HTTPS/Discussions

From Meta, a Wikimedia project coordination wiki

The HTTPS topic has been discussed at length in various places. This page gives some links (hopefully most) to where you can find past discussions.

Topics around HTTPS and Wikimedia

  • User interaction issues:
    • spreading knowledge about HTTPS and security: documentation;
    • error handling: what to do in case of an HTTPS error? in case of a major TLS problem? opt-out mechanism;
    • promotion of HTTPS: soft activation (ask search engines to direct users to the HTTPS version, see point 4 of Ryan’s post), promotion of HTTPS Everywhere, HTTP Strict Transport Security (HSTS), asking third-party software to switch to HTTPS, hard activation (see point 6 of Ryan’s post);
    • promotion of pinning/TACK? ([1] and [2]);
  • Diplomatic, legal and administrative issues:
    • Issuance of the certificate, Extended Validation, pinning ([3] and [4]);
    • Great Firewall of China: observation, documentation, communication with the government? (China has repeatedly blocked the HTTPS versions of Wikimedia projects, and has done so continuously since the beginning of 2013);
    • Iran's government has blocked SSL access to WMF projects too. See bugzilla:52846
    • Surveillance programs: links with legal and citizen associations, legal protection of the servers and private key;
  • Technical issues:
    • caching: SSL termination on the Varnish frontend caches, distributed SSL session cache (see points 2 and 3 of Ryan’s post), etc.;
    • performance: studies and experience, OCSP stapling;
    • security: known attacks, best practices, cipher suites (Perfect forward secrecy (PFS)), man-in-the-middle mitigation (HTTP Strict Transport Security), DNSSEC, traffic analysis (see the link given in point 5 of Ryan’s post), etc.;
    • server security and management: protection of the private key (within the WMF network), response in case of a major crisis (SSL software/hardware problem, fallback to pmtpa, TLS completely broken, disclosed private key), how to deal with HTTPS-deficient user agents (e.g. old or badly written software, or HTTPS blocked in enterprise networks);
    • technical responses to the Great Firewall of China: GeoIP, specific domain, DNSSEC, opt-out mechanism (HTTP cookie, URL parameter, etc.), etc.

Past discussions

Bugzilla

Mailing lists

Wikis

Deployment in August 2013

English-language Wikipedia
French-language Wikipédia