[Wikimediach-l] Fwd: [Wikimedia-l] Wikimedia and the politics of encryption

[rupert THURNER]

Fyi
-- Weitergeleitete Nachricht --
Von: Erik Moeller e...@wikimedia.org
Datum: 31.08.2013 07:17
Betreff: [Wikimedia-l] Wikimedia and the politics of encryption
An: Wikimedia Mailing List wikimedi...@lists.wikimedia.org

Hi folks,

As many of you know, this week we enabled HTTPS for logged-in users of
Wikimedia projects. See:

https://blog.wikimedia.org/2013/08/28/https-default-logged-in-users-wikimedia-sites/

We have geographically exempted users geo-located to China or Iran
from this [1], because these countries mostly block HTTPS traffic and
requiring HTTPS for logged-in users would make it impossible for users
in these countries to log in.

Long term, we’d like to increase HTTPS coverage further, initially by
marking the HTTPS versions of our pages as canonical, which would
cause search engines to refer to them instead of the unencrypted
content. This would make issues with countries that block HTTPS
traffic even more complex to deal with.

HTTPS for editors is important because it is otherwise trivial to
sniff account credentials, especially when users use unencrypted
connections such as open wireless networks. This could potentially
enable an attacker to gain access to an account with significant
privileges, such as checkuser credentials. Beyond that, HTTPS makes it
harder for attackers (individuals, organizations, governments) to
monitor user behavior of readers and editors. It’s not perfect by any
means, but it’s a step towards more privacy and security.

There are many sites on the web now that use HTTPS for all
transactions. For example, Twitter and Facebook use HTTPS by default.
Both sites are also completely blocked in mainland China. [2]

Disabling HTTPS-by-default in regions where HTTPS is blocked for
political reasons of course also exposes affected users to monitoring
and credentials-theft -- which is likely part of the political
motivation for blocking it in the first place. Therefore, our current
exemption is an explicit choice to _not_ give users a degree of
security that we give to everyone else, for the simple reason that
their government would otherwise completely limit their access.

If they know how to make HTTPS work in their region, these users will
still be able to use it by explicitly visiting the HTTPS URLs or use
an extension such as HTTPSEverywhere to enforce HTTPS usage.

In the long term, the Wikimedia movement is faced with a choice, which
is inherently political: Should we indefinitely sustain security
exceptions for regions that prevent the use of encryption, or should
we shift to an alternative strategy? How do we answer that question?

We can, of course, ask users in the affected countries. Given that
this may lead to degradation or loss of access, users are likely to be
opposed, and indeed, when plans to expand HTTPS usage were announced,
a group of Chinese Wikipedians published an open letter asking for
exemptions to be implemented:

https://zh.wikipedia.org/wiki/Wikipedia:%E5%BC%BA%E5%88%B6%E5%8A%A0%E5%AF%86%E7%99%BB%E5%BD%95/openletter

This was a big part of what drove the decision to implement exemptions.

The bigger consideration here, however, is whether any such
accommodation achieves positive or negative long term effects. The
argument against it goes like this: If we accommodate the PRC’s or
Iran’s censorship practices, we are complicit in their attempts to
monitor and control their citizenry. If a privileged user’s
credentials (e.g. Checkuser) are misused by the government through
monitoring of unencrypted traffic, for example, this is an action that
would not have been possible without our exemption. This could
potentially expose even users not in the affected country to risks.

Moreover, Wikimedia is not just any website -- it’s a top 5 web
property, and the only non-profit organization among the top sites.
Our actions can have signalling effects on the rest of the web. By
exempting China and Iran from standard security measures, we are
treating them as part of the global web community. It could be argued
that it’s time to draw a line in the sand - if you’re prohibiting the
use of encryption, you’re effectively not part of the web. You’re
subverting basic web technologies.

Drawing this hard line clearly has negative near term effects on the
citizenry of affected countries. But the more the rest of the world
comes together in saying What you are doing is wrong. Stop it. - the
harder it will be for outlier countries to continue doing it.  Another
way to pose the question is: Would we be implementing these exemptions
if China had blocked HTTPS traffic well after we switched to HTTPS?

Moreover, we’re not helpless against censorship. There _are_ effective
tools that can be used to circumvent attempts to censor and control
the Internet. Perhaps it is time for WMF to ally with the
organizations that develop and promote such tools, rather than looking
for ways to guarantee basic site operation in hostile environments
even at the expense of 

Re: [Wikimediach-l] A few remakrs about the Wikimedia CH Summer Newsletter

[Nico Ray]

A quick comment from my side : would you need a French-speaking person 
to read and correct the newsletter **before** sending it, please do not 
hesitate to contact me...

Regards,
Nico

On 31.08.2013 22:55, Ilario Valdelli wrote:

Thanks for the comments.

About LabisAlps, at the moment I don't push a lot the templates of 
Wikimedia Switzerland because the work is on going. At the end of 2013 
the template will be in any article part of the project and there will 
be the rollout in other languages.


The De Re Metallica is uploaded from Archive.org because it has been 
the first test to upload ancient books. It wa simportant to avoid *any 
problem connected with the digitization* and to proceed with a book 
already in PDF.


Instead of fighting with books digitized from scracth, this book was 
already present in open source, so it has been uploaded in Wikisource.


The main job of Wikisource is the transcription and I can assure that 
that of De Re Metallica is really hard *and not adapt for people 
without a strong knowledge in Latin language*.


The remaiming books will be uploaded by Wikimedia CH as the first 
attempt has been done with success and with a good result.


Regards






On Sat, Aug 31, 2013 at 10:16 AM, Emmanuel Engelhart 
emmanuel.engelh...@wikimedia.ch 
mailto:emmanuel.engelh...@wikimedia.ch wrote:


Hi,

I have received yesterday the WMCH newsletter. This is great to
get some
news in that format, I guess this is the work of our new community
managers. Also the work of Manuel, it seems to me that this is the
first
newsletter sent by CiviCRM? So, congratulations to all the people who
have worked on it.

Here are a few remarks related to this mailing, the contents, and
others:

* Newsletters are elaborated on the wiki, you can help and find the
archive here: https://members.wikimedia.ch/Newsletters/
* I think the English version of this newsletter should be also posted
here, on this ML. It's primarily for members, but this could be also
interesting for others.
* Unsubscribe/re-subscribe procedure seems to work.
* How to change the recipient email address for this mailing? I have
tried the unsubscribe link and then tried to recover my password
with
my email address but this seems to fail (hostname
test.wikimedia.ch http://test.wikimedia.ch is
also strange)...

* In general, it's really great to see more activity on the
wiki... but
it's pretty difficult to be triggered about something new. The
only way
I know, is to use the atom/rss feed of the recent changes... and in my
case it does not work with my online aggregator (Netvibes). So
this is a
problem to be triggered about what happens and this looks to me to
be a
brake to get involved members.

* Do we have periodic reports about the LabisAlp project in English? I
can't find one neither on the Mailing-List nor in the wiki nor in the
GLAM working group report.
* LabiAlp project uploads (for example
http://it.wikisource.org/wiki/Indice:Labi_1996.djvu) should be
labelled
as sponsored by WMCH and categorized in a dedicated project category.
*
https://la.wikisource.org/wiki/Liber:Agricola_De_re_metallica.djvu was
scanned and uploaded to archive.org http://archive.org in 2008,
so I'm not sure to
understand the relation with the LabisAlp project.

* Do we have reports in English about the activity of the WIR?
* Nice to have the interview of Micha, I don't know if this one is old
or not, hope not so... I was not informed about its release.
* It was impossible to me to find the WIR interview on the WMCH
web site
(without having the direct link)

https://www.wikimedia.ch/%5Bi18n-termpath-raw%5D/wikipedian-residence-swiss-federal-archives
... I think this is linked nowhere in other pages and also the URL is
pretty strange (%5Bi18n-termpath-raw%5D)
* I feel somehow bad to read something like No, there are no such
specific targets of my residency from a WIR. Paying a WIR without
having many new interesting pictures in Commons is IMO a problem. It's
also a problem, because without these upload pictured, I don't really
see how to involve the community (also AFK) in this partnership. I
hope
the legal problems will be fixed soon @BAR.

Regards
Emmanuel

___
http://wikimedia.ch Wikimedia CH website
Wikimediach-l mailing list
https://lists.wikimedia.org/mailman/listinfo/wikimediach-l




--
Ilario Valdelli
Wikimedia CH
Verein zur Förderung Freien Wissens
Association pour l’avancement des connaissances libre
Associazione per il sostegno alla conoscenza libera
Switzerland - 8008 Zürich
Tel: +41764821371
http://www.wikimedia.ch http://www.wikimedia.ch/


___
http://wikimedia.ch Wikimedia CH website
Wikimediach-l