Wikipedia's Switch To HTTPS Has Successfully Fought Government Censorship

Determining how to prevent acts of censorship has long been a priority for the non-profit Wikimedia Foundation, and thanks to new research from the Harvard Center for Internet and Society, the foundation seems to have found a solution: encryption. From a report: HTTPS prevents governments and others from seeing the specific page users are visiting. For example, a government could tell that a user is browsing Wikipedia, but couldn't tell that the user is specifically reading the page about Tiananmen Square. Up until 2015, Wikipedia offered its service using both HTTP and HTTPS, which meant that when countries like Pakistan or Iran blocked the certain articles on the HTTP version of Wikipedia, the full version would still be available using HTTPS. But in June 2015, Wikipedia decided to axe HTTP access and only offer access to its site with HTTPS. [...] The Harvard researchers began by deploying an algorithm which detected unusual changes in Wikipedia's global server traffic for a year beginning in May 2015. This data was then combined with a historical analysis of the daily request histories for some 1.7 million articles in 286 different languages from 2011 to 2016 in order to determine possible censorship events. [...] After a painstakingly long process of manual analysis of potential censorship events, the researchers found that, globally, Wikipedia's switch to HTTPS had a positive effect on the number censorship events by comparing server traffic from before and after the switch in June of 2015.

Delusional

[gravewax]

It is completely delusional to think this effectively prevents government censorship as if they can't selectively block content they simply take the sledgehammer approach and ban the site altogether.

Re: Delusional

It's a little worse than that. Because the url's are different, the Chinese government has blocked the zh.wikipedia.org but not the en.wikipedia.org, presumably because most Chinese people can not read English too a high enough level. They should move the language into the end part of the URL i.e. wikipedia.org/en/some-article

Re:Delusional

any decent overlord is using SSL inspection (seemlessly via compromised root certs), so this is a non-issue

Re:Delusional

[aaarrrgggh]

Pretty much. It makes https trivially easy to attack.

Re:Delusional

[swillden]

any decent overlord is using SSL inspection (seemlessly via compromised root certs)

Cite?

There have been occasional instances of compromised root certs, which have fairly quickly been removed from default trust stores, but I see no evidence of ongoing vulnerability -- excepting when the overlord controls the trust store. That is common in corporate scenarios but not really possible without removing admin rights from users' computers, which is hard for any nation other than North Korea to do.

Re:Delusional

[swillden]

Also except for the fact that ISP can see your destination AND the url request... Yep they can not see it at all.

No. The ISP, etc., can see the hostname in the DNS request and they can see the IP address of the server you connect to, but that's all. The first messages exchanged with the server establish the encrypted channel and then the GET (or similar) request that specifies everything after the hostname in the URL is inside the secure channel. They cannot see the URL.

Governments that wish to censor HTTPS sites with proper TLS configurations and decent CAs really have only one option: to block the sites entirely. The only thin exception to this is if they can inject their own CA certificates in the TLS trust stores. That enables a man in the middle attack. Doing that is easy for corporations on corporate-owned and controlled machines, but harder for governments to do at scale, since it essentially requires taking away the ability to install arbitrary software on the end-user machine.

Re: Delusional

It's a lot worse than that. Governments as powerful as the U.S. and China have a dozen different ways to snoop on what citizens are ingesting. Remember that snowden slide about "we unencrypt and reencrypt ssl here" bit? Now yes, ssl is like, the first obvious step towards doing things the right way. But Snowden revealed to us that several not so completely trustworthy governments are a dozen steps ahead of that and have been for many years. Time has since revealed that the situation isn't getting better. Now if in 2014 Amazon had gone https only, I might have the faintest hope that we have a realistic chance of seeing a decent path in our lifetimes. But here it is in 2017, and the Amazon quasi-monopoly (AWS holy shit) is cementing the expectation of lack of privacy of much of our purchasing logs. Remember that biblical bit about the number of the beast, it had more than a passing reference to commerce tracking the likes of which we've been living with for many years now.

For a few moments we had hope that someone like Snowden could legitimately turn things around. Now I'm quite convinced it's going to take another Holocaust. No joke. And even then it's not going to get better, it will just regress to something much different with new possible directions for the long term, and perhaps hope that people then will have better learned the lessons of history.

Wikipedia is definitely part of the problem as well as Amazon. There is no good reason why they need to have a centralized infrastructure that NO DOUBT is being tracked WHOLESALE by at least the U.S., Russia, and China. Censorship of the sort this summary talks about is a red herring. China after getting the U.S. to help whitewash the Tiananmen Square Massacre in '89 has so much power over their citizens that they can go ahead and let people have unfettered access to information. People learn that it's smarter not to go choosing to ingest the 'wrong' type of information. The government is quite effective at educating the people over their lifetimes as to what the 'wrong' types of information are.

It's so much worse than you think.

Re:Delusional

[AHuxley]

Re Cite
Project Bullrun, Cheesy Name, Edgehill
"Revealed: how US and UK spy agencies defeat internet privacy and security" (6 September 2013)
https://www.theguardian.com/wo...
".. agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking."

Re:Delusional

How would you ever know if the US government went to Verisign and ordered them to create a valid cert for any domain? If you didn't have some form of client cert pinning you would never know.

Even if they could have a duplicate created and signed by Verisign, the public and private key pair would necessarily be different because these are generated at the time of certificate creation using a cryptographically strong random prime number pair generator. Thus, the signature on the certificate would be different than the one that Verisign previously generated for the original recipient. So, even though the new certificate would be "trusted", because it was issued by Verisign, the signature hashes would be different so a sharp user or a browser that queried a database of known public hashes would be able to spot the discrepancy and warn the user that the certificate is fishy. Remember, these certificates were designed to prevent precisely the sort of behavior that you're suggesting, namely creating identical forged copies of originally issued certificates.

Re:Delusional

[swillden]

You're likely delusional to believe that there are no CA Root or Intermediate certificates in possession of various governments of the world.

I wouldn't claim there are none, but we have pretty strong evidence that if there are any, they're used sparingly and in a very targeted way. If such unauthorized keys were being used broadly, someone would notice that the public key certificates received by end users are not the same ones being served by the sites.

Re: Delusional

[fuzzyfuzzyfungus]

Nothing Snowden released was unsuspected; but there is a fair difference between "Yeah, I strongly suspect that my TLAs have some scary capabilities and enjoy using them." and actually seeing the slide decks outlining the 'and this is how we capture a genuinely impressive percentage of traffic; including more flavors of VPN and the like than you might hope."

Even when history gives one little reason to trust the spooks; the kooks always have a bad time getting taken seriously, even when they have good evidence; and much more so when they can only speculate.

Re:Delusional

[heypete]

An individual user affected by a one-time event probably won't know, but depending on the remote site and browser used by the user, it may be still be detectable, particularly if used on a larger scale.

For example, Chrome comes with information about authorized CAs and intermediates used by Google baked-into the browser itself, and has since 2011. It will refuse to connect to a "Google" site using an unauthorized certificate (unless manually added by an administrator, for things like SSL interceptors used at businesses, but unlikely in use on a wide scale on the general internet). It sends telemetry back to Google about any bad certs that it sees for Google properties (that's one of the ways they learned about the DigiNotar compromise), and I wouldn't be surprised if such information was also checked for other major sites.

Many CAs also submit records to public Certificate Transparency logs. Google, in particular, uses its standard web crawlers to feed data about certificates it sees into CT logs and has been strongly encouraging (and requiring, in some cases) CAs to submit data to CT logs. This makes detection of falsely-issued certificates quite easy. Perhaps not detectable fast enough to stop an individual, targeted attack, but it should be enough to detect any medium-scale attack on the public internet.

That's nice so are they going to work on

[NotSoHeavyD3]

censorship from the Wikipedia "mods" who've decided which pages are "theirs" and only they are allowed to update them?

Re:That's nice so are they going to work on

[aevan]

If you search for "irony" on wikipedia, you're redirected to the main page.

Re:Govt can have machine make own request

[jonwil]

Except the whole point of HTTPS is that the government only knows you visited https://example.com/ and not which page on example.com you visited.

Ah cool - left and right -- what a simple world!

Ah cool - left and right -- what a simple world!

Sounds like the Donnie Dark "LOVE or FEAR" measuring stick.

The free market probably was once a "liberal" idea, back in the days of Dukes and Lords who wanted to control all commerce. Segregation is making a huge comeback, is the idea of segregation supposed to be a "left" or "right" idea ... if so why is "the left" pushing it.

So is Smokey The Bear not wanting you to litter a "left thing" ("the environment") or a "right thing" ("use a trash can, lazy ass")? Is wanting fuel efficiency a "left thing" ("air quality") or a "right thing" ("use your resources efficiently").

Left and right is so various knuckleheads can argue with each other and navel gaze and repeat arguments someone else told to them on the television.

Re:Wrong Direction

Why are you so negative?

I'm trying to provide some counter-balance to unconscious positivity.

More seriously the religious conservatives in those countries who are employing censorship to "protect public morals" (or whatever they imagine themselves doing) do not regard the successful circumvention of censorship as positive. To call an objectively negative effect on a number 'positive,' betrays the tacit liberal ideological bias of the author. Better to call a spade a spade and allow the reader to draw her own conclusions as to the desirability of the outcome.

Re:Who is responsible for censorship?

Most censorship actually comes from leftists ...

Wrong. Most censorship actually comes from "countries like Pakistan or Iran", that is to say, from religious conservatives.

Only a temporary solution

[PAjamian]

The only reason this is working for now is because the censoring governments haven't implemented a workaround for it yet. There are various ways they can still censor Wikipedia:

They can use their own CA (don't even think that a country like China doesn't have access to be able to generate certs for any hostnames they want from a trusted CA) to generate a wikipedia.com cert and proxy wikipedia traffic through their own servers censoring it in the process.

They can proxy traffic from http to https and locally block the https traffic so the people in their country are foced to use the http version which is censored.

They can block Wikipedia alltogether by various different means.

Re:Only a temporary solution

[fulldecent]

If a trusted CA ever creates a fake certificate so that a party may perform MITM then will leave a positive artifact.

If you can ever find this artifact, then post in on Slashdot and I guarantee it will be first page and it will also result in at least one browser revoking that CA.

Re:Only a temporary solution

[PAjamian]

When China provides not only the browser, but the entire OS that the majority of people there run, don't you think they can insert their own trusted CA into the mix? How hard is it for a country to require users to access essential government services online, and oh look, they might just have their own trusted CA that you have to accept. If the certs are only presented to connections in their own country it becomes that much harder for security researchers to detect. There are so many ways to pull this off it's ridiculous, and countries that can't can still use one of the other methods I outlined.

Hard to believe.

[BitterOak]

The article makes the following claim:

For example, a government could tell that a user is browsing Wikipedia, but couldn't tell that the user is specifically reading the page about Tiananmen Square.

This is hard to believe. The vast majority of Wikipedia pages contain several images and the file sizes for each of these images is different. When you load a page, the browser first loads the text of the page, then in separate https requests, it loads each of the images, usually in the order listed in the page's HTML. Each page then has a unique signature: the size of the text, and the sizes of each of the images in order. It would be very easy for an adversary to build up a database of these signatures, simply by analyzing their own traffic when they examine various pages. Even if the traffic is encrypted, by looking at the amount of data transferred and the timing, it seems it would be almost trivial to figure out which pages a user was visiting.

Re:Hard to believe.

[PAjamian]

The web client will reuse the connection to the server, and to a 3rd-party observer it will all look like one massive blob of data so that all they could really get out of it is the content length of the whole thing, which due to gzip compression (which is enabled for Wikipedia, I checked), caching of resources, etc, means it will vary considerably from one fetch of a given page to the next.

If that isn't enough, http servers and TLS ciphers themselves actively hide the length of the content they transmit with techniques such as padding and adding additional random bytes to the beginning or end of a HTTPS transmission.

All up, I'd say this vector would be pretty much impossible to exploit.

Re:Who is responsible for censorship?

[ZorinLynx]

No. Wrong!

Most censorship comes from *AUTHORITARIANS*. From both sides of the aisle. By their very nature authoritarians want to control what you can do, and that includes what you can read. Regardless of which way someone leans politically, if they are more libertarian they will be against censorship, and/or pretty much telling people how to live their lives. If they are authoritarian, they will want to meddle, and that includes censorship.

Authoritarian left, authoritarian right; they BOTH suck. No matter how you lean politically the most important thing is to remember that we shouldn't be telling people how to live their lives.

Re:Who is responsible for censorship?

[AHuxley]

In the USA?
Countering Foreign Propaganda and Disinformation Act (2016)
https://en.wikipedia.org/wiki/...

Real world effects

[Dunbal]

Of course countries simply respond by censoring ALL of Wikipedia.