The future of HTTPS on Wikimedia projects – Diff
The Wikimedia Foundation believes strongly in protecting the privacy of its readers and editors. Recent leaks of the NSA’s XKeyscore program have prompted our community members to push for the use of HTTPS by default for the Wikimedia projects. Thankfully, this is already a project that was being considered for this year’s official roadmap and it has been on our unofficial roadmap since native HTTPS was enabled.
Our current architecture cannot handle HTTPS by default, but we’ve been incrementally making changes to make it possible. Since we appear to be specifically targeted by XKeyscore, we’ll be speeding up these efforts. Here’s our current internal roadmap:
1. Redirect to HTTPS for log-in, and keep logged-in users on HTTPS. This change is scheduled to be deployed on August 21, at 16:00 UTC. Update as of 21 August: we have delayed this change and will now deploy it on Wednesday, August 28 at 20:00 UTC/1pm PT.
2. Expand the HTTPS infrastructure: Move the SSL terminators directly onto the frontend varnish caches, and expand the frontend caching clusters as necessitated by increased load.
3. Put in engineering effort to more properly distribute our SSL load across the frontend caches. In our current architecture, we’re using a source hashing based load balancer to allow for SSL session resumption. We’ll switch to an SSL terminator that supports a distributed SSL cache, or we’ll add one to our current solution. Doing so will allow us to switch to a weighted round-robin load balancer and will result in a more efficient SSL cache.
4. Starting with smaller projects, slowly soft-enable HTTPS for anonymous users by default, gradually moving toward soft-enabling it on the larger projects as well. By soft-enable we mean changing our rel=canonical links in the head section of our pages to point to the HTTPS version of pages, rather than the HTTP versions. This will cause search engines to return HTTPS results, rather than HTTP results.
5. Consider enabling perfect forward secrecy. Enabling perfect forward secrecy is only useful if we also eliminate the threat of traffic analysis of HTTPS, which can be used to detect a user’s browsing activity, even when using HTTPS.
6. Consider doing a hard-enable of HTTPS. By hard-enable we mean force redirecting users from HTTP pages to the HTTPS versions of those pages. A number of countries, China being the largest example, completely block HTTPS to Wikimedia projects, so doing a hard-enable of HTTPS would probably block large numbers of users from accessing our projects at all. Because of this, we feel this action would probably do more harm than good, but we’ll continue to evaluate our options here.
7. Consider enabling HTTP Strict Transport Security (HSTS) to protect against SSL-stripping man-in-the-middle attacks. Implementing HSTS could also lead to our projects being inaccessible for large numbers of users as it forces a browser to use HTTPS. If a country blocks HTTPS, then every user in the country that received an HSTS header would effectively be blocked from the projects.
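The load-balancing trade-off in item 3, as an added example (not Wikimedia's code): a small simulation of per-terminator versus shared session caches under source hashing and weighted round-robin. All names, the client mix, the SHA-256 stand-in hash and the simplified session model (the same session ID is re-cached after a miss, session tickets are ignored) are assumptions for illustration.

```python
import hashlib
from itertools import cycle

def source_hash(n):
    # Same source IP always maps to the same terminator (SHA-256 is a stand-in hash).
    return lambda ip: int.from_bytes(hashlib.sha256(ip.encode()).digest()[:4], "big") % n

def weighted_round_robin(weights):
    # Naive WRR: terminator b appears weights[b] times per cycle; source IP is ignored.
    order = cycle([b for b, w in enumerate(weights) for _ in range(w)])
    return lambda ip: next(order)

def simulate(pick, clients, n=4, shared_cache=False, rounds=5):
    """Return (resumption hit rate on reconnects, connections per terminator)."""
    shared = set()
    caches = [shared if shared_cache else set() for _ in range(n)]
    load, hits, reconnects = [0] * n, 0, 0
    for r in range(rounds):
        for session_id, src_ip in clients:
            b = pick(src_ip)
            load[b] += 1
            if r > 0:                      # round 0 is always a full handshake
                reconnects += 1
                hits += session_id in caches[b]
            caches[b].add(session_id)      # simplified: session is now known here
    return hits / reconnects, load

# Constructed sample: 60 clients behind one NAT address, 41 with their own address.
CLIENTS = [(f"sess-{i}", "198.51.100.1") for i in range(60)] + \
          [(f"sess-{i}", f"203.0.113.{i}") for i in range(60, 101)]

def compare():
    wrr = lambda: weighted_round_robin([1, 1, 1, 1])
    return {
        "source_hash/local": simulate(source_hash(4), CLIENTS),
        "wrr/local": simulate(wrr(), CLIENTS),
        "wrr/shared": simulate(wrr(), CLIENTS, shared_cache=True),
    }

if __name__ == "__main__":
    for name, (rate, load) in compare().items():
        print(f"{name:18} resumption={rate:.0%} load={load}")
```

Source hashing resumes every session but piles the NAT's clients onto one terminator; round-robin evens the load and only keeps resumption working once the cache is shared.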
Currently we don’t have time frames associated with any change other than redirecting logged-in users to HTTPS, but we will be making time frames internally and will update this post at that point.
Until HTTPS is enabled by default, we urge privacy-conscious users to use HTTPS Everywhere or Tor [1].
Ryan Lane
Operations Engineer, Wikimedia Foundation
[1]: There are restrictions with Tor; see Wikipedia’s information on this.
Archive notice:
This is an archived post from blog.wikimedia.org, which operated under different editorial and content guidelines than Diff.