Wikipedia embraces HTTPS

Wikipedia has announced in a blog post that it is switching its systems in order to deliver all of its content via encrypted HTTPS connections:

"The HTTPS protocol creates an encrypted connection between your computer and Wikimedia sites to ensure the security and integrity of data you transmit. Encryption makes it more difficult for governments and other third parties to monitor your traffic. It also makes it harder for Internet Service Providers (ISPs) to censor access to specific Wikipedia articles and other information."

In other words, you should start to see the little green padlock in your browser's address bar, confirming a secure connection is in place - and your browsing of Wikipedia articles cannot be snooped upon.


The world's biggest encyclopedia of knowledge (and nonsense) says that it has been working on the switch for some years, and that surfers have been able to manually choose HTTPS connections to Wikipedia for some time. But it sounds as if it will soon be the only way to access the site.

The only fly in the ointment is that parts of the world with lower-quality internet connections, or where there are restrictions on freedom of information, may find their access to Wikipedia more challenging, in spite of "efforts to minimize negative impacts related to latency, page load times, and user experience."

Still, a strong message has been sent out. Encryption is the future.

"We believe encryption makes the web stronger for everyone. In a world where mass surveillance has become a serious threat to intellectual freedom, secure connections are essential for protecting users around the world. Without encryption, governments can more easily surveil sensitive information, creating a chilling effect, and deterring participation, or in extreme cases they can isolate or discipline citizens. Accounts may also be hijacked, pages may be censored, other security flaws could expose sensitive user information and communications. Because of these circumstances, we believe that the time for HTTPS for all Wikimedia traffic is now. We encourage others to join us as we move forward with this commitment."

Bravo to that!

Just last week I reported how all US .gov websites were being ordered to also go HTTPS-only... putting it in conflict with intelligence agencies who are arguing that encryption technology is hindering surveillance capabilities.

Well, yes. Encryption does hinder surveillance.

But that's not a good reason to weaken the security and privacy of the internet's vast majority of law-abiding users. We lose much more by weakening the security and privacy of the masses than we gain fighting the bad guys.

Encryption is a good thing. Well done to Wikipedia, one of the web's most popular sites, for sending such a clear message.


2 Responses

  1. Daz

    June 17, 2015 at 2:01 pm

    I'm not quite sure how this helps. Sure, the data is encrypted, but the URLs are not, so the Government or your ISP can still see where you've been, they just can't see what's been uploaded or downloaded. So, unless you're uploading something illegally or morally wrong, I don't see how this will help.

    • Coyote in reply to Daz.

      June 17, 2015 at 11:33 pm

      It is the content that matters in the end; name isn't a 100% indication of content (and therefore legality)[1]. That being said, while encryption is important, the fact there are so many CAs (certificate authorities, an important component of https) and that they're the (third party) entities that state whether the certificate is to be trusted or not, is also an issue. That isn't even including the issue for not-for-profits (and I'm afraid free certificates only add fuel to the fire… because in the end the system has flaws; it all revolves around trusting an additional party as well as what makes a certificate 'legit'). Yet what else can be done? There are some other solutions but they aren't as widely supported (somewhat like DNSSEC; they are not widely deployed/supported and in fact one such method involves DNS: see https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities if you're curious).

      The issue, then, is this: there are problems on either end (the standards/rules themselves) and as a result there is less encryption everywhere. For the web it is most prevalent (and to the average user it is one of the only if not the only place it is problematic). For other services it is far less of an issue because you don't need a third party in the first place. The problem isn't encryption itself and that I feel is the point Graham is making: encryption is important (for everyone) and the more encryption the better.

      [1] If a website has a directory called 'illegal' it doesn't mean it has illegal content; it might have documents on legalities of something or many things (or personal views on laws that are stupid, harmful, outdated, etc.). It might even be a misdirection (and it might not; only the content can tell). Yet the directory is still part of a resource identifier.
