Page MenuHomePhabricator

Communicate dropping IE8-on-XP support (a security change) to affected editors and other community members
Closed, ResolvedPublic

Description

T147199: Removing support for DES-CBC3-SHA TLS cipher (drops IE8-on-XP support) needs to be communicated to affected editors. This will need some CL time (part-time for about four months).

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
ayounsi removed a subscriber: ayounsi.Aug 3 2017, 6:09 PM

Update: Today is the start date for going to 5%. Before we pull that trigger sometime later (perhaps much later) today, I'm working on a few other things:

  1. Creating a wikitech page with technical details about both the deprecation process/timeline and the rationale, to link elsewhere (e.g. on the browser rec page).
  2. Importing some of the translations that exist so far into the warning page, along with various other suggested wording updates.

I've left another note about this at enwiki's VPT: https://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_(technical)&diff=795973850&oldid=795961036

That's where experienced editors are most likely end up, if they see these errors and are confused.

Ok thanks!

I've done (1) above here: https://wikitech.wikimedia.org/wiki/HTTPS/3DES_Deprecation . Will link that back into the browser recommendation page when I updated it for dates in a few minutes as well. It's probably not helpful for most end-users, but it lays everything out in deeper technical terms, especially the rationale section.

Izno added a subscriber: Izno.Aug 17 2017, 6:33 PM

I have a dumb question! 😃

Currently, https://en.wikipedia.org/test-sec-warning says "Our HTTPS: Browser Recommendations page on wikitech has more-detailed information on fixing this situation." However, if wikitech is going the same way as the rest of the wikis experiencing this phenomenon (I expect it will), then the user will also be unable to access that link at some point in the future.

It's a very valid question :)

Around the time of the final date of protocol-level removal (~Nov 17), 3DES will stop working for most of our sites, Wikitech included, at which point nobody can view any of these messages or warnings directly. However, the ramp-up in pageview replacements with the https://en.wikipedia.org/test-sec-warning is happening only on our standard Varnish termination layer. This affects all of the major wiki projects in all languages, but doesn't apply to a handful of our sites which are on separate internet-facing infrastructure, including Wikitech and a few other more-technical sites/tools.

The information could also be duplicated on the blog, I suppose. @EdErhart-WMF, will you want a blog post about this anyway?

Johan added a comment.Aug 17 2017, 7:19 PM

Maybe it would be possible to have a "Translate" link after the translated languages?

Maybe worth adding a link to https://www.ssllabs.com/ssltest/viewMyClient.html to the error page so people can check their cipher support ?

Johan added a comment.Aug 17 2017, 7:42 PM

I imagine people who use IE8 on XP mainly fall into two categories: those who have no control over their work environment, and those who are easily confused by computer technology and don't really know what a cipher is.

Hopefully in the former case, they'll complain to their IT department and they'll fix it, and hopefully in the latter they'll blindly trust our Firefox links and find their way out of this mess from there :)

Testing updated HTML with some translations and a translate link (and other minor cleanups) at https://pinkunicorn.wikimedia.org/test-sec-warning . Will push something like this to the real one at https://en.wikipedia.org/test-sec-warning before upping percentage. Thoughts? Further tweaks? Mistakes? :)

Update: noticed I had en-US firefox links in all of the translations. Updated them all now.

Looks good to me, go for it :-)

Testing updated HTML with some translations and a translate link (and other minor cleanups) at https://pinkunicorn.wikimedia.org/test-sec-warning . Will push something like this to the real one at https://en.wikipedia.org/test-sec-warning before upping percentage. Thoughts? Further tweaks? Mistakes? :)

A few nits:

  • Consistently use lower case attribute names, e.g. dir="rtl".
  • Add missing lang attributes to all the non-English paragraphs. Both for semantic reasons, maintenance (easier to update in-place without knowing the language), and possibly to help assistive technology.
  • Prefix each paragraph content with the autonym for that language as well for end-users, which should make it significantly easier to find your language and less visually distracting for the mind when reading by naturally not needing to look through the other paragraphs.

Example:

<p lang="de"><strong>Deutsch:</strong> Die Wikimedia-Wikis werden bald ...</p>

Update: noticed I had en-US firefox links in all of the translations. Updated them all now.

Heh, I had been updating the translations with the localised links.

  • Prefix each paragraph content with the autonym for that language as well for end-users, which should make it significantly easier to find your language and less visually distracting for the mind when reading by naturally not needing to look through the other paragraphs.

Choose between them with javascript, like in the error page?

Krinkle added a comment.EditedAug 17 2017, 8:49 PM
  • Prefix each paragraph content with the autonym for that language as well for end-users, which should make it significantly easier to find your language [..]

Choose between them with javascript, like in the error page?

That JavaScript is no longer in production. Something similar could be written at some point, and is planned for the error page redesign, but perhaps not the best time to try and push it out as part of this. If you're able to write something up that's simple, secure, Grade C compatible, and accessible, I'd be willing to review it.

Thanks! Updated for all the above as best I can (I'm not 100% sure on the language-name text prefix for Arabic and Chinese, but took a good stab from http://mediaglyphs.org/mg/?p=langnames ), I guess someone that knows better can recommend a further fixup?

I also re-ordered everything (except English at the top as canonical) according to language popularity from https://en.wikipedia.org/wiki/List_of_languages_by_number_of_native_speakers .

Change 372448 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] 3DES Deprecation: internationalize and update warning

https://gerrit.wikimedia.org/r/372448

patch above is the same changes as a real changeset (it's just hard to review them that way, simpler manually on https://pinkunicorn.wikimedia.org/test-sec-warning ).

After a couple of other minor nits, going to push the above as it stands. We can iterate further as necessary, at least it's an improvement on the original!

Change 372448 merged by BBlack:
[operations/puppet@production] Deprecation of 3DES: internationalize and update warning

https://gerrit.wikimedia.org/r/372448

Change 372467 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Deprecation of 3DES: Bump pageview replacement to 5%

https://gerrit.wikimedia.org/r/372467

patch above is the same changes as a real changeset (it's just hard to review them that way, simpler manually on https://pinkunicorn.wikimedia.org/test-sec-warning ).

Thanks for adding the lang attributes. I also realised that one of the benefits this has is that browsers will pick a better and more suitable default font for the entire paragraph. For example, here is Japanese:

AfterBefore

Change 372467 merged by BBlack:
[operations/puppet@production] Deprecation of 3DES: Bump pageview replacement to 5%

https://gerrit.wikimedia.org/r/372467

Clearly I don't check my Phab notifications enough! Happy to run a blog post on this, perhaps framed in the context of protecting our community members/readers?

Johan added a comment.Aug 21 2017, 4:34 PM

Maybe it would be possible to have a "Translate" link after the translated languages?

... wait, that was a stupid suggestion. My apologies. I momentarily forgot we're almost only showing this page to users who won't be able to use our translation tools on Meta (they depend on JavaScript).

Heh yeah I guess you're right. Still, I added it to the current page, and we seemed to have picked up some new translations over the weekend. I can pull the link back out of there on the next update if that makes more sense.

Change 373086 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: add pt, bn, ru, sv, he, sq

https://gerrit.wikimedia.org/r/373086

Change 373087 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Varnish: move errorpage/browsersec to common code

https://gerrit.wikimedia.org/r/373087

Change 373088 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: remove wiki-colon filtering

https://gerrit.wikimedia.org/r/373088

Change 373086 merged by BBlack:
[operations/puppet@production] browsersec: add pt, bn, ru, sv, he, sq

https://gerrit.wikimedia.org/r/373086

Change 373087 merged by BBlack:
[operations/puppet@production] Varnish: move errorpage/browsersec to common code

https://gerrit.wikimedia.org/r/373087

Change 373088 merged by BBlack:
[operations/puppet@production] browsersec: remove wiki-colon filtering

https://gerrit.wikimedia.org/r/373088

Change 373099 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: add back wiki-colon filtering for text only

https://gerrit.wikimedia.org/r/373099

Change 373099 merged by BBlack:
[operations/puppet@production] browsersec: add back wiki-colon filtering for text only

https://gerrit.wikimedia.org/r/373099

Change 373726 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] 3DES Deprecation: bump to 8%

https://gerrit.wikimedia.org/r/373726

Change 373726 merged by BBlack:
[operations/puppet@production] Deprecation of 3DES: bump to 8%

https://gerrit.wikimedia.org/r/373726

leila added a subscriber: leila.Aug 28 2017, 5:48 PM

I see that the Arabic text in the banner is broken. I'm looking at this page. This should not go like this to Arabic speakers. :) Can someone look into it? (I don't know Arabic fluently, but I know enough to be able to explain to whoever picks this up what's wrong in the text.)

Also, if you need help with Persian translation, let me know and I'll work on it.

Thanks for reporting. We've looked into it and got a native speaker of Arabic to point out what needs to be fixed.

Translations are always welcome. They can be done here:
https://meta.wikimedia.org/wiki/User:Johan_(WMF)/IE8XP

Change 374585 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: update ar translation

https://gerrit.wikimedia.org/r/374585

Change 374585 merged by BBlack:
[operations/puppet@production] browsersec: update ar translation

https://gerrit.wikimedia.org/r/374585

leila added a comment.Aug 29 2017, 5:50 PM

Thanks for reporting. We've looked into it and got a native speaker of Arabic to point out what needs to be fixed.

Great! (I still don't see the change in the link, but I guess you will push it later.:)

Translations are always welcome. They can be done here:
https://meta.wikimedia.org/wiki/User:Johan_(WMF)/IE8XP

ok. {{done}}

Change 374602 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: add fa translation

https://gerrit.wikimedia.org/r/374602

Change 374602 merged by BBlack:
[operations/puppet@production] browsersec: add fa translation

https://gerrit.wikimedia.org/r/374602

Change 374604 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: add missing dir=rtl for fa

https://gerrit.wikimedia.org/r/374604

Change 374604 merged by BBlack:
[operations/puppet@production] browsersec: add missing dir=rtl for fa

https://gerrit.wikimedia.org/r/374604

Change 374605 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: re-order languages slightly

https://gerrit.wikimedia.org/r/374605

Change 374605 merged by BBlack:
[operations/puppet@production] browsersec: re-order languages slightly

https://gerrit.wikimedia.org/r/374605

Nirmos added a subscriber: Nirmos.Aug 30 2017, 10:29 PM

Change 375107 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Deprecation of 3DES: bump to 11%

https://gerrit.wikimedia.org/r/375107

Change 375107 merged by BBlack:
[operations/puppet@production] Deprecation of 3DES: bump to 11%

https://gerrit.wikimedia.org/r/375107

Change 376309 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: affect API calls and non-GET as well

https://gerrit.wikimedia.org/r/376309

Change 376310 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 14% 2017-09-07

https://gerrit.wikimedia.org/r/376310

Change 376311 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 17% 2017-09-14

https://gerrit.wikimedia.org/r/376311

Change 376312 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 20% 2017-09-21

https://gerrit.wikimedia.org/r/376312

Change 376313 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 23% 2017-09-28

https://gerrit.wikimedia.org/r/376313

Change 376314 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 26% 2017-10-05

https://gerrit.wikimedia.org/r/376314

Change 376315 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 29% 2017-10-12

https://gerrit.wikimedia.org/r/376315

Change 376316 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 100% 2017-10-17

https://gerrit.wikimedia.org/r/376316

Change 376309 merged by BBlack:
[operations/puppet@production] browsersec: affect API calls and non-GET as well

https://gerrit.wikimedia.org/r/376309

Krinkle removed a subscriber: Krinkle.Sep 6 2017, 8:29 PM

Change 376310 merged by BBlack:
[operations/puppet@production] browsersec: bump to 14% 2017-09-07

https://gerrit.wikimedia.org/r/376310

BBlack added a comment.Sep 8 2017, 4:05 PM

Thanks! So far, I haven't heard of any huge community pushback, which is awesome :)

Johan added a comment.Sep 8 2017, 4:37 PM

To be honest, most of the community is blissfully unaware this is happening. But unless you bring out all the bells and whistles and the blinking lights, that's always going to be the case. (: We've put the information out through Tech News and the normal channels for technical updates, we're making sure those who are actually affected get to know it and so on.

The communities tend to be reasonable when you do something for good reason, and especially the fact that there's some sort of risk for everyone else in letting 0,1% connect to the wikis the way they are is a pretty reasonable argument for doing this.

Change 376311 merged by BBlack:
[operations/puppet@production] browsersec: bump to 17% 2017-09-14

https://gerrit.wikimedia.org/r/376311

Change 376312 merged by BBlack:
[operations/puppet@production] browsersec: bump to 20% 2017-09-21

https://gerrit.wikimedia.org/r/376312

Change 376313 merged by BBlack:
[operations/puppet@production] browsersec: bump to 23% 2017-09-28

https://gerrit.wikimedia.org/r/376313

Johan added a comment.Oct 4 2017, 4:16 AM

There will be a new reminder in the issue of Tech News going out to the communities on October 16..

Change 376314 merged by BBlack:
[operations/puppet@production] browsersec: bump to 26% 2017-10-05

https://gerrit.wikimedia.org/r/376314

Change 376315 merged by BBlack:
[operations/puppet@production] browsersec: bump to 29% 2017-10-12

https://gerrit.wikimedia.org/r/376315

Change 384578 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] ssl_ciphersuite: dump 3DES on 2017-11-17

https://gerrit.wikimedia.org/r/384578

Change 376316 merged by BBlack:
[operations/puppet@production] browsersec: bump to 100% 2017-10-17, update translations

https://gerrit.wikimedia.org/r/376316

Change 384707 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: use status code 403

https://gerrit.wikimedia.org/r/384707

Change 384707 merged by BBlack:
[operations/puppet@production] browsersec: use status code 403

https://gerrit.wikimedia.org/r/384707

Change 384578 merged by BBlack:
[operations/puppet@production] ssl_ciphersuite: dump 3DES on 2017-11-17

https://gerrit.wikimedia.org/r/384578

BBlack closed this task as Resolved.Nov 17 2017, 3:48 PM

Done here I think as well, thanks everyone :)

Qgil awarded a token.
Qgil added a subscriber: Qgil.
Johan moved this task from Do now to Archive on the User-Johan board.Jan 10 2018, 4:31 PM