Feb 8 2023
Apr 8 2019
Apr 28 2016
I just tried on a new install of Ubuntu 12.04.5 Desktop, and apt-transport-https is installed out of the box.
Apr 27 2016
Apr 15 2016
I suggest we use Let's Encrypt. It can issue SAN certificates.
Apr 13 2016
Redirect to https should be fine, since we enabled HSTS for transparency.wikimedia.org in May 2015. But was there any reason that the redirect was dropped?
Apr 12 2016
Mar 2 2016
Feb 23 2016
So is links.email.donate.wikimedia.org still in use? If not, can we remove it from the DNS record?
Jan 29 2016
Jan 7 2016
Dec 14 2015
@BBlack I suggest removing at least VeriSignClass3_G2 and VeriSignClass1 from our trust list. According to , Class3_G2 is a 1024-bit root, and Class1 was replaced by Class1_G3 during 2010.
Dec 4 2015
Let's Encrypt is in Public Beta now. Everyone can get free certificates from them now.
Nov 18 2015
Nov 10 2015
We could start with one-off services that are more technical in nature, which normal users would rarely connect to and aren't critical to them, such as icinga.wikimedia.org.
I support this. There are many other such domains that I think we can turn to "mid" now, including gerrit, rt, wikitech, wikitech-static, ticket, librenms, and tendril. Note that https://lists.wikimedia.org already uses the "mid" cipher suite.
Nov 6 2015
Are there any updates now?
Oct 20 2015
Oct 1 2015
Did Microsoft fix this issue yet?
Sep 24 2015
Sep 20 2015
I think this task can finally be closed as resolved, as there are no more domains that lack FS. (T91504 is now about DNSSEC.)
Aug 27 2015
I copied the CC list of T107575 to this one.
Aug 26 2015
Confirmed that this issue was fixed.
Aug 25 2015
According to DNS, download.wikimedia.org and gerrit.wikimedia.org are not behind misc-web. Why are these two domains in misc.inc.vcl.erb?
Aug 21 2015
Resolved since HTTPS has been enforced for everyone.
This was resolved when the canonical URLs on all pages point to HTTPS. T53002
Aug 15 2015
How about mapping download.Wikipedia.org to the text cluster, and then have it redirect to https://dumps.wikimedia.org?
Jul 31 2015
https://stats.wikipedia.org/ is broken. Error: 404, Domain not served here
Jul 30 2015
wikipedia.org is already on the preload list! Among Alexa Top 10 websites, Wikipedia is the only one that has all subdomains preloaded!
Jul 29 2015
Before wikimedia.org is ready to preload, how about emailing firstname.lastname@example.org to request preloading some high traffic and sensitive subdomains of wikimedia.org, like commons, donate, payments, etc.?
Jul 28 2015
Jul 24 2015
Have these communities been notified yet?
Jul 21 2015
Why decline it? It has been resolved! Apache 2.2 now supports ECDHE. See T55259#1448222.
Jul 17 2015
How about doing "report-only" first with a longer max-age, like 7 days?
Jul 16 2015
Could you look at the referrers as well? Do most of the requests come from search engines?
Jul 14 2015
My thought is that we'd better support a cipher suite as long as someone is actively using it and it is not close to broken (such as RC4). So how about keeping AES256-SHA256 and cutting out other AES256 ciphers in mid and compat lists? Also, why not remove dhe-rsa-camellia256-sha too? It was not negotiated for 3 weeks.
Jul 11 2015
Jul 10 2015
Jul 7 2015
How many requests to these domains are there in the log? *.wap was deprecated in early 2009, and *.mobile was deprecated in late 2011. Google has 39,300 results for site:*.mobile.wikipedia.org, which is fewer than the 96,700 results for site:www.*.wikipedia.org. I think it is fine to delete them from DNS.
Jul 6 2015
Actually http://www.email.donate.wikimedia.org/ can be removed too.
Jul 5 2015
Oh, actually http://www.donate.wikimediafoundation.org/ redirects to https://wikimediafoundation.org/wiki/Home, and http://www.donate.mediawiki.org/ shows an "unconfigured domain" error page. So they are broken already.
Once these two domain names, www.donate.wikimediafoundation.org and www.donate.mediawiki.org, are removed, wikimediafoundation.org and mediawiki.org can be preloaded. Fortunately, searching them on Google returns no results: https://www.google.com/search?q=%22www.donate.wikimediafoundation.org%22 and https://www.google.com/search?q=%22www.donate.mediawiki.org%22. So I think it is safe to remove at least these two.
Jul 3 2015
Jul 2 2015
Jun 27 2015
stats.wikimedia.org doesn't redirect http to https. It has mixed content (T93702). Do we need to fix that first?
Jun 21 2015
Jun 18 2015
Jun 5 2015
This has been fixed in T100825.
Jun 1 2015
git.wikimedia.org is behind misc-web. Is this cert still needed?
May 1 2015
Apr 29 2015
Apr 28 2015
Can we start to force HTTPS for all users from the US soon? They should have low latency impact, since they are close to the datacenters. Do we have a timeline now? One thing is that once we redirect to HTTPS for US users, Google will update the indexed Wikipedia links to HTTPS as well.
Apr 20 2015
Mar 26 2015
Mar 25 2015
Great! https://en.m.wikipedia.org now works in China. According to the report on zhwiki and tests on greatfire.org, only http://zh.wikisource.org/, http://zh.wikinews.org/, and http://ug.wikipedia.org/ are still blocked, which I think are blocked based on URL rather than IP. All other Wikimedia sites (http and https) are not blocked now. Thank you!