Talk:HTTPS: Difference between revisions

From Meta, a Wikimedia project coordination wiki

Revision as of 02:32, 21 August 2013

Organisation of the content page

Here are the thoughts which drove my writing/expansion of the content page.

I have followed wikitech-l and wikitech-ambassadors for many years (less so for the latter :) and I have difficulty tracking the various topics. I’m interested in the HTTPS topic and I find that both the technical and community people should be involved in this question, hence a job for a wikitech ambassador.

I find this page should be a portal/hub -- even better than it is presently -- explaining the general topic, the various questions involved (better than only the keywords presently), the past and coming deployments, and a collection of pointers about the state of the discussion (wikitech-l and bugzilla mainly for this topic).

Any thoughts about this organisation?
(Perhaps we can use this section -- with subsections -- to discuss specifically the organisation, and leave the other sections for true HTTPS questions.)
~ Seb35 [^_^] 09:34, 18 August 2013 (UTC)

Be bold. :-) --MZMcBride (talk) 16:40, 18 August 2013 (UTC)
Hi Seb35. Thanks for the dump. I am a little concerned, though, that people who are pointed to this page due to the planned Wednesday deploy of SecureLogin by default won't know where to begin; it's a little text heavy without much "what is going on, what this means for you" in simple and brief language. I hope you don't mind, but I'm going to Be bold and drastically rearrange this page to address the most common questions and concerns from users who are having problems with HTTPS. I'm going to keep much of what you wrote, just re-arrange, mostly. Thanks again! Greg (WMF) (talk) 22:49, 19 August 2013 (UTC)
Hi, thanks a lot for the rewriting, it’s better now with these simple explanations. I removed my paragraph about PRISM since you summarised it better in the introduction; I hesitated about adding a link, but it could distract the reader. ~ Seb35 [^_^] 12:14, 20 August 2013 (UTC)

Soft HSTS (HTTP Strict-Transport-Security)

I wrote an extension for MediaWiki to enable HSTS on a per-user basis. The rationale behind it is to let privacy-conscious users opt in to HTTPS every time (for all compatible browsers) independently of their current logged-in or logged-out status, and at the same time not force the other users to use HTTPS (particularly if they live in an HTTPS-unfriendly environment such as China).

I find such an extension would be worth installing on the Wikimedia projects (at first on the test wikis and then the MediaWiki wiki) to balance the advantages and drawbacks of HTTPS, as well as to slowly increase the HTTPS load on the servers. Since HSTS comes with a strong constraint (a fatal error in case of a bad TLS/HTTPS connection), I find it could be tested with increasing expiration times (1 hour; 1 day; 2 weeks; 1 month) with some volunteers during the next year to check that everything works correctly (e.g. users will necessarily complain if their old browser’s cipher suite or SSL 3.0 is removed).

~ Seb35 [^_^] 17:03, 18 August 2013 (UTC)

I misunderstood the deployment planned for August 21, 2013; I thought it was only the log-in page. This extension becomes almost useless if all HTTP traffic is 301-redirected to HTTPS, or it could be tweaked to remove the user preference and be activated for all logged-in users in order to remove the 301-redirect-over-HTTP step, which can still be MITMed/spied on. ~ Seb35 [^_^] 18:18, 18 August 2013 (UTC)
And the extension is now updated to give the server administrator the possibility to force anonymous and/or logged-in users to have an STS header, or to let the logged-in users choose if they want one. ~ Seb35 [^_^] 20:06, 18 August 2013 (UTC)
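The "soft HSTS" policy sketched in this thread (per-audience force/choice/off, plus the staged 1 hour to 1 month max-age ramp), modelled as an added example; this is not Seb35's extension, and the request/config field names are assumptions.

```javascript
// Added example, not code from the extension discussed above.
// mode per audience: 'force'  -> always send Strict-Transport-Security
//                    'choice' -> send it only if the logged-in user opted in
//                    'off'    -> never send it
// Assumed request shape: { isHttps, loggedIn, userOptedIn }.
const STAGES_SECONDS = {
  '1 hour': 3600,
  '1 day': 86400,
  '2 weeks': 14 * 86400,
  '1 month': 30 * 86400,
};

// Returns the Strict-Transport-Security header value to send, or null.
function stsHeaderFor(req, config) {
  // Browsers ignore an STS header received over plain HTTP, so emitting it
  // there is pointless; only an HTTPS response can set the policy.
  if (!req.isHttps) return null;

  const mode = req.loggedIn ? config.loggedInMode : config.anonymousMode;
  let send;
  if (mode === 'force') send = true;
  // Anonymous users carry no preference, so 'choice' never sends for them.
  else if (mode === 'choice') send = req.loggedIn && req.userOptedIn === true;
  else send = false;
  if (!send) return null;

  const maxAge = STAGES_SECONDS[config.stage];
  if (maxAge === undefined) throw new Error('unknown HSTS stage: ' + config.stage);
  // includeSubDomains is deliberately omitted: once cached it pins every
  // subdomain too, which is exactly the blast radius a staged rollout avoids.
  return 'max-age=' + maxAge;
}
```

Because a cached policy turns any later TLS failure into a hard error, the ramp only moves to the next stage once the shorter one has expired without complaints.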

Load script from home wiki

En.wiki is my home wiki, and in all other projects I have this in my vector.js:
mw.loader.load( '//en.wikipedia.org/w/index.php?title=User:Edokter/MenuTabsToggle.js&action=raw&ctype=text/javascript' );

This fails in modern browsers as an XSS violation when in HTTPS. Are there any provisions where the several Wikimedia domains are trusted with regard to each other? Edokter (talk) — 09:56, 20 August 2013 (UTC)

I don’t know XSS well, but this syntax works for me (Opera 12.16, I have it in my en.wp common.js). Else I see on mw:ResourceLoader/Migration guide (users)#Migrating user scripts that it is recommended to keep importScript instead of switching to mw.loader to avoid problems; perhaps you can try with importScript. Else what browser+version do you have? ~ Seb35 [^_^] 12:41, 20 August 2013 (UTC)
I see en:User:Edokter/MenuTabsToggle.js itself calls mw.loader.load with 'http' explicitly specified, and Firefox 23.0 here complains about the mixed content due to that. Try making that protocol-relative as well? Anomie (talk) 13:47, 20 August 2013 (UTC)
A bug in Chrome prevents use of protocol-relative stylesheets in the .load method. XSS stands for 'Cross-site scripting'. Most modern browsers block loading scripts from another domain when you are on a secure connection. The only way to allow secure cross-site scripts to load is by whitelisting those domains in the certificate. That is what my question pertains to: does our certificate have such a whitelist? Edokter (talk) — 20:47, 20 August 2013 (UTC)
Independently of XSS, about the HTTP/HTTPS in the scripts and problems with protocol-relative URLs, you can use some script like
mw.loader.load( window.location.protocol+'//en.wikipedia.org/w/...' );
(ref) ~ Seb35 [^_^] 22:03, 20 August 2013 (UTC)
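An added example (not code from any of the participants or from MenuTabsToggle.js) that finds the explicit http:// script loads Anomie diagnosed and rewrites them to the window.location.protocol form Seb35 suggests; the sample user script is constructed. An https:// page loading a script from an explicit http:// URL is active mixed content, which is what browsers block here.

```javascript
// Added example, not code from the page's authors.
// Matches mw.loader.load( 'http://...' ) and importScriptURI( 'http://...' ).
const LOADER_CALL = /(mw\.loader\.load|importScriptURI)\(\s*(['"])http:\/\/([^'"]+)\2/g;

// Returns the explicit http:// URLs a user script would load, in source order;
// each one is active mixed content when the script runs on an https:// page.
function findMixedContentLoads(source) {
  const hits = [];
  for (const m of source.matchAll(LOADER_CALL)) hits.push('http://' + m[3]);
  return hits;
}

// Rewrites each offending call so the script follows the page's own scheme,
// i.e. mw.loader.load( window.location.protocol + '//host/...' ), instead of
// relying on a bare protocol-relative '//host/...' URL.
function rewriteToPageProtocol(source) {
  return source.replace(LOADER_CALL, (all, fn, q, rest) =>
    fn + '( window.location.protocol + ' + q + '//' + rest + q);
}

// Constructed sample user script (not the real MenuTabsToggle.js): two explicit
// http:// loads and one already protocol-relative load.
const SAMPLE = [
  "mw.loader.load( 'http://en.wikipedia.org/w/index.php?title=User:Example/a.js&action=raw&ctype=text/javascript' );",
  "importScriptURI( \"http://commons.wikimedia.org/w/index.php?title=User:Example/b.js&action=raw&ctype=text/javascript\" );",
  "mw.loader.load( '//en.wikipedia.org/w/index.php?title=User:Example/c.js&action=raw&ctype=text/javascript' );",
].join('\n');
```

Run findMixedContentLoads over a user script before switching it to HTTPS; an empty result means no explicit http:// loads remain to be rewritten.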

Excluded language

Please add ckb wikipedia to the excluded languages. All sysops of ckb.wiki are from Iran and we cannot access Wikimedia projects via HTTPS.--Calak (talk) 19:01, 20 August 2013 (UTC)

What is the exact list of the excluded languages: is it only zh and fa? Or are there also the other Chinese languages: yue/zh-yue, wuu, gan, cdo, nan/zh-min-nan? Plus those of Iran? Is there a gerrit patch about the config? ~ Seb35 [^_^] 20:25, 20 August 2013 (UTC)
Please see bug 52846; these wikis are mostly used in Iran and have the same problem: fa, ckb, mzn, glk, ku. I don't know anything about Chinese languages.--Calak (talk) 20:34, 20 August 2013 (UTC)

Update of automated editing tools

Are pywikipediabot, autowikibrowser, etc., now HTTPS compliant? It would be extremely disruptive to implement this change without automated editing tools being able to accommodate it. DavidLeighEllis (talk) 19:24, 20 August 2013 (UTC)

According to this message (just sent), pywikipediabot was updated for HTTPS and pywikipediabot users must update their code to the latest version. ~ Seb35 [^_^] 21:27, 20 August 2013 (UTC)

Commons, Wikidata and SUL

Won't this create lots of trouble for people in China and Iran who need to upload an image to Commons or modify an interwiki link on Wikidata?

  • Commons: You must be logged in to upload an image. If HTTPS is unavailable and mandatory, then you can't log in.
  • Wikidata: It is possible to edit links without logging in, so I suppose that you can edit as an IP using HTTP? This however reveals your IP for everyone to see. Editing over HTTP also reveals your IP address, but only to anyone who is wiretapping you at the same time as you are accessing the Internet.
  • SUL: Logs you in automatically if you visit another project. Doesn't this mean that Chinese and Iranian users will have to log out in order to read an article in another language? This could be very inconvenient if you at the same time need to be logged in on Chinese or Iranian Wikipedia.

You can presumably access HTTPS by using a VPN or TOR, and you can disable login on selected projects by changing your cookie settings. However, lots of users probably don't know how to do this and the result will instead be that logging in will be disabled. I am personally able to use HTTPS and have HTTPS Everywhere installed, but I understand that lack of unencrypted HTTP for logged-in users may cause lots of problems for users in some countries. --Stefan2 (talk) 19:49, 20 August 2013 (UTC)

HTTPS problem

Hello. Now we can't access any WM projects (except Meta, Commons and Incubator)!--Calak (talk) 19:54, 20 August 2013 (UTC)

  • I guess Meta, Commons, and Incubator should all be excluded from the forced https until the "GeoIP" functions are available, in order not to cause any problems there for Iranian or Chinese users who e.g. want to complain here on Meta about https problems, are active with uploading files on Commons, or are active in test-projects in their language on Incubator. --MF-W 20:01, 20 August 2013 (UTC)

Now Bugzilla, MediaWiki and Wikidata don't have any problem, but all WM projects are out of access. Now I am a sysop on ckb wikipedia and I can't open even one page! What are we supposed to do?--Calak (talk) 20:07, 20 August 2013 (UTC)

Please see the "Help!" section of the subject-space page. IRC is fastest. :-) --MZMcBride (talk) 21:23, 20 August 2013 (UTC)

Why are Chinese languages excluded?

I think the Chinese wikipedian community has made it clear that all Chinese languages (Classical Chinese, Wuu Chinese etc.) should not be converted into the https version, but here I see nothing. Can somebody tell me why please? As a Classical Chinese editor, I will no longer be able to do my work if it is true that Meta forgot their promises.

Benjamin Jiperus (talk) 23:04, 20 August 2013 (UTC)

See also bugzilla:52846#c12 and try to get a complete list of the languages. --Stefan2 (talk) 23:12, 20 August 2013 (UTC)

The Chinese community has given a list; on that list, it shows what kinds of Chinese languages should not be https, which also includes Tibetan, another Sino-Tibetan language that will be affected, because most of the native speakers are located in China, where HTTPS isn't an easy option. We have already got restrictions from the Communist party. HTTPS is no help to us. --Benjamin Jiperus (talk) 23:16, 20 August 2013 (UTC)

Leave choice to users

Please let users choose which transport they want to use. --Purodha Blissenbach (talk) 23:06, 20 August 2013 (UTC)

  • This. It will be complete crap if I am forced to edit through HTTPS; it's slow on my unstable connection. And FYI, forcing users should be only a last resort, and I see no reason to change to HTTPS voluntarily. KPu3uC B Poccuu (talk) 02:32, 21 August 2013 (UTC)

Translation

Hi. Why was neither this page nor the global message delivery post translatable? Do you think everybody on the planet is at least en-2? Although I try to AGF, I can't consider it any other way than disrespect to local non-English communities who are not obliged to learn English. WMF should never do it that way again. --Base (talk) 23:26, 20 August 2013 (UTC)

List of Chinese Wikipedia

Please notice these languages also need to remain http.

Benjamin Jiperus (talk) 23:28, 20 August 2013 (UTC)

Sorry, there are two more languages:

Uyghur is a Turkish language; a majority of Uighur people live in the west part of China. Thank you

Perfect forward secrecy

Will the new HTTPS-including setup have the Perfect forward secrecy property? If not, it would be nice to have. There should be an option to prioritize Diffie-Hellman for key exchange to achieve this. Wishing you good results for the procedure; good to see that coming. --Methossant (talk) 23:35, 20 August 2013 (UTC)

Unable to edit Wikidata

It says to report trouble here.
I have not been able to edit Wikidata while logged in for the past couple of days.
The [edit] buttons all appear initially, then they vanish.
Varlaam (talk) 00:36, 21 August 2013 (UTC)