HTTPS (Tag)
Active, Public

Members (3)

Watchers (5)

Details

Description

Issues about HTTPS and SSL encryption on Wikimedia servers. This includes, but is not limited to, certificates, bugs, validation issues, and enhancements.

Subproject: HTTPS-by-default.

Parent project: Traffic, SRE

Recent Activity

Oct 22 2024

Diskdance updated the task description for T205378: Support ECH on Wikimedia servers.
Oct 22 2024, 12:52 PM · Traffic-Icebox, Upstream, HTTPS, SRE
Diskdance updated the task description for T205378: Support ECH on Wikimedia servers.
Oct 22 2024, 12:51 PM · Traffic-Icebox, Upstream, HTTPS, SRE
Diskdance added a comment to T205378: Support ECH on Wikimedia servers.

FWIW, Cloudflare has enabled ECH by default.

Oct 22 2024, 12:51 PM · Traffic-Icebox, Upstream, HTTPS, SRE

Jul 11 2024

FJoseph-WMF moved T368344: Proposal: fail explicitly and revoke relevant API keys over plain-text HTTP connection for all Wikimedia APIs from Incoming (Needs Triage) to Needs Further Discussion on the MW-Interfaces-Team board.
Jul 11 2024, 2:47 PM · Security, MW-Interfaces-Team, Traffic, HTTPS, Wikimedia Enterprise, RESTBase-API, MediaWiki-REST-API, MediaWiki-Action-API

Jul 9 2024

Tgr added a comment to T368344: Proposal: fail explicitly and revoke relevant API keys over plain-text HTTP connection for all Wikimedia APIs.

I think this wouldn't be very useful as a security measure:

  • When authenticating with cookies, all cookies use the Secure flag already, so a reasonable client would not send them over HTTP.
  • OAuth 1 is designed to be secure over HTTP.
  • The OAuth 2 spec forbids serving HTTP requests, so if we allow them currently, we should stop doing that.

There is some value in key revocation but I'm not sure if it's worth the effort - you'd need to avoid write on GET, notify the user somehow, it's easy to cause mass breakage by revoking keys which don't need to be revoked (SSL is terminated way before the request reaches the appserver so MediaWiki can't directly check what protocol is being used), hard to do consistently (how would non-MediaWiki APIs revoke?).

Jul 9 2024, 9:27 PM · Security, MW-Interfaces-Team, Traffic, HTTPS, Wikimedia Enterprise, RESTBase-API, MediaWiki-REST-API, MediaWiki-Action-API
Tgr added a project to T368344: Proposal: fail explicitly and revoke relevant API keys over plain-text HTTP connection for all Wikimedia APIs: Security.
Jul 9 2024, 9:26 PM · Security, MW-Interfaces-Team, Traffic, HTTPS, Wikimedia Enterprise, RESTBase-API, MediaWiki-REST-API, MediaWiki-Action-API

Jul 8 2024

BCornwall moved T368344: Proposal: fail explicitly and revoke relevant API keys over plain-text HTTP connection for all Wikimedia APIs from Backlog to Radar/Not for service by Traffic on the Traffic board.
Jul 8 2024, 4:43 PM · Security, MW-Interfaces-Team, Traffic, HTTPS, Wikimedia Enterprise, RESTBase-API, MediaWiki-REST-API, MediaWiki-Action-API
pmiazga added a comment to T368344: Proposal: fail explicitly and revoke relevant API keys over plain-text HTTP connection for all Wikimedia APIs.

Tagging MW-Interfaces-Team as they are API owners.

Jul 8 2024, 2:01 PM · Security, MW-Interfaces-Team, Traffic, HTTPS, Wikimedia Enterprise, RESTBase-API, MediaWiki-REST-API, MediaWiki-Action-API
pmiazga added a project to T368344: Proposal: fail explicitly and revoke relevant API keys over plain-text HTTP connection for all Wikimedia APIs: MW-Interfaces-Team.
Jul 8 2024, 1:59 PM · Security, MW-Interfaces-Team, Traffic, HTTPS, Wikimedia Enterprise, RESTBase-API, MediaWiki-REST-API, MediaWiki-Action-API

Jun 25 2024

Pppery added a project to T368344: Proposal: fail explicitly and revoke relevant API keys over plain-text HTTP connection for all Wikimedia APIs: Traffic.
Jun 25 2024, 3:52 AM · Security, MW-Interfaces-Team, Traffic, HTTPS, Wikimedia Enterprise, RESTBase-API, MediaWiki-REST-API, MediaWiki-Action-API
Diskdance created T368344: Proposal: fail explicitly and revoke relevant API keys over plain-text HTTP connection for all Wikimedia APIs.
Jun 25 2024, 3:49 AM · Security, MW-Interfaces-Team, Traffic, HTTPS, Wikimedia Enterprise, RESTBase-API, MediaWiki-REST-API, MediaWiki-Action-API

May 16 2024

Aklapper placed T225096: Provide acme-chief/TLS SNI list support in compile_redirects() up for grabs.

@Vgutierrez: Removing task assignee as this open task has been assigned for more than two years - see the email sent to all task assignees on 2024-04-15.
Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be welcome! :)
If this task has been resolved in the meantime, or should not be worked on by anybody ("declined"), please update its task status via "Add Action… 🡒 Change Status".
Also see https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips how to best manage your individual work in Phabricator. Thanks!

May 16 2024, 5:09 PM · Patch-Needs-Improvement, Traffic-Icebox, HTTPS, SRE

Apr 12 2024

Aklapper edited projects for T225096: Provide acme-chief/TLS SNI list support in compile_redirects(), added: Patch-Needs-Improvement; removed Patch-For-Review.
Apr 12 2024, 11:14 AM · Patch-Needs-Improvement, Traffic-Icebox, HTTPS, SRE

Jan 5 2024

Diskdance updated the task description for T238034: Enable HTTP/3 (QUIC) support on Wikimedia servers.
Jan 5 2024, 7:44 AM · Wikimedia-Performance-recommendation, Traffic-Icebox, SRE, HTTPS
Diskdance updated the task description for T205378: Support ECH on Wikimedia servers.
Jan 5 2024, 7:19 AM · Traffic-Icebox, Upstream, HTTPS, SRE

Oct 13 2023

Diskdance updated the task description for T238034: Enable HTTP/3 (QUIC) support on Wikimedia servers.
Oct 13 2023, 10:35 AM · Wikimedia-Performance-recommendation, Traffic-Icebox, SRE, HTTPS
matmarex closed T94125: Central login notice appears on unencrypted API format=*fm pages, where reloading does not affect login status as Declined.

This only affects CentralAuth in a non-WMF configuration, which we don't support.

Oct 13 2023, 8:50 AM · MediaWiki-Action-API, HTTPS, MediaWiki-extensions-CentralAuth

Oct 4 2023

ssingh added a comment to T205378: Support ECH on Wikimedia servers.

Hi @DennisJJackson: Thanks for the question. We do plan to work on ECH and enable it for our sites and have had some discussions internally. There is no timeline yet as such, for a variety of reasons, the limited browser support being one, though that has clearly changed over the past few weeks. There are some other considerations here as well such as the lack of server-side options for turning it on but we are hoping the DEfO project will provide the much needed support there for HAProxy, which is what we use for TLS termination.

Oct 4 2023, 1:38 PM · Traffic-Icebox, Upstream, HTTPS, SRE
DennisJJackson added a comment to T205378: Support ECH on Wikimedia servers.

@Aklapper - It looks like this issue was originally raised several years ago and put in the icebox. I'm flagging that the situation around standardization and deployment of ECH has changed rather dramatically since then. This work would also be closely aligned with Wikimedia's recent work on hosting secure DNS.

Oct 4 2023, 1:23 PM · Traffic-Icebox, Upstream, HTTPS, SRE
Aklapper added a comment to T205378: Support ECH on Wikimedia servers.

@DennisJJackson Hi and welcome to Phabricator! What in this ticket led you to asking for "retriage" (and what does that mean)?

Oct 4 2023, 12:57 PM · Traffic-Icebox, Upstream, HTTPS, SRE
DennisJJackson added a comment to T205378: Support ECH on Wikimedia servers.

Mozilla have now launched ECH in Firefox. Cloudflare have also launched server side support globally. Chrome will be shipping ECH imminently.

Oct 4 2023, 12:43 PM · Traffic-Icebox, Upstream, HTTPS, SRE

Sep 1 2023

ssingh added a parent task for T205378: Support ECH on Wikimedia servers: T252132: Deploy Wikimedia DNS: DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) public resolver.
Sep 1 2023, 12:30 AM · Traffic-Icebox, Upstream, HTTPS, SRE

Aug 29 2023

TheDJ added a comment to T87276: Set an explicit "Origin When Cross-Origin" referer policy via the meta referrer tag.

Removal is already in progress via T338183

Aug 29 2023, 8:05 AM · User-notice-archive, SRE, Traffic, The-Wikipedia-Library, Security-General, Privacy, Research, WMF-General-or-Unknown, HTTPS
Xover added a comment to T87276: Set an explicit "Origin When Cross-Origin" referer policy via the meta referrer tag.

This is still spewing errors in the console for every page load in Safari due to the hyphenless keyword. But cf. T180921 and T178356, are there any still-supported UAs that need (and do something sensible with) the old version of the keyword? That actually support current SSL/TLS versions and options (i.e. can actually connect)? Can we get rid of it? (finally, after eight years)

Aug 29 2023, 7:50 AM · User-notice-archive, SRE, Traffic, The-Wikipedia-Library, Security-General, Privacy, Research, WMF-General-or-Unknown, HTTPS

Aug 18 2023

Krinkle moved T238034: Enable HTTP/3 (QUIC) support on Wikimedia servers from Watching to Perf recommendation on the Performance-Team (Radar) board.
Aug 18 2023, 8:03 PM · Wikimedia-Performance-recommendation, Traffic-Icebox, SRE, HTTPS

Jul 11 2023

Aklapper changed the edit policy for HTTPS.
Jul 11 2023, 6:00 PM

Jun 13 2023

AlexisJazz closed T293585: [epic] The SSL certificate for Beta cluster domains fails to properly renew & deploy as Resolved.
Jun 13 2023, 9:26 AM · User-AKlapper, Quality-and-Test-Engineering-Team, Epic, SRE, Traffic, HTTPS, Beta-Cluster-Infrastructure
AlexisJazz closed T337642: upload.wikimedia.beta.wmflabs.org certificate expired (May 2023), a subtask of T293585: [epic] The SSL certificate for Beta cluster domains fails to properly renew & deploy, as Resolved.
Jun 13 2023, 9:26 AM · User-AKlapper, Quality-and-Test-Engineering-Team, Epic, SRE, Traffic, HTTPS, Beta-Cluster-Infrastructure
AlexisJazz closed T337642: upload.wikimedia.beta.wmflabs.org certificate expired (May 2023) as Resolved.

Dunno how but it works again.

Jun 13 2023, 9:25 AM · SRE, HTTPS, Traffic, Beta-Cluster-Infrastructure

May 29 2023

Maintenance_bot added a project to T337642: upload.wikimedia.beta.wmflabs.org certificate expired (May 2023): SRE.
May 29 2023, 11:45 PM · SRE, HTTPS, Traffic, Beta-Cluster-Infrastructure
AlexisJazz added projects to T337642: upload.wikimedia.beta.wmflabs.org certificate expired (May 2023): Traffic, HTTPS.
May 29 2023, 11:30 PM · SRE, HTTPS, Traffic, Beta-Cluster-Infrastructure

May 28 2023

AlexisJazz added a subtask for T293585: [epic] The SSL certificate for Beta cluster domains fails to properly renew & deploy: T337642: upload.wikimedia.beta.wmflabs.org certificate expired (May 2023).
May 28 2023, 6:22 AM · User-AKlapper, Quality-and-Test-Engineering-Team, Epic, SRE, Traffic, HTTPS, Beta-Cluster-Infrastructure
AlexisJazz reopened T293585: [epic] The SSL certificate for Beta cluster domains fails to properly renew & deploy as "Open".

The certificate for upload.wikimedia.beta.wmflabs.org expired on May 17, 2023.

May 28 2023, 6:20 AM · User-AKlapper, Quality-and-Test-Engineering-Team, Epic, SRE, Traffic, HTTPS, Beta-Cluster-Infrastructure

May 10 2023

BCornwall closed T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org as Resolved.

Resolving since it appears to be finished. Thanks all!

May 10 2023, 9:04 PM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)

May 3 2023

Clement_Goubert added a comment to T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org.

New internal certs now include wikifunctions.org and *.wikifunctions.org

May 3 2023, 8:15 AM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)
Clement_Goubert updated the task description for T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org.
May 3 2023, 8:14 AM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)

May 2 2023

Maintenance_bot removed a project from T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org: Patch-For-Review.
May 2 2023, 4:11 PM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)
Stashbot added a comment to T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org.

Mentioned in SAL (#wikimedia-operations) [2023-05-02T15:36:13Z] <claime> Re-running puppet on failed parse servers - T313227

May 2 2023, 3:36 PM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)
gerritbot added a comment to T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org.

Change 914357 merged by Clément Goubert:

[operations/puppet@production] ssl: Fix parsoid.svc.{codfw,eqiad} pubkeys

https://gerrit.wikimedia.org/r/914357

May 2 2023, 3:34 PM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)
gerritbot added a project to T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org: Patch-For-Review.
May 2 2023, 3:20 PM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)
gerritbot added a comment to T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org.

Change 914357 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/puppet@production] ssl: Fix parsoid.svc.{codfw,eqiad} pubkeys

https://gerrit.wikimedia.org/r/914357

May 2 2023, 3:20 PM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)
Maintenance_bot removed a project from T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org: Patch-For-Review.
May 2 2023, 3:10 PM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)
Stashbot added a comment to T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org.

Mentioned in SAL (#wikimedia-operations) [2023-05-02T14:33:24Z] <claime> Merging new internal certs for api, jobrunner, appservers, parsoid - T313227

May 2 2023, 2:33 PM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)
gerritbot added a comment to T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org.

Change 914339 merged by Clément Goubert:

[operations/puppet@production] ssl: Update api,jobrunner,appservers,parsoid certs

https://gerrit.wikimedia.org/r/914339

May 2 2023, 2:32 PM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)
Clement_Goubert changed the status of T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org from Open to In Progress.
May 2 2023, 2:10 PM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)
Clement_Goubert moved T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org from 🙈🙉🙊Backlog to Doing 😎 on the serviceops board.
May 2 2023, 2:10 PM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)
gerritbot added a project to T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org: Patch-For-Review.
May 2 2023, 2:04 PM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)
gerritbot added a comment to T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org.

Change 914339 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/puppet@production] ssl: Update api.svc, jobrunner.svc, and appservers.svc certs

https://gerrit.wikimedia.org/r/914339

May 2 2023, 2:04 PM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)
Clement_Goubert claimed T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org.
May 2 2023, 1:37 PM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)
Joe updated the task description for T313227: Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org.
May 2 2023, 7:13 AM · SRE, Traffic, HTTPS, serviceops, Abstract Wikipedia team (Phase λ – Launch)