Should Wikipedia Force All Users To Use HTTPS?

from the politics-of-encryption dept

It would be something of an understatement to say that encryption is a hot topic at the moment. But leaving aside deeper issues like the extent to which the Internet's cryptographic systems are compromised, there is a more general question about whether Web sites should be pushing users to connect using HTTPS in the hope that this might improve their security. That might seem a no-brainer, but for the Wikimedia Foundation (WMF), the organization that runs Wikipedia and related projects, it's a more complex issue.

The problem is that HTTPS access is disabled in some countries precisely to prevent users from being able to access sites securely. So when Wikimedia introduced its HTTPS-by-default policy on August 28, it made a couple of exceptions:

Some users live in areas where HTTPS is not an easy option, most times because of explicit blocking by a government. At the request of these communities, we have made an explicit exclusion for users from those affected countries. Simply put, users from China and Iran will not be required to use HTTPS for logging in, nor for viewing any Wikimedia project site.
An interesting post by Erik Möller, the WMF's Deputy Director, raises the question whether such exceptions help or hinder freedom in those countries:
In the long term, the Wikimedia movement is faced with a choice, which is inherently political: Should we indefinitely sustain security exceptions for regions that prevent the use of encryption, or should we shift to an alternative strategy?
Here are some of the considerations he mentions:
If we accommodate [China]'s or Iran's censorship practices, we are complicit in their attempts to monitor and control their citizenry. If a privileged user's credentials (e.g. Checkuser) are misused by the government through monitoring of unencrypted traffic, for example, this is an action that would not have been possible without our exemption. This could potentially expose even users not in the affected country to risks.
Möller goes on to suggest the following:
It could be argued that it's time to draw a line in the sand -- if you're prohibiting the use of encryption, you're effectively not part of the web. You're subverting basic web technologies.

Drawing this hard line clearly has negative near term effects on the citizenry of affected countries. But the more the rest of the world comes together in saying "What you are doing is wrong. Stop it." -- the harder it will be for outlier countries to continue doing it.
That may have been a defensible position last week, when he wrote those words, but it certainly isn't now. Snowden's information about efforts by the NSA and GCHQ to undermine every form of online encryption shows how they are "subverting basic web technologies" in a profound way; it is therefore no longer possible for the West to wag a finger at countries like China that are doing the same. However, Möller also points out:
There _are_ effective tools that can be used to circumvent attempts to censor and control the Internet. Perhaps it is time for WMF to ally with the organizations that develop and promote such tools, rather than looking for ways to guarantee basic site operation in hostile environments even at the expense of user privacy.
This is surely a better strategy. It would allow Wikimedia users in countries where HTTPS is blocked to access Wikipedia and related projects in a discreet way. Such circumvention tools could also be useful for many other sites that face the same problem, and so would be a force for combating censorship and control in general. Finally, if the privacy situation in the West continues to deteriorate, the software might even come in handy there, too.

Follow me @glynmoody on Twitter or, and on Google+

Filed Under: challenges, filtering, https, security, wikipedia
Companies: wikimedia foundation, wikipedia

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Anonymous Coward, 11 Sep 2013 @ 8:53am

    Re: Re: Re: Tor ban

    What third parties?

    I suggest doing a web search for "tor nsa" and reading what you find.

    Then consider that the NSA is hardly the only intelligence organization on this planet with an interest in doing so.

    Consider further that 60% of Tor development is paid for by the USG, which has now been definitively shown to be deliberating introducing weaknesses/backdoors into code. Do you REALLY think that the USG would be giving money to Tor if they couldn't break it?

    Of course the problem here is that once entity A can crack Tor, entities B through Z will be aware that it's a solvable problem and may even pick up some hints on how to replicate the work.

    Even if logins are required?

    Yes. Nothing stops an abuser from creating a large number of logins (either manually or via automation) -- any measure that would attempt to do so would also block the legitimate creation of a single login by a non-abuser.

    [...] which tools should they promote?

    Usenet. With encryption, of course. It's incredibly hard to block WHEN DEPLOYED PROPERLY and because it's been around for a very long time, rather sophisticated anti-abuse mechanisms have been developed for it. Yes, it's slower: that's a feature, not a bug. Yes, it takes some clue: that's also a feature, not a bug. But given that it can be propagated over network links, over dialup, via USB stick, via CD/DVD, via tape, via just about's enormously resistant to disruption.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Show Now: Takedown
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.