Page MenuHomePhabricator

Remove "Basic" support (Grade C) for browsers without TLS 1.2+ (MediaWiki core and WMF infra)
Closed, ResolvedPublic

Description

Affected components: MediaWiki core, all skins/extensions, Wikimedia Foundation product, third-parties.

Motivation

Since January 2020, Wikimedia has not served traffic to browsers which do not support TLS 1.2 (T238038).

It doesn't really make sense to maintain Grade C support just for third party wikis that might be using very old browsers. Third parties can use MediaWiki 1.35 (LTS) until September 2023.


Exploration

As mentioned in T262946#6512792, this means increasing our requirements to:

  • Firefox 27+ (released 2014-02); from 3+
    • Versions from 24+ can be configured to use TLS 1.2, but this is a very advanced feature, and they may not have the correct ciphers.
  • Chrome 31+ (2013-11); from 1+
    • 29+ has TLS 1.2, but not the correct ciphers
  • Safari 9+ (2015-09, also grade A); from 3+
    • 7+ has TLS 1.2, but not the correct ciphers
  • Opera 18+ (2013-11); from 15+
    • 16+ has TLS 1.2, but not the correct ciphers
  • iOS (Safari) 9+ (2015-09), from 6.1+);
    • 5+ has TLS 1.2, but not the correct ciphers
  • Android 4.3+x browser (Chromium 89 WebView) or Google Chrome for Android or other browsers like Firefox Android; from 3+
    • Ed: Not sure if we need to list individual users of Chromium WebView

IE 9-10 would be untouched by this, as both versions can be enabled to support TLS 1.2.
Opera 12 would have been able to support it too, but has already fallen out of basic support.

Statistics

Focussing on Firefox, Chrome, Safari and Opera as biggest of the mentioned ones here, stats are all access restricted at turnilo.wikimedia.org:

Page views Jan 2020-Feb 2021. Jan 2020 as the TLS change and restricted access took place around there.

Firefox 3-26 page views

Firefox 3-26 between 2.1 and 5.4 million out of 3.6 to 4 billion total per weeks of 2021.

Chrome 1-30 page views

Chrome 1-30 between 1.6 and 1.8 million out of 3.6 to 4 billion total per weeks of 2021.

Safari 1-7 page views

Safari 1-7 between 550k and 770k out of 3.6 to 4 billion total per weeks of 2021.

Opera 15-17 page views

Opera 15-17 between 2 and 17 (!!) views out of 3.6 to 4 billion total per weeks of 2021.

Extended motivation, or what would this enable us

List prepped by @Esanders below

Following features would now be fully supported (HTML, CSS, SVG, WAI-ARIA, PNG, WOFF, only excluding JS features as Grade A specifics) without hacks, workarounds or fallbacks:

  • EventTarget.addEventListener()
  • Audio element
  • CSS3 Background-image options
  • CSS3 Border-radius (rounded corners)
  • Canvas (basic support)
  • Text API for Canvas
  • contenteditable attribute (basic support)
  • CSS background-position edge offsets
  • CSS3 Box-shadow
  • CSS Counters
  • ::first-letter CSS pseudo-element selector
  • CSS first-line pseudo-element
  • CSS position:fixed
  • CSS Generated content for pseudo-elements
  • letter-spacing CSS property
  • CSS3 Media Queries
  • CSS namespaces
  • CSS3 Opacity
  • CSS 2.1 selectors
  • CSS3 selectors
  • CSS Table display
  • CSS3 Colors
  • CSS currentColor value
  • Document Object Model Range
  • @font-face Web fonts
  • naturalWidth & naturalHeight image properties
  • CSS inline-block
  • Selection controls for input & textarea
  • CSS min/max-width/height
  • MP3 audio format
  • CSS3 Multiple backgrounds
  • PNG alpha transparency
  • readonly attribute of input and textarea elements
  • Server Name Indication
  • Inline SVG in HTML5
  • SVG in HTML img element
  • tabindex global attribute
  • CSS3 Text-overflow
  • Video element
  • WOFF - Web Open Font Format
  • XHTML served as application/xhtml+xml

The following would become at least partially supported:

  • :indeterminate CSS pseudo-class
  • AAC audio file format
  • autocomplete attribute: on & off values
  • calc() as CSS unit value
  • ch (character) unit
  • Cross-Origin Resource Sharing
  • CSS3 word-break
  • defer attribute for external scripts
  • disabled attribute of the fieldset element
  • maxlength attribute for input and textarea elements
  • rem (root em) units
  • SVG effects for HTML
  • SVG in CSS backgrounds
  • Viewport units: vw, vh, vmin, vmax
  • WAI-ARIA Accessibility features
  • X-Frame-Options HTTP header

Event Timeline

Volker_E renamed this task from Bump Grade C to require TLS 1.2 (i.e. browsers which WMF supports) to Bump basic supported browsers (grade C) to require TLS 1.2 for MediaWiki core and Wikimedia infrastructure alike.Oct 30 2020, 3:14 PM
Volker_E added a project: TechCom-RFC.
Volker_E updated the task description. (Show Details)
Volker_E edited projects, added Readers-Web-Backlog; removed TechCom-RFC.
Volker_E added a project: TechCom-RFC.
Volker_E awarded a token.

Grade C before: https://www.caniuse.com/?compare=ie+9,edge+12,edge+79,firefox+3.6,chrome+4,safari+3.1,opera+15,ios_saf+5.0-5.1,android+4.1&compareCats=CSS,HTML5,Other,Security,SVG
Grade C after: https://www.caniuse.com/?compare=ie+9,edge+12,edge+79,firefox+27,chrome+29,safari+7,opera+16,ios_saf+5.0-5.1&compareCats=CSS,HTML5,Other,Security,SVG

According to a caniuse comparison, the following features would now be fully supported (excludes JS features):

  • EventTarget.addEventListener()
  • Audio element
  • CSS3 Background-image options
  • CSS3 Border-radius (rounded corners)
  • Canvas (basic support)
  • Text API for Canvas
  • contenteditable attribute (basic support)
  • CSS background-position edge offsets
  • CSS3 Box-shadow
  • CSS Counters
  • ::first-letter CSS pseudo-element selector
  • CSS first-line pseudo-element
  • CSS position:fixed
  • CSS Generated content for pseudo-elements
  • letter-spacing CSS property
  • CSS3 Media Queries
  • CSS namespaces
  • CSS3 Opacity
  • CSS 2.1 selectors
  • CSS3 selectors
  • CSS Table display
  • CSS3 Colors
  • CSS currentColor value
  • Document Object Model Range
  • @font-face Web fonts
  • naturalWidth & naturalHeight image properties
  • CSS inline-block
  • Selection controls for input & textarea
  • CSS min/max-width/height
  • MP3 audio format
  • CSS3 Multiple backgrounds
  • PNG alpha transparency
  • readonly attribute of input and textarea elements
  • Server Name Indication
  • Inline SVG in HTML5
  • SVG in HTML img element
  • tabindex global attribute
  • CSS3 Text-overflow
  • Video element
  • WOFF - Web Open Font Format
  • XHTML served as application/xhtml+xml

The following would become at least partially supported:

  • :indeterminate CSS pseudo-class
  • AAC audio file format
  • autocomplete attribute: on & off values
  • calc() as CSS unit value
  • ch (character) unit
  • Cross-Origin Resource Sharing
  • CSS3 word-break
  • defer attribute for external scripts
  • disabled attribute of the fieldset element
  • maxlength attribute for input and textarea elements
  • rem (root em) units
  • SVG effects for HTML
  • SVG in CSS backgrounds
  • Viewport units: vw, vh, vmin, vmax
  • WAI-ARIA Accessibility features
  • X-Frame-Options HTTP header

Edit: Updated now that versions are even higher with cipher requirements.

I'm not sure we need to support FF 24-26, where TLS1.2 could theoretically be enabled. There is no obvious CTA to enable TLS 1.2 so we should assume that users don't know how to do it. Contrast with IE9 where it appears to have been enabled by some patch.

FF26:

We would be able to drop some vendor prefixes:

  • -webkit-box-sizing (-moz-box-sizing is required up to FF 28)
  • -moz-transition and -webkit-transition
  • -moz-transform (-webkit-transform is required up to Chrome 35)

Didn't we just increase the TLS requirements again this week?

Didn't we just increase the TLS requirements again this week?

Please provide a link so we can check if that changes browser support.

Didn't we just increase the TLS requirements again this week?

Please provide a link so we can check if that changes browser support.

Found it: T258405 — ECDHE-ECDSA-AES128-SHA was removed as of 29 October.

Also DHE-RSA-AES128-SHA was removed as of 29 September, and ECDHE-ECDSA-AES128-SHA is going to be removed soon.

It seems like most browsers support multiple ciphers. Unless we hear otherwise I would assume that this doesn't result in any additional browsers being blocked.

WMF Browser requirements are most definitely higher now.
For Safari

  • iOS 9
  • MacOS X 10.11

Android 4.4.2
Firefox i think is 31+ ?? not sure
Chrome: probably still pretty old versions, but ssllabs doesn't go that far back.

see also https://www.wikipedia.org/sec-warning and https://www.ssllabs.com/ssltest/analyze.html?d=en.wikipedia.org&s=208.80.154.224&hideResults=on&ignoreMismatch=on

Confirmed Safari 8 + 10.10 not working:


Also Mobile Safari 8 not working.

Safari 9 and Mobile both work

Confirmed FF 27 is the first version that works.

Chrome 31 is the first version that works, Chrome 30 doesn't work:

Opera 18 is the first version that works (presuambly the first based on Chromium 31)

[…] Third parties can use MediaWiki 1.35 for the immediate-term future (LTS).

Clarified to until September 2023.

I don't quite see this as an RfC. It's an observation about the change already made. People saying "no" don't have anywhere to go?

@Jdforrester-WMF Have been coming from general MediaWiki usage, although the browser support matrix mentions this coverage in a side sentence.
If we remove the RFC, we should be louder on it being based on the combination only.

I don't quite see this as an RfC. It's an observation about the change already made. People saying "no" don't have anywhere to go?

One could object to us dropping support for TLS <1.2 in MediaWiki in general. But yes, the significant change was made without much consultation.

This will also result in not-insignificant changes to our Grade A matrix, particularly mobile browsers.

The following will now be fully supported in Grade A:

  • Blob constructing
  • Blob URLs
  • Channel messaging
  • CSS Animation
  • CSS background-position edge offsets
  • CSS background-repeat round and space
  • CSS Repeating Gradients
  • CSS3 2D Transforms
  • CSS3 Transitions
  • Document.execCommand()
  • FileReaderSync
  • High Resolution Time API
  • Mutation Observer
  • Navigation Timing API
  • Page Visibility
  • readonly attribute of input and textarea elements
  • requestAnimationFrame
  • Session history management
  • Strict Transport Security
  • SVG filters
  • Web Sockets
  • Web Workers
  • WebGL - 3D Canvas graphics
  • WebVTT - Web Video Text Tracks
  • WOFF - Web Open Font Format

The following will now be partially supported in Grade A:

  • :indeterminate CSS pseudo-class
  • calc() as CSS unit value
  • ch (character) unit
  • Content Security Policy 1.0
  • CSS Flexible Box Layout Module
  • CSS Gradients
  • CSS3 3D Transforms
  • CSS3 Border images
  • CSS3 Multiple column layout
  • disabled attribute of the fieldset element
  • Do Not Track API
  • ECMAScript 2015 (ES6)
  • FileReader API
  • HTML5 form features
  • HTTP/2 protocol
  • IndexedDB
  • Pattern attribute for input fields
  • progress element
  • Rebeccapurple color
  • Referrer Policy
  • Selection API
  • SVG effects for HTML
  • Synchronous Clipboard API
  • Viewport units: vw, vh, vmin, vmax
  • WAI-ARIA Accessibility features
  • X-Frame-Options HTTP header

@Ed are these stats based on online research or emperical checks by us/you?

If we haven't already, it might be worth checking what our pageview stats in Turnilo say about these browsers, and if a sizable amount shows up to perhaps double check emperically where the support line is.

If the data is bogus, it'd be good to record here how large the noise is, as that could inform follow-up work to reduce noise and/or to document how big the "bogus margin".

Also, has someone reached out to PET managers about third-party stake? We could check in with someone from Bluespice or Fandom. and/or PET might say we can't/shouldn't support these browsers for third-parties. I'm not expecting "interesting", but I think it's important to keep these using these communication channels with third-parties and with management to ensure that they can steer as needed and that there's a shared understanding and awareness of the trade-offs and upcoming benefits, and also so that our work on this is recognised, and not decided upon in isolated by ourselves.

Krinkle triaged this task as Medium priority.Nov 19 2020, 3:58 AM
Krinkle moved this task from P3: Explore to P4: Tune on the TechCom-RFC board.

The browser versions I listed in T266866#6597380 were verified via crossbrowsertesting.com.

If we haven't already, it might be worth checking what our pageview stats in Turnilo say about these browsers

Adding this task to our Web team kanban board for possibly looking closer at the browser stats.

Volker wrote on 23 Nov 2020:

Adding this task to our Web team kanban board for possibly looking closer at the browser stats.

@Volker_E @ovasileva Gentle reminder on the above :)

@Krinkle Updated stats in task description should be sufficiently clear to move this forward. :)

Krinkle renamed this task from Bump basic supported browsers (grade C) to require TLS 1.2 for MediaWiki core and Wikimedia infrastructure alike to Remove "Basic" support (Grade C) for browsers without TLS 1.2+ (MediaWiki core and WMF infra).Mar 4 2021, 12:39 PM
Krinkle removed a project: TechCom-RFC.

Hey folks, I just wanted to chime in here and say that from a product perspective, paying any cost or effort to continuing to support browsers that we don’t support on our flagship products feels like something we should stop. I understand that there are 3rd party wikis that might choose to make different decisions about TLS support, but the value of increasing development velocity and improving user experience on Wikipedia (visited by 1.5B devices a month) vastly outweighs the negative consequences. Let me know how I can help communicate this if you feel a communication for this is necessary.

Since it's not clear to me, what is the difference between Firefox 24-26 and IE9/10 as in the task description? They both describe being able to use TLS1.2 but the former is supposedly an advanced feature (Firefox users, I would venture, would be more willing to turn such a thing on..., especially if they're still on these versions).

Just looking to be clear and consistent.

@Izno The main difference is, that we can't say for sure for Firefox 24-26, that they have the correct ciphers enabled. The Firefox 24-26 stats are showing between 280-400k per week, averaging at about 340k out of 3.6 to 4 billion total for weeks of 2021.
For completion, IE 9 + 10 have about 2 million views per week in the same timeframe.

Volker_E updated the task description. (Show Details)

Email sent out to wikitech-l & design.public for further comments. Countdown until 18 March for objections, if none we'll bump the requirements then.

Android support is a bit unclear. Even though caniuse returns Android 2.1-4.4 not supporting TLS 1.2, Browserstack's testing on Samsung/Google Nexus/HTC One M8 device( emulator)s with Android 4.3 or 4.4 access enwiki without limitations.


While Nexus w Android 4.2 can't, neither Kindle w Android 4.3:

In doubt I'd lean towards bumping to 4.3 with stock browser.


iOS and Safari provides a clear picture. iOS 8 & Safari 8 on macOS are out of game:

No further objections raised here or on wikitech-l thread, so will go ahead with bumping the requirements.