
Concept URI in sidebar on Wikidata uses HTTP instead of HTTPS
Open, Needs Triage, Public

Description

Problem
The "Concept URI" in the sidebar of Wikibase entities uses HTTP instead of HTTPS. While I assume HTTP is used for conformity, if someone were to access it over HTTP (and then be redirected), it would reveal what entity they were attempting to access to the public network. Also, a redirect is a "round trip" (the client has to wait for the headers before making another request to the Location) that is unnecessary.

Solution
To increase the privacy of our users and reduce the number of redirects, we should change this sidebar link to be the same protocol as the page, which is HTTPS.
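The exposure and extra round trip described in this task can be checked mechanically. The following is an added example, not part of the original task or of Wikibase code; the host `data.example.org`, the entity ID `Q1` and the redirect chain are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed redirect chain (placeholder host and paths, not real hops).
SAMPLE_CHAIN = [
    "http://data.example.org/entity/Q1",
    "https://data.example.org/entity/Q1",
    "https://data.example.org/wiki/Special:EntityData/Q1",
    "https://data.example.org/wiki/Q1",
]

def observer_view(url):
    """What a passive on-path observer can read for one request."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        # Request line and Host header cross the network unencrypted.
        path = parts.path + (f"?{parts.query}" if parts.query else "")
        return {"host": parts.hostname, "path": path, "cleartext": True}
    # Under TLS the path is encrypted; the hostname is typically still
    # visible through the DNS lookup and SNI.
    return {"host": parts.hostname, "path": None, "cleartext": False}

def audit_chain(chain):
    """Summarise redirects and cleartext exposure for a chain of URLs."""
    views = [observer_view(u) for u in chain]
    return {
        "redirects": len(chain) - 1,
        "cleartext_hops": [u for u, v in zip(chain, views) if v["cleartext"]],
        "leaked_paths": [v["path"] for v in views if v["cleartext"]],
    }

def upgrade(url):
    """Return the https form of an http URL; other URLs are unchanged."""
    parts = urlsplit(url)
    return parts._replace(scheme="https").geturl() if parts.scheme == "http" else url

def link_as_https(chain):
    """Chain a client follows if the link is rendered with https."""
    first = upgrade(chain[0])
    # If the first redirect was only the scheme upgrade, that hop disappears.
    if len(chain) > 1 and first == chain[1]:
        return chain[1:]
    return [first] + chain[1:]

if __name__ == "__main__":
    print("http link: ", audit_chain(SAMPLE_CHAIN))
    print("https link:", audit_chain(link_as_https(SAMPLE_CHAIN)))
```
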

Event Timeline

So, the concept URI is http.
Perhaps we should:

  • Make the link very obviously marked as not secure?
  • Remove the link, possibly providing the concept URI in plain text on the page info page?

Thoughts @Lydia_Pintscher ?

So, the concept URI is http.

Do we not support https concept URIs?

See T153563#2884409 and the comment added in https://gerrit.wikimedia.org/r/#/c/operations/mediawiki-config/+/473292/8/wmf-config/InitialiseSettings.php

The concept URI should be http.

Another option might be to change what this link says and then use https?

I think since the URI is a redirect anyways (and is rather confusing if you don't know that), then my preference would be to show it as plaintext (maybe at the bottom of the page in the "footer")?

Maybe somewhere near "This page was last edited on 17 June 2019, at 18:54." text.

I think we need to think about this more globally together with T109420 and T85633 to come up with a suitable solution.

Wikidata seems to lag in terms of implementation of https compared to other parts of WMF. Can we do something about it?

Wikidata seems to lag in terms of implementation of https compared to other parts of WMF. Can we do something about it?

Wikidata does implement https everywhere.
The concept URI however is a slightly trickier issue being a linked data identifier.
Switching to https is possible, but would require planning, communication, etc.

In T153563#2884409 @Smalyshev said:

Thus, I do not think we should change our identifier scheme to diverge from what is used in every other linked data application.

I wonder if the norm is switching toward https now? Perhaps we should follow?

I wonder if the norm is switching toward https now? Perhaps we should follow?

It kinda appears (from what I can tell) that either is supported. When using the URI as a URL, on every single one of the examples on T153563#2884409, you get redirected to https. However, the pages then list the URL as http.

I didn't dig too deeply into the docs, but schema.org for sure explicitly mentions that either is supported. Perhaps that's a good strategy for us? default to http, but allow https?

Or perhaps the simplest solution is to display it as plaintext, though we probably ought to also support https in WDQS, etc.

So, the concept URI is http.
Perhaps we should:

  • Make the link very obviously marked as not secure?
  • Remove the link, possibly providing the concept URI in plain text on the page info page?

I find the second option is a good option, on the page info page and/or somewhere on the entity page itself.

The link in the toolbox is a bit disappointing because it goes to the very same page after 3 redirects (one of which uses http):

And as said above, it is not really a locator but an identifier, so there is no need to use it as a link, even if it works. I guess the main use of this identifier is for federated SPARQL queries from other SPARQL endpoints or, more generally, for exported data.

I didn't dig too deeply into the docs, but schema.org for sure explicitly mentions that either is supported. Perhaps that's a good strategy for us? default to http, but allow https?

https://schema.org/docs/faq.html#19 is talking about using https for schema.org based uris, not for all uris.

I just looked at the .ttl output for an entity and it actually currently outputs:

@prefix wdata: <https://www.wikidata.org/wiki/Special:EntityData/> .

heh

wdata: is not the concept uri though. wd: is the thing, wdata: is Wikidata page talking about the thing. We consciously separated them in the data.

https://schema.org/docs/faq.html#19 is talking about using https for schema.org based uris, not for all uris.

Well I would assume so, that is the only domain they have the authority to talk about.

As pointed out, the concept URI is http, not https. See also https://www.w3.org/DesignIssues/Security-NotTheS.html. It's too widespread now to change it. For Commons we could do https from the start.

Multichill renamed this task from "Concept URI in sidebar uses HTTP instead of HTTPS" to "Concept URI in sidebar on Wikidata uses HTTP instead of HTTPS". Jul 24 2020, 12:08 PM