I don’t see precisely how mandatory HTTPS could help spread the knowledge;
accordingly if users feel themselves spied and it prevent them to
contribute, yes, HTTPS helps; but if others feel cluttered by HTTPS (time
load, unfriendly firewalls, various problems), it could also lower the
number of editors.

On another side HTTPS is quite useless if users click-through any warning
("You are spied.": "Ok"/close me that ad → privacy education); anyway
encryption and code breaking is always a cat-and-mouse play, and we sould
have to carefully monitor state of the art if we really want to protect
the users; but imho it’s not our vision.

For HTTPS, I would like to see the users opt-in to the security they want:
e.g. if they write about intelligence, they probably know the dangers
about being spied and want minimize it as part of other means; if they
write about butterflies, perhaps they don’t matter about being spied. For
specific-rights editors security could be enforced, but possibly with
other means than encryption; e.g. if an oversight has to hide an article,
it is primarly needed to be sure the user has oversight rights
(authorisation), and it is not really useful to hide what article it is
(it was public). Accordingly for checkusers, we want the IPs stay private
(encrypted during the transport). This point is: HTTPS is not the solution
to all problems.

For HTTPS I see some security levels chosed by the users: no HTTPS at all
(Chinese users), equal HTTP/HTTPS (butterflies editor), prefered HTTPS
(privacy-conscious editor, but travelling to China regularly), always
HTTPS or nothing (intelligence editor). And this could be also implemented
for readers during their session. This option is politically neutral, it
just let the user choose.

Sébastien


Le Tue, 03 Sep 2013 21:38:36 +0200, Terry Chay <tc...@wikimedia.org> a
écrit:
This part of the discussion has strayed a bit far from the politics of encryption. ;-)

Not that it doesn't have value, but if I can bring it back on-topic for a moment…

The gist of the HTTPS issues is that it's simply not an engineering discussion, it's a political one. The abuses recently revealed in the United States is either orthogonal to the issue of the politics of encryption (in that HTTPS encryption in China, Iran, and the future is in discussion), or is the direct salient (in that it is a prime motivator for accelerating HTTPS rollout which has triggered this issue).

I, for one, would like to see the discussion of what to do. I'm of the believe that there is no simple engineering decision without introducing practical, political, legal, and moral complications. I suspect that even the more clever or complex ones also introduce these issues. It's important to outline what our choices are and the consequences of those choices, and derive consensus on what the right choice is going forward, as it is clear what we have now[1] is a temporary band-aid.[2]

I'm less sanguine about Erik's suggestion that creating a deadline to HTTP-canonical will actually get us to an adequate resolution. The reason is simply—whatever I think of Google personally—I feel Google has a highly-capable, highly-motivated, engineering-driven staff, and they were unable to come up with a workable solution. Unlike Google, we have a clear sense about what motivates us[3], so we need to figure out how best to get there/interpret it.

[1]: http://blog.wikimedia.org/2013/08/28/https-default-logged-in-users-wikimedia-sites/ [2]: Maybe start an RfC or other wiki page on Meta with a summary of the discussion so far?
[3]: http://wikimediafoundation.org/wiki/Vision

Take care,

terry

On Sep 3, 2013, at 11:50 AM, Kirill Lokshin <kirill.loks...@gmail.com> wrote:

The thing is, it's kind of a crapshoot anyways. You might see something that you think might be classified and report it; but, unless you actually have the corresponding clearance yourself, you have no way of knowing for certain whether the material is in fact classified in the first place. Conversely, anyone who does have that information is unlikely to confirm it one way or the other, for obvious reasons.

To make things even more convoluted, reporting certain kinds of material to the WMF could itself potentially be considered illegal in some circumstances, since not everyone at the WMF is considered a "US person" for ITAR purposes.

Kirill

On Sep 3, 2013, at 2:34 PM, "Fred Bauder" <fredb...@fairpoint.net> wrote:

To be fair, none of the people receiving requests through legal@ or
emergency@ have security clearances either.

Kirill

True, but there are not so many of them. I'm not sure if a request about a major matter has ever been made through any channel. In a way, that is
kind of a dumb move.

Fred



_______________________________________________
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>

_______________________________________________
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
<mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>

Reply via email to