Securing access to Wikimedia sites with HTTPS
June 12, 2015 by Yana Welinder, Victoria Baranetsky and Brandon Black
To ensure that Wikipedia users can share in the world’s knowledge more securely, the Wikimedia Foundation is implementing HTTPS, to encrypt all traffic on Wikimedia sites.
Image by Hugh D’Andrade, from Electronic Frontier Foundation, freely licensed under CC BY-SA 3.0.

To be truly free, access to knowledge must be secure and uncensored. At the Wikimedia Foundation, we believe that you should be able to use Wikipedia and the Wikimedia sites without sacrificing privacy or safety.
Today, we’re happy to announce that we are in the process of implementing HTTPS to encrypt all Wikimedia traffic. We will also use HTTP Strict Transport Security (HSTS) to protect against efforts to ‘break’ HTTPS and intercept traffic. With this change, the nearly half a billion people who rely on Wikipedia and its sister projects every month will be able to share in the world’s knowledge more securely.
The HTTPS protocol creates an encrypted connection between your computer and Wikimedia sites to ensure the security and integrity of data you transmit. Encryption makes it more difficult for governments and other third parties to monitor your traffic. It also makes it harder for Internet Service Providers (ISPs) to censor access to specific Wikipedia articles and other information.
HTTPS is not new to Wikimedia sites. Since 2011, we have been working on establishing the infrastructure and technical requirements, and understanding the policy and community implications of HTTPS for all Wikimedia traffic, with the ultimate goal of making it available to all users. In fact, for the past four years, Wikimedia users could access our sites with HTTPS manually, through HTTPS Everywhere, and when directed to our sites from major search engines. Additionally, all logged in users have been accessing via HTTPS since 2013.
Over the last few years, increasing concerns about government surveillance prompted members of the Wikimedia community to push for more broad protection through HTTPS. We agreed, and made this transition a priority for our policy and engineering teams.
We believe encryption makes the web stronger for everyone. In a world where mass surveillance has become a serious threat to intellectual freedom, secure connections are essential for protecting users around the world. Without encryption, governments can more easily surveil sensitive information, creating a chilling effect, and deterring participation, or in extreme cases they can isolate or discipline citizens. Accounts may also be hijacked, pages may be censored, other security flaws could expose sensitive user information and communications. Because of these circumstances, we believe that the time for HTTPS for all Wikimedia traffic is now. We encourage others to join us as we move forward with this commitment.
The technical challenges of migrating to HTTPS
HTTPS migration for one of the world’s most popular websites can be complicated. For us, this process began years ago and involved teams from across the Wikimedia Foundation. Our engineering team has been driving this transition, working hard to improve our sites’ HTTPS performance, prepare our infrastructure to handle the transition, and ultimately manage the implementation.
Our first steps involved improving our infrastructure and code base so we could support HTTPS. We also significantly expanded and updated our server hardware. Since we don’t employ third party content delivery systems, we had to manage this process for our entire infrastructure stack in-house.
HTTPS may also have performance implications for users, particularly our many users accessing Wikimedia sites from countries or networks with poor technical infrastructure. We’ve been carefully calibrating our HTTPS configuration to minimize negative impacts related to latency, page load times, and user experience. This was an iterative process that relied on industry standards, a large amount of testing, and our own experience running the Wikimedia sites.
Throughout this process, we have carefully considered how HTTPS affects all of our users. People around the world access Wikimedia sites from a diversity of devices, with varying levels of connectivity and freedom of information. Although we have optimized the experience as much as possible with this challenge in mind, this change could affect access for some Wikimedia traffic in certain parts of the world.
In the last year leading up to this roll-out, we’ve ramped up our testing and optimization efforts to make sure our sites and infrastructure can support this migration. Our focus is now on completing the implementation of HTTPS and HSTS for all Wikimedia sites. We look forward to sharing a more detailed account of this unique engineering accomplishment once we’re through the full transition.
Today, we are happy to start the final steps of this transition, and we expect completion within a couple of weeks.
Yana Welinder, Senior Legal Counsel, Wikimedia Foundation
Victoria Baranetsky, Legal Counsel, Wikimedia Foundation
Brandon Black, Operations Engineer, Wikimedia Foundation
Related Posts
Archive notice: This is an archived post from blog.wikimedia.org, which operated under different editorial and content guidelines than Diff.
84 Comments
nemobis
6 years ago
#23960
Will concrete information be made available on https://meta.wikimedia.org/wiki/HTTPS ? Example question: when will HTTPS made universal on the wikis which asked it some years ago?
0
ywelinder
6 years ago
#23961
@nemobis Thanks for pointing out this meta page. We will try to provide more info there eventually, but have our hands full with the rollout. In the meantime, if you would like to use the information in this post to respond to questions, that would be incredibly helpful.
0
Lou
6 years ago
#23962
Hi, Greetings!
Glad to see Wiki turns on HTTPS by default. However, can I turn off HTTPS? Since the GFW in China blocks Wiki in HTTPS sometimes, and it takes far more time to load the site.
Regards
0
A Cypherpunk
6 years ago
#23963
Thank you! #EncryptTheWeb
0
nemobis
6 years ago
#23964
Yana, I’m sorry but I’m unable to extract any information from this post. However, I linked it from there and updated a local it.wiki discussion with clarifications provided by ops.
0
bender235
6 years ago
#23965
I’m glad to finally see this. Thanks.
0
deedayuk
6 years ago
#23966
PLEASE leave users the possibility to opt out of HTTPS; why has it now been taken away?
I don’t care about intelligence agencies spying on my Wikipedia contributions, if they ever do; I just want the best possible performance AND I’m happy to save the Wikimedia infrastructure valuable processing time, by avoiding something for me completely pointless, i.e. encryption.
Shouldn’t Wikipedia be all about freedom? Then turn on HTTPS by default if you want, and then leave the user free to decide whether to turn it off or not.
Thank you.
0
blackhat999
6 years ago
#23967
This is a major step forward.
0
Will
6 years ago
#23968
https://www.httpvshttps.com/
0
Matt
6 years ago
#23969
Well done.
https://www.ssllabs.com/ssltest/analyze.html?d=en.wikipedia.org
0
Maik
6 years ago
#23970
Makes the web a little bit safer.
0
cosjef
6 years ago
#23971
“We’ve been carefully calibrating our HTTPS configuration to minimize negative impacts related to latency, page load times, and user experience.”
Can you please expand on this in more detail? More specifically how you decided to make tradeoffs of speed and performance and cipher suites used?
0
nowak
6 years ago
#23972
Old OPERA (12.16) stop working
0
Alexander
6 years ago
#23973
This is great news! Everything should be encrypted by default, so that it does not look suspicious when one really needs encryption (like when searching for an illness or for chapter 11 information).
0
Ron Clarke
6 years ago
#23974
The browser I use most (99 %) is Arachne running in DOS.
Arachne does not do HTTPS.
Is there any way I can access Wikipedia WITHOUT HTTPS ??
0
Glenn McCorkle
6 years ago
#23975
To elaborate on the post by Ron Clarke:
Ron & I are active developers of DOS Arachne available at…
http://glennmcc.org/
The page for-which on wikipedia is no longer accessible to DOS Arachne
due to https being required.
https://en.wikipedia.org/wiki/Arachne_(web_browser)
Before this change to https, DOS Arachne was indeed able to access that page via…
http://en.wikipedia.org/wiki/Arachne_(web_browser)
However, attempting to access via http now auto-rediects to https
Please, re-think your position of requiring https access.
“free” information is not so “free” after-all if accessing said information has the string
attached of requiring a protocol that is not available in _all_ web browsers.
0
Ellie Kesselman
6 years ago
#23976
Will this affect the status of the ongoing NSA lawsuit by Wikipedia? Is there any need for the lawsuit, if editors and readers are all accessing Wikipedia via HTTPS?
0
P
6 years ago
#23977
It would be a great idea if it worked, sadly Wikipedia seems to have died for me in FF3. I’m getting an error message saying “The connection was interrupted”.
Works fine in IE.
0
Steve
6 years ago
#23978
@Arachne_running_in_DOS, you already have a problem today with other SSL/TLS sites like e-banking etc. Why now adding a SSL/TLS support to that browser instead, is this really something very hard to do, or just not a priority? @All_users_who_do_not_respect_privacy, actually I think you are honest, everyone want privacy, but some do not understand it. Everyone that do not need privacy, please create web page, publish all your passwords and also please upload all of your personal information – your telephone SMS, photos, all e-mail conversations, etc. You said you don’t care about privacy, so this should not be a problem. Let’s… Read more »
0
Ellie Kesselman
6 years ago
#23979
@Steve
Please try to be a little less gratuitously antagonistic to prior comments, okay? The content about government pedophiles is extreme in this context
http://diff.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/#comment-24274
0
dewimorgan
5 years ago
#23980
@Glenn McCorkle and Ron Clarke: “Ron & I are active developers of DOS Arachne” This ship has sailed. Every single .gov domain will be HTTPS-only by next year. Many already are. For active developers of web browsers which don’t support HTTPS, implementing it should have been the number one priority for the last few years, because other browsers – even other command-line browsers that can run on legacy hardware – support it just fine. Like an FTP program without FTPS or SFTP, or an email program without STARTTLS, you’ll lose market share and relevance. Oh, and IPv6 URLs are a… Read more »
0
Ron Clarke
5 years ago
#23981
Steve,
> Why now adding a SSL/TLS support to that browser instead, is this really something very hard to do, or just not a priority?
Adding SSL to Arachne would be wonderful, and we wish we could. But…..we have a lack of suitably skilled coders with an interest in DOS browsers, and Arachne in particular.
Any volunteers ?
0
Mat2
5 years ago
#23982
Now all IE6 users will be cut off from using Wikipedia:
https://www.ssllabs.com/ssltest/analyze.html?d=en.wikipedia.org
Wouldn’t it be possible to add some user-agent sniffing so that these browsers could still access Wikipedia? They are usually used by poorer people.
0
dewimorgan
Reply to  Mat25 years ago
#23983
“Wouldn’t it be possible to add some user-agent sniffing” NO! No it would not. Because then a man in the middle can replace anyone’s user agent details with another user agent, and bingo, nobody any longer has any encryption at all. Invisibly and undetectably. Why would wikimedia hand attackers such a gift on a plate? Upgrading from IE6 to a secure browser is entirely possible for every single user on the planet. There is no sane reason for anyone, anywhere, to use an insecure browser. The very worst smartphone and smartwatch in the world can browse securely. Even Lynx can… Read more »
0
Mat2
5 years ago
#23984
“Because then a man in the middle can replace anyone’s user agent details with another user agent, and bingo, nobody any longer has any encryption at all. Invisibly and undetectably.” Such an attack is already possible with tools such as sslstrip. Therefore user-agent sniffing doesn’t decrease security for other users out there: it will make life easier neither for criminals nor for companies that want to monitor traffic. Wikipedia is going to use HSTS and add itself to HSTS preload lists in browsers: that will block downgrade to HTTP for new browsers. “Upgrading from IE6 to a secure browser is… Read more »
0
zzo38
5 years ago
#23985
I *really* want the ability to connect without HTTPS. I want to avoid the overhead required by HTTPS please.
0
Ron
5 years ago
#23986
> There are two reasons someone might ask for any form of downgrade or opt-out to be permitted:
Make that three reasons.
I run in DOS, and I like to keep the functionality of Arachne.
Yes, I also run Links, Elinks and Lynx in DOS, but Arachne is more versatile than all of them – except for a lack of SSL.
0
astrodevamm
5 years ago
#23987
Very good step indeed, in fact, in cyber world https is more important because of security issues. Know a days users check website also they check that website https not. If they found https is not they click on cut button and skip from website…
0
Pushpendra Pal
5 years ago
#23988
Great move team. Web is becoming a tool for governments and enforcement agencies to surveillance on citizens. SSL helps website visitors to send and receive encrypted data.
I also want to move my website http://careervendor.com from HTTP to HTTPS. I am fearing about loosing traffic, backlink and ranking. Can anyone please suggest a way for proper migration.
0
astrodevamm
5 years ago
#23989
Very good step indeed, in fact, in cyber world https is more important because of security issues. Know a days users check website also they check that website https not. If they found https is not they click on cut button and skip from website…
0
Sports Fan Stan
5 years ago
#23990
All well and good to force everyone to use https. Would it be too much to ask to employ a real SSL certificate that doesn’t rely on a wildcard. At present, we can’t even use Wikipedia anymore because we can’t trust the website. Uggghhh…
0
Gary Smith
5 years ago
#23991
All the points are explained very clearly, Great source of information. Thanks for en-lighting us with your knowledge, it is helpful for many of us.
0
omtim
5 years ago
#23992
Great step for sure, actually, in digital world https is more imperative
0
Flo
5 years ago
#23993
Is there *any* way to use Wikipedia *without* https? I have an old device which is not capable of using https. And please don’t tell me to buy new hardware or software. So please offer a possibility to read Wikipedia *without* forced https!!!! BTW: I cannot follow the reasons to *enforce* https: Concerning privacy: when you browse Wikipedia the URLs contain the topic you are reading (e.g.: https://en.wikipedia.org/wiki/CMAC) thus any sniffer can track what you are currenly reading. Only the *contents* is encrypted, but the contents is visible by anybody anyway (in contrast to the content of my bank account).… Read more »
0
Creg
5 years ago
#23994
Flo said
“Concerning privacy: when you browse Wikipedia the URLs contain the topic you are reading thus any sniffer can track what you are currenly reading. Only the *contents* is encrypted, but the contents is visible by anybody anyway (in contrast to the content of my bank account).”
False. The root domain (wikipedia.org) can be inferred from the IP address of the server during the TCP/IP request but the complete URL and exact page you’re reading cannot.
Read the article on https.
0
Rodion
5 years ago
#23995
I also want there is a way to use wikipedia with plain HTTP if necessary. Currently there is a stupid debate between our government and local wiki representatives (I could not decide which of them is more stupid, I’m sorry) about restricting access to certain pages (about drugs). Providers can do this for single page if it is accessed with HTTP, but they need to deny access to whole website if it is accessed via HTTPS. So it would be good if we have some fallback, perhaps with banner explaining “all horrible consequences” of reading wiki in plain HTTP. In… Read more »
0
Our most popular posts of 2015: black hats, artificial intelligence, John Oliver, and a photobomb – Wikimedia blog
5 years ago
#23996
[…] in 2015, we began encrypting all of our traffic with HTTPS to ensure that users and readers alike can use our services “without sacrificing privacy or […]
0
Google steals 550+ million Wikipedia clicks in 6 months, traffic drop confirmed by Wiki's Jimmy Wales
5 years ago
#23997
[…] HTTPS fluctuations? Wikipedia moved to HTTPS before 2 months ago, but the serious drop in the organic desktop traffic began actually at […]
0
Part 3 - The Evolving Data Story Around Wikipedia - Similarweb Blog
5 years ago
#23998
[…] has been kind enough to share their thoughts that their shift to HTTPS might have resulted in drops in traffic overall and from search engines :”This switch to […]
0
Announcing a new informational resource on Wikimedia Foundation v. NSA and government surveillance – Wikimedia blog
5 years ago
#23999
[…] dates as these become available; helpful English Wikipedia articles about government surveillance; information about HTTPS access to the projects and online security; and social media action items for anybody […]
0
HTTPS and Wikipedia – Crossref Blog
5 years ago
#24000
[…] June 2015 the Wikimedia foundation made the announcement that they were finalising the switch, and that within a few weeks all traffic would be […]
0
为什么迁移到 HTTPS 有利于网站统计 – 博客歪歪
5 years ago
#24001
[…] 实际上已于 2015 年六月 从 HTTP 迁移到了 HTTPS。在那时,几乎所有从 wikipedia.org 到 HTTP […]
0
为什么迁移到 HTTPS 有利于网站统计 | 神刀安全网
5 years ago
#24002
[…] 实际上已于 2015 年六月 从 HTTP 迁移到了 HTTPS 。在那时,几乎所有从 wikipedia.org 到 HTTP […]
0
The Lopsided Geography of Wikipedia -RocketNews
4 years ago
#24003
[…] is presently blocking Wikipedia in its entirety, in part because of the encyclopedia’s recent move to an encrypted “HTTPS” protocol that makes it harder for the government to determine […]
0
VIVO TRENDS | A Wikipedia perdeu meio bilhão de visitas nos últimos meses
4 years ago
#24004
[…] no protocolo de navegação da Wikipédia também ajuda na queda de acessos. Em junho, foi anunciado que os sites da Wikimedia seriam criptografados com o protocolo HTTPS, que garante a segurança e […]
0
J. Wales : « Tout ce qui ressemble à un péage sur les autoroutes de l’information suscite notre inquiétude » | Le Bon Article
4 years ago
#24005
[…] fois, elle a été documentée. C’est pour éviter cela que nous avons pris la décision d’utiliser par défaut le protocole « HTTPS », qui rend la surveillance de votre navigation beaucoup plus difficile, sur toutes les […]
0
Le cofondateur de Wikipédia inquiet de « tout ce qui ressemble à un péage sur les autoroutes de l’information » | Le Bon Article
4 years ago
#24006
[…] fois, elle a été documentée. C’est pour éviter cela que nous avons pris la décision d’utiliser par défaut le protocole « HTTPS », qui rend la surveillance de votre navigation beaucoup plus difficile, sur toutes les […]
0
Growing the Wikimedia blog – Wikimedia Blog
4 years ago
#24007
[…] Securing access to Wikimedia sites with HTTPS – 14k views […]
0
bart
4 years ago
#24008
Google usually has an alternate (cache) for each wiki link.
I just use these cache pages.
0
Let's Encrypt SSL Certificates and Nginx for HTTPS
4 years ago
#24009
[…] the use of HTTPS as a rankings signal. Over the past few years, organizations like Facebook, Wikipedia, and the Federal CIO Council have shown that properly switching to HTTPS is no longer the […]
0
Appeal filed in Wikimedia v. NSA – Wikimedia Blog
4 years ago
#24010
[…] to protect the free expression and privacy rights of all Wikipedia users. We have since enabled default HTTPS access to protect Wikipedia users from government surveillance, and we remain committed to our stringent […]
0
Meta
Posted in Foundation, From the archives, Legal, Platform engineering, Technology, Wikipedia
Tagged encryption, https, Security, surveillance, technology, web, Wikimedia, Wikimedia Blog, Wikimedia Foundation, Wikipedia
Welcome to Diff
Welcome to Diff, a community blog by – and for – the Wikimedia movement. Join Diff today to share stories from your community and comment on articles. We want to hear your voice!
Subscribe to Diff via Email
Enter your email address to subscribe to Diff and receive notifications of new posts by email.
Wikimedia Foundation News
Wikipedia readers in Latin America invited to support 20 years of free knowledge through new fundraising campaignApril 19, 2021 Pats Pena
Wikimedia Technology Blog
Discovering and fixing CVE-2021-33038 in Mailman3June 11, 2021 Kunal Mehta
Down the Rabbit Hole
Project Rewrite: A conversation on building online spaces for women’s global power with Jensine…June 2, 2021 Adora Svitak
Photo credits
Wikimania 2019 Group Photo
Patricia Costillo
CC BY-SA 4.0
Diff
This is Diff, a Wikimedia community blog.
All participants are responsible for building a place that is welcoming and friendly to everyone. Learn more about Diff.
A Wikimedia Foundation Project
Links
Join
Subscribe
Guidelines
Editorial guidelines
Privacy Policy
Terms of Use
Log in
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted.
Powered by WordPress.com VIP, Automattic Privacy Notice.
Equity & InclusionEducation & Open AccessTechnologyPartnerships & EventsPolicy & AdvocacyMovement StrategyAboutSubmitWikimania 2021