
HTTPS/Browser Recommendations page on Wikitech is outdated
Open, Medium, Public

Description

https://wikitech.wikimedia.org/wiki/HTTPS/Browser_Recommendations is linked from https://en.wikipedia.org/sec-warning It included this text:

This means that if you use an old web browser, you can still read pages on Wikipedia, but your browsing activity cannot always be encrypted in a secure way.

I take it this referred to an earlier set of updates, but it's no longer accurate, so I've removed it. The remaining paragraphs should probably be reworked too, though, since the future they describe is now reality. :-)

Event Timeline

The wording issues here are actually a bit tricky. We've done several TLS standards upgrades over time, and there are still a few to go:

Done sometime in the past:

  • HTTPS enforcement with 301s
  • HSTS lock-on
  • SSLv3 removal
  • 3DES support removed (and there were a few others like this of less note)
  • Forward-secrecy enforcement

Doing now:

  • Removing TLSv1.0 and TLSv1.1

Known things coming in the future:

  • Removing DHE support
  • Requiring AEAD ciphers
  • Much more distant: removing TLSv1.2 support (sometime long after we've added 1.3!)

So the general language issues around relative levels of security, and more security to come down the line, are still as relevant today as they were back then. The browser/OS version standards and upgrade recommendations are meant to cover at least up through the future DHE and AEAD changes, but obviously enforcing TLSv1.3-only, which is pretty far off in the future and would require even higher minimum version levels. Perhaps we should at least further re-word the parts about IE11 to favor Edge more, since IE11 doesn't do 1.2 by default (as noted).
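As an added example (not Wikimedia code, and not from the comment above), a small checker that maps a negotiated protocol version and cipher suite name onto the upgrade stages listed in that comment, so an operator can see which stage a client's handshake would fall foul of. The stage labels, the OpenSSL-style suite-name heuristics and the sample handshakes are assumptions constructed for this example.

```python
# Constructed example: classify a TLS handshake against the hardening
# roadmap described in the task comment (done / doing now / future).
# Stage labels and name-matching rules are assumptions, not site config.
DONE = ("no-sslv3", "no-3des", "forward-secrecy")
NOW = ("no-tls1.0-1.1",)
FUTURE = ("no-dhe", "aead-only")


def violations(version: str, suite: str) -> list[str]:
    """Return the roadmap stages a handshake would violate, given the
    protocol version string and an OpenSSL-style cipher suite name."""
    found = []
    s = suite.upper()
    if version == "SSLv3":
        found.append("no-sslv3")
    if "3DES" in s or "DES-CBC3" in s:
        found.append("no-3des")
    # Forward secrecy needs an ephemeral key exchange (ECDHE or DHE);
    # every TLS 1.3 suite is ephemeral by construction.
    ephemeral = version == "TLSv1.3" or s.startswith(("ECDHE-", "DHE-"))
    if not ephemeral:
        found.append("forward-secrecy")
    if version in ("TLSv1.0", "TLSv1.1"):
        found.append("no-tls1.0-1.1")
    if s.startswith("DHE-"):
        found.append("no-dhe")
    # AEAD suites: all of TLS 1.3, or GCM/CCM/ChaCha20-Poly1305 in 1.2.
    aead = version == "TLSv1.3" or any(t in s for t in ("GCM", "CCM", "CHACHA20"))
    if not aead:
        found.append("aead-only")
    return found


def classify(version: str, suite: str) -> str:
    """Map violations onto the roadmap: 'rejected' (already removed),
    'being removed' (current work), 'deprecated' (future), or 'ok'."""
    v = violations(version, suite)
    if any(x in DONE for x in v):
        return "rejected"
    if any(x in NOW for x in v):
        return "being removed"
    if any(x in FUTURE for x in v):
        return "deprecated"
    return "ok"


if __name__ == "__main__":
    # Constructed sample handshakes, one per roadmap outcome.
    for ver, suite in [("TLSv1.3", "TLS_AES_128_GCM_SHA256"),
                       ("TLSv1.0", "ECDHE-RSA-AES128-SHA"),
                       ("TLSv1.2", "DHE-RSA-AES256-GCM-SHA384"),
                       ("TLSv1.2", "AES128-SHA")]:
        print(ver, suite, "->", classify(ver, suite), violations(ver, suite))
```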

ema triaged this task as Medium priority. Dec 20 2019, 12:36 PM