The Signpost

Technology report

Wikimedia sites are going HTTPS only

Today it was announced that Wikimedia sites are going to become HTTPS only, finishing up 10 year effort of rolling out HTTPS. In December 2005, Brion Vibber set up an experimental HTTPS server using special urls like https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page. In 2011, HTTPS became available using canonical urls like https://en.wikipedia.org/wiki/Main_Page, which allowed for the usage of protocol-relative urls (//en.wikipedia.org/wiki/Main_Page) to avoid serving HTTP content in pages loaded over HTTPS (mixed content).

Since August 2013, all logged in users used HTTPS; however, that system had some drawbacks. If a user clicked an HTTP link, they would be redirected to HTTPS, but their initial click would leak what page they were trying to visit. To counter that, HTTP Strict Transport Security (HSTS) is also being rolled out, which instructs browsers to only visit the website over HTTPS. Wikimedia sites will also be added to browser's HSTS preload lists, which will make sure the browser uses HTTPS even if you have never visited the website before to see the HSTS information.

As of writing, only 7 language groups have been converted[1]: ca, el, en, he, it, ug, zh. The Russian Wikipedia has been practically HTTPS-only since August 2014[2].

Legoktm is a software engineer for the Wikimedia Foundation, and he wrote this in his volunteer capacity.

















Wikipedia:Wikipedia Signpost/2015-06-10/Technology_report