Page MenuHomePhabricator

Chmarkine (Chmarkine)
User

Projects

User does not belong to any projects.

Today

  • Clear sailing ahead.

Tomorrow

  • Clear sailing ahead.

Tuesday

  • Clear sailing ahead.

User Details

User Since
Oct 6 2014, 5:57 AM (266 w, 6 d)
Availability
Available
LDAP User
Chmarkine
MediaWiki User
Unknown

Recent Activity

Apr 8 2019

Chmarkine placed T91151: Chinese language converter doesn't recognize Accept-Language: zh-Hans-CN up for grabs.
Apr 8 2019, 10:45 PM · Chinese-Sites, MediaWiki-Language-converter, Patch-For-Review, MediaWiki-Internationalization
Chmarkine closed T91151: Chinese language converter doesn't recognize Accept-Language: zh-Hans-CN as Resolved.
Apr 8 2019, 10:45 PM · Chinese-Sites, MediaWiki-Language-converter, Patch-For-Review, MediaWiki-Internationalization

Apr 28 2016

Chmarkine added a comment to T132450: enable https for (ubuntu|apt|mirrors).wikimedia.org.

I just tried on a new install of Ubuntu 12.04.5 Desktop, and apt-transport-https is installed out of box.

Apr 28 2016, 12:16 PM · Patch-For-Review, Traffic, HTTPS, Operations
Chmarkine added a comment to T132450: enable https for (ubuntu|apt|mirrors).wikimedia.org.

I'm not convinced https for that is a good idea. apt doesn't support it by default — apt-transport-https isn't installed out of the box even in Ubuntu AFAIK.

Apr 28 2016, 2:53 AM · Patch-For-Review, Traffic, HTTPS, Operations

Apr 27 2016

Chmarkine updated subscribers of T132450: enable https for (ubuntu|apt|mirrors).wikimedia.org.

@mark As (ubuntu|mirrors).wikimedia.org now supports HTTPS, could we update Wikimedia's Ubuntu mirror link to https://ubuntu.wikimedia.org/ubuntu/ on Ubuntu's website?

Apr 27 2016, 5:52 AM · Patch-For-Review, Traffic, HTTPS, Operations

Apr 15 2016

Chmarkine added a comment to T132450: enable https for (ubuntu|apt|mirrors).wikimedia.org.

I suggest we use Let's Encrypt. It can issue SAN certificates.

Apr 15 2016, 4:09 AM · Patch-For-Review, Traffic, HTTPS, Operations

Apr 13 2016

Chmarkine added a comment to T132464: HTTPS redirects for transparency.wikimedia.org.

Redirect to https should be fine, since we enabled HSTS for transparency.wikimedia.org in May 2015.[1] But was there any reason that the redirect was dropped?

Apr 13 2016, 3:18 PM · Patch-For-Review, Operations, HTTPS, Traffic
Chmarkine added a comment to T132521: Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination.

As for the rest of the work, IMHO we should re-purpose the wiki tracking page at https://wikitech.wikimedia.org/wiki/HTTPS/domains to cover longer-term progress on the rest of these issues and leave this ticket open until we get them all resolved. We can remove the ones with standard cache termination (text, upload, misc, maps) because they're easily enumerated and dealt with elsewhere and will be enforced consistently by the code for the cache clusters, and expand that table with the new entries from the audit above, etc.

Apr 13 2016, 8:53 AM · Patch-For-Review, HTTPS, Traffic, Operations

Apr 12 2016

Chmarkine added a comment to T111967: Preload HSTS for select hostnames within wikimedia.org.

With the impending removal of *.donate, we'll actually finally be able to HSTS wikimedia.org itself at the DNS level.

Apr 12 2016, 12:38 PM · Operations, Traffic, HTTPS

Mar 2 2016

Chmarkine updated subscribers of T128559: store.wikimedia.org HTTPS issues.
Mar 2 2016, 7:55 AM · Operations, Traffic, Wikimedia-Shop, HTTPS
Chmarkine added a subtask for T128559: store.wikimedia.org HTTPS issues: T39790: shop.wikimedia.org should be HTTPS only.
Mar 2 2016, 7:52 AM · Operations, Traffic, Wikimedia-Shop, HTTPS
Chmarkine added a parent task for T39790: shop.wikimedia.org should be HTTPS only: T128559: store.wikimedia.org HTTPS issues.
Mar 2 2016, 7:52 AM · Operations, Traffic, HTTPS, Wikimedia-Shop
Chmarkine created T128559: store.wikimedia.org HTTPS issues.
Mar 2 2016, 7:51 AM · Operations, Traffic, Wikimedia-Shop, HTTPS

Feb 23 2016

Chmarkine added a comment to T74514: links.email.donate.wikimedia.org should offer HTTPS.

So is links.email.donate.wikimedia.org still in use? If not, can we remove it from the DNS record?

Feb 23 2016, 4:25 AM · Operations, Traffic, Wikimedia-Fundraising, Blocked-on-Fundraising-Tech, HTTPS

Jan 29 2016

Chmarkine added a project to T64488: Wikimedia blog has unsecured elements on https: HTTPS.
Jan 29 2016, 1:27 PM · HTTPS, Wikimedia-Blog
Chmarkine added a project to T104728: make blog links from wmfwiki front page use HTTPS links: HTTPS.
Jan 29 2016, 1:25 PM · Operations, Traffic, HTTPS, Wikimedia-Blog

Jan 7 2016

Chmarkine edited projects for T122933: Remove the "HTTPS to HTTP" url filter in the IRC feed, added: Wikimedia-IRC-RC-Server; removed Wikimedia-General-or-Unknown.
Jan 7 2016, 9:35 AM · Traffic, Operations, Wikimedia-IRC-RC-Server, HTTPS, Patch-For-Review, User-notice

Dec 14 2015

Chmarkine added a comment to T92002: implement Public Key Pinning (HPKP) for Wikimedia domains.

@BBlack I suggest to remove at least VeriSignClass3_G2 and VeriSignClass1 from our trust list. According to [1], Class3_G2 is a 1024 bit root, and Class1 was replaced by Class1_G3 during 2010.

Dec 14 2015, 10:35 AM · Operations, Traffic, HTTPS

Dec 4 2015

Chmarkine added a comment to T50501: beta: Get SSL certificates for *.{projects}.beta.wmflabs.org.

Let's Encrypt is in Public Beta now. Everyone can get free certificates from them now.

Dec 4 2015, 6:12 AM · Operations, Beta-Cluster-Infrastructure

Nov 18 2015

Chmarkine added a project to T118787: releases.wikimedia.org should be https only and have hsts set: HTTPS.
Nov 18 2015, 4:22 PM · Traffic, HTTPS, Operations

Nov 10 2015

Chmarkine added a comment to T118181: Planning for phasing out non-Forward-Secret TLS ciphers.

We could start with one-off services that are more technical in nature, which normal users would rarely connect to and aren't critical to them, such as icinga.wikimedia.org.

I support this. There are many other such domains that I think we can turn to "mid" now, including gerrit, rt, wikitech, wikitech-static, ticket, librenms, and tendril. Note that https://lists.wikimedia.org already uses "mid" cipher suite.

Nov 10 2015, 11:22 AM · Operations, Traffic

Nov 6 2015

Chmarkine added a comment to T105455: Xbox 360 Internet Explorer unable to view Wikipedia.

Are there any updates now?

Nov 6 2015, 5:05 AM · Operations, Traffic, Browser-Support-Internet-Explorer, HTTPS

Oct 20 2015

Chmarkine added a comment to T50501: beta: Get SSL certificates for *.{projects}.beta.wmflabs.org.

Let's Encrypt provides free trusted(*) DV non-wildcard certs. We have 31 domains lists here. If you think it's plausible, we can obtain 31 certs (one for each domain) from Let's Encrypt at zero cost.
(*) They will have their CA certificate cross-signed by IdenTrust next month, so the certs they issued won't be trusted until then.

Oct 20 2015, 9:40 AM · Operations, Beta-Cluster-Infrastructure

Oct 1 2015

Chmarkine added a comment to T105455: Xbox 360 Internet Explorer unable to view Wikipedia.

Did Microsoft fix this issue yet?

Oct 1 2015, 9:35 AM · Operations, Traffic, Browser-Support-Internet-Explorer, HTTPS

Sep 24 2015

Chmarkine added a comment to T50501: beta: Get SSL certificates for *.{projects}.beta.wmflabs.org.

Chmarkine, there's always StartCom/StartSSL which has free certs, and they're already trusted by default in all major browsers.

Sep 24 2015, 2:39 PM · Operations, Beta-Cluster-Infrastructure
Chmarkine added a comment to T50501: beta: Get SSL certificates for *.{projects}.beta.wmflabs.org.

Let's Encrypt provides free trusted(*) DV non-wildcard certs. We have 31 domains lists here. If you think it's plausible, we can obtain 31 certs (one for each domain) from Let's Encrypt at zero cost.

Sep 24 2015, 8:47 AM · Operations, Beta-Cluster-Infrastructure

Sep 20 2015

Chmarkine added a comment to T55259: Add Forward Secrecy to all HTTPS sites.

I think this task can finally be closed as resolved, as there're no more domains that lack FS. (T91504 is now about DNSSEC.)

Sep 20 2015, 7:31 AM · Operations, HTTPS

Aug 27 2015

Chmarkine updated subscribers of T110511: sitemap.wikimedia.org uses invalid SSL certificate.

I copied the CC list of T107575 to this one.

Aug 27 2015, 1:01 PM · Operations, Patch-For-Review, HTTPS
Chmarkine added a subtask for T102824: Clean up DNS/redirects for TLS: T110511: sitemap.wikimedia.org uses invalid SSL certificate.
Aug 27 2015, 1:01 PM · Operations, Traffic
Chmarkine added a parent task for T110511: sitemap.wikimedia.org uses invalid SSL certificate: T102824: Clean up DNS/redirects for TLS.
Aug 27 2015, 1:01 PM · Operations, Patch-For-Review, HTTPS
Chmarkine added a project to T110511: sitemap.wikimedia.org uses invalid SSL certificate: acl*sre-team.
Aug 27 2015, 12:57 PM · Operations, Patch-For-Review, HTTPS
Chmarkine created T110511: sitemap.wikimedia.org uses invalid SSL certificate.
Aug 27 2015, 11:54 AM · Operations, Patch-For-Review, HTTPS

Aug 26 2015

Chmarkine added a subtask for T103919: let all services on misc-web enforce http->https redirects: T93702: Fix the mixed content issue on Wikimedia Statistics.
Aug 26 2015, 4:39 PM · Patch-For-Review, Operations, HTTPS, Traffic
Chmarkine added a parent task for T93702: Fix the mixed content issue on Wikimedia Statistics: T103919: let all services on misc-web enforce http->https redirects.
Aug 26 2015, 4:39 PM · Analytics-Wikistats, HTTPS
Chmarkine closed T107575: download.wiki[mp]edia.org are using an invalid certificate as Resolved.

Confirmed that this issue was fixed.

Aug 26 2015, 12:12 AM · Traffic, Operations, Patch-For-Review, HTTPS
Chmarkine closed T107575: download.wiki[mp]edia.org are using an invalid certificate, a subtask of T102824: Clean up DNS/redirects for TLS, as Resolved.
Aug 26 2015, 12:12 AM · Operations, Traffic

Aug 25 2015

Chmarkine added a comment to T103919: let all services on misc-web enforce http->https redirects.

According to DNS, download.wikimedia.org and gerrit.wikimedia.org are not behind misc-web. Why are these two domains in misc.inc.vcl.erb?

Aug 25 2015, 4:59 AM · Patch-For-Review, Operations, HTTPS, Traffic
Chmarkine renamed T107575: download.wiki[mp]edia.org are using an invalid certificate from download.wikipedia.org is using an invalid certificate to download.wiki[mp]edia.org are using an invalid certificate.
Aug 25 2015, 3:21 AM · Traffic, Operations, Patch-For-Review, HTTPS

Aug 21 2015

Chmarkine closed T33323: Mandate only-SSL for accounts with access to private information as Resolved.

Resolved since HTTPS has been enforced for everyone.

Aug 21 2015, 8:55 AM · Traffic, Patch-For-Review, HTTPS
Chmarkine closed T33323: Mandate only-SSL for accounts with access to private information, a subtask of T29946: [DO NOT USE] SSL related (tracking) [superseded by #HTTPS], as Resolved.
Aug 21 2015, 8:55 AM · Operations, Traffic, Tracking-Neverending, HTTPS
Chmarkine placed T33325: OpenSearch is not using https in its content even it's being accessed via https up for grabs.
Aug 21 2015, 8:47 AM · HTTPS
Chmarkine closed T33325: OpenSearch is not using https in its content even it's being accessed via https as Resolved.

This was resolved when the canonical URLs on all pages point to HTTPS. T53002

Aug 21 2015, 8:46 AM · HTTPS

Aug 15 2015

Chmarkine added a comment to T107575: download.wiki[mp]edia.org are using an invalid certificate.

How about mapping download.Wikipedia.org to the text cluster, and then have it redirect to https://dumps.wikimedia.org?

Aug 15 2015, 3:53 PM · Traffic, Operations, Patch-For-Review, HTTPS

Jul 31 2015

Chmarkine added a project to T21353: Set up compat redirect stats.wikipedia.org -> stats.wikimedia.org: acl*sre-team.
Jul 31 2015, 2:53 PM · Traffic, Operations, DNS
Chmarkine reopened T21353: Set up compat redirect stats.wikipedia.org -> stats.wikimedia.org as "Open".

https://stats.wikipedia.org/ is broken. Error: 404, Domain not served here

Jul 31 2015, 2:53 PM · Traffic, Operations, DNS
Chmarkine added a parent task for T107575: download.wiki[mp]edia.org are using an invalid certificate: T102824: Clean up DNS/redirects for TLS.
Jul 31 2015, 2:33 PM · Traffic, Operations, Patch-For-Review, HTTPS
Chmarkine added a subtask for T102824: Clean up DNS/redirects for TLS: T107575: download.wiki[mp]edia.org are using an invalid certificate.
Jul 31 2015, 2:33 PM · Operations, Traffic
Chmarkine updated the task description for T107575: download.wiki[mp]edia.org are using an invalid certificate.
Jul 31 2015, 1:51 PM · Traffic, Operations, Patch-For-Review, HTTPS
Chmarkine created T107575: download.wiki[mp]edia.org are using an invalid certificate.
Jul 31 2015, 1:41 PM · Traffic, Operations, Patch-For-Review, HTTPS

Jul 30 2015

Chmarkine added a comment to T104244: Preload HSTS.

wikipedia.org is already on the preload list! Among Alexa Top 10 websites, Wikipedia is the only one that has all subdomains preloaded!
https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json#3319
https://twitter.com/konklone/status/626538394202570752

Jul 30 2015, 7:50 AM · Operations, HTTPS, Traffic

Jul 29 2015

Chmarkine added a comment to T104244: Preload HSTS.

Before wikimedia.org is ready to preload, how about emailing agl@chromium.org to request preloading some high traffic and sensitive subdomains of wikimedia.org, like commons, donate, payments, etc.?

Jul 29 2015, 11:45 AM · Operations, HTTPS, Traffic

Jul 28 2015

Chmarkine removed a project from T105451: WMF-Last-Access cookies doesn't set Secure flag: Patch-For-Review.
Jul 28 2015, 4:14 PM · Traffic, Operations, good first bug, HTTPS
Chmarkine renamed T105451: WMF-Last-Access cookies doesn't set Secure flag from GeoIP and WMF-Last-Access cookies don't set Secure flag to WMF-Last-Access cookies doesn't set Secure flag.
Jul 28 2015, 4:14 PM · Traffic, Operations, good first bug, HTTPS

Jul 24 2015

Chmarkine added a comment to T102814: Decom old multiple-subdomain wikis in wikipedia.org.

Have these communities been notified yet?

Jul 24 2015, 11:34 PM · Operations, Trust-and-Safety, Patch-For-Review, Traffic, HTTPS
Chmarkine added a comment to T106311: pywikipedia.org is not responding; pywikibot.org is not registered.

the question is: what should it be replaced with...?

Jul 24 2015, 9:21 AM · Domains, Operations, Traffic, Cloud-Services, Pywikibot

Jul 21 2015

Chmarkine changed the status of T104649: Chromium says "Your connection to gerrit.wikimedia.org is encrypted with obsolete cryptography" from Declined to Resolved.

Why decline it? It has been resolved! Apache 2.2 now supports ECDHE. See T55259#1448222.

Jul 21 2015, 12:46 PM · Operations, Gerrit, HTTPS
Chmarkine changed the status of T104649: Chromium says "Your connection to gerrit.wikimedia.org is encrypted with obsolete cryptography", a subtask of T55259: Add Forward Secrecy to all HTTPS sites, from Declined to Resolved.
Jul 21 2015, 12:46 PM · Operations, HTTPS

Jul 17 2015

Chmarkine added a comment to T92002: implement Public Key Pinning (HPKP) for Wikimedia domains.

How about doing "report-only" first with a longer max-age, like 7 days?

Jul 17 2015, 11:01 AM · Operations, Traffic, HTTPS

Jul 16 2015

Chmarkine added a comment to T104942: TLS and *.wap/*.mobile multi-level subdomains of wikipedia.org.

Could you look at the referrers as well? Do most of the requests come from search engines?

Jul 16 2015, 4:02 PM · Operations, Reading-Admin, Patch-For-Review, Mobile, HTTPS, Traffic

Jul 14 2015

Chmarkine added a comment to T105716: Drop AES-256 mid/compat lists..

My thought is that we'd better support a cipher suite as long as someone is actively using it and it is not close to broken (such as RC4). So how about keeping AES256-SHA256 and cutting out other AES256 ciphers in mid and compat lists? Also, why not remove dhe-rsa-camellia256-sha too? It was not negotiated for 3 weeks.[1]

Jul 14 2015, 4:40 AM · Operations, Patch-For-Review, Traffic, HTTPS

Jul 11 2015

Chmarkine added a comment to T105455: Xbox 360 Internet Explorer unable to view Wikipedia.

Ok after some debugging with @mark (who has an xbox 360!), we've found what the incompatibility is. It's the same incompatibility that breaks ancient Java6 with us now: The Xbox360's IE9 supports DHE-based ciphersuites, but is incompatible with DH parameters greater than 1024-bit prime size, and we're using a 2048-bit prime parameter. Unfortunately, to give Forward Secrecy to other clients (and a lot of them are other Microsoft clients), we have to keep those DHE suites high on our preference list.
The best recourse on Microsoft's end of things would be upgrade the TLS library, if possible, to support 2048 (or even greater) -bit DH parameters for DHE ciphers.

Jul 11 2015, 12:04 PM · Operations, Traffic, Browser-Support-Internet-Explorer, HTTPS
Chmarkine added a project to T101451: Protect outgoing emails with SMTP STARTLS: HTTPS.
Jul 11 2015, 10:17 AM · HTTPS, Wikimedia-Mailing-lists, Wikimedia-General-or-Unknown
Chmarkine added a project to T101452: Protect incoming emails with SMTP STARTLS: HTTPS.
Jul 11 2015, 10:15 AM · Operations, Mail

Jul 10 2015

Chmarkine updated the task description for T105451: WMF-Last-Access cookies doesn't set Secure flag.
Jul 10 2015, 9:19 AM · Traffic, Operations, good first bug, HTTPS
Chmarkine added a subtask for T104681: HTTPS Plans (tracking / high-level info): T105451: WMF-Last-Access cookies doesn't set Secure flag.
Jul 10 2015, 9:17 AM · Tracking-Neverending, Operations, Traffic, HTTPS
Chmarkine added a parent task for T105451: WMF-Last-Access cookies doesn't set Secure flag: T104681: HTTPS Plans (tracking / high-level info).
Jul 10 2015, 9:17 AM · Traffic, Operations, good first bug, HTTPS
Chmarkine updated the task description for T105451: WMF-Last-Access cookies doesn't set Secure flag.
Jul 10 2015, 8:41 AM · Traffic, Operations, good first bug, HTTPS
Chmarkine renamed T105451: WMF-Last-Access cookies doesn't set Secure flag from GeoIP cookie doesn't set Secure flag to GeoIP and WMF-Last-Access cookies don't set Secure flag.
Jul 10 2015, 8:39 AM · Traffic, Operations, good first bug, HTTPS
Chmarkine created T105451: WMF-Last-Access cookies doesn't set Secure flag.
Jul 10 2015, 7:55 AM · Traffic, Operations, good first bug, HTTPS
Chmarkine added a comment to T102814: Decom old multiple-subdomain wikis in wikipedia.org.

It would seem arbcom-(de|nl|en) are the main ones to worry about notifying...

Jul 10 2015, 4:03 AM · Operations, Trust-and-Safety, Patch-For-Review, Traffic, HTTPS
Chmarkine updated the task description for T73156: Replace SHA1 certificates with SHA256.
Jul 10 2015, 2:12 AM · Operations, HTTPS

Jul 7 2015

Chmarkine added a comment to T104942: TLS and *.wap/*.mobile multi-level subdomains of wikipedia.org.

How many requests to these domains there are in the log? *.wap was deprecated in early 2009, and *.mobile was deprecated in late 2011. Google has 39,300 results for site:*.mobile.wikipedia.org, which is fewer than the 96,700 results for site:www.*.wikipedia.org. I think it is fine to delete them from DNS.

Jul 7 2015, 8:03 AM · Operations, Reading-Admin, Patch-For-Review, Mobile, HTTPS, Traffic

Jul 6 2015

Chmarkine committed rOPUPee9f662c3dff: HSTS preload for Mediawiki and Wikimediafoundation (authored by Chmarkine).
HSTS preload for Mediawiki and Wikimediafoundation
Jul 6 2015, 4:51 PM
Chmarkine added a comment to T102827: Decide what to do with *.donate.wikimedia.org subdomain + TLS.

Actually http://www.email.donate.wikimedia.org/ can be removed too.

Jul 6 2015, 4:46 PM · Operations, Patch-For-Review, fundraising-tech-ops, Traffic

Jul 5 2015

Chmarkine added a comment to T102827: Decide what to do with *.donate.wikimedia.org subdomain + TLS.

Oh, actually http://www.donate.wikimediafoundation.org/ redirects to https://wikimediafoundation.org/wiki/Home, and http://www.donate.mediawiki.org/ shows an "unconfigured domain" error page. So they are broken already.

Jul 5 2015, 7:35 AM · Operations, Patch-For-Review, fundraising-tech-ops, Traffic
Restricted Application updated subscribers of T102827: Decide what to do with *.donate.wikimedia.org subdomain + TLS.

Once these two domain names, www.donate.wikimediafoundation.org and www.donate.mediawiki.org are removed, wikimediafoundation.org and mediawiki.org can be preloaded. Fortunately, searching them on Google returns no results: https://www.google.com/search?q=%22www.donate.wikimediafoundation.org%22 and https://www.google.com/search?q=%22www.donate.mediawiki.org%22. So I think it is safe to remove at least these two.

Jul 5 2015, 7:27 AM · Operations, Patch-For-Review, fundraising-tech-ops, Traffic

Jul 3 2015

Chmarkine added a comment to T55259: Add Forward Secrecy to all HTTPS sites.

If you switch a site to strong, it *will* become inaccessible to several insecure and/or legacy client platforms, including: Android 2.x, IE8/XP, Java6, and any automated client code / bots which indirectly use OpenSSL versions < 1.0 (older Linux distros such as Ubuntu Lucid).

Jul 3 2015, 11:11 AM · Operations, HTTPS
Restricted Application updated subscribers of T101048: Policy decisions for new (and current) DNS domains registered to the WMF.
Jul 3 2015, 6:22 AM · Operations, WMF-Legal, Traffic

Jul 2 2015

Chmarkine added a subtask for T40516: Enable HSTS on Wikimedia sites: T104244: Preload HSTS.
Jul 2 2015, 1:58 PM · Operations, Traffic, HTTPS
Chmarkine added a parent task for T104244: Preload HSTS: T40516: Enable HSTS on Wikimedia sites.
Jul 2 2015, 1:58 PM · Operations, HTTPS, Traffic
Chmarkine added a project to T104244: Preload HSTS: HTTPS-by-default.
Jul 2 2015, 1:56 PM · Operations, HTTPS, Traffic

Jun 27 2015

Chmarkine added a comment to T103919: let all services on misc-web enforce http->https redirects.

stats.wikimedia.org doesn't redirect http to https. It has mixed content (T93702). Do we need to fix that first?

Jun 27 2015, 9:56 AM · Patch-For-Review, Operations, HTTPS, Traffic

Jun 21 2015

Chmarkine added a comment to T73156: Replace SHA1 certificates with SHA256.

so all is left here is OTRS it seems

Jun 21 2015, 9:29 AM · Operations, HTTPS

Jun 18 2015

Chmarkine added a comment to T102815: Decom www.$lang hostnames/redirects.

Noted on irc, tons of results in:
01:40 < Mjbmr> https://www.google.com/search?q=site:www.en.wikipedia.org
I wonder why google ignores the fact that those redirect and have rel=canonical in the content? Can we get google to get rid of these before we kill them?

Jun 18 2015, 6:06 AM · Operations, Patch-For-Review, HTTPS, Traffic

Jun 5 2015

Chmarkine placed T72326: Ganglia server doesn't send intermediary certificates up for grabs.
Jun 5 2015, 12:20 AM · Operations, HTTPS
Chmarkine closed T72326: Ganglia server doesn't send intermediary certificates as Resolved.

This has been fixed in T100825.

Jun 5 2015, 12:20 AM · Operations, HTTPS

Jun 1 2015

Chmarkine added a comment to T100827: replace git's sha1 cert with sha256.

git.wikimedia.org is behind misc-web. Is this cert still needed?

Jun 1 2015, 12:02 PM · Operations, Patch-For-Review, HTTPS

May 1 2015

Chmarkine added a subtask for T55259: Add Forward Secrecy to all HTTPS sites: T90351: Improve SSL of lists.wikimedia.org.
May 1 2015, 12:38 PM · Operations, HTTPS
Chmarkine added a parent task for T90351: Improve SSL of lists.wikimedia.org: T55259: Add Forward Secrecy to all HTTPS sites.
May 1 2015, 12:38 PM · Patch-For-Review, Wikimedia-Mailing-lists, HTTPS

Apr 29 2015

Chmarkine added a comment to T40516: Enable HSTS on Wikimedia sites.

Why aren't the Vary and HSTS headers set for https://gdash.wikimedia.org, but are correctly set for http://gdash.wikimedia.org?

Apr 29 2015, 1:46 AM · Operations, Traffic, HTTPS

Apr 28 2015

Chmarkine added a comment to T49832: Force all Wikimedia cluster traffic to be over SSL for all users (logged-in and anon).

As I've stated before, personally I'd prefer to do the hard redirects before the rel=canonical during the initial rollout process, simply because it's easier to take back in realtime if anything doesn't work out as planned in terms of load and capacity. We already have a process down for this stuff. It's not my place to speak to the rest, but I assure you people are aware and working on it.

Apr 28 2015, 8:18 AM · Operations, Traffic, HTTPS-by-default, HTTPS
Chmarkine added a comment to T49832: Force all Wikimedia cluster traffic to be over SSL for all users (logged-in and anon).

Can we start to force HTTPS for all users from the US soon? They should have low latency impact, since they are close to the datacenters. Do we have a timeline now? One thing is that once we redirect to HTTPS for US users, Google will update the indexed Wikipedia links to HTTPS as well.

Apr 28 2015, 4:14 AM · Operations, Traffic, HTTPS-by-default, HTTPS

Apr 20 2015

Chmarkine committed rOPUPd2d229a8308e: doc - Enable HSTS max-age=7 days (authored by Chmarkine).
doc - Enable HSTS max-age=7 days
Apr 20 2015, 2:39 PM

Mar 26 2015

Chmarkine committed rOPUP0a2683f71ae0: iegreview - Enable HSTS max-age=7 days (authored by Chmarkine).
iegreview - Enable HSTS max-age=7 days
Mar 26 2015, 12:37 AM
Chmarkine committed rOPUP1ff600082fdf: annual - Enable HSTS max-age=7 days (authored by Chmarkine).
annual - Enable HSTS max-age=7 days
Mar 26 2015, 12:08 AM

Mar 25 2015

Chmarkine committed rOPUPc7ab9e420fa0: dbtree - Enable HSTS max-age=7 days (authored by Chmarkine).
dbtree - Enable HSTS max-age=7 days
Mar 25 2015, 11:41 PM
Chmarkine added a comment to T49832: Force all Wikimedia cluster traffic to be over SSL for all users (logged-in and anon).

Great! https://en.m.wikipedia.org now works in China. According to the report on zhwiki and tests on greatfire.org, only http://zh.wikisource.org/, http://zh.wikinews.org/, and http://ug.wikipedia.org/ are still blocked, which I think are blocked based on URL rather than IP. All other Wikimedia sites, (http and https) are not blocked now. Thank you!

Mar 25 2015, 4:49 PM · Operations, Traffic, HTTPS-by-default, HTTPS
Chmarkine added a comment to T91504: SSL-config of the OTRS is outdated.

Sure it does, but the webserver for our OTRS doesn’t use it. HSTS is a nice idea, yes

Mar 25 2015, 5:51 AM · Operations, HTTPS, Security, OTRS
Chmarkine reopened T70554: https://planet.wikimedia.org redirects to http://meta.wikimedia.org/wiki/Planet_Wikimedia as "Open".

Now https://planet.wikimedia.org redirects to http://meta.wikimedia.org/wiki/Planet_Wikimedia again.

Mar 25 2015, 5:06 AM · Traffic, Wikimedia-Planet, Operations, HTTPS
Chmarkine added a parent task for T91504: SSL-config of the OTRS is outdated: T55259: Add Forward Secrecy to all HTTPS sites.
Mar 25 2015, 4:58 AM · Operations, HTTPS, Security, OTRS