I recently closed a huge RfC about using SSL in Persian Wikipedia which mainly runs by Iranian users.
Iran is the number one target in PRISM surveillance program (Further information) and long history of arresting, torturing and murdering internet activists (case in point Sattar Beheshti) or even family members of internet activists (case in point Yashar Khameneh) leaves no doubt on intention of Iranian government on surveillance and control of Iranian people. You can find a very long list in human rights defendants organizations (Breaching privacy of Iranian people is one of the very few things that both Iran and US governments agree about it) so we are sure we need to switch to SSL but using SSL in Iran has its own problems. Iranian authorities block SSL IP of some sites that they have blocked in non-SSL mode either it's blocked completely or partially, these sites includes facebook, twitter, and until recently Wikipedia. Wikipedia is not blocked in Iran but about 400 articles of Persian Wikipedia (and some other sites like the whole Hebrew Wikipedia) are blocked for viewing the complete list of the articles which are mainly about politics, religion, or sexology go to w:fa:رده:صفحههای فیلترشده در ایران. Access to Wikipedia in SSL is open since August 25. Speed of internet in Iran is one of the slowest in the world and it's not a big deal about loading pages of Wikipedia but variance of internet speed is too high and we will fail in our main goal on providing free knowledge for people who don't have easy access to knowledge, people like middle or elementary school students who are living in countryside and problem of internet access becomes even worse when the government makes speed of internet on SSL so low that time of opening a simple page becomes like 4 times higher when people try to use SSL, It's mainly because of encouraging people not to use SSL or even we can consider intention of decryption of SSL data. Scammed SSL certificates attack (Further information) which happened two years ago shows us how much the government desires to control people. Another problem is sometimes specially when there is a crisis in politics or in the country in general (which happens three or four times every year) access to any site outside of HTTP layer is impossible and all of other protocols even IRC happens to be blocked out of nowhere.
Community of Persian Wikipedia (readers and writers) are strongly against enforced SSL because of the issues I talked about it above and in other hand they worry about privacy and not letting the governments breach their privacy
Here is my suggestions and requests based on what Persian Wikipedia and Iranian Wikimedians in general agree:
- It's very important to let people choose their protocol, There is consensuses that the community agrees on SSL as default for logged in users but they are really insisting on making the protocol an arbitrary option and It seems It's not enabled in WMF projects except mediawiki.org
- In order to encourage people to use SSL and increase their safety of editing in Wikipedia we need to speed up loading of Wiki pages I suggest web designers and other experts come and help on optimizing Wikipedia specially Persian language projects. We warmly welcome any ideas about increasing safety.
- Because of the experience of the past community thinks It's very probable that SSL access to Wikipedia in Iran will be blocked several times and even maybe every block won't take more than one week but It will happen. So we need to be very flexible and fast in cases like this in future So hereby I ask people who are in charge of SSL in WMF to be prepared and be able to switch to from SSL to non-SSL and switch back easily and rapidly in cases of SSL blocking in Iran.
- Lack of documentation in safety issues put Iranian lives in danger, I can give you an example. Insisting on SSL is good but because of speed or other issues of SSL some people use proxy even they are using SSL, what they do when they want to bypass blocking in HTTP layer and speed of loading increases. It's very dangerous because data will not be encrypted until reception in proxy computer and that means easy information for the government with delusion of safety, SSL in this case becomes harmful not useful. We need to complete documentation and let people know about the safety.