
HTTPS/Browser Recommendations page on Wikitech is outdated
Closed, ResolvedPublic

Description

https://wikitech.wikimedia.org/wiki/HTTPS/Browser_Recommendations is linked from https://en.wikipedia.org/sec-warning. It included this text:

This means that if you use an old web browser, you can still read pages on Wikipedia, but your browsing activity cannot always be encrypted in a secure way.

I take it this referred to an earlier set of updates, but it's no longer accurate, so I've removed it. The remaining paragraphs should probably be reworked too, though, since the future they describe is now reality. :-)

Event Timeline

The wording issues here are actually a bit tricky. We've done several TLS standards upgrades over time, and there are still a few to go:

Done sometime in the past:

  • HTTPS enforcement with 301s
  • HSTS lock-on
  • SSLv3 removal
  • 3DES support removed (and there were a few others like this of less note)
  • Forward-secrecy enforcement

Doing now:

  • Removing TLSv1.0 and TLSv1.1

Known things coming in the future:

  • Removing DHE support
  • Requiring AEAD ciphers
  • Much more distant: removing TLSv1.2 support (sometime long after we've added 1.3!)

So the general language issues around relative levels of security, and more security to come down the line, are still as relevant today as they were back then. The browser/OS version standards and upgrade recommendations are meant to cover at least up through the future DHE and AEAD changes, but obviously enforcing TLSv1.3-only, which is pretty far off in the future and would require even higher minimum version levels. Perhaps we should at least further re-word the parts about IE11 to favor Edge more, since IE11 doesn't do 1.2 by default (as noted).
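The comment above lists the TLS hardening stages in the order they were (or will be) applied. The following is an added example, not code from this task or from Wikimedia's Traffic team: it takes the (protocol version, cipher suite) combinations a client could negotiate, expressed with OpenSSL-style and IANA TLS 1.3 names, and reports the first stage in that sequence that would reject each one, so an operator can see which clients each step cuts off before flipping it. The sample list is constructed; the stage names are taken from the comment.

```python
"""Audit negotiable (protocol, cipher) pairs against the hardening stages
listed in the task comment.  Added example; the stage order and names
follow the comment, the sample input is constructed."""

# Substrings that identify AEAD modes in OpenSSL cipher names.
AEAD_MARKERS = ("GCM", "CHACHA20-POLY1305", "CCM")


def parse_cipher(name):
    """Return (key_exchange, is_aead) for an OpenSSL or IANA cipher name.

    key_exchange is one of "ECDHE", "DHE" or "RSA" (static key transport,
    i.e. no forward secrecy).  TLS 1.3 suites (IANA "TLS_..." names) always
    use ephemeral (EC)DHE and are all AEAD, so they need no name inspection.
    """
    if name.startswith("TLS_"):
        return "ECDHE", True
    if name.startswith("ECDHE-"):
        kex = "ECDHE"
    elif name.startswith(("DHE-", "EDH-")):
        kex = "DHE"
    else:
        kex = "RSA"
    return kex, any(marker in name for marker in AEAD_MARKERS)


# Stage name -> predicate that is True when the stage REJECTS the pair.
# Order matters: a pair is attributed to the first stage that rejects it.
STAGES = {
    "SSLv3 removal": lambda proto, c: proto == "SSLv3",
    "3DES removal": lambda proto, c: "DES-CBC3" in c or "3DES" in c,
    "Forward-secrecy enforcement": lambda proto, c: parse_cipher(c)[0] == "RSA",
    "Removing TLSv1.0 and TLSv1.1": lambda proto, c: proto in ("TLSv1", "TLSv1.0", "TLSv1.1"),
    "Removing DHE support": lambda proto, c: parse_cipher(c)[0] == "DHE",
    "Requiring AEAD ciphers": lambda proto, c: not parse_cipher(c)[1],
}


def audit(offered):
    """Map each stage to the pairs it is the first to reject; pairs that pass
    every stage land under the "survives" key."""
    result = {stage: [] for stage in STAGES}
    result["survives"] = []
    for proto, cipher in offered:
        for stage, rejects in STAGES.items():
            if rejects(proto, cipher):
                result[stage].append((proto, cipher))
                break
        else:
            result["survives"].append((proto, cipher))
    return result


# Constructed sample: combinations a mixed population of old and new clients
# might negotiate (not measured Wikimedia traffic).
SAMPLE_OFFERED = [
    ("SSLv3", "DES-CBC3-SHA"),
    ("TLSv1.2", "DES-CBC3-SHA"),
    ("TLSv1.2", "AES128-SHA"),
    ("TLSv1.0", "ECDHE-RSA-AES128-SHA"),
    ("TLSv1.2", "DHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.2", "ECDHE-RSA-AES256-SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
]

if __name__ == "__main__":
    for stage, pairs in audit(SAMPLE_OFFERED).items():
        print(f"{stage}:")
        for proto, cipher in pairs:
            print(f"    {proto:8} {cipher}")
```

Feeding the script the output of `openssl ciphers -v` for a server's configured list (protocol and name are the first two columns) shows, per stage, what the remaining steps in the comment would drop. Note that the classification is by name only: it does not check key sizes or whether a client actually supports the suite, so it is a planning aid, not a substitute for looking at real negotiation logs.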

ema triaged this task as Medium priority. Dec 20 2019, 12:36 PM

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

I've updated the page a little further to reflect the Windows 8/8.1 EOL (just a few days ago!) and made some of the wording more vague so it can instead point to the base [[HTTPS]] page for more detailed technical bits. This should keep updating the documentation DRY going forward. It seems pretty clear and updated now!