outline what our choices are and the consequences of those  
> choices, and derive consensus on what the right choice is going forward,  
> as it is clear what we have now[1] is a temporary band-aid.[2]
>
> I'm less sanguine about Erik's suggestion that creating a deadline to  
> HTTP-canonical will actually get us to an adequate resolution. The  
> reason is simply—whatever I think of Google personally—I feel Google has  
> a highly-capable, highly-motivated, engineering-driven staff, and they  
> were unable to come up with a workable solution. Unlike Google, we have  
> a clear sense about what motivates us[3], so we need to figure out how  
> best to get there/interpret it.
>
> [1]:  
> http://blog.wikimedia.org/2013/08/28/https-default-logged-in-users-wikimedia-sites/
> [2]: Maybe start an RfC or other wiki page on Meta with a summary of the  
> discussion so far?
> [3]: http://wikimediafoundation.org/wiki/Vision
>
> Take care,
>
> terry
>
> On Sep 3, 2013, at 11:50 AM, Kirill Lokshin <kirill.lokshin at gmail.com>  
> wrote:
>
>> The thing is, it's kind of a crapshoot anyways.  You might see  
>> something that you think might be classified and report it; but, unless  
>> you actually have the corresponding clearance yourself, you have no way  
>> of knowing for certain whether the material is in fact classified in  
>> the first place.  Conversely, anyone who does have that information is  
>> unlikely to confirm it one way or the other, for obvious reasons.
>>
>> To make things even more convoluted, reporting certain kinds of  
>> material to the WMF could itself potentially be considered illegal in  
>> some circumstances, since not everyone at the WMF is considered a "US  
>> person" for ITAR purposes.
>>
>> Kirill
>>
>> On Sep 3, 2013, at 2:34 PM, "Fred Bauder" <fredbaud at fairpoint.net>  
>> wrote:
>>
>>>> To be fair, none of the people receiving requests through legal@ or
>>>> emergency@ have security clearances either.
>>>>
>>>> Kirill
>>>
>>> True, but there are not so many of them. I'm not sure if a request
>>> about a major matter has ever been made through any channel. In a
>>> way, that is kind of a dumb move.
>>>
>>> Fred
>>
>
>