Slashdot Mirror


Jimmy Wales Threatens To Obstruct UK Government Snooping

judgecorp writes "Wikipedia founder Jimmy Wales has threatened to encrypt communications between Wikipedia and UK users in order to frustrate the proposed Communications Bill, known as the Snooper's Charter, which would give the UK government the right to routinely track citizens' web and phone use. Wales was addressing the committee which is scrutinising the Bill before it is considered by Parliament."

198 comments

  1. Good by netwarerip · · Score: 5, Insightful

    Nice to see someone has a pair of balls. Not very common on an adult named 'Jimmy'.

    1. Re:Good by Anonymous Coward · · Score: 5, Funny

      Nice to see someone has a pair of balls. Not very common on an adult named 'Jimmy'.

      "The Outlaw Jimmy Wales"

    2. Re:Good by wonkey_monkey · · Score: 5, Funny

      The virgin Connie Swail?

      --
      systemd is Roko's Basilisk.
    3. Re:Good by camionbleu · · Score: 5, Insightful

      Yes, a good gesture indeed. However, encrypting the packets will not prevent traffic analysis by the UK government. To avoid that, individual users will have to take their own security measures (such as using Tor). Nevertheless, it's nice to see high-profile opposition to the Communications Bill.

    4. Re:Good by cpu6502 · · Score: 2

      >>>a pair of balls. Not very common on an adult named 'Jimmy'.

      Jimmy Swaggert (stood-up against segregation)
      Jimmy Carter (stood-up against Arab terrorists)
      Jimmy Stewart (World War 2 fighter pilot)
      Jimmy Buffett (okay this is a bit of a stretch)

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    5. Re:Good by Anne_Nonymous · · Score: 1

      Those are excellent examples, but my brother-in-law, Jimmy, acts as a sort of maturity-credit offset to all of them and then some.

    6. Re:Good by Roberticus · · Score: 2

      Minor correction: Jimmy Stewart flew bombers, not fighters.

    7. Re:Good by Anonymous Coward · · Score: 0

      Except for back in the good ole days when Men were men and sheep were nervous Jimmy was often used as a name for any one of working class origins called James.

      Many of them miners / iron workers etc and built like a brick shit house, I doubt you would have said that to their face.

    8. Re:Good by Anonymous Coward · · Score: 0

      For the average person to figure out how to use TOR *properly* - well, forget it, cause that will never happen. Improperly configuring TOR is more likely to give someone a false sense of anonymity and get them into more trouble. TOR has been significantly compromised now that the governments' researchers have gamed it by strategically controlling a large number of nodes (particularly exit nodes) and performing side-channel attacks, etc. to identify the originating hosts. That's not to say you can't force yourself to use lists of known safe nodes, but again that goes back to *proper configuration of TOR* which is beyond the average person. Nonetheless, the average person still deserves the same rights as anyone else regardless of what they are researching and that includes the right to not be snooped on for no good reason. If they (Wikipedia) implement secure encrypted connections for their UK users - it means the government can see that person X connected to Wikipedia's servers, but not that data that they are sending/receiving. If you are suggesting this makes them "guilty of something" then by the same logic it is possible to see that someone has connected themselves to the TOR network and assume that they are guilty of something, right? Connect to TOR all you want, but again if it isn't configured properly to use encryption then what is the point? - I can't readily see your end destination but your data is wide open to look at. By that measure I would still be able to identify your destination host.

      TL;DR - The encryption aspect of the communications is important in any case - be it through TOR or a direct connection.

    9. Re:Good by Anonymous Coward · · Score: 0

      Wrong movie: http://www.imdb.com/title/tt0092925/
      Right movie: http://www.imdb.com/title/tt0075029/

    10. Re:Good by jd2112 · · Score: 4, Insightful

      UK GOV: We can't read it so it must be pedophile terrorists trading MP3s.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    11. Re:Good by Anonymous Coward · · Score: 1

      Oddly enough, the distinction is tricky as we move from the WWII era to the modern era.

      WWII Bombers were heavily armed with anti-air weapons. Even if you ignore their payload, they were more heavily armed than any fighters (There may be some exception to this). WWII Bombers probably had a pretty good chance to be involved in air-to-air combat. Certainly not the iconic dogfights we imagine, but they certainly trained for and expected it.

      As we moved onward, bombers air-to-air offensive/active defenses were slowly stripped out and the 'standard' image of the bomber we have today was born. A large high flying cargo-like aircraft with almost no active defences is what most imagine bombers to be. It is strange though that the popular conception of bombers excludes attack aircraft even though they fill very similar roles when used for the purpose of delivering dumb or semi-guided bombs.

      I guess what I'm saying is that the distinction is an odd one, in that a modern pilot could be considered a fighter pilot, and a bomber pilot as well for certain aircraft.

      Don't mind me, I'm just rambling.

    12. Re:Good by Anonymous Coward · · Score: 0

      "Jimmy Carter (stood-up against Arab terrorists)"

      Are you high?

    13. Re:Good by Anonymous Coward · · Score: 0

      Not tricky at all. WWII Bombers flew straight and level over a target and dropped a payload of bombs. Yes they bristled with machine guns, but those were not aimed or controlled by the pilot. Taken it to today and while the latest bomber designs don't carry machine guns we still have B52's in service which do have at least one pair of machine guns in the tail.

      A fighter can drop bombs but a bomber cannot dogfight and does not go after other aircraft despite the number of lead spitting tubes on the craft. The distinction is clear and always has been. Anyone who gets them confused really has no idea what they are talking about.

    14. Re:Good by Anonymous Coward · · Score: 0

      You've just rustled a few Jimmies.

    15. Re:Good by Anonymous Coward · · Score: 0
    16. Re:Good by dywolf · · Score: 1

      Clint Eastwood reference deserves a mod up. Great movie

      --
      The guy who said the election was rigged won the presidency with the second-most votes.
    17. Re:Good by Hillgiant · · Score: 2

      Hey. Let's keep our history straight. It was Reagan that negotiated with the terrorists.

      --
      -
    18. Re:Good by Harvey+Manfrenjenson · · Score: 1

      >>>a pair of balls. Not very common on an adult named 'Jimmy'.

      Jimmy Swaggert (stood-up against segregation)
      Jimmy Carter (stood-up against Arab terrorists)
      Jimmy Stewart (World War 2 fighter pilot)
      Jimmy Buffett (okay this is a bit of a stretch)

      Although Carter is perhaps better known for standing up against right-wing Israelis.

    19. Re:Good by Anonymous Coward · · Score: 0

      Connie Swail

      ftfy.

    20. Re:Good by Maxwell'sSilverLART · · Score: 1

      ...and standing down against a rabbit.

      --
      Moderate drunk! It's more fun that way!
    21. Re:Good by AmberBlackCat · · Score: 2

      UK GOV: We can't read it so it must be pedophile terrorists trading MP3s.

      That kind of happened to me in high school. Not the pedophile terrorist part, but I was saving my school assignments in WordPerfect files that could not be opened without a password. School administrators considered me a "hacker" or something and routinely examined the files I had saved on the school network. They could not read my WordPerfect files but the words added to my spellchecker's dictionary were in plain text. And they deleted all of my school assignments on the grounds that there were dirty words in the spellchecker dictionary and therefore, there must have been dirty words in the files they couldn't read.

    22. Re:Good by cpu6502 · · Score: 1

      >>>Let's keep our history straight. It was Reagan that negotiated with the terrorists.

      False. Jimmy Carter's men did the negotiations and it was essentially a done deal to release the hostages. However the Arabs refused to send them home until Reagan took the oath of office, thereby enabling him to take credit for his predecessors' actions. (Source: My college history class.)

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    23. Re:Good by dwye · · Score: 1

      However the Arabs refused to send them home until Reagan took the oath of office,

      They were Iranians, not Arabs. Both Arab terrorists and Iranians would be insulted if they read your mistake. I hope that no one can figure out where you live :-)

    24. Re:Good by wonkey_monkey · · Score: 1

      Dum, da dum-dum!

      --
      systemd is Roko's Basilisk.
    25. Re:Good by xmundt · · Score: 1

      greetings and salutations;
                Dealing with the Middle East, and the attack rabbit were certainly interesting moments in Carter's tenure. I have to say that the Iranian Students refusing to release the hostages they held until Reagan was sworn in was a childish and pitiful action that brought contempt down on a society that had some significant high points in its history.
                However, perhaps what is more important is the fact that Pres. Carter has been one of the few presidents who has truly continued to serve the country after leaving office. He has done this in two ways. Firstly, his long-time association with Habitat for Humanity has meant that there are a lot of people out there with homes that Pres. Carter had a real hand in building. He is a fine woodworker, and I would be proud to say that he applied that craftsmanship to MY house! Secondly, his travels around the world to monitor elections and involve himself in diplomatic talks where rational discussion overrides emotion have helped mend America's image in the eyes of the world, and, have helped nurture the spread of democracy - and freedom - which is also a good thing
                Pleasant dreams
                dave mundt

      --
      YAB - http://blog.beemandave.com/
    26. Re:Good by TheGratefulNet · · Score: 1

      same backwards way of life, same hate toward the west, same exact hate toward jews and the goal of wiping israel off the globe.

      to us, they ARE pretty much the same. in what matters and what affects us, they ARE the same.

      and if that insults, well, so be it.

      there is no love loss between our peoples. you reap what you sow.

      --
      "It is now safe to switch off your computer."
  2. Here we go... by benjymous · · Score: 4, Funny
    --
    Help me! I'm turning into a grapefruit!
    1. Re:Here we go... by L4t3r4lu5 · · Score: 4, Informative

      HTTPS Everywhere

      If I were a Russian meerkat, I'd be sucking my teeth right now.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    2. Re:Here we go... by tomtomtom · · Score: 4, Informative

      It's also worth pointing out HTTPS Finder which will work for the random sites you visit that aren't in HTTPS Everywhere's default list. And of course you might want to use some other privacy-protecting addons to stop info leaking out to ad-trackers over plain old HTTP and/or alert you to a potential compromise of your HTTPS certificate chain of authority.

    3. Re:Here we go... by ftobin · · Score: 1

      Thank you for pointing me to HTTPS Finder. It definitely fits a need.

    4. Re:Here we go... by Control-Z · · Score: 1

      HTTPS doesn't encrypt the request though does it? The government could still see you requested https://wikipedia.com/how_to_make_bombs.html

    5. Re:Here we go... by PsychoKiller · · Score: 3, Informative
    6. Re:Here we go... by Anonymous Coward · · Score: 0

      The extension does not work for me. It says HTTPS Finder cannot be installed as Firefox cannot modify the needed file. I am running FF 16 (I am on the beta channel) on Windows 7.

    7. Re:Here we go... by Anonymous Coward · · Score: 0

      Convergence addon, http://convergence.io/details.html
      great for further protecting our HTTPS requests.

    8. Re:Here we go... by Pieroxy · · Score: 1

      I do believe only the host name is readable in an https request.
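An added example for the question and answer above (not code from any poster): it parses a TLS ClientHello the way a passive observer on the wire could and pulls out the server name, the one request detail sent in the clear. It assumes a classic ClientHello with a cleartext server_name extension; the function names and the sample bytes are constructed for illustration.

```python
import struct
from typing import Optional

SNI_EXT = 0x0000  # server_name extension type (RFC 6066)


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed sample: a minimal TLS ClientHello record for `hostname`."""
    exts = struct.pack("!HH", 0x000B, 2) + b"\x01\x00"  # unrelated extension
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # type 0 = host_name
        data = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(data)) + data
    body = (
        b"\x03\x03" + bytes(32)   # client version, 32-byte random (zeros here)
        + b"\x00"                 # empty session id
        + b"\x00\x02\x13\x01"     # one cipher suite
        + b"\x01\x00"             # null compression only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observed_server_name(record: bytes) -> Optional[str]:
    """Return the cleartext host name in a ClientHello, or None if it has no SNI.

    Raises ValueError if the bytes are not a complete ClientHello record.
    """
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    rec_len = int.from_bytes(record[3:5], "big")
    if len(record) < 5 + rec_len:
        raise ValueError("truncated TLS record")
    handshake = record[5:5 + rec_len]
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    try:
        pos = 2 + 32                                          # version + random
        pos += 1 + body[pos]                                  # session id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher suites
        pos += 1 + body[pos]                                  # compression methods
        if pos >= len(body):
            return None                                       # no extensions at all
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(ext_end, len(body)):
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == SNI_EXT:
                data = body[pos:pos + ext_len]
                # layout: list length (2), name type (1), name length (2), name
                if data[2] != 0:
                    return None
                name_len = int.from_bytes(data[3:5], "big")
                return data[5:5 + name_len].decode("ascii")
            pos += ext_len                                    # skip other extensions
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello")
    return None


if __name__ == "__main__":
    # Constructed request: https://en.wikipedia.org/wiki/Privacy
    hello = build_client_hello("en.wikipedia.org")
    print("observer sees host:", observed_server_name(hello))
    # The path and headers are sent later as encrypted application data,
    # so they never appear in these handshake bytes.
    print("path in handshake bytes:", b"/wiki/Privacy" in hello)
```

The destination IP address and the volume and timing of traffic remain visible as well, which is the traffic-analysis point raised earlier in the thread.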

    9. Re:Here we go... by Anonymous Coward · · Score: 0

      Or for Chrome users, there's KB SSL Enforcer:
      https://chrome.google.com/webstore/detail/flcpelgcagfhfoegekianiofphddckof

  3. Why not just do it? by MisterP · · Score: 4, Interesting

    I understand that Wikipedia is a non-profit and has limited resources, but why not just do it? This doesn't seem like a radical stance at all. This should be on their roadmap. Given Wikipedia's history of taking sides on issues like this, they should be pioneers in doing this sort of thing.

    Plain text HTTP is on its way to becoming a legacy protocol.

    1. Re:Why not just do it? by xded · · Score: 4, Interesting

      Given the traffic volume experienced by Wikipedia every day, switching the entire UK (or worldwide) traffic to HTTPS would represent a significant hit on the servers' CPU load if they're not using cryptographically capable hardware (and maybe even if they do, however IANANE and I'm not sure how this could work with load balancing).

    2. Re:Why not just do it? by Anonymous Coward · · Score: 5, Informative

      I'm not sure how this could work with load balancing

      Their load balancers probably already handle the SSL and unwrap it for the web servers.
      Most decent load balancers support hardware-SSL these days.

    3. Re:Why not just do it? by Anonymous Coward · · Score: 4, Insightful

      Perfect response to the many people saying the same thing over and over... 'why not just DO it??!??!?'. They're threatening for now because it would require a significant financial and time investment to follow through. There's also the chances of downtime, server overload, etc... that needs to be taken into consideration. With Wikipedia's reputation, at least from all I can tell, of having a solid and stable domain, it wouldn't do well to fight on a stance like this and cripple itself in the process.
      Besides, with the widespread use of Wikipedia, it's a good way to get the word out there to the millions who use the site daily.
      I've said it before, and will reiterate now...
      V for Vendetta's view of England seems to be coming closer to reality with every passing year.

      -- Valor958

    4. Re:Why not just do it? by Seumas · · Score: 2

      If only they were able to raise tens of millions of dollars per year for their "non-profit". Perhaps via some banner at the top of every page on their site, so they could afford servers.

    5. Re:Why not just do it? by Cajun+Hell · · Score: 4, Interesting
      I totally agree with the idea that he should just go ahead and do it, but

      Most decent load balancers support hardware-SSL these days.

      That's gotta at least increase the wattage. Nothing is ever really free though in 2012 you'd think crypto would be dirt cheap. If your 20 year old computer can do it...

      --
      "Believe me!" -- Donald Trump
    6. Re:Why not just do it? by X0563511 · · Score: 1

      Plain text HTTP is on its way to becoming a legacy protocol.

      No it's not. What do you think that SSL/TLS session is encapsulating?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    7. Re:Why not just do it? by cpu6502 · · Score: 2

      https is the answer but it should be a voluntary thing.

      According to the politicians & judges we have "no expectation of privacy in a public arena". It's why they camcord us in the streets, and why we can camcord them as they are writing tickets or beating people with clubs. So isn't the world wide web also a public venue? The politicians appear to be saying "yes".

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    8. Re:Why not just do it? by Anonymous Coward · · Score: 0

      opencl+a couple graphics cards. Not energy-free, but I'll guarantee even if you use the high-wattage cards it'll use a lot less cycles to do the same amount of work (this is of course assuming you have enough spare slots and i/o bandwidth in the system, but it's also the direction AMD claims they're heading next cpu generation for their servers.... given how bad *dozer is turning out to be, it seems likely.)

    9. Re:Why not just do it? by trancemission · · Score: 1

      Yes I agree it should be on their roadmap, the issue I see is there is now real need for it at this point and Wikipedia is run by only a few people IIRC [Volunteers?]

      Technically and financially it is very feasible as it is already in place.

      Practically could be quite difficult for a small group of people with a large infrastructure to switch off HTTP.

    10. Re:Why not just do it? by Anonymous Coward · · Score: 0

      HTTPS used to be a problem for CPU load back in the old days, that isn't so much the case now though.

    11. Re:Why not just do it? by DarwinSurvivor · · Score: 4, Informative

      Wikipedia already supports SSL, all they seem to *really* be threatening is making it *default* for UK users (either through a redirect or some other method). Anyone with "HTTPS Everywhere" already has it enabled.

    12. Re:Why not just do it? by Inda · · Score: 1

      Google released a report a year or so back. I'm sure the figures they quoted showed 1-2% extra CPU usage.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    13. Re:Why not just do it? by DarwinSurvivor · · Score: 1

      Your second paragraph doesn't back up the first in the slightest. Give me a SINGLE valid reason for preferring http over https (from a normal user's perspective).

    14. Re:Why not just do it? by Tanktalus · · Score: 2

      Talk about nit-picking. You know what he meant, but you had to pick on how he said it instead.

      Is this any better? "Unencrypted HTTP is on its way to becomming a legacy protocol."

      (Typo left in so you can ignore my point, too, and instead nit pick on something else.)

    15. Re:Why not just do it? by Anonymous Coward · · Score: 0

      that's being a bit pedantic ...

      by this definition there is no such thing as an encrypted protocol. "No no it's not encrypted, it's plain text encapsulated by encryption"

    16. Re:Why not just do it? by LihTox · · Score: 2

      So isn't the world wide web also a public venue? The politicians appear to be saying "yes".

      Which is like saying that because Harry Potter is a publicly published book series, reading a Harry Potter book in bed is a public act.

    17. Re:Why not just do it? by Anonymous Coward · · Score: 0

      Indeed, and that was on the whole of gmail.

      http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

    18. Re:Why not just do it? by tolan-b · · Score: 3, Insightful

      With HTTPS there's less caching going on in general so it's a bit slower. Doesn't bother me but it's definitely a valid reason.

    19. Re:Why not just do it? by X0563511 · · Score: 1

      False. If your protocol includes encryption out-of-the-box, it's an encrypted protocol.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    20. Re:Why not just do it? by X0563511 · · Score: 1

      It's still not legacy, as it's unencrypted HTTP as soon as the SSL/TLS layer is removed.

      It's not nit picking if you're correcting someone who's just plain wrong.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    21. Re:Why not just do it? by Anonymous Coward · · Score: 1

      You may as well consider that your "out-of-the-box encrypted protocol" is going to encrypt plain text at one end and give you back plain text at the other end. If you remove the encryption layer, it's just plain text.

      I understand that you meant that in this specific case HTTP is still "under-the-hood" of HTTPS and is going nowhere. But still, arguing between "HTTPS is a plain text protocol with an encryption layer on top of it" vs. "HTTPS is an encrypted protocol" is what I'd call being pedantic.

    22. Re:Why not just do it? by Anonymous Coward · · Score: 1

      HTTPS Everywhere or KB Enforcer for Chrome.

    23. Re:Why not just do it? by Anonymous Coward · · Score: 0

      It's expensive (hardware-wise) to provide encryption. Especially on the scale of Wikipedia with their practically nonexistent budget.

    24. Re:Why not just do it? by Valor958 · · Score: 2

      Some of this I 'should' know, but admittedly I use enhanced level defaults for my browsers of choice, Chrome. Slightly enhanced security, but no custom settings aside from my theme. I'm a smart browser and haven't had a virus in years, excluding the wife downloads.... I DO use Incognito Browsing for Chrome from time to time though, and may do some custom enhancements to Chrome for security if I get off my butt. Since it's apparently sub-topic now... anyone have suggestions on enhancements that don't sacrifice the speed of Chrome I've come to love?

    25. Re:Why not just do it? by Anonymous Coward · · Score: 0

      It is STILL nitpicking.

      Telnet is considered legacy in the face of SSH.

      Jeez get over it already, you be claiming that wind up cars ain't legacy next!

    26. Re:Why not just do it? by TheLink · · Score: 1

      Latency.

      --
    27. Re:Why not just do it? by cduffy · · Score: 1

      Google released a report a year or so back. I'm sure the figures they quoted showed 1-2% extra CPU usage.

      With a whole lot of tuning and optimization, that is -- certainly not free.

      I don't remember whether the 1%-2% was requiring client-side support as well.

    28. Re:Why not just do it? by Anonymous Coward · · Score: 0

      Direct-route load-balancing distributes the SSL work.

      http://www.linuxvirtualserver.org/VS-DRouting.html

    29. Re:Why not just do it? by X0563511 · · Score: 1

      SSH does not contain telnet. Doesn't apply.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    30. Re:Why not just do it? by anared · · Score: 1

      Latency will be indistinguishable from HTTP if you are a decent webmaster and know what you do.

    31. Re:Why not just do it? by TheLink · · Score: 1

      OK assuming 200ms round trip latency from Asia Pacific to USA (which is currently close to the actual figure under good conditions). So 100ms one way.

      TCP 3 way handshake= 300ms. HTTP =-300ms.
      TCP + SSL handshake = 300ms + 300ms. HTTPS = 600ms.

      If the RTT link latency goes up to 400ms (does happen), HTTP would be 600 and HTTPS would be 1200.

      Human average reflexes are about 200ms. So it will be distinguishable - a http website will feel "snappier", assuming "light" pages.

      Of course if by decent webmaster you mean someone who will load pages up with flash, ads from doubleclick etc, huge images, huge javascript, css hosted on overloaded servers then yeah it will be indistinguishable... It'll just be slow either way.

      --
    32. Re:Why not just do it? by Eil · · Score: 1

      HTTPS would represent a significant hit on the servers CPU load if they're not using cryptographically capable hardware

      I thought that myth has been pretty well debunked for quite some time now.

    33. Re:Why not just do it? by mug+funky · · Score: 1

      Wales is making a statement.

      Dr. Strangelove: Of course, the whole point of a Doomsday Machine is lost, if you keep it a secret! Why didn't you tell the world, EH?

    34. Re:Why not just do it? by tepples · · Score: 1

      Plain text HTTP is on its way to becoming a legacy protocol.

      "On its way to becoming": True. Any domain big enough to have its own IP, such as wikipedia.org, can switch to HTTPS.

      "Has already become": False. Only once Windows XP and Android 2.x usage shares will it become practical to use HTTPS for name-based shared hosting, and only this month has Windows 7 surpassed Windows XP in usage share.

    35. Re:Why not just do it? by Anonymous Coward · · Score: 0

      I don't have an active account so I'm posting anon. I'm the Operations Engineer who implemented HTTPS for Wikimedia Foundation.

      We use LVS-DR for load balancing, with an in-house-written load balance manager and health-checker called pybal. The load balancers themselves only direct traffic. We have an SSL termination cluster that manages HTTPS using nginx. The following blog post has links to the design documentation, and the actual implementation (nginx config, pybal config, puppet config, etc):

      https://blog.wikimedia.org/2011/10/03/native-https-support-enabled-for-all-wikimedia-foundation-wikis/

    36. Re:Why not just do it? by J'raxis · · Score: 1

      Actually, if you record them, you're likely to be charged with a felony in many places. Latest example.

  4. Why "threaten"? That's lame by fustakrakich · · Score: 1

    Just do it! What's stopping him?

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Why "threaten"? That's lame by Anonymous Coward · · Score: 2, Informative

      Cost. https is slightly more expensive because it can't be cached, and as such, every access will hit his servers rather than someone's cache servers.

    2. Re:Why "threaten"? That's lame by gman003 · · Score: 4, Insightful

      Because *threats* get more publicity than *action*. Especially when the action is this simple (force HTTPS), but the threat is phrased as something more complex (defeat the government's system).

    3. Re:Why "threaten"? That's lame by fustakrakich · · Score: 1

      There are other governments already doing what the Brits want to do. Why is he singling them out? I would doubt his sincerity if he's more worried about some cost/benefit ratio over protecting people's rights. I hope that's not the case. Self defense against government intrusion should be a priority.

        I don't like threats. I prefer action.

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:Why "threaten"? That's lame by fustakrakich · · Score: 1

      Well, he could act. And then make the press release. To me, that's the better course of action. It would prove he means business.

      --
      “He’s not deformed, he’s just drunk!”
    5. Re:Why "threaten"? That's lame by jythie · · Score: 1

      Not only that, but moving everything over to https can be time consuming as you track down all the places that assume http is available. Depending on what is lurking in those configuration files, simply cutting off port 80 might not be enough. I know when I tried to do it to some of our servers, some worked fine, others started having mysterious errors that took a while to run to ground. One I gave up because people needed the service immediately and the cause was not obvious.

    6. Re:Why "threaten"? That's lame by Dishevel · · Score: 1

      Maybe you run a web server from your house that gets 12 hits a day. Or. Maybe you run something for a company that just gives you all the cash you request.
      For everyone else forcing HTTPS is not "simple".

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    7. Re:Why "threaten"? That's lame by xaxa · · Score: 5, Informative

      He lives in Britain (in London), so perhaps he chooses to get more involved in politics here than anywhere else.

    8. Re:Why "threaten"? That's lame by DarwinSurvivor · · Score: 1

      You can still cache the content, you just have to re-encrypt the content. Many load balancing systems and site caches support SSL already.

    9. Re:Why "threaten"? That's lame by MightyMartian · · Score: 1

      Which is why you don't have your webservers do the encryption, you use some sort of https load balancer acting as an https proxy. Throw in some caching and there you go.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    10. Re:Why "threaten"? That's lame by Dr_Barnowl · · Score: 1

      Yes, but most large ISPs in the UK operate transparent web caches to reduce their interconnect fees, so instead of being served up from your ISP, your page will have to come from Wikipedia.

  5. Not a threat, just a statement by Anonymous Coward · · Score: 3, Interesting

    From what I read of TFA, it doesn't look like Jimbo is actually making a threat. He's just saying "Your idea sucks because I, and any competent server operator, could bypass it in 30 seconds."

  6. Threat? by betterunixthanunix · · Score: 4, Insightful

    It is interesting to refer to this as a "threat" -- what exactly is being threatened here? There is nothing illegal about using cryptography in the UK, and the UK has a key disclosure law. It is only logical for people to use cryptography when they have good reason to suspect that untrusted third parties might be reading their traffic, and frankly, we should have been encrypting our communications from the start.

    --
    Palm trees and 8
    1. Re:Threat? by Impy+the+Impiuos+Imp · · Score: 1

      History shows the far and away most dangerous, most untrustworthy 3rd party is government.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    2. Re:Threat? by marka63 · · Score: 1

      And the next most untrustworthy party is your ISP.

  7. Snooper's Charter? by Anonymous Coward · · Score: 4, Insightful

    How does a bill like this even get proposed in this day and age? What ever happened to privacy?

    I'd hate to make the ridiculous V for Vendetta reference.. but yikes. The UK really isn't supposed to be going that way.

    1. Re:Snooper's Charter? by Anonymous Coward · · Score: 0

      Air Strip One was ever thus. Thoughtcrime is death.

    2. Re:Snooper's Charter? by BMOC · · Score: 1

      UK Citizens unfortunately trust their government too much. I like UK citizens, and I think they're very very rational people, but they can't seem to grasp that no matter how reasonable and rational a politician might seem, they still want power over you, so they can't be trusted

      --
      I swear they give me mod points to shut me up.
    3. Re:Snooper's Charter? by betterunixthanunix · · Score: 2

      https://en.wikipedia.org/wiki/Gordon_Kaye_v._Andrew_Robertson_and_Sport_Newspapers_Ltd

      https://en.wikipedia.org/wiki/Wainwright_v_Home_Office

      The UK is not the USA; here in the US, we can point to our constitution and say, "We are supposed to have these rights, so what's up with this snooping by the government?!" In the UK, there is no such guarantee of a right to privacy.

      --
      Palm trees and 8
    4. Re:Snooper's Charter? by RabidReindeer · · Score: 1

      How does a bill like this even get proposed in this day and age? What ever happened to privacy?

      I'd hate to make the ridiculous V for Vendetta reference.. but yikes. The UK really isn't supposed to be going that way.

      Smile for the cameras, now!

      Smith! 6079 Smith W! Sit up straight!

    5. Re:Snooper's Charter? by cpghost · · Score: 1

      How does a bill like this even get proposed in this day and age? What ever happened to privacy?

      George Orwell of 1984 fame was British. It was not a coincidence, you know?

      --
      cpghost at Cordula's Web.
    6. Re:Snooper's Charter? by Anonymous Coward · · Score: 0

      Much like the US government, namely Bush, pointed to the constitution and laughed, decrying it as just a piece of paper.

      What good is a constitution if it cannot be enforced anymore. Exactly that, a piece of paper!

    7. Re:Snooper's Charter? by Anonymous Coward · · Score: 1

      I would have thought the security theatre around the Olympics and students being jailed for tweets would help turn the tide of public opinion...

    8. Re:Snooper's Charter? by Anonymous Coward · · Score: 0

      Meanwhile in the USA, don't say anything bad whilst on that phone, the NSA are eavesdropping and compiling complete dossiers on your life as part of their Perfect Citizen program.

    9. Re:Snooper's Charter? by Anonymous Coward · · Score: 0

      It's actually all in line with the national character. These people still bow to Her Majesty, remember.

    10. Re:Snooper's Charter? by steelfood · · Score: 1

      The UK really isn't supposed to be going that way.

      In the same way the book 1984 stopped the events of 1984 from happening?

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    11. Re:Snooper's Charter? by radio4fan · · Score: 1

      UK Citizens unfortunately trust their government too much.

      I don't know anyone in the UK who trusts the government.

      But what to do? Vote for a Labour government, who lied about WMD, tuition fees and lots more, and introduced police-state bollocks like the RIPA?

      Or opt for a Conservative-led government, who lied about the NHS, pension age, child benefit, reining in the banks, and lots more, then introduce police-state bollocks like the Draft Communications Bill?

      I like UK citizens, and I think they're very very rational people, but they can't seem to grasp that no matter how reasonable and rational a politician might seem, they still want power over you, so they can't be trusted.

      Oh, they grasp this very well.

      But the fact remains that the UK electorate has a choice between shit and shite, and the politicians know it.

      I despair of the UK political landscape. And the rest of Europe is going exactly the same way.

    12. Re:Snooper's Charter? by Intrinsic · · Score: 1

      But the fact remains that the UK electorate has a choice between shit and shite, and the politicians know it.

      That funny? That system reminds me of exactly what is happening here in the United Government to Enslave America.

    13. Re:Snooper's Charter? by Intrinsic · · Score: 1

      Or if you prefer: "United Bankers to Enslave America". That's a more appropriate term since the government is just a pawn for the ponzi scheme.

  8. Video... by trancemission · · Score: 5, Informative

    Video: http://www.parliamentlive.tv/Main/Player.aspx?meetingId=11355 [Windows silverlight warning!]

    To highlight what we are up against - the chairman wasn't aware that 'kids' these days are able to chat to each other in games using their Xbox - 'Good Lord' was his reaction.

    The committee really do not have a clue, and have no real chance of getting it if the government machine gets their way - the witnesses here showed this.

    The 25% argument is laughable [That being it is claimed that 25% of internet data is not available to collect through current legislation]

  9. Just do it anyway? by JustAnotherIdiot · · Score: 2

    Why "threaten" to do it?
    Like Nike says, Just Do It.

    --
    What do I know, I'm just an idiot, right?
    1. Re:Just do it anyway? by thegarbz · · Score: 1

      Great then we can look forward to another few months of begging for money after the Wikipedia servers turn into a puddle at the bottom of a 19" rack. SSL has some serious overhead issues, kind of a problem when you run a website which attracts 2500 pageviews each second.

    2. Re:Just do it anyway? by Anonymous Coward · · Score: 0

      Why "threaten" to do it?

      Like Nike says, Just Do It.

      A threat gets more publicity. Publicity about bad and stupid laws is the issue here.

    3. Re:Just do it anyway? by OdinOdin_ · · Score: 1

      Erm nope... a modern core can do over 500Mb/sec per core. A gigaBIT NIC only does ~125Mb/sec. So core speed per core speed wins here. Around me it is common for a server to have 8 cores and just 2 gigabit NICs. That kind of ratio or better is normal so NICs are your resource restriction.

      There is a bottleneck computing the key exchange but then both ends exchange an SSL session ID that can be reused for different connections (if both client and server cache and reuse). It can be reused days/weeks/months later.

      The client end has the highest cost CPU overhead of verifying the PKI certificate given out by the server with the local copy of the parent CA installed in the browser. Usually the CA signing key is the largest key in use and the more bits in the PKI key increases the computing power needed to verify it in a non-linear way.

      I am sure wikipedia have plenty of scalable HTTPS accelerator hardware endpoints at their disposal to offload all this to.

  10. Re:Shouldn't Jimmy Wales be more concerned by Anonymous Coward · · Score: 0

    He uses the donation to keep the site running; since this is what he claimed he'd use the donations for, it's not correct to say this is a scam.

  11. Yes, just simply do it. by Anonymous Coward · · Score: 0

    If you have the balls, just do it. Empty threats like this make you sound like a yapping chihuahua.

  12. That's fine and all by Quakeulf · · Score: 0

    Now how about cleaning up internally so that all these moderators on Wikipedia become productive, useful additions to its service?

  13. Re:Shouldn't Jimmy Wales be more concerned by dyingtolive · · Score: 2, Funny

    You must be popular with your government.

    --
    Support the EFF and Creative Commons. The war is coming, and they're supporting you...
  14. self signed by Anonymous Coward · · Score: 1

    I'd love to see him use a self signed cert instead of one of these central authority issued ones.

    1. Re:self signed by Anonymous Coward · · Score: 1

      That'd be interesting actually, opinions would be split into 2 different camps

      1. WHY IS HE SELF SIGNING ZOMG INSECURE!!!

      2. That is intelligent of him for sticking it to the signing authorities of which some have been proven to have back doors and / or sign willy nilly for government espionage.

      I am with 2.

    2. Re:self signed by lightBearer · · Score: 1

      Or Wikipedia could join CACert.org.

      --
      - No Bounce, No Play -
    3. Re:self signed by marka63 · · Score: 1

      And use DANE to publish the CERT in a cryptographically verifiable manner.

  15. Re:Shouldn't Jimmy Wales be more concerned by hypergreatthing · · Score: 1

    Why? are they going to deport him to Sweden?

  16. All these attacks to freedom will end by aglider · · Score: 1

    Once we'll all switch to peer-to-peer encrypted communication.
    Using HTTPS is not enough, though.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:All these attacks to freedom will end by fustakrakich · · Score: 1

      No, they won't end... Not until we can create an internet without a central service provider. They can just restrict encryption to 'authorized' (a government white list) connections. The attacks will never end. Self defense is the only way to render them useless.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:All these attacks to freedom will end by Anonymous Coward · · Score: 0

      Freedom has been under attack since the dawn of organized coercion. What makes you think a trend that has been intact for tens of thousands of years (i.e. consolidation and centralization of power) is finally ready to break down?

      As the famous saying goes, "freedom is the process of setting man free from men". Look around at the world today -- that process hasn't even begun.

      I'll humor the question and say that human beings will NOT be set free from other human beings, on a world-wide scale, for at least another 1000 years (assuming that war doesn't destroy the human race permanently).

    3. Re:All these attacks to freedom will end by aglider · · Score: 1

      Internet? Why Internet?
      Mesh wireless networks!

      --
      Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    4. Re:All these attacks to freedom will end by Anonymous Coward · · Score: 0

      OFCOM would treat those the same way as they do WiFi networks during the Olympic games.

      Guns V Nerds

      Guns always win, in the end.

    5. Re:All these attacks to freedom will end by Anonymous Coward · · Score: 0

      Mesh networks only work when everyone gets along. What happens if you are a black person in a white neighborhood and everyone within range is a racist who refuses to peer with you?

        When there is no law, there is no uniform behavior or rule of law.

    6. Re:All these attacks to freedom will end by Anonymous Coward · · Score: 0

      http://en.wikipedia.org/wiki/Straw#Uses

      Your strawman just used up all the straw. Bastard.

    7. Re:All these attacks to freedom will end by TheRealGrogan · · Score: 1

      That's "https://en.wikipedia.org/wiki/Straw#Uses" you clod. Oh wait... it's only a threat. :-)

  17. cryptoparties by SgtChaireBourne · · Score: 1

    Yes. We (and Wikipedia) should be encrypting our communications from the start. A lot has been written about why we should use encryption, some of it from around 20 years ago. It's an uphill fight still these days and many won't become interested until it is too late. If you haven't already, consider throwing your own cryptoparty.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  18. Re:Shouldn't Jimmy Wales be more concerned by Anonymous Coward · · Score: 5, Insightful

    Shouldn't Jimmy Wales be more concerned with how he's going to keep scamming users for more money with his stupid "pledge drives"? Seems like Wales is trying to be another boneheaded Assange-like figure and make up wild accusations just to try and get a media spotlight.

    You know most of the time I disagree with down-modding people. I prefer to call them out instead, tell them why they're wrong and why their reason is faulty. I think that's more useful for the rest of the readers even if the asshat in question is too stubborn to admit obvious fault. Obvious fault like "it's a voluntary donation, why shouldn't people be free to make a gift when they want to", etc.

    But you, sir, are making me reconsider that point of view. There's no reasoning with people like you. You don't like Wikipedia, its administration, or anything about it, that's fine, don't use it. No one is going to force you to access the site. But that's not good enough, no not for you. You can't stand that other people derive value from it and want to see it prosper, and some of those people are willing to back that up by putting their money where their mouth is. You call this a "scam".

    Naturally everyone who disagrees with you is "stupid". If I like a beer you don't like then clearly I have substandard taste. If I like a song you don't like then obviously I know nothing about music. If I use an OS you don't use then of course I am a brainwashed fanboy. Yeah, I know how you think. There's lots of people like you. I wish there were other habitable planets our technology could reach, so then the rest of us can leave all of you to your own devices instead of having to partake of the taint you promote on this planet.

  19. Euphemism by Anonymous Coward · · Score: 0

    "Jimmies" is a euphemism for balls, so it shouldn't be a surprise.

    1. Re:Euphemism by NonUniqueNickname · · Score: 5, Funny

      Also, his last name is Wales, so it's not surprising he enjoys sticking it to the English.

  20. I'm doing my part. by L4t3r4lu5 · · Score: 1

    I run a Tor relay and an I2P node 24/7. Both can be configured to only use a certain amount of bandwidth over a certain amount of time, for those on metered connections.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
    1. Re:I'm doing my part. by Anonymous Coward · · Score: 0

      You are an example of a good Netcitizen...if only there were more of you.

  21. A personal appeal by ultrasawblade · · Score: 5, Funny

    A personal appeal by Wikipedia founder, Jimmy Wales

      mQGiBEe68W8RBACVuFuv4d+roDSCdRO1SuO8dQwds4VTjVOqgVKQtq6+8Fe95RY8
      BAf1IyLj4bxvWPhr0wZdVwTosD/sFoPtdCyhVcF932nP0GLHsTEeVwSz9mid22HI
      O4Kmwj2kE+I+C9QdzAg0zaWQnVaF9UC7pIdMR6tEnADI8nkVDdZ+zb2ziwCg6Yqu
      tk3KAzKRT1SNUzTE/n9y2PED/1tIWiXfGBGzseX0W/e1G+MjuolWOXv4BXeiFGmn
      8wnHsQ4Z4Tzk+ag0k+6pZZXjcL6Le486wpZ9MAe6LM31XDpQDVtyCL8t63nvQpB8
      TUimbseBZMb3TytCubNLGFe5FnNLGDciElcD09d2xC6Xv6zE2jj4GtBW1bXqYWtl
      jm0PA/4u6av6o6pIgLRfAawspr8kaeZ8+FU4NbIiS6xZmBUEQ/o7q95VKGgFVKBi
      ugDOlnbgSzBIwSlsRVT2ivu/XVWnhQaRCotSm3AzOc2XecqrJ6F1gqk0n+yP/1h1
      yeTvvfS5zgqNTG2UmovjVsKFzaDqmsYZ+sYfwc209z9PY+6FuLQnQXBhY2hlVGVz
      dCAoVGVzdGluZykgPGFwYWNoZUBsb2NhbGhvc3Q+iF4EExECAB4FAke68W8CGwMG
      CwkIBwMCAxUCAwMWAgECHgECF4AACgkQJE9COu2PFIEGDwCglArzAza13xjbdR04
      DQ1U9FWQhMYAnRrWQeGTRm+BYm6SghNpDOKcmMqruQENBEe68XAQBADPIO+JFe5t
      BQmI4l60bNMNSUqsL0TtIP8G6Bpd8q2xBOemHCLfGT9Y5DN6k0nneBQxajSfWBQ5
      ZdKFwV5ezICz9fnGisEf9LPSwctfUIcvumbcPPsrUOUZX7BuCHrcfy1nebS3myO/
      ScTKpW8Wz8AjpKTBG55DMkXSvnx+hS+PEwADBQP/dNnVlKYdNKA70B4QTEzfvF+E
      5lyiauyT41SQoheTMhrs/3RIqUy7WWn3B20aTutHWWYXdYV+E85/CarhUmLNZGA2
      tml1Mgl6F2myQ/+MiKi/aj9NVhcuz38OK/IAze7kNJJqK+UEWblB2Wfa31/9nNzv
      ewVHa1xHtUyVDaewAACISQQYEQIACQUCR7rxcAIbDAAKCRAkT0I67Y8UgRwEAKDT
      L6DwyEZGLTpAqy2OLUH7SFKm2ACgr3tnPuPFlBtHx0OqY4gGiNMJHXE=

    1. Re:A personal appeal by Anonymous Coward · · Score: 0

      ApacheTest (Testing) apache@localhost

    2. Re:A personal appeal by Anonymous Coward · · Score: 0

      What is this??
      Running it through `base64 -i -d` results in a lot of (non-printable) garbage around "ApacheTest (Testing) ".
      What is the rest supposed to mean?

    3. Re:A personal appeal by Jouster · · Score: 1

      What is this??
      Running it through `base64 -i -d` results in a lot of (non-printable) garbage around "ApacheTest (Testing) ".
      What is the rest supposed to mean?


      $ base64 -id sd.txt | file -
      /dev/stdin: GPG key public ring
      $ base64 -id sd.txt | gpg -
      pub 1024D/ED8F1481 2008-02-19 ApacheTest (Testing)
      sub 1024g/BD0FBA96 2008-02-19

  22. He should by andrew2325 · · Score: 0

    There are a good number of Christians and other peaceful groups in the UK that are discriminated against for various reasons. I think he should. More power to Mr. Wales.

  23. I have a dream by CuteSteveJobs · · Score: 1
    1. Re:I have a dream by Anonymous Coward · · Score: 0

      Cost. Money rules the internet now that short sighted corporations make up the majority of providers. They don't realize that restricting the internet, fracturing it and refusing to give anything back to the once open creation will make it wither and die in its intended form. Think of it like a bad relationship where one person does nothing but take and take.

    2. Re:I have a dream by cpghost · · Score: 1

      To use HTTPS, you need a certificate from a CA. What kind of CA that is recognized by the browser vendors do you suggest for small website owners, whose certificates don't cost an arm and a leg, year after year after year?

      --
      cpghost at Cordula's Web.
    3. Re:I have a dream by Dwedit · · Score: 1

      I use HTTPS everywhere.
      Sometimes I have to remove a site from the list because the https:// version does not load at all, but the http:// version loads fine. So that's the only problem with that extension: often the https:// versions of a site simply don't work at all.

    4. Re:I have a dream by Fuzion · · Score: 2

      StartSSL provides free SSL certificates.

      --
      "Knowledge makes us accountable." - Che Guevara
  24. SSL Certificate by Anonymous Coward · · Score: 0

    Wait... hold the press.. Wikipedia is now almost 13 years old, and Jimmy's considering pulling out his credit card to purchase an SSL Certificate!

    Wow, this should be on the front page of CNN and all major newspapers!

    1. Re:SSL Certificate by marka63 · · Score: 1

      No, he is thinking about adding a redirect to the *existing* HTTPS instances for everyone he can identify as coming from the UK.

  25. Decentralized Internet created ... decades ago by davidwr · · Score: 1

    In principle - and in practice prior to commercialization - the Internet worked fine without a "central service provider."

    Central service providers DO provide several key services, but these can be done without a central authority. These include:

    * blessing protocols as "standards," especially routing protocols between "autonomous" addressing zones.
    * preventing or at least defining the behavior of namespace collisions, especially addressing-namespaces.

    In theory, instead of a central authority, you can have a "first to reserve the name gets it, anyone who wants to fight over it can use outside channels like lawsuits, payoffs, assassination, war, etc. to get what they want, anyone who makes mischief by stomping on a reserved name or implementing protocols that disrupt others' ability to communicate between each other risks lawsuits, disconnection, shunning, assassination, war, etc." system. When scaled up to "world" scales, such a system is usually called "a gentleman's agreement," "might makes right," or "anarchy," depending on whether people are behaving like gentlemen and if not, whether a "strongman" emerges.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Decentralized Internet created ... decades ago by dwye · · Score: 1

      In principle - and in practice prior to commercialization - the Internet worked fine without a "central service provider."

      What? When was this? Before Jon Postel started doing this on a volunteer basis, or before sri.nic? The only time that I can think of is during those days of yore when the DARPANet was limited to less than 255 hosts by its design, and IP, UDP, and TCP were bare glints in people's eyes. And only in the earliest part of those days (probably the first couple months, at most).

      Sorry, this is the reason that the polis became obsolete, that voting is no longer by clashing swords on shields, and laws are written down rather than remembered by the Elders. Gentlemen's Agreements always break down when the number of "gentlemen" exceeds a very small number.

  26. Thank Goodness by sfhock · · Score: 2

    that snooping stuff could NEVER happen here in the U.S.! Whew!

    --
    "Let's go find some Turian and beat the shit out of him ... That always cheers you up!!"
    1. Re:Thank Goodness by Anonymous Coward · · Score: 0

      Say hi to the AT&T backroom 641A

    2. Re:Thank Goodness by Anonymous Coward · · Score: 0

      Say hi to the AT&T backroom 641A

      Oddly enough, there is a Wikipedia page that can help you.

  27. Self-signed, published in British papers by davidwr · · Score: 2

    Bonus points if the Foundation publishes a picture of WikiMedia Foundation officers holding up a clearly-legible copy of the certificate along with yesterday's copy of The Times in every major British newspaper.

    That way people can verify for themselves that the self-signed certificate is legit.

    Well, they can if they have faith that Photoshop, er, I mean an open-source photo-manipulation program wasn't involved.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  28. Re:Shouldn't Jimmy Wales be more concerned by dyingtolive · · Score: 1

    Nah, because he's relying on ad homarus attacks.

    (...cause like, he seems a little crabby.)

    --
    Support the EFF and Creative Commons. The war is coming, and they're supporting you...
  29. Not really by oGMo · · Score: 4, Insightful

    Well, he could act. And then make the press release. To me, that's the better course of action. It would prove he means business.

    You're missing the point. Action is undesirable. Threat of action means that people scratch their heads and wonder what it means, what the fallout could be, if their political careers might be impacted. Possibly unrealistic worst cases are made. If not, an ultimatum ("next friday") is delivered. Stirs things up, gets people wondering and talking (like this!).

    Action, on the other hand, leads only to the question "is there a major outcry, and how long will it last?" Most people don't notice unless they can't access the site. Doesn't actually accomplish much, unless outcry can be sustained for a considerable period of time, which would require a lot more than "we're going SSL-only" ... like UK-wide wikipedia blackout. And that hurts more than it helps.

    --

    Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

    1. Re:Not really by Nkwe · · Score: 4, Insightful

      Well, he could act. And then make the press release. To me, that's the better course of action. It would prove he means business.

      You're missing the point. Action is undesirable. Threat of action means that people scratch their heads and wonder what it means, what the fallout could be, if their political careers might be impacted.

      Also you can only take a given action once. Once you have forced SSL, you don't get to force SSL again. If on the other hand you threaten action and you get what you want, you can threaten action again in the future. Sure it is possible that someone may call your bluff and if you threaten action too many times without following through you will be dismissed as "crying wolf", but you at least get a couple of chances.

  30. Explain me? SSL is not sufficient? by JcMorin · · Score: 1

    Yes, a good gesture indeed. However, encrypting the packets will not prevent traffic analysis by the UK government. To avoid that, individual users will have to take their own security measures (such as using Tor).

    I'm not sure I understand. If I'm using SSL, my ISP or any computer between me and the web site doesn't know the URL I requested; it only knows the IP address and the size of the file. Tor is a good way of surfing non-SSL web sites, but I think if every web site were encrypted the web would be safe from snooping.

    1. Re:Explain me? SSL is not sufficient? by bWareiWare.co.uk · · Score: 1

      Even the IP and size of the file may be enough to prosecute some things (say a given image was deemed illegal, but happens to be the only image roughly* a given size on Wikipedia at the time you accessed it). A much bigger problem is that if the page (or worse search results) that linked to the forbidden page are not using SSL, the fact that your next hop is to the SSL server is itself fairly incriminating. (A lot of the UK's thought crime stuff is about 'anti-terrorism' stuff where they don't need to prove anything).
      If every site as you suggest was using SSL this would prevent the second case, but with sites smaller than Wikipedia the first point gets dramatically worse.

      Frankly I SERIOUSLY doubt the UK are the first with this sort of tracking (just the first dumb enough to tell everyone). Anyone not already using at least SSL obviously doesn't really care.

      *Actually the size of the file is really hard on SSL with pipelining etc.

    2. Re:Explain me? SSL is not sufficient? by VTI9600 · · Score: 1

      Traffic analysis does not require decryption. Someone watching the traffic can still see that you are on Wikipedia, what time you were on the site, how long, and the approximate size of the content you downloaded...or uploaded for that matter.

      Say you submitted a post; even encrypted it's still possible to see that more bytes were sent than in a normal GET request. Even if your IP is hidden behind your WP login, it is feasibly possible that the timestamp combined with the approximate byte count could be used to identify you. Of course, HTTP keepalives would make this more difficult, but other tricks like checking the referrer header when clicking off to another site could betray you. Even if you are just clicking around, it could be possible to establish a fingerprint of your traffic pattern, using things like byte counts, number of concurrent connections (to identify the number of images on the page perhaps?), etc. that could be used to identify the pages you visited.

    3. Re:Explain me? SSL is not sufficient? by zlives · · Score: 3, Interesting

      people with more knowledge please correct me...

      From my understanding your ISP can use a transparent proxy (so without your knowledge, or actually make you use a web proxy) and be able to see your data even in SSL. This is how the Websense gateway product works. They actually use it as a selling point to be able to scan SSL-based web email that may include confidential documents as attachments.

    4. Re:Explain me? SSL is not sufficient? by Anonymous Coward · · Score: 5, Informative

      An SSL/HTTPS (transparent) proxy can only do a man-in-the-middle attack if you install the proxy-server's private CA (certificate authority) certificate in your browser. At your work place, IT may have installed one of those CA certificates for their own proxy in the browser on every computer they manage.

      Basically for every website you try to access, the proxy becomes the end-point for the website, and then the proxy makes its own fake-certificate for the website signed with its CA certificate. The browser checks the fake-certificate with the fake-CA-certificate and thinks everything is fine.

      Governments can also transparent proxy specific websites which they have a fake-certificate for which was signed by a hacked real CA. Like what happened with a Dutch CA, diginotar.nl, which was used to create certificates for google.com and Facebook.com by hackers from Iran, if I remember correctly.

    5. Re:Explain me? SSL is not sufficient? by icebike · · Score: 2

      Wait, the size of a given file can not reliably be determined by the packet stream when the stream is encrypted. All sorts of "white space" can be added to files on the fly.

      Further, there is not that much on Wiki that would trigger an arrest anyway.

      --
      Sig Battery depleted. Reverting to safe mode.
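
Added example (not part of the thread or any poster's code): the size argument made in the comments above, worked through on a constructed catalogue. It shows how many pages share each on-the-wire size with and without the padding icebike mentions, and what that padding costs; the paths, sizes and function names are all assumptions.

```python
# Constructed catalogue: page path -> response size in bytes (not real Wikipedia data).
CATALOGUE = {
    "/wiki/Alpha": 18_432,
    "/wiki/Bravo": 18_950,
    "/wiki/Charlie": 41_207,
    "/wiki/Delta": 42_990,
    "/wiki/Echo": 44_015,
    "/wiki/Foxtrot": 97_304,
}


def padded(size, bucket):
    """Bytes on the wire when every response is padded up to a multiple of bucket."""
    if bucket <= 1:
        return size  # padding disabled
    return -(-size // bucket) * bucket  # ceiling division


def candidates(observed, bucket=0, tolerance=256):
    """Pages whose (padded) size lies within tolerance of an observed transfer size.

    The tolerance models the observer's uncertainty (TLS framing, headers).
    """
    return sorted(
        path for path, size in CATALOGUE.items()
        if abs(padded(size, bucket) - observed) <= tolerance
    )


def anonymity_sets(bucket):
    """For each page, the number of pages it is indistinguishable from by size."""
    return {
        path: len(candidates(padded(size, bucket), bucket))
        for path, size in CATALOGUE.items()
    }


def overhead(bucket):
    """Total padded bytes divided by total unpadded bytes for one fetch of each page."""
    raw = sum(CATALOGUE.values())
    return sum(padded(size, bucket) for size in CATALOGUE.values()) / raw


def smallest_bucket_for(k, choices):
    """Smallest bucket in choices that hides every page among at least k pages."""
    for bucket in sorted(choices):
        if min(anonymity_sets(bucket).values()) >= k:
            return bucket
    return None


if __name__ == "__main__":
    for bucket in (0, 4096, 32768, 131072):
        sets = anonymity_sets(bucket)
        print(f"bucket={bucket:>6}  smallest set={min(sets.values())}  "
              f"overhead={overhead(bucket):.2f}x")
    print("bucket needed for k=2:", smallest_bucket_for(2, [4096, 32768, 65536, 131072]))
```

In this constructed data the one unusually large page stays unique until the bucket is coarse enough to roughly triple the bytes sent, which is the cost side of the padding defence.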
    6. Re:Explain me? SSL is not sufficient? by Jawnn · · Score: 3, Insightful

      I think we're missing the point here. Wales is threatening to make a statement, one that will demonstrate the stupidity of the bill. The simple measure he proposes will immediately mask the content of all traffic between wikipedia servers and their users. Yes, there's still a record that a user visited this or that IP address, but the point being made is that technology should, can, and will easily bypass ill-conceived government moves like this.

    7. Re:Explain me? SSL is not sufficient? by Anonymous Coward · · Score: 0

      Surfing TOR without SSL is a very bad idea. Being a TOR exit node puts "me" in a place of power, and if you don't browse with SSL, I can change anything I want.

    8. Re:Explain me? SSL is not sufficient? by Anonymous Coward · · Score: 0

      Further, there is not that much on Wiki that would trigger an arrest anyway.

      Is there actually something on Wikipedia that would trigger an arrest? That sounds absurd, so it just might be true.

    9. Re:Explain me? SSL is not sufficient? by Anonymous Coward · · Score: 0

      The proxies at work attempt that. However, they neglected to install their own CA certs, so it leads to a big certificate warning whenever they try.

      Unless ISPs can get their customers to install their CA certs (or the UK somehow forces browsers to include one mandated by law), consumers will get nothing but an error when MITM is attempted against SSL.

    10. Re:Explain me? SSL is not sufficient? by reub2000 · · Score: 1

      Well there is the image on the Virgin Killer article.

    11. Re:Explain me? SSL is not sufficient? by EETech1 · · Score: 1

      One of my past employers had internet explorer configured that way. When traveling you had to VPN in to use their proxy server to get to the Internet (:via the Internet:) DNS, everything came through their proxy servers all the time so it was just like back at the office, but
      Slowwwww...

      The guy that did the desktop IT support was a good friend of mine, and I asked him why they did that, and after that he used to poke fun at me that they could read my encrypted web mail and web browsing (unless I encrypted it elsewhere and just sent cyphertext!) It's not just to protect me from malware!

      They did that to everyone, to 'verify' ALL the traffic from every single one of their laptops.

      Cheers

    12. Re:Explain me? SSL is not sufficient? by xelah · · Score: 1

      Maybe it's hard to imagine something that leads to an arrest in itself....but consider articles on explosives, drugs or poisons that might be either additional evidence or trigger monitoring of an individual. I'd be more worried about the latter (because of the lack of some other evidence).....the UK police have not been above, for example, putting car number plates on a 'stop this whenever you see it' list because they've been seen at demonstrations.

    13. Re:Explain me? SSL is not sufficient? by Anonymous Coward · · Score: 0

      I had an interview at BlueCoat something like 5-8 years ago. I was applying for management (tech) on their firewall/router hardware boxes. The manager at the time was proud to show me how they could fake ssl by being MITM. He was proud of that. I was sickened. I did not take the job and did not want any part of that fucked up company!

      I told people about the MITM and they all laughed and said it would either be impossible OR they'd have to preinstall certs on all your computers.

      Well, if you are using a company provided system, you have to assume you are being tracked and spied on.

      After that, I never again trusted corporate LANs.

      You may really want to re-think using company networks for even reading your 'ssl gmail'. Unless you have built and installed all the software on your pc yourself.

  31. Communications white paper 2000 by Martin S. · · Score: 1

    In 2000 the previous government tried something similar with the Communications white paper that would require every ISP and data carrier to keep every byte of data carried for eight years.

    At the time I worked for a small subsidiary of a local telco; the Chairman of our Board was a well-connected member of the House of Lords. I prepared a position paper for him pointing out that our division alone would need as much storage as was sold annually in the UK to fulfil our obligation.

    IT professionals the country over lobbied against RIPA like this behind the scenes and the worst was quietly dropped.

    Time to do the same again. Check out your companies' boards and non-execs for Lords and members of the establishment and point out the stupidity of the current proposals and how competitively crippling they are to UK business.

    1. Re:Communications white paper 2000 by mrbester · · Score: 1

      That's the thing though. On one hand you have the Govt. passing a law that means you have to declare what tracking you do via cookies (and Silktide have just said "go ahead and sue us for not doing so") while they are proposing to pass a law that requires ISPs to route via a black box that performs MITM SSL interception to track ALL visits to ANY site, regardless of security *and not tell anyone*

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    2. Re:Communications white paper 2000 by Anonymous Coward · · Score: 0

      That would fall foul of their commitments about monitoring only the communications data not actual content, which doing SSL MITM allows. Not only that but it would most likely lead to the EU breathing down their necks forcing them to back off.

    3. Re:Communications white paper 2000 by marka63 · · Score: 1

      There are options that allow you to detect MiTM SSL interception attacks by allowing you to verify the CERT being returned by a path that is not vulnerable. See: DANE.

  32. Charge for governmental use by Peter+(Professor)+Fo · · Score: 1

    The national, local and various agencies of the UK government could be charged say 1p (or 5p etc) per view. That would bring in many £000. It should be easy to see the domain of ...gov.uk in the logs and send a bill each week. (Obviously it doesn't address the original issue but it does send a message that wealthy organisations should support a socially useful resource instead of just leeching.)

  33. Each Of US by Anonymous Coward · · Score: 0

    I think if we all send a bit of heavily encrypted messages back and forth to friends that the expense of decoding traffic would become so great that governments would shy away from the notion of that kind of spying.

    But really, there is the very real question as to whether we are better off with communications being studied. That is not a simple issue at all. If it could save us from a major terrorist strike or breaks up a lot of criminal activity we could learn to love governmental snooping. I wonder how many groups or gifted hackers have in mind some computer stunt designed to bring chaos and ruin to the US.

  34. Encrypt anyway by Anonymous Coward · · Score: 0

    Not sure why Wikipedia doesn't encrypt all connections anyway.

  35. I see an issue: by SuricouRaven · · Score: 1

    A lot of censorware setups block all HTTPS traffic by default, as the censor-proxy can't see what is being sent without relying on a fiddly-and-expensive MITM attack. If Wikipedia moves to HTTPS by default, it'll suddenly become impossible to access from within many schools.

    1. Re:I see an issue: by 6031769 · · Score: 1

      So it will become evident to everyone that the censorware serves no useful purpose and will be binned. Double bonus.

      --
      Burns: We're building a casino!
      McAllister: Arrr. Give me 5 minutes.
    2. Re:I see an issue: by Arker · · Score: 1

      Sounds more like an incentive to fix an issue to me.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
  36. Where will Wikipedia buy their SSL certificates... by gshegosh · · Score: 1

    ...I wonder. So there's no risk that private cert leaks out and government can do a man-in-the-middle attack easily.

  37. Re:Shouldn't Jimmy Wales be more concerned by lightBearer · · Score: 1

    AC, I wish I knew who you were so I could praise you properly. Instead, I can just say, "Fuck Yes."

    --
    - No Bounce, No Play -
  38. Corporations abusing their power! by khallow · · Score: 1

    Here, we have a prime example of a multinational corporation using its immense power to control a large national government. Let's cut them off at the knees before they enslave us all!

  39. So.. by crossmr · · Score: 1

    When is the US going to invade England and restore freedom?

    1. Re:So.. by Anonymous Coward · · Score: 0

      Not a chance - all the Oil is in Scottish Waters.

    2. Re:So.. by TheGratefulNet · · Score: 1

      heard from a horseman, riding thru town:

      "the blue-packets are coming! the blue packets are coming!!"

      history repeats itself, with some minor variations ;)

      --
      "It is now safe to switch off your computer."
  40. Re:Shouldn't Jimmy Wales be more concerned by causality · · Score: 2

    AC, I wish I knew who you were so I could praise you properly. Instead, I can just say, "Fuck Yes."

    I ended up using my mod points elsewhere, so I'm willing to identify myself.

    That was me. I was actually wondering if the writing style was going to be a give-away, or perhaps the fact that the mentality he showed is the kind of thing I often speak against.

    The unfortunate fact is that it's very important to many people to have some reason to look down their nose at another person and judge them as inferior in some way. This particularly happens to people who are noble and display virtue, or to people who accomplish things (like J. Wales), or who display advanced intellect and reasoning skills. Their unusual qualities make them stand out as targets for this kind of treatment. It makes them a special prize.

    You can see easily how absurd this one was. If the guy seriously believes that Wales is running a scam, why hasn't he approached his local police department and demanded an investigation? Oh yeah, because the police want evidence, that's why. Since Wikipedia is not a scam, there is of course no evidence.

    The world is full of immature, insecure little busybodies who remain that way because all of their energies are poured into various attempts to control others or to take them down a peg or two, even if only in their own small minds. When they start to occupy multiple key positions of power and people tolerate this (usually by making an excuse to cover it), your nation's viability is questionable to put it mildly. Fascists and Communists everywhere have always exploited this tendency of the small-minded, typically by providing a scapegoat or other form of national enemy to consolidate their power. That's the large-scale, fully developed form.

    The small-scale personal form is someone with nothing to contribute so they try to tear down. They don't plan this deliberately and intentionally. Very little of what they do is deliberate and driven by reason or design. It's impulsive and driven by emotion; nonetheless there is a distinct pattern to it. I consider it a benchmark of our decadence that most people have become this way. It's the result of viewing virtue as an inconvenient list of rules and not as self-evident truth that is a joy to observe.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  41. Why smaller sites might not use HTTPS at all by tepples · · Score: 1

    It's also worth pointing out HTTPS Finder which will work for the random sites you visit that aren't in HTTPS Everywhere's default list.

    So what do you recommend for smaller sites that don't use HTTPS because they don't have their own IPv4 address? HTTPS needs a dedicated IP address per domain if the site has any visitors using IE on Windows XP or Android Browser on Android 2.x because these browsers lack support for SNI, the TLS extension that makes name-based virtual hosting possible over SSL. These browsers will throw a certificate domain mismatch error for any site on an IP address other than the first site. A lot of hobbyists running these sites aren't necessarily willing to pay twice what they currently pay per month to upgrade to a hosting plan with its own IPv4 address.

  42. HTTP keep-alive by tepples · · Score: 1

    I'll grant that the first request is likely to be slower for HTTPS. But after that, how many TCP + SSL handshakes does a browser have to make for subsequent requests using HTTP keep-alive?

    1. Re:HTTP keep-alive by TheLink · · Score: 1

      I'm willing to wait for https, but it's still noticeably slower. You can try it yourself. Find high(er) latency sites (different country/continent) that support both http and https and serve up the same content.

      Then use Google Chrome. Type ctrl-shift-I. Click on "Network". Load the http page. Repeat the same thing for https. Repeat a few times. Ensure that about the same content is being loaded. Compare the load times and latency of the various items.

      Nowadays many sites will also put stuff in different domains for various reasons. For each of these the browser will have to make a separate TCP and TLS connection. And this typically can only happen AFTER the main page has loaded partially (browser won't know the URL till then).

  43. Default browsers of XP and Android 2 lack SNI by tepples · · Score: 1

    Give me a SINGLE valid reason for preferring http over https (from a normal user's perspective).

    The following doesn't apply to a site as big as Wikipedia, but it applies to a lot of sites operated by hobbyists. HTTP allows more than one web site to share the same IP address. HTTPS does not unless the browser supports the SNI extension, and IE on Windows XP and Android Browser do not. So the valid reason to use HTTP from the viewer's perspective is that it allows the viewer to see web sites operated by hobbyists that don't have a dedicated IPv4 address without a certificate domain mismatch error.

    1. Re:Default browsers of XP and Android 2 lack SNI by DarwinSurvivor · · Score: 1

      That's from the server's perspective, not the user's perspective. I was specifically calling GP on making it opt-in for the USERS.

  44. The only time the TLS is removed by tepples · · Score: 1

    It's still not legacy, as it's unencrypted HTTP as soon as the SSL/TLS layer is removed.

    Try this: "Unencrypted HTTP over a public network is on its way to becoming a legacy protocol." The only time the TLS is removed is behind the front-end proxies.

    1. Re:The only time the TLS is removed by X0563511 · · Score: 1

      No.

      But what you are describing is becoming a legacy practice.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  45. Customers are untrustworthy by tepples · · Score: 1

    And if the mainstream (that is, non-free) entertainment industry is to be believed, the third most untrustworthy party is the customers themselves.

  46. No SNI in IE on XP by tepples · · Score: 1

    Why do so many web sites still not use https?

    Cost.

    If multiple HTTPS sites share one IP address, Microsoft Internet Explorer on Windows XP and Android Browser on Android 2.x can't see any certificate other than that of the first site. Some shared hosting providers are known to routinely put upwards of a thousand different domains of shared hosting customers on one IPv4 address. Hosting with a dedicated IPv4 address costs substantially more for a relatively small web site run by a hobbyist.

  47. The user has a larger selection of sites to view by tepples · · Score: 1

    From the user's perspective, the lack of a requirement of HTTPS means that the user has a larger selection of sites to view.

  48. Re:The user has a larger selection of sites to vie by DarwinSurvivor · · Score: 1

    Sites that can't afford SSL simply won't use it. You still have not shown 1 single reason why a person would not want to use HTTPS on a site that offers it (thus the opt-in argument).