Page MenuHomePhabricator
Create Task
Maniphest T102824

Clean up DNS/redirects for TLS
Closed, ResolvedPublic
Actions

Description

This is a meta-task to collect up all of the related tasks for dealing with various cases of legitimate, functional domainname endpoints that browsers can hit for insecure redirects currently, which do not match our SSL certs.

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedBBlackT104681 HTTPS Plans (tracking / high-level info)
 ResolvedBBlackT102824 Clean up DNS/redirects for TLS
 ResolvedArielGlennT107575 download.wiki[mp]edia.org are using an invalid certificate
 ResolvedChmarkineT110511 sitemap.wikimedia.org uses invalid SSL certificate
 ResolvedBBlackT104244 Preload HSTS
 ResolvedBBlackT102814 Decom old multiple-subdomain wikis in wikipedia.org
 ResolvedBBlackT104942 TLS and *.wap/*.mobile multi-level subdomains of wikipedia.org
 ResolvedBBlackT102815 Decom www.$lang hostnames/redirects
 ResolvedBBlackT102826 Fix/decom multiple-subdomain wikis in wikimedia.org
 ResolvedBBlackT102827 Decide what to do with *.donate.wikimedia.org subdomain + TLS
 Resolved CCogdill_WMFT130414 delete links.email.donate.wikimedia.org (and all other email.donate.*?) from DNS
 DeclinedBBlackT111967 Preload HSTS for select hostnames within wikimedia.org
 DuplicateBBlackT111998 investigate/remove hostname login.m.wikimedia.org
 ResolvedBBlackT40516 Enable HSTS on Wikimedia sites
 ResolvedNoneT37313 SSL cert invalid for bugzilla.wikipedia.org redirect
 DeclinedKrinkleT38126 *.mobile.wikipedia.org domains are using invalid SSL certificate
 ResolvedJgreenT88199 Enable HSTS on https://payments.wikimedia.org
 ResolvedChmarkineT90527 Enable HSTS and point rel=canonical to HTTPS for all Russian Wikimedia projects
 ResolvedBBlackT132521 Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination
 ResolvedKrenairT133360 Fix wikitech-static TLS config
 ResolvedJgreenT137161 Fix nits in HTTPS/HSTS configs in externally-hosted fundraising domains
 ResolvedRobHT170140 revoke benefactorevents.wikimedia.org SSL certificate
 DuplicateNoneT137915 stream.wikimedia.org doesn't redirect to HTTPS
 ResolvedBBlackT105905 Switch blog to HTTPS-only
 InvalidNoneT64488 Wikimedia blog has unsecured elements on https
 ResolvedBBlackT103919 let all services on misc-web enforce http->https redirects
 ResolvedDzahnT103773 check if services behind misc-web enforce http->https redirect or not
 Resolved ezachteT93702 Fix the mixed content issue on Wikimedia Statistics
 ResolvedBBlackT132459 HTTPS redirects for config-master.wikimedia.org
 ResolvedBBlackT132460 HTTPS redirects for git.wikimedia.org
 ResolvedBBlackT132461 HTTPS redirects for graphite.wikimedia.org
 ResolvedBBlackT132462 HTTPS redirects for parsoid-tests.wikimedia.org
 ResolvedBBlackT132463 HTTPS redirects for datasets.wikimedia.org
 ResolvedBBlackT132464 HTTPS redirects for transparency.wikimedia.org
 ResolvedBBlackT132465 HTTPS redirects for stats.wikimedia.org
 ResolvedDzahnT132543 enable HSTS on *.planet.wikimedia.org
 ResolvedBBlackT132452 HSTS preload for wmfusercontent.org
 ResolvedBBlackT132685 Preload STS for wikimedia.org
 ResolvedBBlackT34796 status.wikimedia.org has no (valid) HTTPS
 ResolvedBBlackT132450 enable https for (ubuntu|apt|mirrors).wikimedia.org
 ResolvedBBlackT132812 Sort out letsencrypt puppetization for simple public hosts

Event Timeline

BBlack created this task.Jun 17 2015, 3:19 PM
BBlack raised the priority of this task from to Needs Triage.
BBlack updated the task description. (Show Details)
BBlack added projects: acl*sre-team, Traffic.
BBlack subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 17 2015, 3:19 PM
BBlack added subtasks: T102814: Decom old multiple-subdomain wikis in wikipedia.org, T102815: Decom www.$lang hostnames/redirects.Jun 17 2015, 3:19 PM
Krenair subscribed.Jun 17 2015, 3:20 PM
BBlack added a subtask: T102826: Fix/decom multiple-subdomain wikis in wikimedia.org.Jun 17 2015, 3:24 PM
BBlack added a subtask: T102827: Decide what to do with *.donate.wikimedia.org subdomain + TLS.Jun 17 2015, 3:33 PM
BBlack added a subscriber: faidon.Jun 17 2015, 3:36 PM
Chmarkine subscribed.Jun 18 2015, 7:05 AM
Krenair added a comment.Jun 18 2015, 7:16 PM

I imagine https://gerrit.wikimedia.org/r/#/c/219228/1 is going to put us in a similar situation with T88731 (redirects in place, but invalid SSL certs getting in the way for encrypted requests)?

BBlack mentioned this in T104681: HTTPS Plans (tracking / high-level info).Jul 3 2015, 4:58 AM
BBlack added a parent task: T104681: HTTPS Plans (tracking / high-level info).Jul 3 2015, 5:00 AM
BBlack closed subtask T102815: Decom www.$lang hostnames/redirects as Resolved.Jul 6 2015, 5:27 PM
Restricted Application added a subscriber: Matanya. · View Herald TranscriptJul 6 2015, 5:27 PM
BBlack added a subtask: T104942: TLS and *.wap/*.mobile multi-level subdomains of wikipedia.org.Jul 7 2015, 5:35 AM
BBlack moved this task from Backlog to Traffic team actively servicing on the Traffic board.Jul 9 2015, 10:08 PM
Joe triaged this task as Medium priority.Jul 13 2015, 2:11 PM
Joe set Security to None.
BBlack closed subtask T104942: TLS and *.wap/*.mobile multi-level subdomains of wikipedia.org as Resolved.Jul 27 2015, 12:51 PM
BBlack removed a subtask: T102827: Decide what to do with *.donate.wikimedia.org subdomain + TLS.Jul 27 2015, 1:06 PM
BBlack removed a subtask: T104942: TLS and *.wap/*.mobile multi-level subdomains of wikipedia.org.
BBlack closed subtask T102814: Decom old multiple-subdomain wikis in wikipedia.org as Resolved.Jul 28 2015, 2:55 PM
BBlack added a parent task: T107236: Switch port 80 to nginx on primary clusters.Jul 29 2015, 1:41 AM
MZMcBride subscribed.Jul 29 2015, 2:41 AM
Chmarkine added a subtask: T107575: download.wiki[mp]edia.org are using an invalid certificate.Jul 31 2015, 2:33 PM
Chmarkine closed subtask T107575: download.wiki[mp]edia.org are using an invalid certificate as Resolved.Aug 26 2015, 12:12 AM
Chmarkine added a subtask: T110511: sitemap.wikimedia.org uses invalid SSL certificate.Aug 27 2015, 1:01 PM
Dzahn closed subtask T110511: sitemap.wikimedia.org uses invalid SSL certificate as Resolved.Sep 2 2015, 2:48 PM
BBlack closed subtask T102826: Fix/decom multiple-subdomain wikis in wikimedia.org as Resolved.Sep 15 2015, 1:03 AM
BBlack added a subtask: T102827: Decide what to do with *.donate.wikimedia.org subdomain + TLS.
BBlack closed subtask T102827: Decide what to do with *.donate.wikimedia.org subdomain + TLS as Resolved.Apr 12 2016, 3:58 PM
BBlack moved this task from Traffic team actively servicing to Upcoming on the Traffic board.May 9 2016, 6:45 PM
BBlack removed a parent task: T107236: Switch port 80 to nginx on primary clusters.Jun 15 2016, 6:54 PM
BBlack closed this task as Resolved.Jul 27 2016, 7:05 PM
BBlack claimed this task.

The title wording is unclear, which is perhaps why this ticket lingered open. However, from the subtasks it's clear this was about exception cases within our canonical second-level domainnames. Non-canonicals and the remaining non-standard one-off legitimate sites are all covered in other, open tickets.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL