Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-23 Thread Yury Bulka
Honestly, I am not sure what actions would be appropriate.

My initial reaction was - Wikipedia (and all Wikimedia sites) is
HTTPS-only, and this undermines HTTPS as such.

So if Wikipedia should only be accessible over (real, no
man-in-the-middle) HTTPS, perhaps requests that don't meet this criteria
should not be allowed. (Maybe a landing page displayed explaining the
security implications).

Another thought that popped up in my mind was to make it read-only over
insecure connections.

I'm not very familiar with the circumstances of the 2015 decision to
move to mandatory HTTPS and if that implied being blocked or
inaccessible in whole countries as a consequence of this policy. But if
that was the case, Kazakhstan perhaps falls into a similar category?

The technical difference (no HTTPS vs a HTTPS only if users allow
government man-in-the-middle) is just a technical detail in my opinion,
as the effects are the same as if Wikipedia was made only accessible
over unencrypted HTTP in Kazakhstan.

Showing warnings is of course an option, but I am not sure if this is an
effective security measure if users are forced by the government to
install a backdoor.

Maybe it's better if Wikipedia would only be accessible over VPN or Tor
if direct HTTPS is undermined this way. This would of course only work
if users can have a secure connection to a VPN...

Hopefully, browsers do blacklist the certificate. And hopefully, they
will not start a cat-and-mouse game by rotating their certificate...

rupert THURNER writes:

> displaying a warning that there is a MITM which reads all passwords and
> banking information sounds nice, yuri. there even seem to be ways to
> detect this client-server side:
> https://www.reddit.com/r/javascript/comments/7ldypq/is_it_possible_to_detect_mitm_by_javascript_in_a/
> -
> you mean something like this would do, yury?
>
> george, the trusted root certificates would be configurable, usually, like
> for chrome here:
> https://support.securly.com/hc/en-us/articles/206081828-How-to-manually-install-the-Securly-SSL-certificate-in-Chrome
> companies pay money to get into this list, so they can more easily sell their
> website certificates. closing down the list for sure leads to some
> anti-trust legal action in other countries.
>
> btw, recently there was a blog post from a developer in iran, saying the
> same :
> https://shahinsorkh.ir/2019/07/20/how-is-it-like-to-be-a-dev-in-iran
>
> this had an even more surprising aspect - not only would the country block
> access to some site - but sites themselves decided to remove users having a
> relationship with that country:
> "Slack team, decided to join the sanctions. They simply deleted every
> single user who they found out is Iranian! With no real prior notices! Many
> people has lost their data on Slack and no one was going to do anything!"
>
> rupert
>
>
> On Mon, Jul 22, 2019 at 7:05 PM George Herbert wrote:
>
>> Browser vendors could revoke the root that Kazakh authorities are using for
>> the scheme.
>>
>> On Mon, Jul 22, 2019 at 5:35 AM Yuri Astrakhan wrote:
>>
>> > I don't think browser vendors will block the ability to install a custom
>> > root certificate because some corp clients may use it for exactly the same
>> > reason -- creating an HTTPS proxy with fake certs in order to analyze
>> > internal traffic (in the name of monitoring/security).
>> >
>> > Browser vendors could make it more difficult to install, so that it would
>> > require the corp IT department to do some magic, or even release two
>> > versions of the browser - corp and general (with blocked uncertified root
>> > certs), but at the end of the day those could be worked around.
>> >
>> > The biggest deterrent in my opinion is educating the users about the
>> > dangers such certs would pose (i.e. all your passwords and bank info will be
>> > viewable by ISPs) - thus it would be a social rather than a purely technical
>> > solution.
>> >
>> > On Mon, Jul 22, 2019 at 1:33 PM Steinsplitter Wiki <
>> > steinsplit...@wikipedia.de> wrote:
>> >
>> > > That's shocking...
>> > >
>> > > >> I think this has serious implications for Wikipedia & Wikimedia, as not
>> > > >> only they would be easily able to see which articles people read, but
>> > > >> also steal login credentials, depseudonymize people and even hijack
>> > > >> admin accounts.
>> > >
>> > > Yes, they can decrypt the traffic. Hopefully browser vendors will
>> > > disallow the root certificate.
>> > > IMHO there isn't much WP can do, except showing a warning if somebody is
>> > > trying to login from the country in question.
>> > >
>> > > --Steinsplitter
>> > >
>> > > 
>> > > From: Wikimedia-l on behalf of Yury Bulka
>> > > Sent: Sunday, 21 July 2019 12:36
>> > > To: wikimedia-l@lists.wikimedia.org
>> > > Subject: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan
>> > >
>> > > I'm sure many have heard about this:
>> > >
>> https:
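The blacklist-versus-rotation point in the message above, as an added example that is not part of the thread: a deny-list of known interception roots (what a browser "blacklist" amounts to) stops matching as soon as the interceptor rotates to a fresh key, while an allow-list pin on the expected root keeps catching it. Certificates are modelled as dicts shaped like Python's `ssl.getpeercert()` output plus a constructed `spki` field; all CA names and key bytes are placeholders, not the real Kazakh root or Wikimedia's real issuer.

```python
# Added example: an SPKI deny-list (what a browser "blacklist" amounts to)
# versus an allow-list pin, and what happens when the intercepting root rotates.
# Certs are dicts shaped like ssl.getpeercert(), plus a constructed 'spki'
# field standing in for the DER public key. All names/keys are placeholders.
import hashlib

def spki_sha256(cert: dict) -> str:
    """Hex SHA-256 of the SubjectPublicKeyInfo: the value pins are made of."""
    return hashlib.sha256(cert["spki"]).hexdigest()

def issuer_cn(cert: dict) -> str:
    """commonName from an ssl.getpeercert()-style issuer tuple of RDNs."""
    for rdn in cert["issuer"]:
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""

def denylist_hit(chain: list, bad_pins: set) -> bool:
    """Blacklist check: any cert in the chain carries a known-bad key."""
    return any(spki_sha256(c) in bad_pins for c in chain)

def pin_ok(chain: list, expected_pins: set) -> bool:
    """Allow-list (HPKP-style) check: some cert in the chain is a pinned key."""
    return any(spki_sha256(c) in expected_pins for c in chain)

def classify(chain: list, bad_pins: set, expected_pins: set) -> str:
    """'known-interception' if denylisted, 'unknown-issuer' if unpinned, else 'ok'."""
    if denylist_hit(chain, bad_pins):
        return "known-interception"
    return "ok" if pin_ok(chain, expected_pins) else "unknown-issuer"

def _cert(subject: str, issuer: str, spki: bytes) -> dict:
    return {"subject": ((("commonName", subject),),),
            "issuer": ((("commonName", issuer),),), "spki": spki}

# Constructed chains; the host name is the thread's subject, the CAs are fictional.
LEGIT_ROOT = _cert("Example Public Root CA", "Example Public Root CA", b"key-legit-root")
LEGIT_CHAIN = [_cert("*.wikipedia.org", "Example Public Root CA", b"key-leaf"), LEGIT_ROOT]
MITM_ROOT_V1 = _cert("Example Interception Root", "Example Interception Root", b"key-mitm-v1")
MITM_CHAIN_V1 = [_cert("*.wikipedia.org", "Example Interception Root", b"key-forged-1"), MITM_ROOT_V1]
# Same interceptor after rotating to a fresh key: the deny-list entry no longer matches.
MITM_ROOT_V2 = _cert("Example Interception Root", "Example Interception Root", b"key-mitm-v2")
MITM_CHAIN_V2 = [_cert("*.wikipedia.org", "Example Interception Root", b"key-forged-2"), MITM_ROOT_V2]

BAD_PINS = {spki_sha256(MITM_ROOT_V1)}       # what a browser blacklist would hold
EXPECTED_PINS = {spki_sha256(LEGIT_ROOT)}    # what the site operator would pin
if __name__ == "__main__":
    for name, chain in [("legit", LEGIT_CHAIN), ("mitm-v1", MITM_CHAIN_V1), ("mitm-v2", MITM_CHAIN_V2)]:
        print(name, issuer_cn(chain[0]), classify(chain, BAD_PINS, EXPECTED_PINS))
```

The rotated chain slips past the deny-list but is still flagged as an unknown issuer by the pin, which is why a site-side pin is a steadier signal than waiting for each new root to be blacklisted.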

Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-23 Thread Thomas Townsend
Yury

What is the position of the Kazakhstan chapter on this?

The Turnip

On Sun, 21 Jul 2019 at 11:36, Yury Bulka wrote:
>
> I'm sure many have heard about this:
> https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
>
> Essentially, the government in Kazakhstan started forcing citizens into
> installing a root TLS certificate on their devices that would allow the
> government to intercept, decrypt and manipulate all HTTPS traffic.
>
> Without the certificate, it seems, citizens can't access HTTPS pages (at
> least on some ISPs).
>
> I think this has serious implications for Wikipedia & Wikimedia, as not
> only they would be easily able to see which articles people read, but
> also steal login credentials, depseudonymize people and even hijack
> admin accounts.
>
> Another danger is that if this effort by Kazakhstan will succeed, other
> governments may start doing the same.
>
> I wonder if WMF has any position on this yet?
>
> Best,
> Yury.
>
> ___
> Wikimedia-l mailing list, guidelines at: 
> https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and 
> https://meta.wikimedia.org/wiki/Wikimedia-l
> New messages to: Wikimedia-l@lists.wikimedia.org
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
> 



Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-23 Thread Yaroslav Blanter
I do not think Kazakhstan has a chapter. In the past, some Kazakh
Wikimedians enjoyed close collaboration with the government (for example,
the Kazakhstani Encyclopedia has been released under a free license and
verbatim copied to the Kazakh Wikipedia), so I do not expect much.

Cheers
Yaroslav

On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend wrote:

> Yury
>
> What is the position of the Kazakhstan chapter on this?
>
> The Turnip
>
> On Sun, 21 Jul 2019 at 11:36, Yury Bulka wrote:
> >
> > I'm sure many have heard about this:
> >
> https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
> >
> > Essentially, the government in Kazakhstan started forcing citizens into
> > installing a root TLS certificate on their devices that would allow the
> > government to intercept, decrypt and manipulate all HTTPS traffic.
> >
> > Without the certificate, it seems, citizens can't access HTTPS pages (at
> > least on some ISPs).
> >
> > I think this has serious implications for Wikipedia & Wikimedia, as not
> > only they would be easily able to see which articles people read, but
> > also steal login credentials, depseudonymize people and even hijack
> > admin accounts.
> >
> > Another danger is that if this effort by Kazakhstan will succeed, other
> > governments may start doing the same.
> >
> > I wonder if WMF has any position on this yet?
> >
> > Best,
> > Yury.
> >


Re: [Wikimedia-l] Universal forced HTTPS backdoor in Kazakhstan

2019-07-23 Thread Yury Bulka
I'm not in Kazakhstan and am not in direct touch with any of the
wikimedians there, so I don't know their position.

However, I'm not sure how much freedom they have in expressing their
honest opinion about this publicly. Simply because it is always a
pros-and-cons calculation to criticise your local government in such
situations.

Yaroslav Blanter writes:

> I do not think Kazakhstan has a chapter. In the past, some Kazakh
> Wikimedians enjoyed close collaboration with the government (for example,
> the Kazakhstani Encyclopedia has been released under a free license and
> verbatim copied to the Kazakh Wikipedia), so I do not expect much.
>
> Cheers
> Yaroslav
>
> On Tue, Jul 23, 2019 at 12:45 PM Thomas Townsend wrote:
>
>> Yury
>>
>> What is the position of the Kazakhstan chapter on this?
>>
>> The Turnip
>>
>> On Sun, 21 Jul 2019 at 11:36, Yury Bulka wrote:
>> >
>> > I'm sure many have heard about this:
>> >
>> https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
>> >
>> > Essentially, the government in Kazakhstan started forcing citizens into
>> > installing a root TLS certificate on their devices that would allow the
>> > government to intercept, decrypt and manipulate all HTTPS traffic.
>> >
>> > Without the certificate, it seems, citizens can't access HTTPS pages (at
>> > least on some ISPs).
>> >
>> > I think this has serious implications for Wikipedia & Wikimedia, as not
>> > only they would be easily able to see which articles people read, but
>> > also steal login credentials, depseudonymize people and even hijack
>> > admin accounts.
>> >
>> > Another danger is that if this effort by Kazakhstan will succeed, other
>> > governments may start doing the same.
>> >
>> > I wonder if WMF has any position on this yet?
>> >
>> > Best,
>> > Yury.
>> >


[Wikimedia-l] [Wikimedia Announcements] Wikimedia Foundation's final Medium Term Plan and FY2019-2020 Annual Plan

2019-07-23 Thread Maria Cruz
Hello everyone,

After opening a community comment period in early April this year,
collecting and incorporating that feedback, we are happy to announce that
the Wikimedia Foundation Board of Trustees has approved our Medium Term
Plan for 2019-2023! You can view the final version here:
https://meta.wikimedia.org/wiki/Wikimedia_Foundation_Medium-term_plan_2019

This process wouldn’t have been possible without communities’
participation, and we want to thank each of you for taking the time away
from doing your favorite thing on the wikis to comment on our
organization’s plan for the next 5 years. This new process, which we
implemented for the first time this year, allows us to plan for a longer
time frame. It also gives us a more flexible structure for annual planning
that allows us to incorporate recommendations from the movement strategy.

Today, we are publishing both the Wikimedia Foundation’s Medium-term Plan
and our annual budget and plan for the fiscal year 2019-20. This 2019-20
plan is the first instance in this new planning process, and over the next
5 years, we will continue to create plans that focus on the priorities we
identified. We will review the progress towards our annual goals on a
quarterly basis, and continue to share these reports publicly.

We hope to continue these conversations and collaboration as we work
towards our strategic direction.

Cheers,


*María Cruz * \\  Communications and Outreach manager, Community Engagement
\\ Wikimedia Foundation, Inc.
mc...@wikimedia.org  |  Twitter:  @marianarra_

___
Please note: all replies sent to this mailing list will be immediately directed 
to Wikimedia-l, the public mailing list of the Wikimedia community. For more 
information about Wikimedia-l:
https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
___
WikimediaAnnounce-l mailing list
wikimediaannounc...@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikimediaannounce-l


[Wikimedia-l] Invitation to the July 2019 Wikimedia Monthly Activities Meeting: Thursday, July 25th, 18:00 UTC

2019-07-23 Thread Sasha Redkina
Hello everyone,
The next Wikimedia Monthly Activities meeting will take place on Thursday,
July 25th, 2019 at 18:00 UTC (11 AM PDT). The IRC channel is
#wikimedia-office on https://webchat.freenode.net, and the meeting will be
broadcast as a live YouTube stream:
https://www.youtube.com/watch?v=kHnso8LvL_Q
We’ll post the video recording publicly after the meeting.

Agenda

Facilitator: TBA

   - Welcome and introduction to agenda - 2 minutes
   - Movement update - 3 minutes
   - Talk Pages Consultation presentation - 10 minutes
   - Wikimedia Foundation updated website design demonstration - 10 minutes
   - Wikimedia movement strategy update - 15 minutes
   - Questions and discussion - 10 minutes
   - Wikilove - 5 minutes

Please review the meeting's Meta-Wiki page for further information about
the meeting and how to participate:
https://meta.wikimedia.org/wiki/Wikimedia_monthly_activities_meetings

Thank you!
Sasha Redkina
Front Office Coordinator
*The Wikimedia Foundation*
www.wikimediafoundation.org