HTTPS Plans (tracking / high-level info)
Open, NormalPublic

Description

Some of the information out there about where we are and where we're going is a bit disparate and lost in the noise of many separate Tasks and impending gerrit commits. This is an attempt to bring together a coherent view of the current state of things, the next upcoming steps, etc. If you know information that isn't here (missing Task refs, etc) please feel free to correct it! The Description here will evolve as we go, use comments to discuss, etc.

  • Definitions
    • Canonical domains: wikipedia.org, wikimedia.org, wiktionary.org, wikiquote.org, wikibooks.org, wikisource.org, wikinews.org, wikiversity.org, wikidata.org, wikivoyage.org, wikimediafoundation.org, mediawiki.org, wmfusercontent.org, w.wiki.
    • Non-canonical domains: Anything not in the list above. These are generally redirect-only domains such as wikimedia.ee, wikizpravy.cz, wikimediacommons.jp.net, etc
    • Traffic Clusters: These are the text, upload, and misc traffic clusters which do standardized TLS termination for the bulk of all our HTTP[S] traffic to all of our domainnames.
    • One-off Services: These are individual internet-facing HTTP[S] services which are not terminated by one of the standard traffic clusters above and run their own independently-configured internet-facing server software (e.g. nginx or apache). They are in our control and hosted in our datacenters.
    • Third-party: These are HTTPS[S] service hostnames in our canonical domains which are hosted by a 3rd-party service for us.
  • Current State of Affairs - HTTPS, Redirects, and HSTS
    • Our desired state is:
      • Modern TLS (v1.2, FS/AEAD ciphers enabled, sane ordering, no publicly-known TLS flaws)
      • HTTP: 301 redirect of GET/HEAD to HTTPS, 403 denial of other methods.
      • HSTS with 1yr duration, preload, includeSub
      • All canonical domains (not individual service hostnames) submitted to the Chromium preload lists
    • Outstanding Exceptions:
      • Non-canonical domains (all are currently serviced by our Traffic Clusters): No valid certificates. Task to move these to a separate service with LetsEncrypt certs: T133548
      • Third-party: store.wikimedia.org HSTS issues - T128559
  • Current State of Affairs - Crypto Compatibility vs Security Tradeoffs
    • Dashboard for negotiated ciphers: https://grafana.wikimedia.org/#/dashboard/db/tls-ciphers
    • As a general rule, none of our HTTPS endpoints should support SSLv2 or SSLv3. I don't believe there are any exceptions to this today. The only client browser anyone cares much about which lacks TLSv1.0 (or higher) support and is blocked by this is IE6 on Windows XP (which, due to our redirects and lack of SSLv3 support, cannot access our HTTPS-redirected sites at all anymore).
    • We maintain explicit ciphersuite lists in our puppet repo that are intended to be shared by all TLS termination software for all cases. There are three choices a site/service can choose from at this time: strong, mid, and compat. See that file for the evolving details

Related Objects

StatusAssignedTask
OpenBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedTgr
ResolvedTgr
ResolvedBBlack
ResolvedArielGlenn
ResolvedChmarkine
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedCCogdill_WMF
DeclinedBBlack
DuplicateBBlack
ResolvedBBlack
ResolvedNone
DeclinedKrinkle
ResolvedJgreen
ResolvedChmarkine
ResolvedBBlack
ResolvedKrenair
ResolvedJgreen
ResolvedRobH
DuplicateNone
ResolvedBBlack
InvalidNone
ResolvedBBlack
ResolvedDzahn
Resolvedezachte
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedDzahn
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
DuplicateNone
ResolvedBBlack
ResolvedPchelolo
ResolvedPchelolo
Declinedvalhallasw
ResolvedWhatamidoing-WMF
Declinedori
OpenNone
ResolvedBBlack
OpenNone
OpenNone
DuplicateNone
DeclinedNone
Resolved AlexMonk-WMF
Resolvedfaidon
ResolvedBBlack
OpenNone
ResolvedNone
ResolvedKrinkle
ResolvedKrinkle
ResolvedBBlack
There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptJul 3 2015, 4:58 AM
BBlack moved this task from Triage to In Progress on the Traffic board.Jul 3 2015, 5:20 AM
BBlack updated the task description. (Show Details)Jul 3 2015, 12:41 PM
BBlack set Security to None.
BBlack updated the task description. (Show Details)
BBlack updated the task description. (Show Details)Jul 3 2015, 1:11 PM
BBlack updated the task description. (Show Details)Jul 4 2015, 4:56 PM
BBlack updated the task description. (Show Details)Jul 4 2015, 8:20 PM
BBlack updated the task description. (Show Details)Jul 6 2015, 3:07 PM

Notable changes today:
Switch to compat-dhe: T104281 - pending gerrit commit to switch: https://gerrit.wikimedia.org/r/#/c/222023/ . Probably going out today (July 6).
Dashboard for negotiated protocols/ciphers: https://tessera.wikimedia.org/dashboards/6/tls

BBlack updated the task description. (Show Details)Jul 7 2015, 12:21 AM
BBlack updated the task description. (Show Details)Jul 7 2015, 5:23 AM
BBlack updated the task description. (Show Details)Jul 7 2015, 2:53 PM
BBlack updated the task description. (Show Details)Jul 14 2015, 12:11 AM
BBlack updated the task description. (Show Details)
BBlack updated the task description. (Show Details)Jul 14 2015, 12:13 AM
BBlack updated the task description. (Show Details)Jul 14 2015, 12:54 AM
BBlack updated the task description. (Show Details)Jul 14 2015, 2:58 PM
BBlack updated the task description. (Show Details)
BBlack updated the task description. (Show Details)Jul 14 2015, 4:12 PM
BBlack updated the task description. (Show Details)
BBlack updated the task description. (Show Details)Jul 28 2015, 6:07 PM
ori added a comment.Jul 28 2015, 6:13 PM

submitted to the Chromium HSTS Preload list

The Chromium project indicates that they are willing to special-case certain requests, and that petitioners should write to Adam Langley <agl@google.com>. Maybe they could accelerate our inclusion in the list?

I think that's mostly about agl special-casing exemptions to the list of rules for automatic inclusion to the master list in git (the ones about restrictions on implementation details), not about accelerating the process for getting the updated list into browsers faster. The list gets fairly regularly batch-updated in git, and then I imagine that factors into merging into release branches for Chrom(e|ium) or pulls into remote release branches for FF/IE/Safari at regular intervals. agl actually checks and commits the list updates himself, I'm sure he's noticed our submission if that has any bearing on anything :)

greg updated the task description. (Show Details)Aug 27 2015, 4:13 AM
BBlack updated the task description. (Show Details)Sep 9 2015, 3:46 PM
Dzahn moved this task from Backlog to Big Picture on the HTTPS board.Dec 4 2015, 8:45 PM
BBlack updated the task description. (Show Details)Apr 12 2016, 11:33 AM
BBlack updated the task description. (Show Details)Apr 12 2016, 4:28 PM
BBlack updated the task description. (Show Details)Apr 13 2016, 6:21 PM
BBlack updated the task description. (Show Details)Apr 15 2016, 10:42 AM
Krinkle removed a subscriber: Krinkle.Apr 16 2016, 1:03 AM
BBlack updated the task description. (Show Details)Apr 21 2016, 9:31 PM
BBlack updated the task description. (Show Details)Jun 6 2016, 10:57 PM
BBlack updated the task description. (Show Details)Jul 19 2016, 10:29 PM
BBlack updated the task description. (Show Details)Jul 27 2016, 7:44 PM
BBlack updated the task description. (Show Details)Jul 27 2016, 9:32 PM
BBlack moved this task from In Progress to Triage on the Traffic board.Sep 30 2016, 1:20 PM
BBlack moved this task from Triage to TLS on the Traffic board.Sep 30 2016, 1:51 PM
elukey added a subscriber: elukey.Oct 14 2016, 10:19 AM
BBlack updated the task description. (Show Details)Dec 19 2016, 4:33 PM
BBlack added a comment.EditedJun 26 2017, 11:06 PM

The original point of this (now ~2 years old) tracking task was to track the very long tail of known but relatively-minor issues preventing us from reaching a full transition to modern HTTPS-only for all public-facing production things that the Foundation has control over, in the wake the transition for our major public hostnames announced in https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/ . This ticket has a danger of becoming an undead meta-task as more sub-tasks might topically accrete to it over time. It's not intended to replace the idea of a tag or a workboard column, after all, and we have such a thing in the TLS column of the Traffic workboard for tracking all other ongoing TLS improvements. The remaining set of valid open tasks is fairly small at this point and a few of them are near closing, so we're going to try to wind this ticket down completely over the next several months, and I'm going to unlink a few on categorical grounds today.

Remaining open tasks directly linked into here which need work before this closes:

  • T132521 Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination - still valid due to a couple of relevant subtasks:
    • T128559 store.wikimedia.org HTTPS issues - Still outstanding on the HSTS issue here
    • T137161 Fix nits in HTTPS/HSTS configs in externally-hosted fundraising domains - Looks due to close any day now, hopefully
  • T133548 Create a secure redirect service for large count of non-canonical / junk domains - Still relevant, hoping to close this out in the latter half of 2017
  • T168919 stream.wikimedia.org: remove legacy rcstream/socket.io HTTPS redirect hole punches - Relevant and newly-added (was missing)

Stuff I'm unlinking today as categorically inappropriate or unnecessary in the view of the original transition's long tail:

  • T92002 implement Public Key Pinning (HPKP) for Wikimedia domains - Unlinking, this is just a general improvement we'd like to have, but not required to close this IMHO (similar to other issues like CAA support, etc)
  • T153563 Consider switching to HTTPS for Wikidata query service links - Unlinking, as this is categorically an application-layer issue, and WDQS's actual basic TLS termination is standard and acceptable.
BBlack updated the task description. (Show Details)Jun 26 2017, 11:12 PM
BBlack updated the task description. (Show Details)Jun 26 2017, 11:25 PM
BBlack updated the task description. (Show Details)
BBlack updated the task description. (Show Details)

So with these changes and cleanups in the past few weeks, we're basically down to two outstanding issues here from the original context:

  • T133548 - Create a secure redirect service for large count of non-canonical / junk domains - Still relevant, there's some subtasks underneath about LE scaling, hoping to close this out in the latter half of 2017
  • T128559 - store.wikimedia.org HTTPS issues - Still outstanding on the HSTS issue here, no response lately...
BBlack updated the task description. (Show Details)Jul 11 2017, 5:15 PM
BBlack updated the task description. (Show Details)
BBlack updated the task description. (Show Details)Jul 11 2017, 5:19 PM