On 08/17/2013 06:47 AM, Faidon Liambotis wrote:
> On Fri, Aug 16, 2013 at 08:04:24PM -0400, Zack Weinberg wrote:
>> Hi, I'm a grad student at CMU studying network security in general
>> and censorship / surveillance resistance in particular. I also used
>> to work for Mozilla; some of you may remember me in that capacity. My
>> friend Sumana Harihareswara asked me to comment on Wikimedia's plans
>> for hardening the encyclopedia against state surveillance.
>> <snip>
>
> First of all, thanks for your input. It's much appreciated. As I'm sure
> Sumana has already mentioned, all of our infrastructure is being
> developed in the open using free software and we'd also be very happy to
> accept contributions in code/infrastructure-as-code as well.
>
> That being said, literally everything in your mail has already been
> considered and discussed multiple times :), plus a few others you didn't
> mention (GCM ciphers, OCSP stapling, SNI & split certificates,
> short-lived certificates, ECDSA certificates). A few have been
> discussed on wikitech, others are under internal discussion &
> investigation by some of us with findings to be posted here too when we
> have something concrete.
>
> I don't mean this to sound rude, but I think you may be oversimplifying
> the situation quite a bit.
Thanks to both of you, and to everyone on these threads, for thinking about and working on these issues. I apologize for not quite briefing Zack enough before asking him to share his thoughts -- I presumed that
https://blog.wikimedia.org/2013/08/01/future-https-wikimedia-projects/ ,
http://www.gossamer-threads.com/lists/wiki/wikitech/378169 and
http://www.gossamer-threads.com/lists/wiki/wikitech/378940 , and the "NSA" and "Disinformation regarding perfect forward secrecy for HTTPS" threads in
http://lists.wikimedia.org/pipermail/wikimedia-l/2013-August/thread.html
would be enough for him to get started with. I probably should have done more research.

> We'll keep wikitech - and blog, where appropriate - up to date with our
> plans as these evolve.

I suggest that we also update either https://meta.wikimedia.org/wiki/HTTPS or a hub page on http://wikitech.wikimedia.org/ or https://www.mediawiki.org/wiki/Security_auditing_and_response with up-to-date plans, to make it easier for experts inside and outside the Wikimedia community to get up to speed and contribute. For topics under internal discussion and investigation, I would love a simple bullet point saying: "we're thinking about that, sorry nothing public or concrete yet, contact $person if you have experience to share."

> In the meantime, feel free to dive into our puppet
> repository and see our setup and make your suggestions :)

You can browse that repository at https://git.wikimedia.org/summary/?r=operations/puppet.git and you can learn how to contribute a patch at https://wikitech.wikimedia.org/wiki/Puppet_coding (using Git and Gerrit the way we do per https://www.mediawiki.org/wiki/Gerrit/Tutorial ).

> Best,
> Faidon
> (wmf ops)

Thanks again!

--
Sumana Harihareswara
Engineering Community Manager
Wikimedia Foundation

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
