It came to my attention that anyone visiting en.wikipedia.org site from an “old Android smartphone”, as Wikipedia puts it, will be redirected to https://en.wikipedia.org/sec-warning (http://web.archive.org/web/20191217154700/https://en.wikipedia.org/sec-warning), which, amongst other things, reads the following:
This is actually a good thing. There are many *valid technical reasons* behind this. You should do this too.
There’s a far better use for port 443.
Why do I need Wikipedia SSLed? I know the argument. But if it doesn’t work why not either let it fall back to 1.0 or to HTTP.
This seems like security for no valid reason.
Exactly. I used the wording from their own page; but I think it’s actually misleading. They’re actually going out of their way to prevent users of “old Android smartphones” from accessing Wikipedia; if they did nothing, everyone would still be able to read happily over HTTP.
Just let the old platforms ride off into the sunset as originally planned like the SSL implementations in older JRE installs, XP, etc. You shouldn’t be holding onto the past.
Ignoring the obvious reasons why TLS is needed and HTTP should not be used, I guess people who want an HTTP version of Wikipedia that is read-only and knowingly insecure, censorable, modifiable, etc. can donate a few million dollars to the Wikimedia Foundation, before the tax year is over, for the engineers, infrastructure, and everything, and write a special note, and maybe Wikipedia may consider this… Worst case, you just funded a secure encyclopedia and helped it grow in 2020 and years to come…
Let’s see those receipts coming!
because no one should know what you read about or check out at wikipedia
... because you should be able to verify the site you are at is actually the site you intended to be at...
Let the old crap go. Besides the sheer amount of ppl left that have the older phones most likely are not going to Wikipedia anyway.
Well, that would be nothing, because they’re blocking your device from having any access.
Just to make it clear: are you suggesting that it should be a requirement to always verify the site where anonymous people make anonymous edits? Let that sink in.
I am curious -- what exactly are those "obvious reasons"? (And for the record HTTP *IS* being used, it is just being tunneled inside a TLS connection).
I certainly cannot fathom any "obvious reasons" ...
TLS 1.2 as deployed in Web Browsers does not authenticate the end-point. What it does is present an "Advertizing ID" that is akin to the "Advertizing ID" that the telco's sold as "Caller ID", because they new that y'all proles would not pay if there were truth in naming. By the same token the general certificate system will "say" whatever he who pays wants it to say. It does not verify anything other than the fact that the remote end-point went to the bother of buying (or the trouble of fiddling about with) advertizing certificates.
Silicon Valley is typically out of touch with reality.
“the sheer amount of ppl left that have the older phones most likely are not going to Wikipedia anyway.”
Some don’t have the fiscal or logistical ability to do better.
If you care that bad, you work towards meeting the requirement. If you don’t care, then you don’t.
I think this is a bit over the top and troll-ish but there is a big thing going on in circles where transport integrity and secrecy are tied together when it’s not necessary.
Not all mutual authentication needs to be done with certificates (for example).
Forcing all of wikipedia to be https is an example of the side-effects of this practice when combined with deprecating older versions of TLS and older ciphers, you will inevitably make the content inaccessible as a result. The thought that we should all upgrade our devices (that work just fine) is a bit of a problem.
If I have an old tablet that my kids use to do wikipedia and are now locked out, that’s forcing an expense on the end-user of that tech and creates more e-waste etc than necessary. I’m not a fan of that either, but the painting a broad brush is not helpful to the conversation.
I normally don't chime in here, because I'm not technically a network operator, but I do know certs and PKI infrastructure.
Just wanted to point out that many situations where such security would be desirable -- a repressive government, an overly surveilling employer -- have, or can easily put in place, tech to subvert the entire process anyway. Require every browser to include a custom CA certificate, issue certs on the fly for any given site, and The Man can MITM every site you visit, supporting whatever protocol your device requires.
Requiring TLS 1.2 won't fix this -- it's an attempt to minimize the risk of specific protocol-based attacks at the expense of older browsers. That having been said, I'd like to see actual numbers on how many of Wikimedia's sites' visitors will be affected. What percentage of browsers visiting their sites can't support TLS 1.2 or later?