Re: [Wikimedia-l] Blocking of HTTPS connection by China
On Fri, Jun 7, 2013 at 2:31 PM, Ryan Lane rl...@wikimedia.org wrote:
> A very small minority of users don't have HTTPS support, or their computers are so old that it makes the site unusably slow. That's a *very* small percentage of users, though.

There's also the small issue of a billion people in China who can access our site by HTTP but not HTTPS. Making *.wikipedia.org unconditionally redirect from HTTP to HTTPS would have the effect of making it completely impossible for them to read anything, whereas currently, it is only difficult to read information on certain politically-sensitive topics.

HTTPS would be useful for reducing government snooping in developed countries like the UK and Australia. But it's not a solution for China (because HTTPS is equivalent to null routing) or the US (because they can use court orders to accomplish whatever they want to achieve on the server side).

-- Tim Starling

___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Re: [Wikimedia-l] Blocking of HTTPS connection by China
This response seems to miss the fact that, in this particular case, censorship is being accomplished through eavesdropping.

On Fri, Jun 7, 2013 at 6:24 PM, Matthew Roth mr...@wikimedia.org wrote:
> Hi all,
>
> I wanted to share a clarifying email from Ryan Lane in WMF Ops. He's working through the challenges of HTTPS from the Foundation's end. Please see below for more details:
>
> -Matthew
>
> On Fri, Jun 7, 2013 at 2:31 PM, Ryan Lane rl...@wikimedia.org wrote:
>
> How does it impact people?
>
> Short answer: it shouldn't. Long answer: It may make the site slightly slower due to increased network latency, and it is slightly more computationally expensive, which may make the site slower on computers that are underpowered.
>
> How does it impact the WMF?
>
> It depends. For enabling it for logged-in users, or for those that use HTTPS-anywhere? It doesn't affect us, because that's the state we're in right now. For making HTTPS the default for anonymous users? We need to change how our infrastructure works. We may need to buy additional hardware. We definitely need to do some engineering work.
>
> How does it impact the government's ability to apply censorship?
>
> Short answer: it doesn't. It affects their ability to eavesdrop on people. Long answer: It depends on how sophisticated the government's censorship program is. In some countries the government's censorship program can be totally bypassed using HTTPS. China's program is very sophisticated. The best HTTPS is going to help the Chinese is to give them a reasonable amount of protection against eavesdropping. It's still possible for China to eavesdrop, even when users are using HTTPS, if China has subverted any of the Certificate Authorities trusted by our browsers.
>
> Are there negative sides of each choice?
>
> Yes. Not providing HTTPS means that users will always be subject to eavesdropping, which in very authoritative countries could mean they are imprisoned or killed for reading or editing Wikipedia, depending on what they are reading or editing. Realistically not making HTTPS the default is similar to not providing it for all intents and purposes. Search engines will bring people to the HTTP version of the site, not the HTTPS version so the vast majority of users will still be able to be eavesdropped on.
>
> Making HTTPS the default also has negatives. A very small minority of users don't have HTTPS support, or their computers are so old that it makes the site unusably slow. That's a *very* small percentage of users, though. Additionally, it makes the site slower for everyone, which may cause a decrease in viewers and/or editors.
>
> This is likely the most non-technical way I can explain things. I hope it helps!
>
> On Fri, Jun 7, 2013 at 11:39 AM, Benjamin Chen bencmqw...@gmail.com wrote:
>
> On 8 Jun, 2013, at 12:24 AM, Matthew Roth mr...@wikimedia.org wrote:
>
> We have had contact with the authors of the blog and they have said they will publish our response to their article, though I'm not sure when or in what format.
>
> Great. That's a really fast response.
>
> On the issue itself, we haven't seen any large scale blocks for years (around the time since last time Jimbo visited some Chinese official more than 4 or 5 years ago I think). The secure.wikimedia domain was blocked long ago, but they waited till now to block HTTPS, after 3 years? (I can't remember when it was enabled). I wonder how long it took for them to realise.
>
> It is suggested that this could be a long term block similar to how secure.wikimedia was blocked - for HTTPS they have no control over content, so they are simply blocking it all. For HTTP they are still performing deep package inspection (means content censoring), so since they can filter what the Chinese people can see, it's likely that they'll leave HTTP alone.
>
> Regards,
> Benjamin Chen / [[User:Bencmq]]
>
> --
> Matthew Roth
> Global Communications Manager
> Wikimedia Foundation
> +1.415.839.6885 ext 6635
> www.wikimediafoundation.org
> *http://blog.wikimedia.org/*
Re: [Wikimedia-l] Blocking of HTTPS connection by China
What is this hard-enabled and soft-enabled?

If the Chinese volunteer editor community requests that HTTPS be soft-enabled for them, and you do so, does that solve anything?

On Fri, Jun 7, 2013 at 12:24 PM, Matthew Roth mr...@wikimedia.org wrote:
> We've also hard-enabled HTTPS on all of our private wikis and have soft-enabled HTTPS on a single wiki (Uzbek Wikipedia), when it was requested by the volunteer editor community there.
Re: [Wikimedia-l] Blocking of HTTPS connection by China
On Fri, Jun 7, 2013 at 6:24 PM, Matthew Roth mr...@wikimedia.org wrote:
> We have had contact with the authors of the blog and they have said they will publish our response to their article, though I'm not sure when or in what format. This is the content of our response:
>
> The Wikimedia Foundation doesn’t hold any readers of our projects in any less regard than others. Our mission is to bring the knowledge contained in the Wikimedia projects to everyone on the planet. There is no strategic consideration around how we can make one or another language project more accessible or readable in one part of the world or another. We do not have control over how a national government operates its censorship system. We also do not work with any national censorship system to limit access to project knowledge in any way.
>
> It is worth noting the blog post makes some incorrect assumptions about Wikimedia culture - including incorrect titling of some Wikimedia Foundation staff (e.g. Sue Gardner is the Executive Director of the Wikimedia Foundation, the non-profit that operates Wikipedia -- Wikipedia is written by tens of thousands of volunteers and has no director and no hierarchy of editors). There is also an incorrect assertion that Jimmy Wales has a direct role in working with our staff in making changes to core infrastructure. Of course Jimmy plays a role in the conversation, but he is participating in the conversation along with anyone else from the volunteer editor community.
>
> On the larger topic, the implementation of HTTPS by default across all Wikimedia sites for all readers and users is non-trivial, and a conversation is ongoing within the Wikimedia Foundation and within the community about how we might make this possible. We do have plans to eventually enable HTTPS as the default, but it's difficult and we're taking steps toward this goal over time. Our first step is to force HTTPS for logged-in users. The next step will be to expand our SSL cluster and to do some testing on a wiki-by-wiki basis with anonymous HTTPS. At some point later we'll attempt to enable HTTPS for anons on all projects. Then we'll look at enabling HSTS, so that browsers know they should always use HTTPS to access our sites.
>
> We've only had proper native HTTPS for about a year and a half. We attempted to force HTTPS by default for logged-in users last month and rolled it back. We'll be attempting this again soon. So, it's something we're actively working on. We've also hard-enabled HTTPS on all of our private wikis and have soft-enabled HTTPS on a single wiki (Uzbek Wikipedia), when it was requested by the volunteer editor community there.

Great response, which makes it clear that there are no politically biased motives here, just technical issues. I hope they will be publishing it in some sort of decent form, though unfortunately the damage is generally never restored, it might go a long way.

On a tiny side note: Is calling non logged in users on official communications a good idea? I've always found it to be sounding quite denigrating.

> On Fri, Jun 7, 2013 at 6:50 AM, shi zhao shiz...@gmail.com wrote:
>
> https://upload.wikimedia.org also blocked
>
> Chinese wikipedia: http://zh.wikipedia.org/
> My blog: http://shizhao.org
> twitter: https://twitter.com/shizhao
> [[zh:User:Shizhao]]
>
> 2013/6/7 Benjamin Chen bencmqw...@gmail.com:
>
> Hi,
>
> Since 31 May, China's Great Firewall has blocked the HTTPS connection to all language versions of Wikipedia, by blocking port 443 on two of our IPs. I was also told that service to Wikimedia Commons may be affected. Other projects, such as en.wikisource are not affected by this block (but they may still be subjected to keyword censoring on HTTP).
>
> Compared to the previous short-lived half-day block, this time the block has been in place for a week and as usual no one knows if it will last for long.
>
> Here is an article that has some explanation, some comments, and (their) opinions and suggestions for the Foundation.
> https://en.greatfire.org/blog/2013/jun/wikipedia-drops-ball-china-not-too-late-make-amends
>
> Regards,
> Benjamin Chen / [[User:Bencmq]]
>
> --
> Matthew Roth
> Global Communications Manager
> Wikimedia Foundation
> +1.415.839.6885 ext 6635
> www.wikimediafoundation.org
> *http://blog.wikimedia.org/*
Re: [Wikimedia-l] Blocking of HTTPS connection by China
On Sat, Jun 8, 2013 at 9:41 AM, Anthony wikim...@inbox.org wrote:
> What is this hard-enabled and soft-enabled?

I hope someone will correct me if I'm wrong, but...

I believe that soft-enabled means that https was set as the protocol in the canonical URLs for uzwiki. So search engines should start linking to the https URLs, and non-relative links generated by MediaWiki on WMF wikis would link to https rather than http. And, eventually, the links that people post to other places would start to be more often https too. But a visitor may still go to the http URL if they want to. Bug 43466[1] seems relevant, and links to other discussion.

Hard-enabled, on the other hand, means that anyone fetching the http URL would be redirected to the corresponding https URL.[2] If this were somehow done now, then people in China would not be able to read Wikipedia at all because the http links would just redirect to https and then China's firewall would block the https request. The blog post mentioned earlier in this thread hopes that that would make China back down and unblock https to Wikipedia.

[1]: https://bugzilla.wikimedia.org/show_bug.cgi?id=43466
[2]: With an HTTP 301 redirect, most likely.
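An added illustration of the soft/hard distinction described in the message above (not part of the original post, and not MediaWiki or WMF code): a toy server with both modes and a client whose port 443 is blocked, extended to the HSTS step mentioned elsewhere in the thread. The host `wiki.example` and all function and class names are assumptions made for the example.

```python
"""Toy model of soft- vs hard-enabled HTTPS (constructed example, not WMF config)."""

HOST = "wiki.example"  # placeholder host, an assumption


def serve(scheme, path, mode, hsts=False):
    """Server side: return (status, headers, body) for one request.

    mode="soft": HTTP is still answered, canonical URL points at HTTPS.
    mode="hard": every HTTP request is answered with a 301 to HTTPS.
    """
    https_url = f"https://{HOST}{path}"
    if scheme == "http" and mode == "hard":
        return 301, {"Location": https_url}, ""
    headers = {}
    if scheme == "https" and hsts:
        # Browsers only honour HSTS when it arrives over HTTPS.
        headers["Strict-Transport-Security"] = "max-age=31536000"
    return 200, headers, f'<link rel="canonical" href="{https_url}">'


class Client:
    """Browser model: follows redirects and remembers HSTS hosts."""

    def __init__(self, port_443_blocked):
        self.port_443_blocked = port_443_blocked
        self.hsts_hosts = set()

    def fetch(self, url, mode, hsts=False, max_hops=5):
        for _hop in range(max_hops):
            scheme, rest = url.split("://", 1)
            host, _sep, path = rest.partition("/")
            if scheme == "http" and host in self.hsts_hosts:
                scheme = "https"  # upgraded inside the browser
            if scheme == "https" and self.port_443_blocked:
                return "unreachable"  # connection to port 443 never completes
            status, headers, _body = serve(scheme, "/" + path, mode, hsts)
            if "Strict-Transport-Security" in headers:
                self.hsts_hosts.add(host)
            if status != 301:
                return f"{status} over {scheme}"
            url = headers["Location"]
        return "too many redirects"


def outcomes():
    """Run the four cases and return {case: result}."""
    http_url = f"http://{HOST}/wiki/Main_Page"
    blocked = Client(port_443_blocked=True)
    unblocked = Client(port_443_blocked=False)
    # Client that visited over HTTPS and stored HSTS before the block began.
    pinned = Client(port_443_blocked=False)
    pinned.fetch(f"https://{HOST}/wiki/Main_Page", "soft", hsts=True)
    pinned.port_443_blocked = True
    return {
        "soft, 443 blocked": blocked.fetch(http_url, "soft"),
        "hard, 443 blocked": blocked.fetch(http_url, "hard"),
        "hard, 443 open": unblocked.fetch(http_url, "hard"),
        "soft with stored HSTS, 443 blocked": pinned.fetch(http_url, "soft", hsts=True),
    }


if __name__ == "__main__":
    for case, result in outcomes().items():
        print(f"{case}: {result}")
```

The last case shows that a browser holding a stored HSTS entry behaves like the hard-enabled case even when the server still answers plain HTTP.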
Re: [Wikimedia-l] Blocking of HTTPS connection by China
We have had contact with the authors of the blog and they have said they will publish our response to their article, though I'm not sure when or in what format. This is the content of our response:

The Wikimedia Foundation doesn’t hold any readers of our projects in any less regard than others. Our mission is to bring the knowledge contained in the Wikimedia projects to everyone on the planet. There is no strategic consideration around how we can make one or another language project more accessible or readable in one part of the world or another. We do not have control over how a national government operates its censorship system. We also do not work with any national censorship system to limit access to project knowledge in any way.

It is worth noting the blog post makes some incorrect assumptions about Wikimedia culture - including incorrect titling of some Wikimedia Foundation staff (e.g. Sue Gardner is the Executive Director of the Wikimedia Foundation, the non-profit that operates Wikipedia -- Wikipedia is written by tens of thousands of volunteers and has no director and no hierarchy of editors). There is also an incorrect assertion that Jimmy Wales has a direct role in working with our staff in making changes to core infrastructure. Of course Jimmy plays a role in the conversation, but he is participating in the conversation along with anyone else from the volunteer editor community.

On the larger topic, the implementation of HTTPS by default across all Wikimedia sites for all readers and users is non-trivial, and a conversation is ongoing within the Wikimedia Foundation and within the community about how we might make this possible. We do have plans to eventually enable HTTPS as the default, but it's difficult and we're taking steps toward this goal over time. Our first step is to force HTTPS for logged-in users. The next step will be to expand our SSL cluster and to do some testing on a wiki-by-wiki basis with anonymous HTTPS. At some point later we'll attempt to enable HTTPS for anons on all projects. Then we'll look at enabling HSTS, so that browsers know they should always use HTTPS to access our sites.

We've only had proper native HTTPS for about a year and a half. We attempted to force HTTPS by default for logged-in users last month and rolled it back. We'll be attempting this again soon. So, it's something we're actively working on. We've also hard-enabled HTTPS on all of our private wikis and have soft-enabled HTTPS on a single wiki (Uzbek Wikipedia), when it was requested by the volunteer editor community there.

On Fri, Jun 7, 2013 at 6:50 AM, shi zhao shiz...@gmail.com wrote:
> https://upload.wikimedia.org also blocked
>
> Chinese wikipedia: http://zh.wikipedia.org/
> My blog: http://shizhao.org
> twitter: https://twitter.com/shizhao
> [[zh:User:Shizhao]]
>
> 2013/6/7 Benjamin Chen bencmqw...@gmail.com:
>
> Hi,
>
> Since 31 May, China's Great Firewall has blocked the HTTPS connection to all language versions of Wikipedia, by blocking port 443 on two of our IPs. I was also told that service to Wikimedia Commons may be affected. Other projects, such as en.wikisource are not affected by this block (but they may still be subjected to keyword censoring on HTTP).
>
> Compared to the previous short-lived half-day block, this time the block has been in place for a week and as usual no one knows if it will last for long.
>
> Here is an article that has some explanation, some comments, and (their) opinions and suggestions for the Foundation.
> https://en.greatfire.org/blog/2013/jun/wikipedia-drops-ball-china-not-too-late-make-amends
>
> Regards,
> Benjamin Chen / [[User:Bencmq]]

--
Matthew Roth
Global Communications Manager
Wikimedia Foundation
+1.415.839.6885 ext 6635
www.wikimediafoundation.org
*http://blog.wikimedia.org/*
Re: [Wikimedia-l] Blocking of HTTPS connection by China
On 8 Jun, 2013, at 12:24 AM, Matthew Roth mr...@wikimedia.org wrote:
> We have had contact with the authors of the blog and they have said they will publish our response to their article, though I'm not sure when or in what format.

Great. That's a really fast response.

On the issue itself, we haven't seen any large scale blocks for years (around the time since last time Jimbo visited some Chinese official more than 4 or 5 years ago I think). The secure.wikimedia domain was blocked long ago, but they waited till now to block HTTPS, after 3 years? (I can't remember when it was enabled). I wonder how long it took for them to realise.

It is suggested that this could be a long term block similar to how secure.wikimedia was blocked - for HTTPS they have no control over content, so they are simply blocking it all. For HTTP they are still performing deep package inspection (means content censoring), so since they can filter what the Chinese people can see, it's likely that they'll leave HTTP alone.

Regards,
Benjamin Chen / [[User:Bencmq]]
Re: [Wikimedia-l] Blocking of HTTPS connection by China
Hi all,

I wanted to share a clarifying email from Ryan Lane in WMF Ops. He's working through the challenges of HTTPS from the Foundation's end. Please see below for more details:

-Matthew

On Fri, Jun 7, 2013 at 2:31 PM, Ryan Lane rl...@wikimedia.org wrote:
> How does it impact people?
>
> Short answer: it shouldn't. Long answer: It may make the site slightly slower due to increased network latency, and it is slightly more computationally expensive, which may make the site slower on computers that are underpowered.
>
> How does it impact the WMF?
>
> It depends. For enabling it for logged-in users, or for those that use HTTPS-anywhere? It doesn't affect us, because that's the state we're in right now. For making HTTPS the default for anonymous users? We need to change how our infrastructure works. We may need to buy additional hardware. We definitely need to do some engineering work.
>
> How does it impact the government's ability to apply censorship?
>
> Short answer: it doesn't. It affects their ability to eavesdrop on people. Long answer: It depends on how sophisticated the government's censorship program is. In some countries the government's censorship program can be totally bypassed using HTTPS. China's program is very sophisticated. The best HTTPS is going to help the Chinese is to give them a reasonable amount of protection against eavesdropping. It's still possible for China to eavesdrop, even when users are using HTTPS, if China has subverted any of the Certificate Authorities trusted by our browsers.
>
> Are there negative sides of each choice?
>
> Yes. Not providing HTTPS means that users will always be subject to eavesdropping, which in very authoritative countries could mean they are imprisoned or killed for reading or editing Wikipedia, depending on what they are reading or editing. Realistically not making HTTPS the default is similar to not providing it for all intents and purposes. Search engines will bring people to the HTTP version of the site, not the HTTPS version so the vast majority of users will still be able to be eavesdropped on.
>
> Making HTTPS the default also has negatives. A very small minority of users don't have HTTPS support, or their computers are so old that it makes the site unusably slow. That's a *very* small percentage of users, though. Additionally, it makes the site slower for everyone, which may cause a decrease in viewers and/or editors.
>
> This is likely the most non-technical way I can explain things. I hope it helps!
>
> On Fri, Jun 7, 2013 at 11:39 AM, Benjamin Chen bencmqw...@gmail.com wrote:
>
> On 8 Jun, 2013, at 12:24 AM, Matthew Roth mr...@wikimedia.org wrote:
>
> We have had contact with the authors of the blog and they have said they will publish our response to their article, though I'm not sure when or in what format.
>
> Great. That's a really fast response.
>
> On the issue itself, we haven't seen any large scale blocks for years (around the time since last time Jimbo visited some Chinese official more than 4 or 5 years ago I think). The secure.wikimedia domain was blocked long ago, but they waited till now to block HTTPS, after 3 years? (I can't remember when it was enabled). I wonder how long it took for them to realise.
>
> It is suggested that this could be a long term block similar to how secure.wikimedia was blocked - for HTTPS they have no control over content, so they are simply blocking it all. For HTTP they are still performing deep package inspection (means content censoring), so since they can filter what the Chinese people can see, it's likely that they'll leave HTTP alone.
>
> Regards,
> Benjamin Chen / [[User:Bencmq]]

--
Matthew Roth
Global Communications Manager
Wikimedia Foundation
+1.415.839.6885 ext 6635
www.wikimediafoundation.org
*http://blog.wikimedia.org/*