Wikipedia embraces HTTPS

Graham Cluley

Wikipedia has announced in a blog post that it is switching its systems in order to deliver all of its content via encrypted HTTPS connections:

“The HTTPS protocol creates an encrypted connection between your computer and Wikimedia sites to ensure the security and integrity of data you transmit. Encryption makes it more difficult for governments and other third parties to monitor your traffic. It also makes it harder for Internet Service Providers (ISPs) to censor access to specific Wikipedia articles and other information.”

In other words, you should start to see the little green padlock in your browser’s address bar, confirming a secure connection is in place – and your browsing of Wikipedia articles cannot be snooped upon.

The world’s biggest encyclopedia of knowledge (and nonsense) says that it has been working on the switch for some years, and that surfers have been able to manually choose HTTPS connections to Wikipedia for some time. But it sounds as if it will soon be the only way to access the site.

The only fly in the ointment is that parts of the world with lower-quality internet connections, or with restrictions on freedom of information, may find their access to Wikipedia more challenging, in spite of “efforts to minimize negative impacts related to latency, page load times, and user experience.”

Still, a strong message has been sent out. Encryption is the future.

“We believe encryption makes the web stronger for everyone. In a world where mass surveillance has become a serious threat to intellectual freedom, secure connections are essential for protecting users around the world. Without encryption, governments can more easily surveil sensitive information, creating a chilling effect, and deterring participation, or in extreme cases they can isolate or discipline citizens. Accounts may also be hijacked, pages may be censored, other security flaws could expose sensitive user information and communications. Because of these circumstances, we believe that the time for HTTPS for all Wikimedia traffic is now. We encourage others to join us as we move forward with this commitment.”

Bravo to that!

Just last week I reported how all US .gov websites were being ordered to also go HTTPS-only… putting it in conflict with intelligence agencies who are arguing that encryption technology is hindering surveillance capabilities.

Well, yes. Encryption does hinder surveillance.

But that’s not a good reason to weaken the security and privacy of the internet’s vast majority of law-abiding users. We lose much more by weakening the security and privacy of the masses than we gain fighting the bad guys.

Encryption is a good thing. Well done to Wikipedia, one of the web’s most popular sites, for sending such a clear message.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “Wikipedia embraces HTTPS”

  1. I'm not quite sure how this helps. Sure, the data is encrypted, but the URLs are not, so the Government or your ISP can still see where you've been, they just can't see what's been uploaded or downloaded. So, unless you're uploading something illegally or morally wrong, I don't see how this will help.

    1. It is the content that matters in the end; name isn't a 100% indication of content (and therefore legality)[1]. That being said, while encryption is important, the fact there are so many CAs (certificate authorities, an important component of HTTPS) and that they're the (third party) entities that state whether the certificate is to be trusted or not, is also an issue. That isn't even including the issue for not for profits (and I'm afraid free certificates only add fuel to the fire… because in the end the system has flaws; it all revolves around trusting an additional party as well as what makes a certificate 'legit'). Yet what else can be done? There are some other solutions but they aren't as widely supported (somewhat like DNSSEC; they are not widely deployed/supported and in fact one such method involves DNS: see https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities if you're curious).

      The issue, then, is this: there are problems on either end (the standards/rules themselves) and as a result there is less encryption everywhere. For the web it is most prevalent (and to the average user it is one of the only if not the only place it is problematic). For other services it is far less of an issue because you don't need a third party in the first place. The problem isn't encryption itself and that I feel is the point Graham is making: encryption is important (for everyone) and the more encryption the better.

      [1] If a website has a directory called 'illegal' it doesn't mean it has illegal content; it might have documents on legalities of something or many things (or personal views on laws that are stupid, harmful, outdated, etc.). It might even be a misdirection (and it might not; only the content can tell). Yet the directory is still part of a resource identifier.
