2017 Community Wishlist Survey/Reading/Make Wikimedia accessible via Tor and/or I2P

From Meta, a Wikimedia project coordination wiki
Jump to: navigation, search

⬅ Back to Reading The survey has concluded. Here are the results!


  • Problem: Some countries aren't familiar with spreading free and open knowledge. The proofs of censoring Wikipedia and the Internet in China People's Republic is already known. Turkey has blocked the whole Wikipedia this year. Such a tries there will be also in the future.
  • Who would benefit: Theoretically any Wikipedia-reader concerned about their privacy while reading. More practically for readers from countries with strong censorship of the Internet and especially from those directly blocking Wikimedia projects.
  • Proposed solution: To make Wikipedia and maybe some other Wikimedia projects available read-only as Hidden Service of Tor, I2P eepsite or using any other convenient technology.
  • More comments: Wikimedia projects are of course accessible via Tor network already today, but as being on the normal Internet, the users have to use exit nodes which can theoretically (and some of them practically) attack them as well as the countries which they're trying to avoid. As Tor Hidden Sevices and I2P eepsites (which is technically the same only on different networks) are end-to-end encrypted, it's harder to attack the users from the middle. As these protocols don't support subdomains, it could be possible to use similar thing as was used on secure.wikimedia.org before introducing of TLS on the main domains.
  • Proposer: Venca24 (talk) 09:43, 16 November 2017 (UTC)

Discussion

  • And hosting on en:IPFS?--YFdyh000 (talk) 16:18, 28 November 2017 (UTC)
  • "the users have to use exit nodes which can theoretically (and some of them practically) attack them as well as the countries which they're trying to avoid." - This is not true. Exit nodes cannot maliciously modify Wikipedia content due to us using HTTPS and HSTS. Concerns about malicious exit nodes really only apply to plain HTTP sites. Quite frankly, in my opinion, creating an exit node is more of a political statement than anything else. The effect hidden tor nodes have on privacy, security or censorship resitence is minimal to non-existent. At most, an exit node could determine which domain traffic is going to (due to SNI), but they cannot link that information to the originator of the request. (That said, I like tor, and support creating an exit node for political reasons) BWolff (WMF) (talk) 23:15, 28 November 2017 (UTC)
    • CNNIC has issued root TLS certificates and this organization is under the influence of the government of People's Republic of China. Having this root certificate in computers, they can technically issue a certificate for any domain, or am I mistaken? I haven't find on HTTPS Everywhere site if it checks the certificates (like I think did the Observatory). --Venca24 (talk) 21:16, 29 November 2017 (UTC)
      • you're correct that a mitm via a misissued certificate or malicious/incompetent CA is an attack that a tor hidden service can prevent. (Of course a tor hidden service introduces a risk of a mitm by tricking users into viewing the wrong onion url because onion urls arent human readable. Id consider that a much easier to pull off attack than malicious CA attack). CNNIC is probably not the CA id worry about - afaik they are already untrusted by apple and google chrome and firefox only trusts certificates from them prior to 2015 (which is kind of meaningless as they could backdate but i digress). However your point still stands with other CAs. That said I think it would be very difficult to pull off this type of attack without being discovered - the moment the attacker is detected their root gets immediately distrusted and they go out of bussiness, so there is a strong economic incentive not to be involved. And it would be difficult to participate in the attack secretly because a tor exit node doesnt know where the traffic is coming from so the attacker cannot target the attack. Thus there is a high likelyhood that anyone doing such an attack for any length of time would be discovered. Once expect-CT header becomes available in browsers (hopefully soon) the risk of this attack goes down quite a bit. (expect-CT: tells browsers to only accept certificates that are in the public certificate transparency lists. This ensures that anyone can figure out all the valid certificates for a domain, preventing a malicious CA from secretly issuing a cert for a domain they are not supposed to). BWolff (WMF) (talk) 03:21, 1 December 2017 (UTC)
  • Additionally - "As these protocols don't support subdomains, it could be possible to use similar thing as was used on secure.wikimedia.org before introducing of TLS on the main domains". I can't speak as to I2P, but for tor this statement is untrue. Subdomains work like virtual hosts when using tor with HTTP(S). BWolff (WMF) (talk) 23:18, 28 November 2017 (UTC)
    • I didn't know, thanks. --Venca24 (talk) 21:16, 29 November 2017 (UTC)

Voting