Wikimedia blog

News from the Wikimedia Foundation and about the Wikimedia movement

The future of HTTPS on Wikimedia projects


English

The Wikimedia Foundation believes strongly in protecting the privacy of its readers and editors. Recent leaks of the NSA’s XKeyscore program have prompted our community members to push for the use of HTTPS by default for the Wikimedia projects. Thankfully, this is already a project that was being considered for this year’s official roadmap and it has been on our unofficial roadmap since native HTTPS was enabled.

Our current architecture cannot handle HTTPS by default, but we’ve been incrementally making changes to make it possible. Since we appear to be specifically targeted by XKeyscore, we’ll be speeding up these efforts. Here’s our current internal roadmap:

  1. Redirect to HTTPS for log-in, and keep logged-in users on HTTPS. This change is scheduled to be deployed on August 21, at 16:00 UTC. Update as of 21 August: we have delayed this change and will now deploy it on Wednesday, August 28 at 20:00 UTC/1pm PT.
  2. Expand the HTTPS infrastructure: Move the SSL terminators directly onto the frontend varnish caches, and expand the frontend caching clusters as necessitated by increased load.
  3. Put in engineering effort to more properly distribute our SSL load across the frontend caches. In our current architecture, we’re using a source hashing based load balancer to allow for SSL session resumption. We’ll switch to an SSL terminator that supports a distributed SSL cache, or we’ll add one to our current solution. Doing so will allow us to switch to a weighted round-robin load balancer and will result in a more efficient SSL cache.
  4. Starting with smaller projects, slowly soft-enable HTTPS for anonymous users by default, gradually moving toward soft-enabling it on the larger projects as well. By soft-enable we mean changing our rel=canonical links in the head section of our pages to point to the HTTPS version of pages, rather than the HTTP versions. This will cause search engines to return HTTPS results, rather than HTTP results.
  5. Consider enabling perfect forward secrecy. Enabling perfect forward secrecy is only useful if we also eliminate the threat of traffic analysis of HTTPS, which can be used to detect a user’s browsing activity, even when using HTTPS.
  6. Consider doing a hard-enable of HTTPS. By hard-enable we mean force redirecting users from HTTP pages to the HTTPS versions of those pages. A number of countries, China being the largest example, completely block HTTPS to Wikimedia projects, so doing a hard-enable of HTTPS would probably block large numbers of users from accessing our projects at all. Because of this, we feel this action would probably do more harm than good, but we’ll continue to evaluate our options here.
  7. Consider enabling HTTP Strict Transport Security (HSTS) to protect against SSL-stripping man-in-the-middle attacks. Implementing HSTS could also lead to our projects being inaccessible for large numbers of users as it forces a browser to use HTTPS. If a country blocks HTTPS, then every user in the country that received an HSTS header would effectively be blocked from the projects.
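
An added illustration of item 3, not Wikimedia's code: a small Python simulation of why source-hash balancing keeps SSL session resumption working with per-terminator caches, and why a round-robin balancer needs a distributed cache to do the same. The traffic, addresses, session IDs and function names are constructed for the example.

```python
import hashlib
from collections import Counter
from itertools import cycle

def src_hash(ip, n):
    """Source-hash balancing: the client address alone selects the terminator."""
    return int(hashlib.sha256(ip.encode()).hexdigest(), 16) % n

def simulate(requests, weights, policy, shared_cache):
    """Replay (client_ip, session_id) connections.

    Returns (fraction of handshakes resumed, connections handled per terminator).
    """
    n = len(weights)
    caches = [set() for _ in range(n)]
    if shared_cache:
        caches = [caches[0]] * n          # one distributed cache seen by every node
    # Weighted round-robin: node i appears weights[i] times in each cycle.
    rr = cycle([i for i, w in enumerate(weights) for _ in range(w)])
    load, resumed = Counter(), 0
    for ip, sid in requests:
        node = src_hash(ip, n) if policy == "source-hash" else next(rr)
        load[node] += 1
        if sid in caches[node]:
            resumed += 1                  # abbreviated handshake
        else:
            caches[node].add(sid)         # full handshake, session now cached
    return resumed / len(requests), [load[i] for i in range(n)]

def sample_traffic():
    """Constructed input: one busy NAT address carrying 40 sessions plus 60
    single-session clients; every session opens 5 connections over time."""
    sessions = [("203.0.113.1", f"nat-{i}") for i in range(40)]
    sessions += [(f"198.51.100.{i}", f"client-{i}") for i in range(60)]
    return [s for _ in range(5) for s in sessions]

if __name__ == "__main__":
    traffic = sample_traffic()
    for policy, shared in [("source-hash", False), ("round-robin", False),
                           ("round-robin", True)]:
        rate, load = simulate(traffic, [1, 1, 1], policy, shared)
        print(f"{policy:12} shared_cache={shared!s:5} resumed={rate:.0%} load={load}")
```

With source hashing, every connection from the NAT address lands on one terminator, so resumption works but that node carries a disproportionate share of the load; round-robin evens the load out and only keeps the same resumption rate once the cache is shared.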

Currently we don’t have time frames associated with any change other than redirecting logged-in users to HTTPS, but we will be making time frames internally and will update this post at that point.

Until HTTPS is enabled by default, we urge privacy-conscious users to use HTTPS Everywhere or Tor [1].

Ryan Lane
Operations Engineer, Wikimedia Foundation

[1]: There are restrictions with Tor; see Wikipedia’s information on this.

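Chinese

A vision for the future use of the HTTPS protocol on Wikimedia projects

The Wikimedia Foundation places great importance on protecting the privacy of its readers and editors. The recently exposed NSA XKeyscore program has prompted us to make HTTPS the default way for community members to access the Wikimedia Foundation's projects. Fortunately, this is already part of this year's official plan, and it has been an unofficial plan ever since the Wikimedia projects became accessible over HTTPS.

Our current software architecture cannot yet provide HTTPS connections by default, but we have been modifying it so that it can. Since this change specifically targets the XKeyscore program, we will speed up these changes. Below is our currently planned roadmap:

  1. Redirect to HTTPS at log-in, and keep logged-in users on HTTPS. This change is planned for deployment on August 28 at 20:00 (UTC), rescheduled from August 21 at 16:00 (UTC).
  2. Build out the HTTPS infrastructure: cache SSL connections in the system caches, and expand the front-end server clusters as front-end load grows.
  3. Put more effort into distributing SSL load more appropriately across our front-end caches. In our current architecture we use a hash-based load balancer to allow SSL session resumption. We will switch to an architecture that supports a distributed SSL cache, or else build one into our current solution. Doing so will let us switch to a weighted round-robin load balancer, making the SSL cache more efficient.
  4. Starting with some smaller wiki sites, gradually soft-enable HTTPS access by default for anonymous users, and then gradually soft-enable it on the larger projects as well. Soft-enabling means changing the link tag in the head section of our pages so that search engines index the HTTPS pages rather than the HTTP pages.
  5. Consider enabling Perfect Forward Secrecy (PFS). This appears to be the only way in which traffic analysis and detection of a user's browsing activity can still be carried out when HTTPS is in use.
  6. Consider hard-enabling HTTPS. Hard-enabling means that users visiting over HTTP would be forced onto the encrypted HTTPS version. Some countries, mainland China being the obvious example, block HTTPS connections to the Wikimedia Foundation's projects, so a hard-enable would mean that most mainland Chinese users would very likely have to say goodbye to the vast majority of Wikimedia projects. Because of this, we believe doing so would do more harm than good, but we will continue to evaluate whether it is appropriate.
  7. Consider enabling HTTP Strict Transport Security (HSTS) to prevent man-in-the-middle attacks in transit. Using HSTS would also make our projects inaccessible to many users, because it forces the browser to use HTTPS. If a country blocks HTTPS, every user in that country who has received the HSTS header would be unable to access the Foundation's projects.

Admittedly, apart from redirecting logged-in users to HTTPS, we have not had time to attend to any of the related changes, but we will make internal adjustments and will keep this proposal updated.

Until HTTPS is enabled by default, we strongly recommend that privacy-conscious users use HTTPS Everywhere or Tor [1].

Ryan Lane
Operations Engineer, Wikimedia Foundation

[1]: Note that users of Tor will be restricted from editing; see this page on the English Wikipedia.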

73 Responses to “The future of HTTPS on Wikimedia projects”

  1. Ryan Lane says:

    Editing over HTTP as a logged-in user provides a false sense of privacy. Communications in China and everywhere else in the world, as we’ve recently become aware, are being monitored. If someone edits as a logged-in user over HTTP their privacy is already gone.

    Editing over HTTPS makes it much more likely for a logged-in user to stay anonymous. We’re making a choice of real privacy for the world over a false sense of privacy for Chinese users.

    We can’t control the Chinese government and we can’t allow them to dictate our security policy.

    Keep in mind that I don’t speak absolutely on this topic and you should feel free to bring the topic up on the wikimedia-l email list.

    [This comment was merged from another:] Note that I’ve brought this topic up internally within Wikimedia Foundation and we’re discussing options for Chinese users. Please don’t feel like we’re ignoring the issue.

  2. William915@zhwiki says:

    Ryan, I have to restate that Wikipedia should be open for editing by anyone, not just a few experts in computer science who know how to use complicated things such as Tor. It is clear that you know “hard redirecting log-ins to HTTPS very soon will block out Chinese editors behind the GFW” (reply #16), which is the last thing we would like to happen. It means most active participants from mainland China will either have to leave the community completely or continue editing as anonymous editors.

    Additionally, I find it very difficult to understand “It’s honestly dangerous to edit in China without using a VPN or Tor.” in reply #12. We mainland Chinese editors have been editing in this way for a long time and little trouble concerning security has been seen.

    Please think it over: if using HTTPS would force current active Chinese editors to edit anonymously (which means their IPs will be visible to ANYONE), the initial purpose of protecting users’ privacy is COMPLETELY NULLIFIED.

  3. quark says:

    Ryan Lane: The blog said that “Redirect to HTTPS for log-in, and keep logged-in users on HTTPS. This change is scheduled to be deployed on August 21, at 16:00 UTC.” That means ALL log-ins and logged-in users of Wikipedia must be on HTTPS, is it?

  4. Yhz1221 says:

    Ryan, you should understand that NOT every single Chinese person knows how to use a VPN or Tor. You know how to use them, BUT there are millions of people who do NOT know how to use them, especially when almost all of the common proxies are blocked by Wikipedia (Goagent, etc.).

    You guys should understand that “redirect” can completely destroy the Chinese Wikipedian community. “Access” is much more important than “Security”. If someone cannot even access a page, he can’t do anything, and his account will be worth nothing.

  5. Ryan Lane says:

    quark, you’re misunderstanding. The blog post very explicitly says we are not planning on hard redirecting readers to HTTPS. That said, we are planning on hard redirecting log-ins to HTTPS very soon and that will block out Chinese editors behind the GFW.

    By using VPNs or Tor it’s possible to continue editing. It’ll be possible to continue reading even without VPNs or Tor, even after we “soft-enable” HTTPS for anonymous users.

  6. quark says:

    Ryan Lane: Default HTTPS right now does not give average users in China any benefit; they simply cannot edit and cannot log in.

    So, first, redirecting to HTTPS bans ALL China users from visiting and editing Wikipedia. Second, most registered users in China will turn to using an IP account and HTTP to visit and edit after HTTPS becomes the default, and more IP privacy will be exposed. Under IP-HTTP, the user’s privacy status will be worse than it is now with a logged-in account. I cannot picture whether it is a feast or a nightmare for China users.

    VPNs and Tor are too difficult and expensive for average users in China. At the same time, a VPN or Tor is not a talisman against the GFW. The GFW is also always obstructing VPNs and Tor, and most tools and information on how to bypass the GFW.

    We had to fight the horrible GFW uncomfortably and painfully. WHY does WMF have to give China users another wall in front of Wikipedia? WMF refuses to let most China users visit and edit Wikipedia because those users’ privacy may be compromised. Does it feel good, outside China, in morality and justice, or is it dropping a stone on a fallen person?

    There is so much misfortune. Why let the misfortune to become despair.

  7. Ryan Lane says:

    Seb35, it’s not on the Roadmap yet, but we’ll hopefully add it soon. We need to figure out reasonable target dates for each action.

  8. Ryan Lane says:

    Magnus, not really. We could use Javascript to detect if HTTPS is available and rewrite all links on the page to make subsequent requests HTTPS. We could also use geo targeting via Javascript, but it may not be accurate enough.

  9. Ryan Lane says:

    Quark, yes, we know forcing log-in over HTTPS will cause problems for editors in China, but it’s honestly dangerous to edit in China without using a VPN or Tor. Additionally, it’s simply poor security practice to allow log-ins over HTTP, as your credentials are being passed across the internet for anyone to steal. We can’t allow China or any other country that censors its users to dictate our security.

    Please read the Wikipedia article linked in the footnotes for WP:TOR. It lists technical measures you can use to bypass the great firewall of China. That will work for editing. Reading Wikipedia will not be affected by our changes.

  10. Ryan Lane says:

    Tristan, HTTPS Everywhere is known to cause browsing issues on many sites, otherwise I would have worded that sentence differently. I would love everyone to use it specifically for the SSL Observatory feature.

  11. Ryan Lane says:

    I’m confused about the comments regarding China. I thought I made it fairly clear that we believe hard-redirecting users to HTTPS would probably do more harm than good and specifically mentioned China as to why it would be. For the foreseeable future HTTP will still be available, but it won’t be the default.

  12. Angnation says:

    Chinese government didn’t ban Wikipedia from China. Wikimedia Foundation did the final move. Shame on the Foundation.

  13. auiwehgtf says:

    loks mith made a key on 2008/8/4 alredy coolden will publish wikip.private.k to proo we

  14. Magnus says:

    Is it possible to only hard-enable HTTPS in countries that do not block it?

  15. quark says:

    HTTPS is unavailable in China. Redirect to HTTPS for log-in, and keep logged-in users on HTTPS EQUAL banning ALL China users to visit wikipedia.

  16. 燃玉 (Ranyv) says:

    It’s nice to protect users’ privacy. But in mainland China, we haven’t been able to use Wikipedia with SSL since May 2013 (except over IPv6, you know why).

    If every Chinese has to use SSL, which means there will be no log in from mainland-China-IP, it will destroy the community of Chinese mainland. The wikimania 2013 will be The Last Supper of us.

    Sorry for my poor English,

    Ranyv, User:燃玉 of zh-Wikipedia

    To boldly go where no man has gone before
    勇踏前人未至之境!

  17. Seb35 says:

    Is there some link (on mediawiki.org or elsewhere) where this year’s roadmap mentions this deployment of HTTPS? I mean another, more stable resource than this blog post; I didn’t find it on https://www.mediawiki.org/wiki/Roadmap

  18. I was very pleased to read this announcement and I applaud the steps Ryan and the WMF are taking to protect the privacy of Wikipedia readers and editors.

    My only (very minor) quibble is with the last sentence of this posting — *everyone*, not just the “privacy conscious”, should be using tools such as HTTPS Everywhere. These technologies aren’t for furtive paranoiacs; they help restore the sanctity of personal communication that was once commonplace.

  19. Ryan Lane says:

    Rupert, this does not protect against MITM attacks via signed certificates from CAs. However, there’s no evidence that it is being done on any large scale. Also, if done on any large scale, we hope that projects like the SSL Observatory will detect this type of abuse, prompting browsers to remove malicious CAs from their trust stores.

  20. Rupert THURNER says:

    ryan, thank you for the detailed information! one detail i am still unsure about, how does this help against man in the middle attacks via the certification authority “digicert”, located in the USA:
    * http://www.wired.com/threatlevel/2010/03/packet-forensics/
    * https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl
