>To be truly free, access to knowledge must be secure and uncensored. At the
>Wikimedia Foundation, we believe that you should be able to use Wikipedia
>and the Wikimedia sites without sacrificing privacy or safety.
>Today, we’re happy to announce that we are in the process of implementing
>HTTPS <https://en.wikipedia.org/wiki/HTTPS> to encrypt all Wikimedia
>traffic. We will also use HTTP Strict Transport Security
><https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security> (HSTS) to
>protect against efforts to ‘break’ HTTPS and intercept traffic. With this
>change, the nearly half a billion people who rely on Wikipedia and its
>sister projects every month will be able to share in the world’s knowledge
>more securely.

Well this is a great move, and I applaud it (About time :), until such
a time as IPSec is fully deployed, isn't that a little misleading as
to the actual security afforded by this change? There is quite a lot
of evidence that the NSA is slurping up data from unsecured inter-data-
centre links of other people [1], seems unlikely that they are
ignoring us.

I also think we should have a more balanced position on how much
privacy TLS actually provides in the context of Wikipedia, so that
users can be properly informed. Sure, TLS is a step in the right
direction, probably stops most less well-funded adversaries, but it's
not a panacea. In the case of Wikipedia, the content of every page is
not static, but it is totally public, so Wikipedia is probably the
ideal target of traffic analysis type attacks against SSL. That sort
of thing is almost certainly more expensive than just grepping
packets, but surely seems to be within the budget of the NSA to do,
even in a bulk manner (Assuming that non-targeted surveillance by a
state level adversary is the unspoken threat model we're trying to
defend against).


[1] https://en.wikipedia.org/wiki/Muscular_%28surveillance_program%29
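
Added example, not part of the original message or of any Wikimedia code: a defender-side estimate of how far response length alone narrows down which public page was fetched over TLS, and how padding responses to a fixed block size enlarges each page's anonymity set. The page names, sizes and block sizes are constructed, and the model assumes the observer sees only the total response length.

```python
from collections import Counter

# Constructed sample: page title -> response size in bytes (not real measurements).
PAGE_SIZES = {
    "Article_A": 48213,
    "Article_B": 48213,
    "Article_C": 51902,
    "Article_D": 7410,
    "Article_E": 7988,
    "Article_F": 130554,
}


def padded(size, block):
    """Round size up to the next multiple of block (block=1 means no padding)."""
    return -(-size // block) * block


def anonymity_sets(sizes, block=1):
    """Map each page to the number of pages sharing its observable length."""
    observed = {page: padded(n, block) for page, n in sizes.items()}
    counts = Counter(observed.values())
    return {page: counts[length] for page, length in observed.items()}


def uniquely_identifiable(sizes, block=1):
    """Pages that an observer of lengths alone could pin down exactly."""
    return sorted(p for p, k in anonymity_sets(sizes, block).items() if k == 1)


def padding_overhead(sizes, block):
    """Fraction of extra bytes sent because of padding."""
    raw = sum(sizes.values())
    return (sum(padded(n, block) for n in sizes.values()) - raw) / raw


if __name__ == "__main__":
    # Compare no padding against two constructed block sizes.
    for block in (1, 8192, 65536):
        exposed = uniquely_identifiable(PAGE_SIZES, block)
        cost = padding_overhead(PAGE_SIZES, block)
        print(f"block={block:>6} exposed={len(exposed)}/{len(PAGE_SIZES)} "
              f"overhead={cost:.1%}")
```

Running the same measurement over a site's real response sizes shows which pages need larger padding blocks before they stop being distinguishable by length.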
