
Re-evaluate use of EV certificates for payments.wm.o?
Open, Normal, Public

Description

payments.wikimedia.org is the only domain I am aware of at Wikimedia that uses an EV cert (it was mentioned in T155806 among other places), and based on SAL Archive 19 they've been in use there for 7 years. It's also expiring relatively soon, on the 25th October. Per this post, the value of such certificates is now more in question than ever (in addition to people not really paying attention to them before, some popular browsers are no longer indicating EV status), so I'm thinking that (instead of someone immediately just going and getting a renewal) it may be worth re-evaluating whether it's worth the foundation continuing to spend (presumably) extra money on this. I don't know if that would necessarily mean getting an OV cert like the rest of the fundraising domains, or considering setting up for Let's Encrypt certs, or getting some commercial DV cert.
(I noticed the main page was redirecting me away to donate.wm.o so I did some digging and found that it actually hosts a MediaWiki install: https://payments.wikimedia.org/index.php/Special:SpecialPages)

Event Timeline

Krenair created this task. Sep 20 2018, 10:14 AM
Restricted Application added a project: Operations. Sep 20 2018, 10:14 AM
Restricted Application added a subscriber: Aklapper.
Krenair updated the task description. (Show Details) Sep 20 2018, 10:14 AM

Just to emphasise, it's not doing anything special on Chrome on my Android phone, and the article linked above shows similar things on some browsers on iOS:

Krenair updated the task description. (Show Details) Sep 20 2018, 10:36 AM
JW added a subscriber: JW. Sep 22 2018, 1:22 PM
MoritzMuehlenhoff triaged this task as Normal priority. Sep 25 2018, 10:28 AM
ema moved this task from Triage to TLS on the Traffic board. Oct 1 2018, 9:37 AM
Liuxinyu970226 added a subscriber: Liuxinyu970226. Edited Oct 8 2018, 2:54 AM

@Krenair please, no more DV certs; that's the reason why jawiki, ugwiki, wuuwiki, zhwiki, zh-yuewiki and zhwikinews are SNI RSTed by GFW, because DV and some kinds of OV certs can still provide SNI information regularly (T205378).

Jgreen added a subscriber: Jgreen.

EV certs do seem to have lost almost all their value. That said the cost difference over an OV cert is under $100. Also, I'm not sure whose decision this is--I'm adding Fundraising-Backlog and removing fr-tech-ops to bump it up the chain.

> @Krenair please, no more DV certs; that's the reason why jawiki, ugwiki, wuuwiki, zhwiki, zh-yuewiki and zhwikinews are SNI RSTed by GFW, because DV and some kinds of OV certs can still provide SNI information regularly (T205378).

Does that actually have anything to do with whether the cert is DV vs. OV vs. EV?

> I'm not sure whose decision this is--I'm adding Fundraising-Backlog and removing fr-tech-ops to bump it up the chain.

Presumably whoever would be responsible for purchasing a renewal has to consider this.

BBlack added a subscriber: BBlack.Oct 10 2018, 2:03 PM

> @Krenair please, no more DV certs; that's the reason why jawiki, ugwiki, wuuwiki, zhwiki, zh-yuewiki and zhwikinews are SNI RSTed by GFW, because DV and some kinds of OV certs can still provide SNI information regularly (T205378).
>
> Does that actually have anything to do with whether the cert is DV vs. OV vs. EV?

No, it doesn't. SNI is a property of TLS that's independent of certificate type. Encrypted SNI will probably eventually be a standard, but that's whole separate matter.
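To make the point above concrete, here is an added example (not code from the thread or from Wikimedia's tooling) that builds a minimal TLS 1.2 ClientHello and pulls the server_name back out of it. The ClientHello is constructed in the script rather than captured; the hostname, cipher suite and fixed client random are assumptions for illustration. Nothing in the parser needs a key or a certificate, because the record is the first thing the client sends and is not yet encrypted, which is why a middlebox can match on it whether the server's certificate is DV, OV or EV.

```python
"""Extract the SNI hostname from a plaintext TLS 1.2 ClientHello.

Added example, not part of the Phabricator thread. The ClientHello is
constructed here (not captured traffic). The server's certificate, of
whatever validation level, only arrives later in the handshake.
"""
import struct

SNI_EXT_TYPE = 0x0000  # extension type for server_name (RFC 6066)


def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record, optionally carrying SNI."""
    name = hostname.encode("ascii")
    # ServerNameList: list length, then NameType(0 = host_name), name length, name
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", SNI_EXT_TYPE, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + b"\x11" * 32                         # client random (constructed, fixed)
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"                          # one compression method: null
    )
    if with_sni:
        # A ClientHello with no extensions omits the extensions length field entirely.
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension, or None if there is none.

    Walks the plaintext record exactly as an on-path observer can.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None                            # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                            # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                               # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos + 2 > len(body):
        return None                            # no extensions at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXT_TYPE:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if name_type == 0:                 # host_name
                return data[p:p + name_len].decode("ascii")
            p += name_len
    return None


def censor_would_reset(record: bytes, blocked: set) -> bool:
    """Toy model of an SNI-matching middlebox: the decision is made from the
    ClientHello alone, before any certificate has been seen."""
    host = extract_sni(record)
    return host is not None and host in blocked


if __name__ == "__main__":
    hello = build_client_hello("payments.wikimedia.org")
    print(extract_sni(hello))
    print(censor_would_reset(hello, {"payments.wikimedia.org"}))
```

The hostname is present as literal bytes in the record, so the only thing that hides it from an on-path observer is encrypting the ClientHello itself, which is what the ESNI drafts (and their successor, Encrypted Client Hello) set out to do; changing the certificate type does nothing to it.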

> Presumably whoever would be responsible for purchasing a renewal has to consider this.

It's one thing to keep renewing a cert and another to reevaluate the cost:benefit and decide to change the type. I've asked a couple times over the years if we want to stick with EV and so far the answer is yes. Today the cert cost is so low that I will be surprised if the Fundraising team changes its decision, but we'll see!

The kicker probably wouldn't be the monetary cost. It would be that if you didn't require EV, you could auto-issue certs from LetsEncrypt and get rid of manually worrying about them ever again.

> The kicker probably wouldn't be the monetary cost. It would be that if you didn't require EV, you could auto-issue certs from LetsEncrypt and get rid of manually worrying about them ever again.

True, and we're working on that for other FR hosts. For this host specifically it's snagglier than production because we would have to figure out how to handle LE's cert exchange/renewal in a way that doesn't perturb PCI compliance.

@BBlack I have been exploring options and it sounds like the DNS TXT record challenge would allow us to issue certs without disturbing the hosts. Do you have any caveats about this approach?

Krenair added a comment. Edited Oct 10 2018, 4:48 PM

That is being set up for prod at the moment actually, but it relies on trusted servers SSHing to prod auth DNS machines. I'm not sure frack servers would get that kind of access and they technically can't take advantage of the prod service (even if it were PCI compliant to do so - which I doubt - they don't have prod puppet certs AFAIK). Alternatively you could have someone manually renew every 90 days but that's likely not worth the effort. How complex is the payments site? Is it possible to do http challenges there?

> How complex is the payments site? Is it possible to do http challenges there?

Off the top of my head I can't remember if hosting an http site on an in-scope server is explicitly prohibited. Even if it isn't, it would cause us to fail compliance scans because it would appear that we allow payments over plain http. You'll see that we don't even host an http->https redirect anymore because of this.

Krenair added a comment. Edited Oct 10 2018, 5:47 PM

> How complex is the payments site? Is it possible to do http challenges there?
>
> Off the top of my head I can't remember if hosting an http site on an in-scope server is explicitly prohibited. Even if it isn't, it would cause us to fail compliance scans because it would appear that we allow payments over plain http. You'll see that we don't even host an http->https redirect anymore because of this.

Oh wow, okay - I was expecting you to say it was behind LVS or something but not that. I think LE's HTTP challenges will follow redirects over to HTTPS but I don't know how it behaves if your server doesn't allow unencrypted HTTP on port 80 at all. There is another challenge type called TLS-ALPN-01 which I don't know much about but I doubt it's easy to implement.

I guess you could come up with some way of frack servers requesting certs from LE and specifying a DNS challenge, publishing their challenge data somewhere for a script on a prod auth DNS server to pick up, which then puts it into the DNS data. But that might be more effort than it's worth.
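For the DNS TXT challenge asked about earlier and the handoff idea just above, here is an added example (not the thread's or Wikimedia's tooling) of what the three ACME challenge responses actually are, computed the way RFC 8555 (HTTP-01, DNS-01) and RFC 8737 (TLS-ALPN-01) define them. The account JWK and the token are constructed here, not real; the handoff record format, `validate_handoff`, and the `ALLOWED_DOMAINS` list are assumptions about what a script on the auth DNS side would enforce before publishing anything handed to it by an in-scope host.

```python
"""ACME challenge responses computed offline, plus the check a DNS-side
publisher should apply to a record handed off from another host.

Added example, not from the thread. Account key and token are constructed.
"""
import base64
import hashlib
import json
import re

# Members that go into the RFC 7638 thumbprint, per key type.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}

# Assumption: the zones the auth DNS script is willing to publish challenges for.
ALLOWED_DOMAINS = {"payments.wikimedia.org"}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JOSE use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexicographically
    ordered, no whitespace. Extra members (alg, kid, ...) are ignored."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(domain: str, token: str, jwk: dict):
    """HTTP-01: the key authorization served at the well-known URL over port 80."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict):
    """DNS-01: TXT record at _acme-challenge.<domain> holding
    base64url(SHA-256(keyAuthorization)). Only DNS is touched."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def tls_alpn01_acme_identifier(token: str, jwk: dict) -> bytes:
    """TLS-ALPN-01: SHA-256(keyAuthorization), placed in the acmeIdentifier
    extension of a self-signed cert the host itself must serve on port 443
    when the CA negotiates ALPN 'acme-tls/1'."""
    return hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()


def validate_handoff(entry: dict) -> bool:
    """Assumed check on the DNS side before publishing a handed-off record:
    only _acme-challenge names under approved domains, and only values shaped
    like an unpadded base64url SHA-256 digest, so the handoff channel cannot
    be used to publish arbitrary records."""
    name = entry.get("name", "")
    value = entry.get("value", "")
    prefix = "_acme-challenge."
    if not name.startswith(prefix) or name[len(prefix):] not in ALLOWED_DOMAINS:
        return False
    return re.fullmatch(r"[A-Za-z0-9_-]{43}", value) is not None


# Constructed account key and token for illustration; not a real key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 65)))}
TOKEN = "constructed-token-ABC123"


if __name__ == "__main__":
    name, value = dns01_record("payments.wikimedia.org", TOKEN, ACCOUNT_JWK)
    handoff = {"name": name, "value": value}  # what the frack side would publish
    print(json.dumps(handoff))
    print("publish" if validate_handoff(handoff) else "reject")
```

Two practical notes follow from the code rather than from the thread: DNS-01 is the only one of the three that never requires the in-scope host to answer anything, since HTTP-01 needs port 80 (Let's Encrypt does follow redirects, including to HTTPS, but there still has to be something listening) and TLS-ALPN-01 needs the host to present a special self-signed certificate on 443; and the DNS-side validation matters because whatever channel carries the `{name, value}` pair out of the PCI environment becomes a way to write to public DNS unless it is constrained to this exact record shape.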

> Oh wow, okay - I was expecting you to say it was behind LVS or something but not that.

Ha, well there is that too, it just didn't occur to me!