T147199: Removing support for DES-CBC3-SHA TLS cipher (drops IE8-on-XP support) needs to be communicated to affected editors. This will need some CL time (part-time for about four months).
Description
Details
Status | Assigned | Task
---|---|---
Resolved | BBlack | T118181 Planning for phasing out non-Forward-Secret TLS ciphers
Declined | None | T147967 The WMF-Last-Access Set-Cookie header should follow RFC 2965 syntax rather than the pre-RFC Netscape format
Resolved | BBlack | T147199 Removing support for DES-CBC3-SHA TLS cipher (drops IE8-on-XP support)
Resolved | Johan | T163251 Communicate dropping IE8-on-XP support (a security change) to affected editors and other community members
Resolved | Johan | T172418 Get translations for "IE8 on XP won't work"
Event Timeline
Update: Today is the start date for going to 5%. Before we pull that trigger sometime later (perhaps much later) today, I'm working on a few other things:
- Creating a wikitech page with technical details about both the deprecation process/timeline and the rationale, to link elsewhere (e.g. on the browser rec page).
- Importing some of the translations that exist so far into the warning page, along with various other suggested wording updates.
I've left another note about this at enwiki's VPT: https://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_(technical)&diff=795973850&oldid=795961036
That's where experienced editors are most likely to end up, if they see these errors and are confused.
Ok thanks!
I've done (1) above here: https://wikitech.wikimedia.org/wiki/HTTPS/3DES_Deprecation . Will link that back into the browser recommendation page when I update it for dates in a few minutes as well. It's probably not helpful for most end-users, but it lays everything out in deeper technical terms, especially the rationale section.
I have a dumb question! 😃
Currently, https://en.wikipedia.org/test-sec-warning says "Our HTTPS: Browser Recommendations page on wikitech has more-detailed information on fixing this situation." However, if wikitech is going the same way as the rest of the wikis experiencing this phenomenon (I expect it will), then the user will also be unable to access that link at some point in the future.
It's a very valid question :)
Around the time of the final date of protocol-level removal (~Nov 17), 3DES will stop working for most of our sites, Wikitech included, at which point nobody can view any of these messages or warnings directly. However, the ramp-up in pageview replacements with the https://en.wikipedia.org/test-sec-warning is happening only on our standard Varnish termination layer. This affects all of the major wiki projects in all languages, but doesn't apply to a handful of our sites which are on separate internet-facing infrastructure, including Wikitech and a few other more-technical sites/tools.
The information could also be duplicated on the blog, I suppose. @EdErhart-WMF, will you want a blog post about this anyway?
Maybe it would be possible to have a "Translate" link after the translated languages?
Maybe worth adding a link to https://www.ssllabs.com/ssltest/viewMyClient.html to the error page so people can check their cipher support?
I imagine people who use IE8 on XP mainly fall into two categories: those who have no control over their work environment, and those who are easily confused by computer technology and don't really know what a cipher is.
Hopefully in the former case, they'll complain to their IT department and they'll fix it, and hopefully in the latter they'll blindly trust our Firefox links and find their way out of this mess from there :)
Testing updated HTML with some translations and a translate link (and other minor cleanups) at https://pinkunicorn.wikimedia.org/test-sec-warning . Will push something like this to the real one at https://en.wikipedia.org/test-sec-warning before upping percentage. Thoughts? Further tweaks? Mistakes? :)
Update: noticed I had en-US firefox links in all of the translations. Updated them all now.
A few nits:
- Consistently use lower case attribute names, e.g. dir="rtl".
- Add missing lang attributes to all the non-English paragraphs. Both for semantic reasons, maintenance (easier to update in-place without knowing the language), and possibly to help assistive technology.
- Prefix each paragraph content with the autonym for that language as well for end-users, which should make it significantly easier to find your language and less visually distracting for the mind when reading by naturally not needing to look through the other paragraphs.
Example:
<p lang="de"><strong>Deutsch:</strong> Die Wikimedia-Wikis werden bald ...</p>
Heh, I had been updating the translations with the localised links.
Choose between them with javascript, like in the error page?
That JavaScript is no longer in production. Something similar could be written at some point, and is planned for the error page redesign, but perhaps not the best time to try and push it out as part of this. If you're able to write something up that's simple, secure, Grade C compatible, and accessible, I'd be willing to review it.
Thanks! Updated for all the above as best I can (I'm not 100% sure on the language-name text prefix for Arabic and Chinese, but took a good stab from http://mediaglyphs.org/mg/?p=langnames ), I guess someone that knows better can recommend a further fixup?
I also re-ordered everything (except English at the top as canonical) according to language popularity from https://en.wikipedia.org/wiki/List_of_languages_by_number_of_native_speakers .
Change 372448 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] 3DES Deprecation: internationalize and update warning
The patch above is the same changes as a real changeset (it's just hard to review them that way, simpler manually on https://pinkunicorn.wikimedia.org/test-sec-warning ).
After a couple of other minor nits, going to push the above as it stands. We can iterate further as necessary, at least it's an improvement on the original!
Change 372448 merged by BBlack:
[operations/puppet@production] Deprecation of 3DES: internationalize and update warning
Change 372467 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Deprecation of 3DES: Bump pageview replacement to 5%
Thanks for adding the lang attributes. I also realised that one of the benefits this has is that browsers will pick a better and more suitable default font for the entire paragraph. For example, here is Japanese:
[Screenshots: After | Before]
Change 372467 merged by BBlack:
[operations/puppet@production] Deprecation of 3DES: Bump pageview replacement to 5%
Clearly I don't check my Phab notifications enough! Happy to run a blog post on this, perhaps framed in the context of protecting our community members/readers?
... wait, that was a stupid suggestion. My apologies. I momentarily forgot we're almost only showing this page to users who won't be able to use our translation tools on Meta (they depend on JavaScript).
Heh yeah I guess you're right. Still, I added it to the current page, and we seemed to have picked up some new translations over the weekend. I can pull the link back out of there on the next update if that makes more sense.
Change 373086 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: add pt, bn, ru, sv, he, sq
Change 373087 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Varnish: move errorpage/browsersec to common code
Change 373088 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: remove wiki-colon filtering
Change 373086 merged by BBlack:
[operations/puppet@production] browsersec: add pt, bn, ru, sv, he, sq
Change 373087 merged by BBlack:
[operations/puppet@production] Varnish: move errorpage/browsersec to common code
Change 373088 merged by BBlack:
[operations/puppet@production] browsersec: remove wiki-colon filtering
Change 373099 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: add back wiki-colon filtering for text only
Change 373099 merged by BBlack:
[operations/puppet@production] browsersec: add back wiki-colon filtering for text only
Change 373726 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] 3DES Deprecation: bump to 8%
Change 373726 merged by BBlack:
[operations/puppet@production] Deprecation of 3DES: bump to 8%
I see that the Arabic text in the banner is broken. I'm looking at this page. This should not go like this to Arabic speakers. :) Can someone look into it? (I don't know Arabic fluently, but I know enough to be able to explain to whoever picks this up what's wrong in the text.)
Also, if you need help with Persian translation, let me know and I'll work on it.
Thanks for reporting. We've looked into it and got a native speaker of Arabic to point out what needs to be fixed.
Translations are always welcome. They can be done here:
https://meta.wikimedia.org/wiki/User:Johan_(WMF)/IE8XP
Change 374585 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: update ar translation
Change 374585 merged by BBlack:
[operations/puppet@production] browsersec: update ar translation
Great! (I still don't see the change in the link, but I guess you will push it later. :)
Translations are always welcome. They can be done here:
https://meta.wikimedia.org/wiki/User:Johan_(WMF)/IE8XP
ok. {{done}}
Change 374602 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: add fa translation
Change 374602 merged by BBlack:
[operations/puppet@production] browsersec: add fa translation
Change 374604 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: add missing dir=rtl for fa
Change 374604 merged by BBlack:
[operations/puppet@production] browsersec: add missing dir=rtl for fa
Change 374605 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: re-order languages slightly
Change 374605 merged by BBlack:
[operations/puppet@production] browsersec: re-order languages slightly
Change 375107 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Deprecation of 3DES: bump to 11%
Change 375107 merged by BBlack:
[operations/puppet@production] Deprecation of 3DES: bump to 11%
Change 376309 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: affect API calls and non-GET as well
Change 376310 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 14% 2017-09-07
Change 376311 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 17% 2017-09-14
Change 376312 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 20% 2017-09-21
Change 376313 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 23% 2017-09-28
Change 376314 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 26% 2017-10-05
Change 376315 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 29% 2017-10-12
Change 376316 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 100% 2017-10-17
Change 376309 merged by BBlack:
[operations/puppet@production] browsersec: affect API calls and non-GET as well
Change 376310 merged by BBlack:
[operations/puppet@production] browsersec: bump to 14% 2017-09-07
To be honest, most of the community is blissfully unaware this is happening. But unless you bring out all the bells and whistles and the blinking lights, that's always going to be the case. (: We've put the information out through Tech News and the normal channels for technical updates, we're making sure those who are actually affected get to know it and so on.
The communities tend to be reasonable when you do something for good reason, and especially the fact that there's some sort of risk for everyone else in letting 0,1% connect to the wikis the way they are is a pretty reasonable argument for doing this.
Change 376311 merged by BBlack:
[operations/puppet@production] browsersec: bump to 17% 2017-09-14
Change 376312 merged by BBlack:
[operations/puppet@production] browsersec: bump to 20% 2017-09-21
Change 376313 merged by BBlack:
[operations/puppet@production] browsersec: bump to 23% 2017-09-28
There will be a new reminder in the issue of Tech News going out to the communities on October 16.
Change 376314 merged by BBlack:
[operations/puppet@production] browsersec: bump to 26% 2017-10-05
Change 376315 merged by BBlack:
[operations/puppet@production] browsersec: bump to 29% 2017-10-12
Change 384578 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] ssl_ciphersuite: dump 3DES on 2017-11-17
Change 376316 merged by BBlack:
[operations/puppet@production] browsersec: bump to 100% 2017-10-17, update translations
Change 384707 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: use status code 403
Change 384707 merged by BBlack:
[operations/puppet@production] browsersec: use status code 403
Change 384578 merged by BBlack:
[operations/puppet@production] ssl_ciphersuite: dump 3DES on 2017-11-17