I don’t see precisely how mandatory HTTPS could help spread the knowledge;
accordingly if users feel themselves spied and it prevent them to
contribute, yes, HTTPS helps; but if others feel cluttered by HTTPS (time
load, unfriendly firewalls, various problems), it could also lower the
number of editors.
On another side HTTPS is quite useless if users click-through any warning
("You are spied.": "Ok"/close me that ad → privacy education); anyway
encryption and code breaking is always a cat-and-mouse play, and we sould
have to carefully monitor state of the art if we really want to protect
the users; but imho it’s not our vision.
For HTTPS, I would like to see the users opt-in to the security they want:
e.g. if they write about intelligence, they probably know the dangers
about being spied and want minimize it as part of other means; if they
write about butterflies, perhaps they don’t matter about being spied. For
specific-rights editors security could be enforced, but possibly with
other means than encryption; e.g. if an oversight has to hide an article,
it is primarly needed to be sure the user has oversight rights
(authorisation), and it is not really useful to hide what article it is
(it was public). Accordingly for checkusers, we want the IPs stay private
(encrypted during the transport). This point is: HTTPS is not the solution
to all problems.
For HTTPS I see some security levels chosed by the users: no HTTPS at all
(Chinese users), equal HTTP/HTTPS (butterflies editor), prefered HTTPS
(privacy-conscious editor, but travelling to China regularly), always
HTTPS or nothing (intelligence editor). And this could be also implemented
for readers during their session. This option is politically neutral, it
just let the user choose.
Sébastien
Le Tue, 03 Sep 2013 21:38:36 +0200, Terry Chay <[email protected]> a
écrit:
This part of the discussion has strayed a bit far from the politics of
encryption. ;-)
Not that it doesn't have value, but if I can bring it back on-topic for
a moment…
The gist of the HTTPS issues is that it's simply not an engineering
discussion, it's a political one. The abuses recently revealed in the
United States is either orthogonal to the issue of the politics of
encryption (in that HTTPS encryption in China, Iran, and the future is
in discussion), or is the direct salient (in that it is a prime
motivator for accelerating HTTPS rollout which has triggered this issue).
I, for one, would like to see the discussion of what to do. I'm of the
believe that there is no simple engineering decision without introducing
practical, political, legal, and moral complications. I suspect that
even the more clever or complex ones also introduce these issues. It's
important to outline what our choices are and the consequences of those
choices, and derive consensus on what the right choice is going forward,
as it is clear what we have now[1] is a temporary band-aid.[2]
I'm less sanguine about Erik's suggestion that creating a deadline to
HTTP-canonical will actually get us to an adequate resolution. The
reason is simply—whatever I think of Google personally—I feel Google has
a highly-capable, highly-motivated, engineering-driven staff, and they
were unable to come up with a workable solution. Unlike Google, we have
a clear sense about what motivates us[3], so we need to figure out how
best to get there/interpret it.
[1]:
http://blog.wikimedia.org/2013/08/28/https-default-logged-in-users-wikimedia-sites/
[2]: Maybe start an RfC or other wiki page on Meta with a summary of the
discussion so far?
[3]: http://wikimediafoundation.org/wiki/Vision
Take care,
terry
On Sep 3, 2013, at 11:50 AM, Kirill Lokshin <[email protected]>
wrote:
The thing is, it's kind of a crapshoot anyways. You might see
something that you think might be classified and report it; but, unless
you actually have the corresponding clearance yourself, you have no way
of knowing for certain whether the material is in fact classified in
the first place. Conversely, anyone who does have that information is
unlikely to confirm it one way or the other, for obvious reasons.
To make things even more convoluted, reporting certain kinds of
material to the WMF could itself potentially be considered illegal in
some circumstances, since not everyone at the WMF is considered a "US
person" for ITAR purposes.
Kirill
On Sep 3, 2013, at 2:34 PM, "Fred Bauder" <[email protected]>
wrote:
To be fair, none of the people receiving requests through legal@ or
emergency@ have security clearances either.
Kirill
True, but there are not so many of them. I'm not sure if a request
about
a major matter has ever been made through any channel. In a way, that
is
kind of a dumb move.
Fred
_______________________________________________
Wikimedia-l mailing list
[email protected]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
<mailto:[email protected]?subject=unsubscribe>
_______________________________________________
Wikimedia-l mailing list
[email protected]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
<mailto:[email protected]?subject=unsubscribe>
