Community Wishlist Survey 2017/Archive/Improve DNS- and TSL(SSL)security

From Meta, a Wikimedia project coordination wiki

Improve DNS and TLS (SSL) security

  • Problem: Wikipedia is used around the world. Unfortunately not every country is a democracy and a constitutional state, but many countries are dictatorships and/or have no citizen rights (or not enough). Many of these countries (and a few of the democratic ones too) try to spy on their own burghers, and which Wikipedia pages somebody reads (or what he writes about his leaders) is of course interesting for these bad countries.

While Wikipedia has used TLS (also known as SSL) for a few years, this is not enough, because many of these bad countries run default-trusted Certification Authorities (CA), which are able to generate certificates for every domain they like – including Wikipedia.

  • Who would benefit: In theory every user of Wikipedia (readers and writers), but especially users in non-free countries.
  • Proposed solution: Implement DNSSEC for the DNS of the Wikipedia domains as a first step. Then add TLSA records (also known as DANE) to the DNS to secure the TLS. Then the users can install a plugin in their browsers that will warn them if somebody tampers with the TLS certificate.
  • More comments: The work (without testing and documentation) should need less than 1 day. I can offer help, if needed.
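
As an added illustration (not part of the proposal and not Wikimedia code), this Python example shows the comparison a DANE-aware client or browser plugin would make between a published TLSA record and the certificate a server presents, following the RFC 6698 selector and matching-type fields. It assumes the record has already been DNSSEC-validated and that the caller has extracted the certificate and SubjectPublicKeyInfo bytes; the sample bytes and all function names are constructed for the example.

```python
import hashlib

# RFC 6698 matching types: 0 = raw bytes, 1 = SHA-256, 2 = SHA-512.
DIGESTS = {0: lambda b: b,
           1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def parse_tlsa(rdata):
    """Parse TLSA presentation format: 'usage selector mtype hexdata'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, mtype and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in DIGESTS:
        raise ValueError("unsupported TLSA parameters")
    return usage, selector, mtype, bytes.fromhex("".join(fields[3:]))

def make_tlsa(usage, selector, mtype, cert_der, spki_der):
    """Build the record a zone operator would publish for this certificate."""
    chosen = cert_der if selector == 0 else spki_der
    return f"{usage} {selector} {mtype} {DIGESTS[mtype](chosen).hex()}"

def tlsa_matches(rdata, cert_der, spki_der):
    """Check the presented certificate against the association data.

    Selector 0 covers the whole certificate, selector 1 only the public key,
    so a renewed certificate on the same key still matches a selector-1 pin.
    The usage field (chain rules) is parsed but not enforced here.
    """
    _usage, selector, mtype, data = parse_tlsa(rdata)
    presented = cert_der if selector == 0 else spki_der
    return DIGESTS[mtype](presented) == data

# Constructed placeholder bytes standing in for real DER structures.
SITE_KEY = b"constructed-spki:site-key"
OTHER_KEY = b"constructed-spki:other-key"
CERT_ORIGINAL = b"constructed-cert:serial-1:" + SITE_KEY
CERT_RENEWED = b"constructed-cert:serial-2:" + SITE_KEY
CERT_OTHER_CA = b"constructed-cert:serial-9:" + OTHER_KEY  # same name, different key

if __name__ == "__main__":
    pin = make_tlsa(3, 1, 1, CERT_ORIGINAL, SITE_KEY)
    for name, cert, key in [("original", CERT_ORIGINAL, SITE_KEY),
                            ("renewed", CERT_RENEWED, SITE_KEY),
                            ("other CA", CERT_OTHER_CA, OTHER_KEY)]:
        print(name, "matches" if tlsa_matches(pin, cert, key) else "MISMATCH")
```

A certificate issued by a different CA for the same name fails the comparison because its key differs from the one pinned in DNS, which is the warning condition the proposal describes.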

Discussion

Archive

The Operations team doesn't have resources to work on DNSSEC and we at Community Tech can't do it on our own. Additionally, DNSSEC is an outdated standard on its way out. Its browser support only decreases because it pretty much predates proper TLS and has never been developed further. TLS itself was designed to handle unsafe DNS so there's virtually no extra security that DNSSEC would add in any case. Thanks for participating in our survey. Max Semenik (talk) 21:16, 20 November 2017 (UTC)