HTTPS - Meta-Wiki
Jump to content
From Meta, a Wikimedia project coordination wiki
In other languages:
العربية
(ar)
(en)
(es)
فارسی
(fa)
(fr)
italiano
(it)
(ja)
Nederlands
(nl)
português
(pt)
русский
(ru)
edit
This page is about the 2013 and 2015 changes to Wikimedia servers to require HTTPS. Unencrypted access with HTTP is no longer possible.
HTTPS
(Hypertext Transfer Protocol Secure)
is a web protocol that improves the security of communication between the user and the server. With it enabled:
you can be sure the content you are viewing has not been modified by any intermediary such as an ISP or government system;
it makes it much more difficult (but not impossible) for a third party to determine what article you are viewing,
you can be sure nobody can change the content of your edits during their transport to the Wikimedia servers, and
you can be sure that nobody can take over your account by stealing your password or session cookie.
The continued work to improve the security and privacy of Wikimedia project users is a stated goal of the Wikimedia Foundation. This work has been escalated in prominence by the United States
National Security Agency (NSA)
domestic spying scandal revealed by
Edward Snowden
in the summer of 2013. The Wikipedia project was referenced in several documents as a specific source for tracking users’ behavior online.
Browsing the web via the insecure HTTP protocol allows third-parties to track what pages you view and information you send online.
Wikimedia used to have a dedicated secure server (secure.wikimedia.org) for HTTPS connections.
Now, all connections to Wikimedia projects are encrypted, and unencrypted access is no longer possible
, and the URL above redirects to the appropriate Wikimedia project.
What this means for you
edit
In addition to the previous improvements to privacy and security on Wikimedia sites (see below), on Wednesday, August 28, 2013, at 1 pm PDT, the Wikimedia Foundation defaulted to HTTPS for all logged-in users. How this works is simple: If a user wants to log in, the login will happen over HTTPS (thus keeping their username and password secure), and after they are logged in they stay on the HTTPS version of the Wikimedia site they are using.
Proxies
edit
If you are behind a proxy, for instance, a caching proxy to improve web experience in a place with bad networking, and the proxy prevents you from using Wikimedia sites over HTTPS, please contact the maintainers of the proxy and ask them if they can fix it, and if not why.
In limited, controlled environments like schools and corporations, where the entity also controls the browsers/devices, they can technically proxy cache HTTPS. There are commercial solutions to do so which rely on, basically, installing a fake root certificate into the browsers/OSes, which their proxy cache uses to generate fake SSL certs for the sites being proxied, etc.
Help! My code is broken!
edit
Are you a bot maintainer or Gadget author and you're seeing weird or broken behavior after this switch? Hopefully, you can fix that easily.
For Gadget authors, simply modifying any hardcoded URLs from "http://..." to "//..." should fix the issue (this is called using "protocol relative URLs").
For bot maintainers, you have a couple of choices. Either login as the bot and select the preference to not use HTTPS for that account, or update your code to use SSL instead. If you use Pywikibot, please update to the latest version (More technical details:
[1]
[2]
) and read
this
mailing list post for more information.
Various problems
edit
Redirects to sec-warning
edit
When Wikimedia is deprecating outdated security protocols, users may be redirected increasingly often to a page titled:
Your Browser's Connection Security is Outdated
. This means that you should update your browser
Browser and/or Operating System
because otherwise you will soon not be able to connect to Wikimedia websites.
Autocomplete no longer working
edit
Users of Internet Explorer 8, 9 and 10 report that auto-complete of the edit summary field no longer works under HTTPS. This issue can be fixed by upgrading to Internet Explorer 11.
Bots
edit
API requests are now being forced redirected to HTTPS on some languages. On most bot frameworks, this should just work, but a few bot maintainers have reported problems. If your bot has problems, make sure that the library you are using supports HTTPS, and has access to appropriate root certificates.
Missing images
edit
If images are missing, check if you can see for instance
this thumb image from Commons
. If you get a certificate warning please see the
next section about this
Missing scripts
edit
If you had custom scripts that you retrieved by calling a function
loadJS
or
importScriptUri
, you should change the function or the syntax to call scripts with
"http
://..."
or better yet, with protocol-relative URL's like this,
"//..."
without the
http:
or
https:
. In any case, there is a generic function in the
MediaWiki:Common.js
of your wiki that is preferable to a custom function.
If you are still using syntax like
document
write
''
);
replace it immediately with
mw.loader.load
, because the
document.write
methodology can easily break in certain browsers.
Certificate error or warning
edit
If your browser silently removes the safe in the address bar (or bottom of your browser) or explicitly issues a warning:
you can check if your computer clock is up-to-date: since the HTTPS certificate is valid during a specific time range (January 2012-January 2016 for Wikimedia projects), any bad clock will generate a warning;
you can check whether you have the authority certificate with the following explanations; if you don’t find it, please report in the
talk page
Firefox: go to Edit > Preferences > Advanced > Encryption > View Certificates > Authorities and you should find the certificate "Digicert Inc" > "DigiCert High Assurance EV Root CA";
Opera: go to Tools > Preferences > Advanced > Security > Manage Certificates > Authorities and you should find the certificate "DigiCert High Assurance EV Root CA";
check the site you are visiting is really Wikipedia or a Wikimedia project: the address bar should be
or the exact name of your project; if there are strange characters in the address bar (dashes in the project name, unusual slashes, etc.) this is possibly a fake website, please report it in the talk page
check if you also have a certificate error in the domains
upload.wikimedia.org
and
bits.wikimedia.org
report it in the
talk page
and specify your browser, your browser version (generally in the browser menu Help > About), your operating system and its version.
Effect on unregistered contributors
edit
Switching completely to HTTPS makes the connection permanent—you won't be able to disable it. This mandatory change is essential because it stops hackers from using an SSL-stripping attack to make your connection insecure.
History of HTTPS at WMF
edit
Initial activation in 2005
edit
HTTPS was first activated on the Wikimedia projects
by Brion in December 2005
, although it was on special URLs of the form
and it was quite slow and unscalable (one single server for this task), making it unsuitable for everyone’s use.
Large-scale deployment in 2011
edit
HTTPS with canonical URLs
http
://en.wikipedia.org/wiki/Main_Page
was activated in
October 2011
, after months of effort to make it work in a cache-friendly manner. This meant that
protocol-relative links
could be used, to avoid caching two versions of the same page;
correctly setting up servers and caching to handle HTTPS; and
ensuring that all resources were served using the same protocol, either HTTP or HTTPS, to avoid mixed content on the page (mixed content negates the secure state of the page).
This deployment of HTTPS was described in
Wikimedia engineering reports
from
May 2011
to
December 2011
August 28, 2013 - Secure log-in, with secure browsing and editing for logged in users
edit
Per the plan laid out in the blog post titled "
The future of HTTPS on Wikimedia Projects
", as of Wednesday, August 28, 2013 at 1pm PDT (that's 20:00 UTC), logging in will be done using HTTPS for the majority of editors and projects. (We originally announced that the change would take place on August 21st; we've pushed that date one week back.
) Logged-in users will browse and edit using HTTPS by default.
2015
edit
In June 2015, the WMF
announced
the ongoing transition of all of the Wikimedia wikis to HTTPS, without an ability to opt out.
All wikis are now converted to HTTPS-only. Converting to HTTPS-only entails the following:
The HTML
tag is set to HTTPS. This tells search engines to return the HTTPS version in search results.
8f99d5f4a5009b4a
When visiting the http project in question, the web browser receives a redirect (
HTTP 301
). This tells the web browser that the website has permanently moved to the HTTPS version.
cfc9dbe40323b3157
HSTS
headers are enabled. This tells the web browser that once it has visited the website over HTTPS once, it must always use HTTPS in the future. This prevents people from "opting-out" of HTTPS, but is required to prevent certain attacks on HTTPS where a malicious person could trick the browser into loading the unsecured HTTP version (and then hijack the page) even if the user would normally use HTTPS.
c8d38e4aabb327273de
Later on, long-term (1 year) HSTS was enabled, and Wikimedia projects were added to browser HSTS pre-load lists.
Rolling improvements
edit
Wikimedia routinely increases security by removing support for older security algorithms and protocols, following the advice and progress of the major browser vendors and the global security community. Users affected by such removals will gradually see increasing occurrences of being redirected to the
sec-warning page
, until they will no longer be able to reach Wikimedia websites altogether. The policy for this is documented on
wikitech:HTTPS
2021
edit
HTTPS/2021 Let's Encrypt root expiry
Links
edit
General links:
Wikipedia:Secure server
on the English Wikipedia
HTTP Secure (HTTPS)
article on the English Wikipedia
HTTPS/Discussions
: subpage with topics around HTTPS and past discussions
HTTPS/Beta program
: A signup page for projects wishing to join the HTTPS beta program
History:
Activation of the experimental HTTPS server in 2005
Activation of the canonical HTTPS in October 2011
The future of HTTPS on Wikimedia projects
(English, 中文) (
Operations:
phabricator:tag/https-by-default/
Tracking bug about HTTPS
Https on wikitech wiki
Initial wikitech discussion on implementation next steps
References
edit
Jimmy Wales’ tweet
, see the linked image leaked from a "top secret" document.
"Wikitech-l: HTTPS for logged in users delayed. New date: August 28"
See also
edit
Persian Wikipedia stance
Retrieved from "
Category
Wikimedia Foundation technical notices
HTTPS
Add topic
US