There are really two arguments here.

1. TLSv1.0 is insecure and should never be used in an HTTPS scenario - can’t argue with this.
2. A lot of static content sites are forcing HTTPS even though “technically” there is nothing that needs to be secured in transit - this is where the argument lies.

Why does access to Wikipedia need to go over HTTPS? There is no login, no credit card or SSNs being transferred, etc. Part of the blame is Google; they started penalizing sites in their index if they didn’t do HTTPS. As a result, almost every website now does SSL - everything from allrecipes.com to a mommy blog. Literally, you can’t find a non-SSL website anymore; everybody wants the better Google rank, so they all gave in and went 100% SSL.

There is a reason, however, for search engines to enforce HTTPS: it’s a privacy issue. Everyone is snooping on you, so if you don’t want your ISP knowing what you’re searching for (http://search.com/?q=looking+for+a+divorce+lawyer) and then selling that info to advertisers, you need HTTPS - and yes, Wiki is sort of a search engine.

What I foresee happening is people will come up with a 3rd party solution; basically, you’ll start seeing people offer http->https proxy services. It will be interesting to see if the content source providers try to clamp down on this or let it happen…

-John

On Dec 31, 2019, at 11:11 AM, Royce Williams <royce@techsolvency.com> wrote:
On Tue, Dec 31, 2019 at 6:12 AM Seth Mattinen <sethm@rollernet.us> wrote:
On 12/31/19 12:50 AM, Ryan Hamel wrote:
Just let the old platforms ride off into the sunset as originally planned like the SSL implementations in older JRE installs, XP, etc. You shouldn't be holding onto the past.
Because poor people anywhere on earth that might not have access to the newer technology don't deserve access to Wikipedia, right? Gotta make sure information is only accessible to those with means to keep "lesser" people out.
This.
I visited a rural school in South Africa around 2008.
For many things - such as using their cellphone provider's billing infrastructure to pay for third-party services via SMS - a switch to TLS 1.2 only would probably have no impact.
But for educational purposes, their reliance on Wikipedia was dramatic - and they could *only* get to it from outdated phones that had been donated, scavenged, or cobbled together from parts.
In the intervening years, the disposable-electronics culture has probably been a great boon to them, bringing better and more tech - but much of it is probably still pre-Android 4.4.2.
But perhaps Wikipedia's decision is based on actual data. I'd love to see percentages of their negotiated TLS ciphers, per country and per client type. Back in 2015, you could see them as discussed here:
https://news.ycombinator.com/item?id=10194258
... but I'm not sure where the equivalent data would be in the new Grafana data:
https://grafana.wikimedia.org/?orgId=1
Royce