Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Wikipedia: Wikitech

secure.wikimedia.org is no more

 

 

Wikipedia wikitech RSS feed   Index | Next | Previous | View Threaded


faidon at wikimedia

Nov 14, 2012, 8:25 AM

Post #1 of 13 (1416 views)
Permalink
secure.wikimedia.org is no more

Hi,

Following last year's Native HTTPS efforts╣, I've pushed a change▓ today
that redirects all the old secure.wikimedia.org URLs to the respective
native HTTPS ones, e.g.
https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to
https://en.wikipedia.org/wiki/Main_Page

The redirects are HTTP temporary redirects (302) for now. I'll soon
switch them to permanent (301), please do let me know if you see any
breakage in the meantime.

Regards,
Faidon

╣: http://blog.wikimedia.org/2011/10/03/native-https-support-enabled-for-all-wikimedia-foundation-wikis/
▓: https://gerrit.wikimedia.org/r/#/c/13429/

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


innocentkiller at gmail

Nov 14, 2012, 10:47 AM

Post #2 of 13 (1377 views)
Permalink
Re: secure.wikimedia.org is no more [In reply to]

On Wed, Nov 14, 2012 at 10:48 AM, Derric Atzrott
<datzrott [at] alizeepathology> wrote:
>>Following last year's Native HTTPS efforts┬╣, I've pushed a change┬▓ today
>>that redirects all the old secure.wikimedia.org URLs to the respective
>>native HTTPS ones, e.g.
>> https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to
>> https://en.wikipedia.org/wiki/Main_Page
>>
>
> Does anyone know if EFF's HTTPS Everywhere extension is set up to redirect to
> secure.wikimedia.org? If so, someone might want to let them know that we've
> made this change.
>
> I'll volunteer to do so if no one else wishes to.
>

HTTPS Everywhere should've been updated some time ago to use
the native https urls.

-Chad

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


datzrott at alizeepathology

Nov 14, 2012, 10:48 AM

Post #3 of 13 (1374 views)
Permalink
Re: secure.wikimedia.org is no more [In reply to]

>Following last year's Native HTTPS efforts╣, I've pushed a change▓ today
>that redirects all the old secure.wikimedia.org URLs to the respective
>native HTTPS ones, e.g.
> https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to
> https://en.wikipedia.org/wiki/Main_Page
>

Does anyone know if EFF's HTTPS Everywhere extension is set up to redirect to
secure.wikimedia.org? If so, someone might want to let them know that we've
made this change.

I'll volunteer to do so if no one else wishes to.

>The redirects are HTTP temporary redirects (302) for now. I'll soon
>switch them to permanent (301), please do let me know if you see any
>breakage in the meantime.




_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


faidon at wikimedia

Nov 14, 2012, 11:16 AM

Post #4 of 13 (1383 views)
Permalink
Re: secure.wikimedia.org is no more [In reply to]

On Wed, Nov 14, 2012 at 01:48:27PM -0500, Derric Atzrott wrote:
> >Following last year's Native HTTPS efforts╣, I've pushed a change▓ today
> >that redirects all the old secure.wikimedia.org URLs to the respective
> >native HTTPS ones, e.g.
> > https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to
> > https://en.wikipedia.org/wiki/Main_Page
>
> Does anyone know if EFF's HTTPS Everywhere extension is set up to redirect to
> secure.wikimedia.org? If so, someone might want to let them know that we've
> made this change.
>
> I'll volunteer to do so if no one else wishes to.

HTTPS Everywhere is currently set up to redirect using the native HTTPS
support (http://en.wp -> https://en.wp); it used to support redirects to
secure.wikimedia.org, but Roan Kattouw and Sam Reed updated it quite a
while ago. secure.wm.org never supported HTTP and secure.wm.org HTTPS
gets redirected by our redirects without any privacy loss, so there's
nothing to add to HTTPS Everywhere that I can see.

Thanks for the offer though.

Regards,
Faidon

PS. Fun fact: HTTPS Everywhere's git master already has rules for
Wikidata & Wikivoyage, thanks to the always awesome Reedy.

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


z at mzmcbride

Nov 14, 2012, 2:56 PM

Post #5 of 13 (1365 views)
Permalink
Re: secure.wikimedia.org is no more [In reply to]

Faidon Liambotis wrote:
> Following last year's Native HTTPS efforts╣, I've pushed a change▓ today
> that redirects all the old secure.wikimedia.org URLs to the respective
> native HTTPS ones, e.g.
> https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to
> https://en.wikipedia.org/wiki/Main_Page

This is great. Thank you for your work on this. :-)

MZMcBride



_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


william.allen.simpson at gmail

Nov 15, 2012, 4:25 PM

Post #6 of 13 (1359 views)
Permalink
Re: secure.wikimedia.org is no more [In reply to]

On 11/14/12 5:56 PM, MZMcBride wrote:
> Faidon Liambotis wrote:
>> Following last year's Native HTTPS efforts╣, I've pushed a change▓ today
>> that redirects all the old secure.wikimedia.org URLs to the respective
>> native HTTPS ones, e.g.
>> https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected to
>> https://en.wikipedia.org/wiki/Main_Page
>
> This is great. Thank you for your work on this. :-)
>
Cool. Tested and works fine with HTTPS Everywhere. And thanks for all the
helpful https work in the past few years!


_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


brion at pobox

Nov 16, 2012, 1:04 PM

Post #7 of 13 (1347 views)
Permalink
Re: secure.wikimedia.org is no more [In reply to]

On Wed, Nov 14, 2012 at 8:25 AM, Faidon Liambotis <faidon [at] wikimedia>wrote:

> Following last year's Native HTTPS efforts┬╣, I've pushed a change┬▓ today
> that redirects all the old secure.wikimedia.org URLs to the respective
> native HTTPS ones, e.g.
> https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page gets redirected
> to
> https://en.wikipedia.org/wiki/Main_Page
>

Awesome! Another old hack swept away. :D

Do we have a timetable for migrating all login sessions to HTTPS yet? I
love that we've got a clean HTTPS option available, but it really skeezes
me out that we still allow logins and passwords over plain HTTP.

-- brion
_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


Platonides at gmail

Nov 17, 2012, 9:32 AM

Post #8 of 13 (1347 views)
Permalink
Re: secure.wikimedia.org is no more [In reply to]

On 16/11/12 22:04, Brion Vibber wrote:
> Awesome! Another old hack swept away. :D
>
> Do we have a timetable for migrating all login sessions to HTTPS yet? I
> love that we've got a clean HTTPS option available, but it really skeezes
> me out that we still allow logins and passwords over plain HTTP.

We have self-signed certificates, too... (bug 27291).


_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


hashar+wmf at free

Nov 17, 2012, 10:02 AM

Post #9 of 13 (1343 views)
Permalink
Re: secure.wikimedia.org is no more [In reply to]

Le 16/11/12 22:04, Brion Vibber a ├ęcrit :
<snip>
> Do we have a timetable for migrating all login sessions to HTTPS yet? I
> love that we've got a clean HTTPS option available, but it really skeezes
> me out that we still allow logins and passwords over plain HTTP.
>
> -- brion

I guess it is all about enabling $wgSecureLogin [1] which would force
the login form to use HTTPS for its POST. I speedy hacked it two years
ago and Chris Steipp has fixed it a few weeks ago.

Maybe we could enable it on test first and see how it goes?


[1] http://www.mediawiki.org/wiki/Manual:$wgSecureLogin

--
Antoine "hashar" Musso


_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


tylerromeo at gmail

Nov 17, 2012, 10:10 AM

Post #10 of 13 (1346 views)
Permalink
Re: secure.wikimedia.org is no more [In reply to]

wgSecureLogin works. I patched the broken version of it not too long ago.
Now I'm just waiting on my patch in Gerrit to turn on wgSecureLogin on WMF
wikis.
On Nov 17, 2012 1:03 PM, "Antoine Musso" <hashar+wmf [at] free> wrote:

> Le 16/11/12 22:04, Brion Vibber a ├ęcrit :
> <snip>
> > Do we have a timetable for migrating all login sessions to HTTPS yet? I
> > love that we've got a clean HTTPS option available, but it really skeezes
> > me out that we still allow logins and passwords over plain HTTP.
> >
> > -- brion
>
> I guess it is all about enabling $wgSecureLogin [1] which would force
> the login form to use HTTPS for its POST. I speedy hacked it two years
> ago and Chris Steipp has fixed it a few weeks ago.
>
> Maybe we could enable it on test first and see how it goes?
>
>
> [1] http://www.mediawiki.org/wiki/Manual:$wgSecureLogin
>
> --
> Antoine "hashar" Musso
>
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l [at] lists
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


csteipp at wikimedia

Nov 17, 2012, 11:57 AM

Post #11 of 13 (1346 views)
Permalink
Re: secure.wikimedia.org is no more [In reply to]

There is one more bug I'd like to fix before turning wgSecurelogin on.. I'm
going to get it into wmf5, and then we can turn it on.
On Nov 17, 2012 10:03 AM, "Antoine Musso" <hashar+wmf [at] free> wrote:

> Le 16/11/12 22:04, Brion Vibber a ├ęcrit :
> <snip>
> > Do we have a timetable for migrating all login sessions to HTTPS yet? I
> > love that we've got a clean HTTPS option available, but it really skeezes
> > me out that we still allow logins and passwords over plain HTTP.
> >
> > -- brion
>
> I guess it is all about enabling $wgSecureLogin [1] which would force
> the login form to use HTTPS for its POST. I speedy hacked it two years
> ago and Chris Steipp has fixed it a few weeks ago.
>
> Maybe we could enable it on test first and see how it goes?
>
>
> [1] http://www.mediawiki.org/wiki/Manual:$wgSecureLogin
>
> --
> Antoine "hashar" Musso
>
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l [at] lists
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


tylerromeo at gmail

Nov 17, 2012, 12:37 PM

Post #12 of 13 (1341 views)
Permalink
Re: secure.wikimedia.org is no more [In reply to]

Which bug is that? If there's not a patch I'll work on it ASAP. ;)

*--*
*Tyler Romeo*
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | tylerromeo [at] gmail



On Sat, Nov 17, 2012 at 2:57 PM, Chris Steipp <csteipp [at] wikimedia> wrote:

> There is one more bug I'd like to fix before turning wgSecurelogin on.. I'm
> going to get it into wmf5, and then we can turn it on.
> On Nov 17, 2012 10:03 AM, "Antoine Musso" <hashar+wmf [at] free> wrote:
>
> > Le 16/11/12 22:04, Brion Vibber a ├ęcrit :
> > <snip>
> > > Do we have a timetable for migrating all login sessions to HTTPS yet? I
> > > love that we've got a clean HTTPS option available, but it really
> skeezes
> > > me out that we still allow logins and passwords over plain HTTP.
> > >
> > > -- brion
> >
> > I guess it is all about enabling $wgSecureLogin [1] which would force
> > the login form to use HTTPS for its POST. I speedy hacked it two years
> > ago and Chris Steipp has fixed it a few weeks ago.
> >
> > Maybe we could enable it on test first and see how it goes?
> >
> >
> > [1] http://www.mediawiki.org/wiki/Manual:$wgSecureLogin
> >
> > --
> > Antoine "hashar" Musso
> >
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > Wikitech-l [at] lists
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l [at] lists
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


rlane32 at gmail

Nov 17, 2012, 8:25 PM

Post #13 of 13 (1346 views)
Permalink
Re: secure.wikimedia.org is no more [In reply to]

On Sat, Nov 17, 2012 at 9:32 AM, Platonides <Platonides [at] gmail> wrote:
> On 16/11/12 22:04, Brion Vibber wrote:
>> Awesome! Another old hack swept away. :D
>>
>> Do we have a timetable for migrating all login sessions to HTTPS yet? I
>> love that we've got a clean HTTPS option available, but it really skeezes
>> me out that we still allow logins and passwords over plain HTTP.
>
> We have self-signed certificates, too... (bug 27291).
>

Correction: a self-signed certificate on a portion of our
infrastructure we don't want as part of the cluster, where we don't
trust our star certificates to live, and where we plan on completely
changing how this works, possibly with a different hostname. All of
this is mentioned in the bug and none of it has changed. That bug has
nothing to do with this discussion.

- Ryan

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Wikipedia wikitech RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.