Page MenuHomePhabricator
Create Task
Maniphest T104681

HTTPS Plans (tracking / high-level info)
Closed, ResolvedPublic
Actions

Description

Some of the information out there about where we are and where we're going is a bit disparate and lost in the noise of many separate Tasks and impending gerrit commits. This is an attempt to bring together a coherent view of the current state of things, the next upcoming steps, etc. If you know information that isn't here (missing Task refs, etc) please feel free to correct it! The Description here will evolve as we go, use comments to discuss, etc.

  • Definitions
    • Canonical domains: wikipedia.org, wikimedia.org, wiktionary.org, wikiquote.org, wikibooks.org, wikisource.org, wikinews.org, wikiversity.org, wikidata.org, wikivoyage.org, wikimediafoundation.org, mediawiki.org, wmfusercontent.org, w.wiki.
    • Non-canonical domains: Anything not in the list above. These are generally redirect-only domains such as wikimedia.ee, wikizpravy.cz, wikimediacommons.jp.net, etc
    • Traffic Clusters: These are the text, upload, and misc traffic clusters which do standardized TLS termination for the bulk of all our HTTP[S] traffic to all of our domainnames.
    • One-off Services: These are individual internet-facing HTTP[S] services which are not terminated by one of the standard traffic clusters above and run their own independently-configured internet-facing server software (e.g. nginx or apache). They are in our control and hosted in our datacenters.
    • Third-party: These are HTTPS[S] service hostnames in our canonical domains which are hosted by a 3rd-party service for us.
  • Current State of Affairs - HTTPS, Redirects, and HSTS
    • Our desired state is:
      • Modern TLS (v1.2, FS/AEAD ciphers enabled, sane ordering, no publicly-known TLS flaws)
      • HTTP: 301 redirect of GET/HEAD to HTTPS, 403 denial of other methods.
      • HSTS with 1yr duration, preload, includeSub
      • All canonical domains (not individual service hostnames) submitted to the Chromium preload lists
    • Outstanding Exceptions:
      • Non-canonical domains (all are currently serviced by our Traffic Clusters): No valid certificates. Task to move these to a separate service with LetsEncrypt certs: T133548
      • Third-party: store.wikimedia.org HSTS issues - T128559
  • Current State of Affairs - Crypto Compatibility vs Security Tradeoffs
    • Dashboard for negotiated ciphers: https://grafana.wikimedia.org/#/dashboard/db/tls-ciphers
    • As a general rule, none of our HTTPS endpoints should support SSLv2 or SSLv3. I don't believe there are any exceptions to this today. The only client browser anyone cares much about which lacks TLSv1.0 (or higher) support and is blocked by this is IE6 on Windows XP (which, due to our redirects and lack of SSLv3 support, cannot access our HTTPS-redirected sites at all anymore).
    • We maintain explicit ciphersuite lists in our puppet repo that are intended to be shared by all TLS termination software for all cases. There are three choices a site/service can choose from at this time: strong, mid, and compat. See that file for the evolving details

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedBBlackT104681 HTTPS Plans (tracking / high-level info)
 ResolvedBBlackT104281 Sort out DHE for Forward Secrecy w/ older clients
 ResolvedBBlackT86654 Switch to ECDSA hybrid certificates
 ResolvedBBlackT96850 Test then switch to openssl 1.0.2 + nginx 1.9.2
 ResolvedBBlackT104143 openssl 1.0.2 packaging for jessie
 ResolvedBBlackT102566 InstantCommons broken by switch to HTTPS
 ResolvedTgrT75199 PhpHttpRequest should not check host against CN x509 attribute
 ResolvedTgrT75203 PhpHttpRequest requires a certificate repository
 ResolvedBBlackT102824 Clean up DNS/redirects for TLS
 ResolvedArielGlennT107575 download.wiki[mp]edia.org are using an invalid certificate
 ResolvedChmarkineT110511 sitemap.wikimedia.org uses invalid SSL certificate
 ResolvedBBlackT104244 Preload HSTS
 ResolvedBBlackT102814 Decom old multiple-subdomain wikis in wikipedia.org
 ResolvedBBlackT104942 TLS and *.wap/*.mobile multi-level subdomains of wikipedia.org
 ResolvedBBlackT102815 Decom www.$lang hostnames/redirects
 ResolvedBBlackT102826 Fix/decom multiple-subdomain wikis in wikimedia.org
 ResolvedBBlackT102827 Decide what to do with *.donate.wikimedia.org subdomain + TLS
 Resolved CCogdill_WMFT130414 delete links.email.donate.wikimedia.org (and all other email.donate.*?) from DNS
 DeclinedBBlackT111967 Preload HSTS for select hostnames within wikimedia.org
 DuplicateBBlackT111998 investigate/remove hostname login.m.wikimedia.org
 ResolvedBBlackT40516 Enable HSTS on Wikimedia sites
 ResolvedNoneT37313 SSL cert invalid for bugzilla.wikipedia.org redirect
 DeclinedKrinkleT38126 *.mobile.wikipedia.org domains are using invalid SSL certificate
 ResolvedJgreenT88199 Enable HSTS on https://payments.wikimedia.org
 ResolvedChmarkineT90527 Enable HSTS and point rel=canonical to HTTPS for all Russian Wikimedia projects
 ResolvedBBlackT132521 Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination
 ResolvedKrenairT133360 Fix wikitech-static TLS config
 ResolvedJgreenT137161 Fix nits in HTTPS/HSTS configs in externally-hosted fundraising domains
 ResolvedRobHT170140 revoke benefactorevents.wikimedia.org SSL certificate
 DuplicateNoneT137915 stream.wikimedia.org doesn't redirect to HTTPS
 ResolvedBBlackT105905 Switch blog to HTTPS-only
 InvalidNoneT64488 Wikimedia blog has unsecured elements on https
 ResolvedBBlackT103919 let all services on misc-web enforce http->https redirects
 ResolvedDzahnT103773 check if services behind misc-web enforce http->https redirect or not
 Resolved ezachteT93702 Fix the mixed content issue on Wikimedia Statistics
 ResolvedBBlackT132459 HTTPS redirects for config-master.wikimedia.org
 ResolvedBBlackT132460 HTTPS redirects for git.wikimedia.org
 ResolvedBBlackT132461 HTTPS redirects for graphite.wikimedia.org
 ResolvedBBlackT132462 HTTPS redirects for parsoid-tests.wikimedia.org
 ResolvedBBlackT132463 HTTPS redirects for datasets.wikimedia.org
 ResolvedBBlackT132464 HTTPS redirects for transparency.wikimedia.org
 ResolvedBBlackT132465 HTTPS redirects for stats.wikimedia.org
 ResolvedDzahnT132543 enable HSTS on *.planet.wikimedia.org
 ResolvedBBlackT132452 HSTS preload for wmfusercontent.org
 ResolvedBBlackT132685 Preload STS for wikimedia.org
 ResolvedBBlackT34796 status.wikimedia.org has no (valid) HTTPS
 ResolvedBBlackT132450 enable https for (ubuntu|apt|mirrors).wikimedia.org
 DuplicateNoneT105451 WMF-Last-Access cookies doesn't set Secure flag
 ResolvedBBlackT105794 Insecure POST traffic
 Resolved PcheloloT107030 Restbase insecure POST requests to MW api.php
 Resolved PcheloloT86737 Generalize request templating for service requests
 DeclinedvalhallaswT121020 Update Java 7 to Java 8
 Resolved Whatamidoing-WMFT136674 Help contact bot owners about the end of HTTP access to the API
 DeclinedoriT109029 Chrome on OS X 10.11 ("El Capitan") does not trust Wikimedia certificates
 ResolvedVgutierrezT133548 Create a secure redirect service for large count of non-canonical / junk domains
 ResolvedBBlackT132812 Sort out letsencrypt puppetization for simple public hosts
 ResolvedNoneT134447 letsencrypt puppetization: upgrade for scalability
 ResolvedNoneT141266 letsencrypt puppetization: add parallel rsa+ecdsa cert support
 DuplicateNoneT152622 Wikipedia.cz and other domains owned by WMCZ have invalid certificate
 ResolvedKrenairT194962 Create and deploy a centralized letsencrypt service
 ResolvedBBlackT194965 gdnsd plugin support for ACME DNS challenges
 ResolvedMarcoAurelioT198541 Set up CI for new repo operations/software/certcentral.git
 ResolvedKrenairT153577 Make standalone puppetmasters optionally use PuppetDB
 ResolvedscfcT154104 role::puppetmaster::puppetdb depends on Ganglia and cannot be used in Labs
 ResolvedVgutierrezT207476 Create production LE accounts
 ResolvedVgutierrezT220518 acme-chief: Validate that configured certificates can be actually issued
 ResolvedVgutierrezT224539 Provide nginx support in compile_redirects()
 OpenNoneT225096 Provide acme-chief/TLS SNI list support in compile_redirects()
 ResolvedVgutierrezT228382 Provide prometheus metrics for the ncredir service
 DeclinedNoneT140128 HTTPS-only for stream.wikimedia.org
 Resolved AlexMonk-WMFT145244 rcstream support defaults to stream.wikimedia.org:80
 ResolvedfaidonT102313 stream.wikimedia.org speaks http (not https) on port 443
 ResolvedBBlackT168919 stream.wikimedia.org: remove legacy rcstream/socket.io HTTPS redirect hole punches
 DeclinedBCornwallT128559 Enable HSTS on store.wikimedia.org for HTTPS
 ResolvedNoneT39790 shop.wikimedia.org should be HTTPS only
 ResolvedKrinkleT93959 Shop homepage on HTTPS loads insecure content
 ResolvedKrinkleT96818 Shop homepage on HTTPS contains insecure submission form
 ResolvedBBlackT131131 Canonical URL in Store points to HTTP address, should be HTTPS
 ResolvedVgutierrezT217002 Make sure that services available for NDA-only users are using strong TLS ciphersuites

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
BBlack updated the task description. (Show Details)Jul 4 2015, 8:20 PM
BBlack updated the task description. (Show Details)Jul 6 2015, 3:07 PM

Notable changes today:
Switch to compat-dhe: T104281 - pending gerrit commit to switch: https://gerrit.wikimedia.org/r/#/c/222023/ . Probably going out today (July 6).
Dashboard for negotiated protocols/ciphers: https://tessera.wikimedia.org/dashboards/6/tls

BBlack updated the task description. (Show Details)Jul 7 2015, 12:21 AM
BBlack closed subtask T104281: Sort out DHE for Forward Secrecy w/ older clients as Resolved.Jul 7 2015, 2:44 AM
BBlack updated the task description. (Show Details)Jul 7 2015, 5:23 AM
BBlack updated the task description. (Show Details)Jul 7 2015, 2:53 PM
Chmarkine added a subtask: T105451: WMF-Last-Access cookies doesn't set Secure flag.Jul 10 2015, 9:17 AM
BBlack closed subtask T86654: Switch to ECDSA hybrid certificates as Resolved.Jul 13 2015, 7:02 PM
BBlack updated the task description. (Show Details)Jul 14 2015, 12:11 AM
BBlack updated the task description. (Show Details)
BBlack updated the task description. (Show Details)Jul 14 2015, 12:13 AM
BBlack updated the task description. (Show Details)Jul 14 2015, 12:54 AM
BBlack updated the task description. (Show Details)Jul 14 2015, 2:58 PM
BBlack updated the task description. (Show Details)
BBlack updated the task description. (Show Details)Jul 14 2015, 4:12 PM
BBlack updated the task description. (Show Details)
BBlack updated the task description. (Show Details)Jul 28 2015, 6:07 PM
ori added a comment.Jul 28 2015, 6:13 PM

submitted to the Chromium HSTS Preload list

The Chromium project indicates that they are willing to special-case certain requests, and that petitioners should write to Adam Langley <agl@google.com>. Maybe they could accelerate our inclusion in the list?

BBlack added a comment.Jul 28 2015, 6:35 PM

I think that's mostly about agl special-casing exemptions to the list of rules for automatic inclusion to the master list in git (the ones about restrictions on implementation details), not about accelerating the process for getting the updated list into browsers faster. The list gets fairly regularly batch-updated in git, and then I imagine that factors into merging into release branches for Chrom(e|ium) or pulls into remote release branches for FF/IE/Safari at regular intervals. agl actually checks and commits the list updates himself, I'm sure he's noticed our submission if that has any bearing on anything :)

BBlack added a subtask: T105794: Insecure POST traffic.Jul 29 2015, 1:41 AM
MZMcBride subscribed.Jul 29 2015, 2:42 AM
Tony_Tan_98 subscribed.Aug 1 2015, 6:35 PM
BBlack removed a project: HTTPS-by-default.Aug 7 2015, 4:08 PM
ori added a subtask: T109029: Chrome on OS X 10.11 ("El Capitan") does not trust Wikimedia certificates.Aug 14 2015, 12:52 AM
ori closed subtask T109029: Chrome on OS X 10.11 ("El Capitan") does not trust Wikimedia certificates as Declined.Aug 14 2015, 4:39 AM
greg updated the task description. (Show Details)Aug 27 2015, 4:13 AM
BBlack updated the task description. (Show Details)Sep 9 2015, 3:46 PM
konklone awarded a token.Sep 9 2015, 4:07 PM
Umherirrender closed subtask T102566: InstantCommons broken by switch to HTTPS as Resolved.Oct 16 2015, 8:26 PM
BBlack reopened subtask T102566: InstantCommons broken by switch to HTTPS as Open.Oct 16 2015, 10:47 PM
BBlack closed subtask T102566: InstantCommons broken by switch to HTTPS as Resolved.Nov 5 2015, 5:24 PM
Dzahn moved this task from Backlog to Big Picture on the HTTPS board.Dec 4 2015, 8:45 PM
BBlack updated the task description. (Show Details)Apr 12 2016, 11:33 AM
BBlack updated the task description. (Show Details)Apr 12 2016, 4:28 PM
BBlack updated the task description. (Show Details)Apr 13 2016, 6:21 PM
BBlack closed subtask T103919: let all services on misc-web enforce http->https redirects as Resolved.Apr 13 2016, 6:49 PM
BBlack added a subtask: T132521: Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination.Apr 14 2016, 1:25 PM
BBlack updated the task description. (Show Details)Apr 15 2016, 10:42 AM
Krinkle unsubscribed.Apr 16 2016, 1:03 AM
BBlack updated the task description. (Show Details)Apr 21 2016, 9:31 PM
BBlack updated the task description. (Show Details)Apr 25 2016, 3:28 PM
BBlack added a subtask: T133548: Create a secure redirect service for large count of non-canonical / junk domains.
BBlack removed a subtask: T101048: Policy decisions for new (and current) DNS domains registered to the WMF.
Danny_B added a project: Tracking-Neverending.May 5 2016, 7:21 PM
BBlack closed subtask T104244: Preload HSTS as Resolved.Jun 6 2016, 10:55 PM
BBlack updated the task description. (Show Details)Jun 6 2016, 10:57 PM
BBlack closed subtask T105794: Insecure POST traffic as Resolved.Jul 19 2016, 10:27 PM
BBlack updated the task description. (Show Details)Jul 19 2016, 10:29 PM
BBlack added a subtask: T140128: HTTPS-only for stream.wikimedia.org.Jul 20 2016, 12:28 AM
Boshomi subscribed.Jul 20 2016, 6:59 PM
BBlack closed subtask T102824: Clean up DNS/redirects for TLS as Resolved.Jul 27 2016, 7:05 PM
BBlack updated the task description. (Show Details)Jul 27 2016, 7:44 PM
BBlack updated the task description. (Show Details)Jul 27 2016, 9:32 PM
BBlack moved this task from Traffic team actively servicing to Backlog on the Traffic board.Sep 30 2016, 1:20 PM
BBlack moved this task from Backlog to TLS on the Traffic board.Sep 30 2016, 1:51 PM
elukey subscribed.Oct 14 2016, 10:19 AM
BBlack closed subtask T140128: HTTPS-only for stream.wikimedia.org as Declined.Dec 19 2016, 4:18 PM
BBlack updated the task description. (Show Details)Dec 19 2016, 4:33 PM
Esc3300 added a subtask: T153563: Consider switching to HTTPS for Wikidata query service links.Dec 23 2016, 10:32 AM
Liuxinyu970226 subscribed.Dec 23 2016, 11:56 AM
BBlack added a subtask: T168919: stream.wikimedia.org: remove legacy rcstream/socket.io HTTPS redirect hole punches.Jun 26 2017, 11:02 PM
BBlack added a comment.EditedJun 26 2017, 11:06 PM

The original point of this (now ~2 years old) tracking task was to track the very long tail of known but relatively-minor issues preventing us from reaching a full transition to modern HTTPS-only for all public-facing production things that the Foundation has control over, in the wake the transition for our major public hostnames announced in https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/ . This ticket has a danger of becoming an undead meta-task as more sub-tasks might topically accrete to it over time. It's not intended to replace the idea of a tag or a workboard column, after all, and we have such a thing in the TLS column of the Traffic workboard for tracking all other ongoing TLS improvements. The remaining set of valid open tasks is fairly small at this point and a few of them are near closing, so we're going to try to wind this ticket down completely over the next several months, and I'm going to unlink a few on categorical grounds today.

Remaining open tasks directly linked into here which need work before this closes:

  • T132521 Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination - still valid due to a couple of relevant subtasks:
    • T128559 store.wikimedia.org HTTPS issues - Still outstanding on the HSTS issue here
    • T137161 Fix nits in HTTPS/HSTS configs in externally-hosted fundraising domains - Looks due to close any day now, hopefully
  • T133548 Create a secure redirect service for large count of non-canonical / junk domains - Still relevant, hoping to close this out in the latter half of 2017
  • T168919 stream.wikimedia.org: remove legacy rcstream/socket.io HTTPS redirect hole punches - Relevant and newly-added (was missing)

Stuff I'm unlinking today as categorically inappropriate or unnecessary in the view of the original transition's long tail:

  • T92002 implement Public Key Pinning (HPKP) for Wikimedia domains - Unlinking, this is just a general improvement we'd like to have, but not required to close this IMHO (similar to other issues like CAA support, etc)
  • T153563 Consider switching to HTTPS for Wikidata query service links - Unlinking, as this is categorically an application-layer issue, and WDQS's actual basic TLS termination is standard and acceptable.
BBlack removed a subtask: T92002: implement Public Key Pinning (HPKP) for Wikimedia domains.Jun 26 2017, 11:07 PM
BBlack removed a subtask: T153563: Consider switching to HTTPS for Wikidata query service links.
BBlack updated the task description. (Show Details)Jun 26 2017, 11:12 PM
BBlack updated the task description. (Show Details)Jun 26 2017, 11:25 PM
BBlack updated the task description. (Show Details)
BBlack updated the task description. (Show Details)
BBlack closed subtask T168919: stream.wikimedia.org: remove legacy rcstream/socket.io HTTPS redirect hole punches as Resolved.Jul 11 2017, 12:58 AM
BBlack added a subtask: T128559: Enable HSTS on store.wikimedia.org for HTTPS.Jul 11 2017, 5:11 PM
BBlack closed subtask T132521: Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination as Resolved.
BBlack added a comment.Jul 11 2017, 5:14 PM

So with these changes and cleanups in the past few weeks, we're basically down to two outstanding issues here from the original context:

  • T133548 - Create a secure redirect service for large count of non-canonical / junk domains - Still relevant, there's some subtasks underneath about LE scaling, hoping to close this out in the latter half of 2017
  • T128559 - store.wikimedia.org HTTPS issues - Still outstanding on the HSTS issue here, no response lately...
BBlack updated the task description. (Show Details)Jul 11 2017, 5:15 PM
BBlack updated the task description. (Show Details)
BBlack updated the task description. (Show Details)Jul 11 2017, 5:19 PM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 8:11 PM
Restricted Application added a subscriber: Urbanecm. · View Herald TranscriptJan 26 2019, 8:11 PM
Vgutierrez closed subtask T217002: Make sure that services available for NDA-only users are using strong TLS ciphersuites as Resolved.Apr 8 2019, 2:00 PM
Chmarkine unsubscribed.Apr 8 2019, 10:38 PM
greg unsubscribed.Apr 11 2019, 9:37 PM
RobH unsubscribed.Mar 3 2020, 6:04 PM
BBlack closed this task as Resolved.Mar 18 2020, 6:54 PM

Resolving this, since it has become an undead tracker for too long. There are still two trailing issues, but having this over-arching tracking task above them isn't accomplishing anything:

T133548 - Create a secure redirect service for large count of non-canonical / junk domains - The various sub-tickets here have had lots of progress recently, and we're nearly to the finish-line for handling all non-canonicals, and this is all still on-track to complete.
T128559 - store.wikimedia.org HTTPS issues - HSTS still lacks preload/includesub, but after being unable to fix one header for 4 years here, I don't know if this will ever be fixed.

Aklapper closed subtask T133548: Create a secure redirect service for large count of non-canonical / junk domains as Resolved.Jun 17 2021, 9:30 PM
BCornwall changed the status of subtask T128559: Enable HSTS on store.wikimedia.org for HTTPS from Open to Stalled.Feb 3 2023, 5:39 PM
BCornwall changed the status of subtask T128559: Enable HSTS on store.wikimedia.org for HTTPS from Stalled to In Progress.Feb 8 2023, 6:40 PM
BCornwall changed the status of subtask T128559: Enable HSTS on store.wikimedia.org for HTTPS from In Progress to Stalled.Mar 24 2023, 10:45 PM
BCornwall closed subtask T128559: Enable HSTS on store.wikimedia.org for HTTPS as Declined.Mar 30 2023, 6:05 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL