Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wikimedia Foundation Enables HTTPS For All Projects

Posted by Soulskill on from the secure-citation-needed dept.

An anonymous reader writes "The Wikimedia Foundation has enabled HTTPS for all of its projects (Wikipedia, Wikimedia Commons, etc.), to enable secure log-in and browsing privacy. Their blog post goes into detail about how the service is configured, linking to configuration files and implementation documentation. It also mentions that HTTPS Everywhere will have updated rules for this change soon."

8 of 69 comments (clear)

  1. Great... Now, if only we could trust EVERY CA. by Anonymous Coward · · Score: 5, Interesting

    It only takes one CA being compromised to compromise THE ENTIRE SYSTEM of TLS / SSL...
    DigiNotar.
    Additionally: *.* cert... <- WTF, who's brilliant idea WAS that feature?!

    Fact: The biggest problem with the CA system is that any CA can create a cert for ANY DOMAIN even if the domain owner doesn't request the cert first.

    Thus, EVERY CA must be 100% secure 100% of the time. TLS / SSL isn't a system that has a single point of failure... It's a system that has many Hundreds of points of failure; Any one of them being enough to cause the whole trust model to fall apart like so many cards stacked in the shape of a house.

    Your browser probably doesn't trust DigiNotar, but does it trust CNNIC?
    http://yro.slashdot.org/story/10/02/02/202238/mozilla-accepts-chinese-cnnic-root-ca-certificate

    FF: Tools/Edit > Options/Preferences > Advanced > Encryption > View Certificates

    You trust ALL OF THESE?! Well, enjoy your security theater suckers.

    1. Re:Great... Now, if only we could trust EVERY CA. by phantomfive · · Score: 4, Informative

      You do realize that this has been a problem from the beginning, right? If you sound surprised, it's only because you only recently started paying attention.

      In practice, there are multiple layers of security, and this is just one of them.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Great... Now, if only we could trust EVERY CA. by ObsessiveMathsFreak · · Score: 3, Insightful

      Yes, but this is the layer which causes end users browsers to throw a yellow screaming fit if they try to use an encrypted connection outside of the CA club.

      --
      May the Maths Be with you!
  2. Fixed link by subreality · · Score: 3, Informative

    Oh, for the love of crypto.

  3. Thank you, thank you very much! by Anonymous Coward · · Score: 5, Interesting

    Whoa, this is an incredibly neat deed for many wiki-editors out there, including myself. Ever since a neighbouring government passing all my foreign-bound data decided to start reading all my IP traffic to build a comprehensive sociogram of my believes, affiliations and interests, I became increasingly paranoid and afraid of expressing myself online on foreign sites. I tried using secure.wikimedia.org, but the site had unsatisfactory stability and responsiveness compared to the unencrypted site. So I just continued using the unencrypted site, but avoiding sensitive topics.

    I hope this decision finally enables us to use Wikipedia even for editing sensitive topics, and more importantly hiding our wiki-identity from the government. Kudos to the Wikimedia technical team, you are doing a great job!

  4. https://slashdot.org? by Anonymous Coward · · Score: 3, Interesting

    So, when will slashdot follow? Currently https://slashdot.org just redirects to http://slashdot.org

  5. Re:Adds to greenhouse problem by heypete · · Score: 4, Informative

    Not much:

    In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.

  6. Re:Adds to greenhouse problem by vlm · · Score: 3, Informative

    I seriously hope not. SSL adds latency to the connection and is completely useless for a huge number of websites. Why would I need SSL to access a e.g. recipes page which doesn't even have a login page?

    You want to cook a non-Halal recipe in a Halal nation where improper religious observation will get you killed? Really simple example would be looking up mixed-drinks cocktails in Saudi Arabia...

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger