
Enable HSTS and point rel=canonical to HTTPS for all Russian Wikimedia projects
Closed, Resolved · Public

Description

Since Russian Wikimedia projects are HTTPS only and have HSTS enabled, we should set their wgCanonicalServer to HTTPS, so that Bing will update the links to HTTPS.

[1] https://www.bing.com/search?q=site%3aru.wikipedia.org

A Russian Wikipedia community member implemented a JavaScript redirect to send Russian Wikipedia traffic to HTTPS in August 2014, so most Russian Wikipedia traffic has been going over HTTPS since last year. A similar hack was in place in Russian Wikinews. The resulting configuration was vulnerable to man-in-the-middle attacks, as it depended on users first loading the insecure version. It also caused a major performance hit for users due to the double-loading. In consultation with Russian Wikimedia community members, consistent with our long-term HTTPS rollout objectives, and consistent with the pre-existing request to participate in the HTTPS beta, we superseded the hack with a server-side redirect and HSTS as a secure and consistent default configuration for all Russian language projects.
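
An added example (not part of the original task or of Wikimedia's configuration): an offline audit that tells apart the three states the description walks through, namely the script-based redirect, the server-side redirect with HSTS but an HTTP canonical link, and the final state. The host `ru.wiki.example`, the sample responses and the finding names are constructed for illustration.

```python
import re

# Constructed responses for a hypothetical host; not captured from any real server.
CANON = '<html><head><link rel="canonical" href="%s://ru.wiki.example/wiki/Page"/>'
JS_HACK_HTTP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + CANON % "http"
                + "<script>if(location.protocol=='http:')"
                  "location.replace('https:'+location.href.slice(5));</script>")
PLAIN_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + CANON % "http"
REDIRECT_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
                 "Location: https://ru.wiki.example/wiki/Page\r\n\r\n")
HSTS_HTTPS = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
              "Content-Type: text/html\r\n\r\n")

def parse(raw):
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers, body

def audit(http_raw, https_raw):
    """Return findings for the plain-HTTP and HTTPS responses of one URL."""
    findings = []
    status, headers, _ = parse(http_raw)
    target = headers.get("location", "").lower()
    if status not in (301, 302, 307, 308) or not target.startswith("https://"):
        # Content, including any script-based redirect, travels in clear text
        # where an on-path attacker can rewrite it before it runs.
        findings.append("http-serves-content")
    _, headers, body = parse(https_raw)
    hsts = re.search(r'max-age\s*=\s*"?(\d+)',
                     headers.get("strict-transport-security", ""), re.I)
    if not hsts or int(hsts.group(1)) == 0:
        findings.append("no-hsts")  # browser will keep trying http:// first
    # Simplification: expects rel before href inside the <link> tag.
    canon = re.search(r'<link[^>]*rel="canonical"[^>]*href="([^"]+)"', body, re.I)
    if canon and not canon.group(1).lower().startswith("https://"):
        findings.append("canonical-not-https")
    return findings

if __name__ == "__main__":
    print("JS hack:        ", audit(JS_HACK_HTTP, PLAIN_HTTPS))
    print("301 + HSTS:     ", audit(REDIRECT_HTTP, HSTS_HTTPS + CANON % "http"))
    print("301+HSTS+canon: ", audit(REDIRECT_HTTP, HSTS_HTTPS + CANON % "https"))
```
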

Details

Related Gerrit Patches:
operations/mediawiki-config : master : Point rel=canonical to HTTPS for all ru projects

Event Timeline

Chmarkine claimed this task.
Chmarkine raised the priority of this task from to Needs Triage.
Chmarkine updated the task description.
Chmarkine added projects: HTTPS, HTTPS-by-default.
Chmarkine added a subscriber: Chmarkine.
Restricted Application added a subscriber: Aklapper. · Feb 24 2015, 4:22 AM
Aklapper set Security to None.
Chmarkine renamed this task from "Point rel=canonical to HTTPS for Russian Wikipedia (ruwiki)" to "Point rel=canonical to HTTPS for all Russian Wikimedia projects". · Feb 24 2015, 7:23 PM
Chmarkine updated the task description.

Change 192502 had a related patch set uploaded (by Chmarkine):
Point rel=canonical to HTTPS for all ru projects

All Russian Wikimedia projects are HTTPS only, so change the canonical links to have search engines update their indexes.

https://gerrit.wikimedia.org/r/192502

Patch-For-Review

Since Russian Wikimedia projects are HTTPS only and have HSTS enabled

Can you mention the commit which made them so, please?

Change 192502 merged by jenkins-bot:
Point rel=canonical to HTTPS for all ru projects

https://gerrit.wikimedia.org/r/192502

Since Russian Wikimedia projects are HTTPS only and have HSTS enabled

Can you mention the commit which made them so, please?

Sorry, I don't know! @JanZerebecki told me to update the canonical links for all Russian projects. I also checked the response headers, and indeed they were HTTPS only.

Chmarkine closed this task as Resolved. · Feb 25 2015, 4:37 PM
Elitre added a subscriber: Elitre. · Feb 25 2015, 10:26 PM

Ok, as there doesn't seem to be a ticket about HSTS I'm using this one instead.

Nemo_bis renamed this task from "Point rel=canonical to HTTPS for all Russian Wikimedia projects" to "Enable HSTS and point rel=canonical to HTTPS for all Russian Wikimedia projects". · Mar 11 2015, 11:19 AM
Nemo_bis updated the task description.
Nemo_bis added a subscriber: Eloquence.
putnik added a subscriber: putnik. · Mar 11 2015, 12:29 PM