HTTPS/Discussions
The HTTPS topic has been discussed at length in various places. This page gives links (hopefully most of them) to where past discussions can be found.
Topics around HTTPS and Wikimedia
- User interaction issues:
  - spreading knowledge about HTTPS and security: documentation;
  - management of errors: how to manage in case of an HTTPS error? in case of a major TLS problem? opt-out mechanism;
  - promotion of HTTPS: soft activation (ask search engines to direct to the HTTPS version, see point 4 of Ryan's post), promotion of HTTPS Everywhere, HTTP Strict Transport Security (HSTS), ask third-party software to switch to HTTPS, hard activation (see point 6 of Ryan's post);
  - promotion of pinning/TACK? ([1] and [2]);
- Diplomatic, legal and administrative issues:
  - issuance of the certificate, Extended Validation, pinning ([3] and [4]);
  - Great Firewall of China: observation, documentation, communication with the government? (China has repeatedly blocked the HTTPS versions of Wikimedia projects, and has done so continuously since the beginning of 2013);
  - Iran's government has blocked SSL access to WMF projects too. See bugzilla:52846;
  - surveillance programs: links with legal and citizen associations, legal protection of the servers and of the private key;
- Technical issues:
  - caching: SSL termination on the Varnish frontend caches, distributed SSL cache (see points 2 and 3 of Ryan's post), etc.;
  - performance: studies and experience, OCSP stapling;
  - security: known attacks, best practices, cipher suites (perfect forward secrecy (PFS)), man-in-the-middle mitigation (HTTP Strict Transport Security), DNSSEC, traffic analysis (see the link given in point 5 of Ryan's post), etc.;
  - server security and management: protection of the private key (in the WMF network), response in case of a major crisis (SSL software/hardware problem, fallback to pmtpa, TLS completely broken, disclosed private key), how to deal with HTTPS-deficient user agents (e.g. old or badly written software, or HTTPS blocked in enterprises);
  - technical responses to the Great Firewall of China: GeoIP, specific domain, DNSSEC, opt-out mechanism (HTTP cookie, URL parameter, etc.), etc.
Past discussions
Bugzilla
Mailing lists
- [August 2013] [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
- [August 2013] [Wikitech-l] HTTPS for logged in users delayed. New date: August 28
Wikis
- [August 2013] mw:Requests for comment/Login security: Request for comment about login security and surrounding topics like HTTPS
Deployment in August 2013
- English-language Wikipedia
  - Wikipedia:Village pump (technical): HTTPS for logged in users on Wednesday August 28th (Aug 20-Aug 22), HTTPS for users with an account (Aug 20-Aug 22), Technical maintenance banner (Aug 21-Aug 22), Secure site only? (Aug 28-Aug 30), Why does the staff keep breaking the wikipedia (Aug 28-Aug 29), Who is in charge (Aug 29-Aug 31), Secure site breaks X!'s Edit Counter (Aug 29), https change breaks Citation Expander gadget? (Aug 29-Aug 31), Error report in RFA (Aug 30-Sept 1), HTTPS (Aug 30), Regex editor (Aug 30-Sep 1), Edit summary no longer providing previously used summaries (Aug 30-Aug 31), Help Needed: Problems due to Secure site change (Sept 1)
- French-language Wikipédia
  - fr:Wikipédia:Le Bistro/21 août 2013#HTTPS pour les utilisateurs connectés: main section about the August 21 deployment, which was aborted at the time
  - fr:Wikipédia:Le Bistro/28 août 2013#HTTPS, le retour: main section about the August 28 deployment
  - fr:Wikipédia:Le Bistro/29 août 2013#Vector: problem with a loadJS function
  - fr:Wikipédia:Le Bistro/29 août 2013#Redirection problématique: probable but unexplained link with HTTPS in some gadgets