Slashdot Mirror


Wikimedia Foundation Enables HTTPS For All Projects

An anonymous reader writes "The Wikimedia Foundation has enabled HTTPS for all of its projects (Wikipedia, Wikimedia Commons, etc.), to enable secure log-in and browsing privacy. Their blog post goes into detail about how the service is configured, linking to configuration files and implementation documentation. It also mentions that HTTPS Everywhere will have updated rules for this change soon."


  1. greeat by waddgodd · · Score: 2

    Of course, wait until after the persistent TLS1.0 connection bug gets exploited. Because, you know, nothing says "we care about security" quite as much as making available an exploited protocol.

    --
    Just because you're paranoid doesn't mean they aren't out to get you
  2. It's a good thing. by Frosty+Piss · · Score: 2

    Sure. When I look up "Dog Poop Girl" I need to make sure the government isn't tracking it...

    --
    If you want news from today, you have to come back tomorrow.
  3. Great... Now, if only we could trust EVERY CA. by Anonymous Coward · · Score: 5, Interesting

    It only takes one CA being compromised to compromise THE ENTIRE SYSTEM of TLS / SSL...
    DigiNotar.
    Additionally: *.* cert... <- WTF, whose brilliant idea WAS that feature?!

    Fact: The biggest problem with the CA system is that any CA can create a cert for ANY DOMAIN even if the domain owner doesn't request the cert first.

    Thus, EVERY CA must be 100% secure 100% of the time. TLS / SSL isn't a system that has a single point of failure... It's a system that has many hundreds of points of failure; any one of them being enough to cause the whole trust model to fall apart like so many cards stacked in the shape of a house.

    Your browser probably doesn't trust DigiNotar, but does it trust CNNIC?
    http://yro.slashdot.org/story/10/02/02/202238/mozilla-accepts-chinese-cnnic-root-ca-certificate

    FF: Tools/Edit > Options/Preferences > Advanced > Encryption > View Certificates

    You trust ALL OF THESE?! Well, enjoy your security theater, suckers.

    1. Re:Great... Now, if only we could trust EVERY CA. by phantomfive · · Score: 4, Informative

      You do realize that this has been a problem from the beginning, right? If you sound surprised, it's only because you only recently started paying attention.

      In practice, there are multiple layers of security, and this is just one of them.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Great... Now, if only we could trust EVERY CA. by ObsessiveMathsFreak · · Score: 3, Insightful

      Yes, but this is the layer which causes end users' browsers to throw a yellow screaming fit if they try to use an encrypted connection outside of the CA club.

      --
      May the Maths Be with you!
    3. Re:Great... Now, if only we could trust EVERY CA. by petermgreen · · Score: 2

      In practice, there are multiple layers of security

      In a normal SSL web browser configuration there are exactly two layers of security, SSL and the security of the underlying network you are using. Break both of those and you can set up as a man in the middle and sniff the user's data.

      You do realize that this has been a problem from the beginning, right?

      However it is a problem that has got worse over time for several reasons.

      Firstly the list of trusted CAs has been ever growing both through the addition of root certs to browsers and through the issuance of "intermediate certs" by the existing CAs. How many people know that their browser trusts the Chinese government?

      Secondly people used to access the internet through relatively safe networks (while ethernet isn't secure you at least need a physical connection to mess with it). However there is a trend towards use of wifi hotspots which are usually unencrypted and relatively easy to subject to man in the middle attacks.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
  4. Fixed link by subreality · · Score: 3, Informative
  5. Thank you, thank you very much! by Anonymous Coward · · Score: 5, Interesting

    Whoa, this is an incredibly neat deed for many wiki-editors out there, including myself. Ever since a neighbouring government passing all my foreign-bound data decided to start reading all my IP traffic to build a comprehensive sociogram of my beliefs, affiliations and interests, I became increasingly paranoid and afraid of expressing myself online on foreign sites. I tried using secure.wikimedia.org, but the site had unsatisfactory stability and responsiveness compared to the unencrypted site. So I just continued using the unencrypted site, but avoiding sensitive topics.

    I hope this decision finally enables us to use Wikipedia even for editing sensitive topics, and more importantly hiding our wiki-identity from the government. Kudos to the Wikimedia technical team, you are doing a great job!

  6. https://slashdot.org? by Anonymous Coward · · Score: 3, Interesting

    So, when will slashdot follow? Currently https://slashdot.org just redirects to http://slashdot.org

    1. Re:https://slashdot.org? by jones_supa · · Score: 2

      Good question. As a geek site, Slashdot should be a pioneer in these things. Full Unicode character support has also been missing for a long time. The box for notification messages on the front page feels a bit old too, something like the Facebook globe icon could be more sleek. Different color themes. Things like that.

  7. Re:Adds to greenhouse problem by heypete · · Score: 4, Informative

    Not much:

    In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.

  8. Re:Adds to greenhouse problem by icebraining · · Score: 2

    I seriously hope not. SSL adds latency to the connection and is completely useless for a huge number of websites. Why would I need SSL to access, e.g., a recipes page which doesn't even have a login page?

  9. Re:Adds to greenhouse problem by vlm · · Score: 3, Informative

    I seriously hope not. SSL adds latency to the connection and is completely useless for a huge number of websites. Why would I need SSL to access, e.g., a recipes page which doesn't even have a login page?

    You want to cook a non-Halal recipe in a Halal nation where improper religious observation will get you killed? Really simple example would be looking up mixed-drinks cocktails in Saudi Arabia...

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger