Wikimedia Plans To Beef Up Security Across Projects With HTTPS


The Wikimedia Foundation is working on making its projects more secure to protect users’ privacy.

As one can imagine, there are plenty of technological obstacles that the foundation must overcome, so it’s going through the process a little at a time. The foundation has outlined its current roadmap in a blog post.

“The Wikimedia Foundation believes strongly in protecting the privacy of its readers and editors,” writes Wikimedia Foundation operations engineer Ryan Lane. “Recent leaks of the NSA’s XKeyscore program have prompted our community members to push for the use of HTTPS by default for the Wikimedia projects. Thankfully, this is already a project that was being considered for this year’s official roadmap and it has been on our unofficial roadmap since native HTTPS was enabled.”

“Our current architecture cannot handle HTTPS by default, but we’ve been incrementally making changes to make it possible. Since we appear to be specifically targeted by XKeyscore, we’ll be speeding up these efforts,” adds Lane.

First on the agenda is redirecting to HTTPS for log-in, and keeping logged-in users on HTTPS. The foundation intends to deploy this on August 21st.

Next, the foundation intends to expand the HTTPS infrastructure, moving the SSL terminators directly onto the frontend Varnish caches and expanding the frontend caching clusters. Then, it will look to “more properly” distribute its SSL load across the frontend caches.

Wikimedia will then slowly soft-enable HTTPS for anonymous users by default, starting with its smaller projects. It will do so by changing its rel=canonical links to point to the HTTPS version of pages, rather than the HTTP versions, which will cause search engines to return HTTPS results.

After that, the foundation will consider enabling “perfect forward secrecy,” hard-enabling HTTPS (force redirecting users to HTTPS versions), and enabling HTTP Strict Transport Security to protect against SSL-stripping attacks.
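The soft-enable, hard-enable and HSTS steps described above each leave a different trace in a site's responses. The following Python sketch is an added example, not code from the article or from Wikimedia; it classifies a response by those traces, and the stage names, function names and `example.org` sample responses are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class CanonicalFinder(HTMLParser):
    """Records the href of the first <link rel="canonical"> seen."""
    def __init__(self):
        super().__init__()
        self.href = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if tag == "link" and "canonical" in rels and self.href is None:
            self.href = a.get("href")

def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if absent."""
    for directive in headers.get("strict-transport-security", "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            return int(arg.strip('"'))
    return None

def rollout_stage(scheme, status, headers, body=""):
    """Classify one response; header names are expected in lower case."""
    if scheme == "http":
        # Browsers ignore HSTS sent over plain HTTP, so only look for a
        # redirect (hard-enable) or an HTTPS canonical link (soft-enable).
        target = urlsplit(headers.get("location", ""))
        if status in (301, 302, 307, 308) and target.scheme == "https":
            return "hard-enabled"
        finder = CanonicalFinder()
        finder.feed(body)
        if finder.href and urlsplit(finder.href).scheme == "https":
            return "soft-enabled"
        return "http-only"
    # max-age=0 tells the browser to drop the policy, so it does not count.
    return "hsts" if hsts_max_age(headers) else "https-no-hsts"

# Constructed sample responses: (scheme, status, headers, body).
SAMPLES = {
    "soft": ("http", 200, {},
             '<head><link rel="canonical" href="https://example.org/wiki/A"></head>'),
    "hard": ("http", 301, {"location": "https://example.org/wiki/A"}, ""),
    "hsts": ("https", 200,
             {"strict-transport-security": "max-age=31536000; includeSubDomains"}, ""),
    "cleared": ("https", 200, {"strict-transport-security": "max-age=0"}, ""),
}
```

A soft-enabled site still serves the page over HTTP, so only the hard redirect combined with HSTS on the HTTPS response addresses the SSL-stripping case the article mentions.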

Wikimedia doesn’t have exact time frames associated with any of the changes other than the aforementioned August date for redirecting logged-in users.

  • http://www.hermetic.ch/ Hermetic Systems

    Looks like Wikipedia is not the only place where HTTPS presents a bit of a problem. When we do “https://maps.google.com/maps” in Firefox (v.22.0) we get an “Untrusted Connection” screen which says “maps.google.com uses an invalid security certificate. The certificate is not trusted because it was issued by an invalid CA certificate. (Error code: sec_error_inadequate_key_usage)”.

    Curiously, this does not occur when we use the Opera browser (v.15.0) or IE. Does anyone else have this problem, or is it just our Firefox?
