Countdown to SSL for all sessions?

classic Classic list List threaded Threaded
23 messages Options
12
Reply | Threaded
Open this post in threaded view
|

Re: Countdown to SSL for all sessions?

Brion Vibber-4
Ok, so we should allow non-SSL so that in totalitarian countries with
internet snooping, people can contribute to a free encyclopedia that's
generally censored by totalitarian countries anyway, in a way that their
government can snoop on their connections and see exactly what they're
doing and so put them in jail?

Maybe we should be reconsidering how we deal with Tor to allow sane
HTTPS-over-Tor connections.

-- brion




On Tue, Apr 30, 2013 at 12:59 PM, Matthew Walker <[hidden email]>wrote:

> >
> > We enabled it for about an hour previously (before reverting due to
> > the centralauth bug), and the change was barely noticeable in ganglia.
>
>
> Do we have numbers on what this did to the number of active editors during
> that time period? Esp. broken down on a per country basis?
>
> I think I want to agree with Petr -- we should not be forcing SSL always;
> we should be respecting what the user requested. In that way if it ever
> becomes enforced by a government that SSL is disallowed users may still
> contribute to the site. (Remember we block things like Tor so they can't
> even proxy around it.)
>
> Perhaps we should just make it really obvious on the login page (e.g. big
> button to login via SSL, small button to not do so.)
>
> ~Matt Walker
> Wikimedia Foundation
> Fundraising Technology Team
>
>
> On Tue, Apr 30, 2013 at 12:21 PM, Chris Steipp <[hidden email]
> >wrote:
>
> > On Tue, Apr 30, 2013 at 12:00 PM, Faidon Liambotis <[hidden email]
> >
> > wrote:
> > > That being said, my gut tells me that making all the logins SSL-enabled
> > > is not going to make a significant difference compared to current
> usage,
> > > but I don't have any numbers to back this up right now. Maybe Ryan has
> > > them.
> >
> > We enabled it for about an hour previously (before reverting due to
> > the centralauth bug), and the change was barely noticeable in ganglia.
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > [hidden email]
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> >
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: Countdown to SSL for all sessions?

Ryan Lane-2
In reply to this post by Matthew Walker
On Tue, Apr 30, 2013 at 2:59 PM, Matthew Walker <[hidden email]>wrote:

> >
> > We enabled it for about an hour previously (before reverting due to
> > the centralauth bug), and the change was barely noticeable in ganglia.
>
>
> Do we have numbers on what this did to the number of active editors during
> that time period? Esp. broken down on a per country basis?
>
> I think I want to agree with Petr -- we should not be forcing SSL always;
> we should be respecting what the user requested. In that way if it ever
> becomes enforced by a government that SSL is disallowed users may still
> contribute to the site. (Remember we block things like Tor so they can't
> even proxy around it.)
>
> Perhaps we should just make it really obvious on the login page (e.g. big
> button to login via SSL, small button to not do so.)
>
>
I know it's heretical to base what we do on more popular sites, especially
the great evil that is facebook, but let's assume they know what they are
doing. Visit facebook. Looks to me like it redirects to https even if you
specifically ask for http. Nowhere on the page does it give you an option
to switch to http. They have twice the number of users as us.

"Do we have numbers?" seems to be the death call of discussions on our
lists lately. We have examples we can look at to know what we're doing is
sensible.

- Ryan
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: Countdown to SSL for all sessions?

Tilman Bayer
In reply to this post by Matthew Walker
On Tue, Apr 30, 2013 at 12:59 PM, Matthew Walker <[hidden email]> wrote:

>>
>> We enabled it for about an hour previously (before reverting due to
>> the centralauth bug), and the change was barely noticeable in ganglia.
>
>
> Do we have numbers on what this did to the number of active editors during
> that time period? Esp. broken down on a per country basis?
>
> I think I want to agree with Petr -- we should not be forcing SSL always;
> we should be respecting what the user requested. In that way if it ever
> becomes enforced by a government that SSL is disallowed users may still
> contribute to the site. (Remember we block things like Tor so they can't
> even proxy around it.)
I don't want to drag this thread into politics, but the comparison
with blocking Tor is really not appropriate. Tor is blocked because it
would disrupt the work of the editing community, not to satisfy the
requirements of governments. And it would seem extremely weird to let
the current policies of the Iranian regime alongside a past measure of
the Belarusian one determine the default setup of Wikimedia sites.

>
> Perhaps we should just make it really obvious on the login page (e.g. big
> button to login via SSL, small button to not do so.)
>
> ~Matt Walker
> Wikimedia Foundation
> Fundraising Technology Team
>
>
> On Tue, Apr 30, 2013 at 12:21 PM, Chris Steipp <[hidden email]>wrote:
>
>> On Tue, Apr 30, 2013 at 12:00 PM, Faidon Liambotis <[hidden email]>
>> wrote:
>> > That being said, my gut tells me that making all the logins SSL-enabled
>> > is not going to make a significant difference compared to current usage,
>> > but I don't have any numbers to back this up right now. Maybe Ryan has
>> > them.
>>
>> We enabled it for about an hour previously (before reverting due to
>> the centralauth bug), and the change was barely noticeable in ganglia.
>>
>> _______________________________________________
>> Wikitech-l mailing list
>> [hidden email]
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l



--
Tilman Bayer
Senior Operations Analyst (Movement Communications)
Wikimedia Foundation
IRC (Freenode): HaeB

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
12