HTTPS/Discussions

The HTTPS topic has been discussed at length in various places. This page gives some links (hopefully most) to where you can find past discussions.

Topics around HTTPS and Wikimedia

  • User interaction issues:
    • spreading knowledge about HTTPS and security: documentation;
    • error handling: what should happen in case of an HTTPS error, or in case of a major TLS problem? opt-out mechanism;
    • promotion of HTTPS: soft activation (ask search engines to direct to the HTTPS version, see point 4 of Ryan’s post), promotion of HTTPS Everywhere, HTTP Strict Transport Security (HSTS), asking third-party software to switch to HTTPS, hard activation (see point 6 of Ryan’s post);
    • promotion of pinning/TACK? ([1] and [2]);
  • Diplomatic, legal and administrative issues:
    • Issuance of the certificate, Extended Validation, pinning ([3] and [4]);
    • Great Firewall of China: observation, documentation, communication with the government? (China has repeatedly blocked HTTPS access to Wikimedia projects, and has done so since the beginning of 2013);
    • Iran's government has blocked SSL access to WMF projects too; see bugzilla:52846
    • Surveillance programs: links with legal and citizen associations, legal protection of the servers and private key;
  • Technical issues:
    • caching: SSL termination on the Varnish frontend caches, distributed SSL cache (see points 2 and 3 of Ryan’s post), etc.;
    • performance: studies and experience, OCSP stapling;
    • security: known attacks, best practices, cipher suites (perfect forward secrecy, PFS), man-in-the-middle mitigation (HTTP Strict Transport Security), DNSSEC, traffic analysis (see the link given in point 5 of Ryan’s post), etc.;
    • server security and management: protection of the private key (within the WMF network), response in case of a major crisis (SSL software/hardware problem, fallback to pmtpa, TLS completely broken, disclosed private key), how to deal with HTTPS-deficient user agents (e.g. old or badly written software, or HTTPS blocked on enterprise networks);
    • technical responses to the Great Firewall of China: GeoIP, specific domain, DNSSEC, opt-out mechanism (HTTP cookie, URL parameter, etc.), etc.

Past discussions

Bugzilla

Mailing lists

Wikis

Deployment in August 2013

English-language Wikipedia
French-language Wikipédia