HTTPS/Discussions

The HTTPS topic was lengthly discussed in various places. This pages gives some links (hopefully most) where you can find past discussions.

• User interaction issues:
  • diffuse knowledge about HTTPS and security: documentation;
  • management of errors: how to manage in case of HTTPS error? in case of major TLS problem? opt-out mechanism;
  • promotion of the HTTPS: soft-activation (ask search engines to direct to HTTPS version, see point 4 of Ryan’s post), promotion of HTTPS Everywhere, HTTP Strict Transport Security (HSTS), ask third-party softwares to switch to HTTPS, hard-activation (see point 6 of Ryan’s post);
  • promotion of pinning/TACK? ([1] and [2]);
• Diplomatic, legal and administrative issues:
  • Issuance of the certificate, Extended Validation, pinning ([3] and [4]);
  • Great Firewall of China: observation, documentation, communication with the government? (China repeatedly blocked HTTPS Wikimedia projects, and it is the case since the beginning of 2013);
  • Iran's government blocked SSL of WMF projects too. See bugzilla:52846
  • Surveillance programs: links with legal and citizen associations, legal protection of the servers and private key;
• Technical issues:
  • caching: SSL terminaisons on the Varnish frontend caches, distributed SSL cache (see points 2 and 3 of Ryan’s post), etc.;
  • performance: studies and experience, OCSP stapling;
  • security: known attacks, best practices, cipher suites (Perfect forward secrecy (PFS)), man-in-the-middle mitigation (HTTP Strict Transport Security), DNSSEC, traffic analysis (see the link given in point 5 of Ryan’s post), etc.;
  • server security and management: protection of the private key (in the WMF network), response on case of major crisis (SSL software/hardware problem, fallback to pmtpa, TLS completely broken, disclosed private key), how to deal with HTTPS-deficient user agents (e.g. old or badly-written softwares, or blocked HTTPS in enterprises);
  • technical responses to the Great Firewall of China: GeoIP, specific domain, DNSSEC, opt-out mechanism (HTTP cookie, URL parameter, etc.), etc.

Bugzilla[edit]

Mailing lists[edit]

• [August 2013] [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
• [August 2013] [Wikitech-l] HTTPS for logged in users delayed. New date: August 28

Wikis[edit]

• [August 2013] mw:Requests for comment/Login security: Request for comment about the login security and surrounding topics like HTTPS

Deployment in August 2013[edit]

English-language Wikipedia

• Wikipedia:Village pump (technical): HTTPS for logged in users on Wednesday August 28th (Aug 20-Aug 22), HTTPS for users with an account (Aug 20-Aug 22), Technical maintenance banner (Aug 21-Aug 22), Secure site only? (Aug 28-Aug 30), Why does the staff keep breaking the wikipedia (Aug 28-Aug 29), Who is in charge (Aug 29-Aug 31), Secure site breaks X!'s Edit Counter (Aug 29), https change breaks Citation Expander gadget? (Aug 29-Aug 31), Error report in RFA (Aug 30-Sept 1), HTTPS (Aug 30), Regex editor (Aug 30-Sep 1), Edit summary no longer providing previously used summaries (Aug 30-Aug 31), Help Needed: Problems due to Secure site change (Sept 1)

French-language Wikipédia

• fr:Wikipédia:Le Bistro/21 août 2013#HTTPS pour les utilisateurs connectés: main section about August 21 then-aborded deployment
• fr:Wikipédia:Le Bistro/28 août 2013#HTTPS, le retour: main section about August 28 deployment
• fr:Wikipédia:Le Bistro/29 août 2013#Vector: problem with a loadJS function
• fr:Wikipédia:Le Bistro/29 août 2013#Redirection problématique: probable but mysterious link with HTTPS in some gadgets