Page MenuHomePhabricator

Concept URI in sidebar on Wikidata uses HTTP instead of HTTPS
Open, Needs TriagePublic

Description

Problem
The "Concept URI" in the sidebar of Wikibase entities, uses HTTP instead of HTTPS. While I assume HTTP is used for conformity, if someone were to access it over HTTP (and then redirected), it would reveal what entity they were attempting to access to the public network. Also, a redirect is a "round trip" (the client has to wait for the headers before making another request to the Location) that is unnecessary.

Solution
To increase the privacy of our users and reduce the number of redirects, we should change this sidebar link to be the same protocol as the page, which is HTTPS.

Event Timeline

So, the concept URI is http.
Perhaps we should:

  • Make the link very obviously marked as not secure?
  • Remove the link, possibly providing the concept URI in plain text on the page info page?

Thoughts @Lydia_Pintscher ?

So, the concept URI is http.

Do we not support https concept URIs?

See T153563#2884409 and the comment added in https://gerrit.wikimedia.org/r/#/c/operations/mediawiki-config/+/473292/8/wmf-config/InitialiseSettings.php

The concept URI should be http.

Another option might be to change what this link says and then use https?

I think since the URI is a redirect anyways (and is rather confusing if you don't know that), then my preference would be to show it as plaintext (maybe at the bottom of the page in the "footer")?

Maybe somewhere near "This page was last edited on 17 June 2019, at 18:54." text.

I think we need to think about this more globally together with T109420 and T85633 to come up with a suitable solution.

Wikidata seems to lag in terms of implementation of https compared to other parts of WMF. Can we do something about it?

Wikidata seems to lag in terms of implementation of https compared to other parts of WMF. Can we do something about it?

Wikidata does implement https everywhere.
The concept URI however is a slightly trickier issue being a linked data identifier.
But switching to https is possible but would require planing, communication etc.

In T153563#2884409 @Smalyshev said:

Thus, I do not think we should change our identifier scheme to diverge from what is used in every other linked data application.

I wonder if the norm is switching toward https now? Perhaps we should follow?

I wonder if the norm is switching toward https now? Perhaps we should follow?

It kinda appears (from what I can tell) that either is supported. When using the URI as a URL, on every single one of the examples on T153563#2884409, you get redirected to https. However, the pages then list the URL as http.

I didn't dig too deeply into the docs, but schema.org for sure explicitly mentions that either is supported. Perhaps that's a good strategy for us? default to http, but allow https?

or perhaps the simplest solution is to display it plaintext, though, we probably ought to also support https in WDQS, etc.

So, the concept URI is http.
Perhaps we should:

  • Make the link very obviously marked as not secure?
  • Remove the link, possibly providing the concept URI in plain text on the page info page?

I find the second option is a good option, on the page info page and/or somewhere on the entity page itself.

The link in the toolbox is a bit disappointing because it goes to the very same page after 3 redirects (whose one using http):

And as said above it is not really a locator but an identifier, so there is no need to use it as a link, even if it works. I guess the main uses of this identifier is for federated SPARQL queries from other SPARQL endpoints or more generally for exported data.

I didn't dig too deeply into the docs, but schema.org for sure explicitly mentions that either is supported. Perhaps that's a good strategy for us? default to http, but allow https?

https://schema.org/docs/faq.html#19 is talking about using https for schema.,org based uris, not for all uris.

I just looked at the .ttl output for an entity and it actually currently outputs:

@prefix wdata: <https://www.wikidata.org/wiki/Special:EntityData/> .

heh

wdata: is not the concept uri though. wd: is the thing, wdata: is Wikidata page talking about the thing. We consciously separated them in the data.

https://schema.org/docs/faq.html#19 is talking about using https for schema.,org based uris, not for all uris.

Well I would assume so, that is the only domain they have the authority to talk about.

As pointed out, the concept URI is http, not https. See also https://www.w3.org/DesignIssues/Security-NotTheS.html . It's too widespread now to change it. For Commons we could do https from the start

Multichill renamed this task from Concept URI in sidebar uses HTTP instead of HTTPS to Concept URI in sidebar on Wikidata uses HTTP instead of HTTPS.Jul 24 2020, 12:08 PM
Jseddon added a subscriber: Jseddon.