Page MenuHomePhabricator
Create Task
Maniphest T163251

Communicate dropping IE8-on-XP support (a security change) to affected editors and other community members
Closed, ResolvedPublic
Actions

Assigned To
Johan
Authored By
Whatamidoing-WMF
Apr 18 2017, 7:52 PM
Tags
Referenced Files
F9102414: Screen Shot 2017-08-17 at 15.04.55.png
Aug 17 2017, 10:07 PM
F9102415: Screen Shot 2017-08-17 at 15.05.49.png
Aug 17 2017, 10:07 PM
Subscribers
Aklapper
BBlack
EdErhart-WMF
Elitre
faidon
gerritbot
Izno
View All 15 Subscribers
Tokens
"Like" token, awarded by Qgil."Like" token, awarded by Elitre.

Description

T147199: Removing support for DES-CBC3-SHA TLS cipher (drops IE8-on-XP support) needs to be communicated to affected editors. This will need some CL time (part-time for about four months).

Details

SubjectRepoBranchLines +/-
ssl_ciphersuite: dump 3DES on 2017-11-17operations/puppetproduction+5 -6
browsersec: use status code 403operations/puppetproduction+1 -6
browsersec: bump to 100% 2017-10-17, update translationsoperations/puppetproduction+25 -34
browsersec: bump to 29% 2017-10-12operations/puppetproduction+1 -1
browsersec: bump to 26% 2017-10-05operations/puppetproduction+1 -1
browsersec: bump to 23% 2017-09-28operations/puppetproduction+1 -1
browsersec: bump to 20% 2017-09-21operations/puppetproduction+1 -1
browsersec: bump to 17% 2017-09-14operations/puppetproduction+1 -1
browsersec: bump to 14% 2017-09-07operations/puppetproduction+1 -1
browsersec: affect API calls and non-GET as welloperations/puppetproduction+8 -7
Deprecation of 3DES: bump to 11%operations/puppetproduction+1 -1
browsersec: re-order languages slightlyoperations/puppetproduction+3 -3
browsersec: add missing dir=rtl for faoperations/puppetproduction+1 -1
browsersec: add fa translationoperations/puppetproduction+1 -0
browsersec: update ar translationoperations/puppetproduction+1 -1
Deprecation of 3DES: bump to 8%operations/puppetproduction+1 -1
browsersec: add back wiki-colon filtering for text onlyoperations/puppetproduction+3 -0
browsersec: remove wiki-colon filteringoperations/puppetproduction+5 -8
Varnish: move errorpage/browsersec to common codeoperations/puppetproduction+78 -69
browsersec: add pt, bn, ru, sv, he, sqoperations/puppetproduction+9 -4
Deprecation of 3DES: Bump pageview replacement to 5%operations/puppetproduction+3 -3
Deprecation of 3DES: internationalize and update warningoperations/puppetproduction+15 -3
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Johan moved this task from July to August on the Community-Relations-Support (Jul-Sep 2017) board.Aug 16 2017, 2:20 PM
BBlack added a comment.Aug 17 2017, 4:22 PM

Update: Today is the start date for going to 5%. Before we pull that trigger sometime later (perhaps much later) today, I'm working on a few other things:

  1. Creating a wikitech page with technical details about both the deprecation process/timeline and the rationale, to link elsewhere (e.g. on the browser rec page).
  2. Importing some of the translations that exist so far into the warning page, along with various other suggested wording updates.
Whatamidoing-WMF added a comment.Aug 17 2017, 5:52 PM

I've left another note about this at enwiki's VPT: https://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_(technical)&diff=795973850&oldid=795961036

That's where experienced editors are most likely end up, if they see these errors and are confused.

BBlack added a comment.Aug 17 2017, 6:25 PM

Ok thanks!

I've done (1) above here: https://wikitech.wikimedia.org/wiki/HTTPS/3DES_Deprecation . Will link that back into the browser recommendation page when I updated it for dates in a few minutes as well. It's probably not helpful for most end-users, but it lays everything out in deeper technical terms, especially the rationale section.

Izno subscribed.Aug 17 2017, 6:33 PM

I have a dumb question! 😃

Currently, https://en.wikipedia.org/test-sec-warning says "Our HTTPS: Browser Recommendations page on wikitech has more-detailed information on fixing this situation." However, if wikitech is going the same way as the rest of the wikis experiencing this phenomenon (I expect it will), then the user will also be unable to access that link at some point in the future.

BBlack added a comment.Aug 17 2017, 6:44 PM

It's a very valid question :)

Around the time of the final date of protocol-level removal (~Nov 17), 3DES will stop working for most of our sites, Wikitech included, at which point nobody can view any of these messages or warnings directly. However, the ramp-up in pageview replacements with the https://en.wikipedia.org/test-sec-warning is happening only on our standard Varnish termination layer. This affects all of the major wiki projects in all languages, but doesn't apply to a handful of our sites which are on separate internet-facing infrastructure, including Wikitech and a few other more-technical sites/tools.

Whatamidoing-WMF added a subscriber: EdErhart-WMF.Aug 17 2017, 6:45 PM

The information could also be duplicated on the blog, I suppose. @EdErhart-WMF, will you want a blog post about this anyway?

Johan added a comment.Aug 17 2017, 7:19 PM

Maybe it would be possible to have a "Translate" link after the translated languages?

Platonides subscribed.Aug 17 2017, 7:38 PM

Maybe worth adding a link to https://www.ssllabs.com/ssltest/viewMyClient.html to the error page so people can check their cipher support ?

Johan added a comment.Aug 17 2017, 7:42 PM

I imagine people who use IE8 on XP mainly fall into two categories: those who have no control over their work environment, and those who are easily confused by computer technology and don't really know what a cipher is.

BBlack added a comment.Aug 17 2017, 8:13 PM

Hopefully in the former case, they'll complain to their IT department and they'll fix it, and hopefully in the latter they'll blindly trust our Firefox links and find their way out of this mess from there :)

BBlack added a comment.Aug 17 2017, 8:24 PM

Testing updated HTML with some translations and a translate link (and other minor cleanups) at https://pinkunicorn.wikimedia.org/test-sec-warning . Will push something like this to the real one at https://en.wikipedia.org/test-sec-warning before upping percentage. Thoughts? Further tweaks? Mistakes? :)

BBlack added a comment.Aug 17 2017, 8:35 PM

Update: noticed I had en-US firefox links in all of the translations. Updated them all now.

MoritzMuehlenhoff added a comment.Aug 17 2017, 8:37 PM

Looks good to me, go for it :-)

Krinkle subscribed.Aug 17 2017, 8:39 PM
In T163251#3532086, @BBlack wrote:

Testing updated HTML with some translations and a translate link (and other minor cleanups) at https://pinkunicorn.wikimedia.org/test-sec-warning . Will push something like this to the real one at https://en.wikipedia.org/test-sec-warning before upping percentage. Thoughts? Further tweaks? Mistakes? :)

A few nits:

  • Consistently use lower case attribute names, e.g. dir="rtl".
  • Add missing lang attributes to all the non-English paragraphs. Both for semantic reasons, maintenance (easier to update in-place without knowing the language), and possibly to help assistive technology.
  • Prefix each paragraph content with the autonym for that language as well for end-users, which should make it significantly easier to find your language and less visually distracting for the mind when reading by naturally not needing to look through the other paragraphs.

Example:

<p lang="de"><strong>Deutsch:</strong> Die Wikimedia-Wikis werden bald ...</p>
Platonides added a comment.Aug 17 2017, 8:44 PM
In T163251#3532113, @BBlack wrote:

Update: noticed I had en-US firefox links in all of the translations. Updated them all now.

Heh, I had been updating the translations with the localised links.

In T163251#3532123, @Krinkle wrote:
  • Prefix each paragraph content with the autonym for that language as well for end-users, which should make it significantly easier to find your language and less visually distracting for the mind when reading by naturally not needing to look through the other paragraphs.

Choose between them with javascript, like in the error page?

Krinkle added a comment.EditedAug 17 2017, 8:49 PM
In T163251#3532129, @Platonides wrote:
  • Prefix each paragraph content with the autonym for that language as well for end-users, which should make it significantly easier to find your language [..]

Choose between them with javascript, like in the error page?

That JavaScript is no longer in production. Something similar could be written at some point, and is planned for the error page redesign, but perhaps not the best time to try and push it out as part of this. If you're able to write something up that's simple, secure, Grade C compatible, and accessible, I'd be willing to review it.

BBlack added a comment.Aug 17 2017, 8:52 PM

Thanks! Updated for all the above as best I can (I'm not 100% sure on the language-name text prefix for Arabic and Chinese, but took a good stab from http://mediaglyphs.org/mg/?p=langnames ), I guess someone that knows better can recommend a further fixup?

I also re-ordered everything (except English at the top as canonical) according to language popularity from https://en.wikipedia.org/wiki/List_of_languages_by_number_of_native_speakers .

gerritbot subscribed.Aug 17 2017, 8:59 PM

Change 372448 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] 3DES Deprecation: internationalize and update warning

https://gerrit.wikimedia.org/r/372448

gerritbot added a project: Patch-For-Review.Aug 17 2017, 8:59 PM
BBlack added a comment.Aug 17 2017, 9:00 PM

patch above is the same changes as a real changeset (it's just hard to review them that way, simpler manually on https://pinkunicorn.wikimedia.org/test-sec-warning ).

BBlack added a comment.Aug 17 2017, 9:32 PM

After a couple of other minor nits, going to push the above as it stands. We can iterate further as necessary, at least it's an improvement on the original!

gerritbot added a comment.Aug 17 2017, 9:35 PM

Change 372448 merged by BBlack:
[operations/puppet@production] Deprecation of 3DES: internationalize and update warning

https://gerrit.wikimedia.org/r/372448

gerritbot added a comment.Aug 17 2017, 9:59 PM

Change 372467 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Deprecation of 3DES: Bump pageview replacement to 5%

https://gerrit.wikimedia.org/r/372467

Krinkle added a comment.Aug 17 2017, 10:07 PM
In T163251#3532186, @BBlack wrote:

patch above is the same changes as a real changeset (it's just hard to review them that way, simpler manually on https://pinkunicorn.wikimedia.org/test-sec-warning ).

Thanks for adding the lang attributes. I also realised that one of the benefits this has is that browsers will pick a better and more suitable default font for the entire paragraph. For example, here is Japanese:

AfterBefore
Screen Shot 2017-08-17 at 15.04.55.png (496×1 px, 186 KB)
Screen Shot 2017-08-17 at 15.05.49.png (360×1 px, 139 KB)
gerritbot added a comment.Aug 17 2017, 10:09 PM

Change 372467 merged by BBlack:
[operations/puppet@production] Deprecation of 3DES: Bump pageview replacement to 5%

https://gerrit.wikimedia.org/r/372467

EdErhart-WMF added a comment.Aug 19 2017, 5:49 AM

Clearly I don't check my Phab notifications enough! Happy to run a blog post on this, perhaps framed in the context of protecting our community members/readers?

Johan added a comment.Aug 21 2017, 4:34 PM
In T163251#3531895, @Johan wrote:

Maybe it would be possible to have a "Translate" link after the translated languages?

... wait, that was a stupid suggestion. My apologies. I momentarily forgot we're almost only showing this page to users who won't be able to use our translation tools on Meta (they depend on JavaScript).

BBlack added a comment.Aug 21 2017, 4:40 PM

Heh yeah I guess you're right. Still, I added it to the current page, and we seemed to have picked up some new translations over the weekend. I can pull the link back out of there on the next update if that makes more sense.

Johan closed subtask T172418: Get translations for "IE8 on XP won't work" as Resolved.Aug 21 2017, 4:57 PM
gerritbot added a comment.Aug 22 2017, 3:01 PM

Change 373086 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: add pt, bn, ru, sv, he, sq

https://gerrit.wikimedia.org/r/373086

gerritbot added a comment.Aug 22 2017, 3:01 PM

Change 373087 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Varnish: move errorpage/browsersec to common code

https://gerrit.wikimedia.org/r/373087

gerritbot added a comment.Aug 22 2017, 3:01 PM

Change 373088 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: remove wiki-colon filtering

https://gerrit.wikimedia.org/r/373088

gerritbot added a comment.Aug 22 2017, 3:19 PM

Change 373086 merged by BBlack:
[operations/puppet@production] browsersec: add pt, bn, ru, sv, he, sq

https://gerrit.wikimedia.org/r/373086

gerritbot added a comment.Aug 22 2017, 3:38 PM

Change 373087 merged by BBlack:
[operations/puppet@production] Varnish: move errorpage/browsersec to common code

https://gerrit.wikimedia.org/r/373087

gerritbot added a comment.Aug 22 2017, 3:38 PM

Change 373088 merged by BBlack:
[operations/puppet@production] browsersec: remove wiki-colon filtering

https://gerrit.wikimedia.org/r/373088

gerritbot added a comment.Aug 22 2017, 4:17 PM

Change 373099 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: add back wiki-colon filtering for text only

https://gerrit.wikimedia.org/r/373099

gerritbot added a comment.Aug 22 2017, 4:28 PM

Change 373099 merged by BBlack:
[operations/puppet@production] browsersec: add back wiki-colon filtering for text only

https://gerrit.wikimedia.org/r/373099

gerritbot added a comment.Aug 25 2017, 4:55 AM

Change 373726 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] 3DES Deprecation: bump to 8%

https://gerrit.wikimedia.org/r/373726

gerritbot added a comment.Aug 25 2017, 4:57 AM

Change 373726 merged by BBlack:
[operations/puppet@production] Deprecation of 3DES: bump to 8%

https://gerrit.wikimedia.org/r/373726

leila subscribed.Aug 28 2017, 5:48 PM

I see that the Arabic text in the banner is broken. I'm looking at this page. This should not go like this to Arabic speakers. :) Can someone look into it? (I don't know Arabic fluently, but I know enough to be able to explain to whoever picks this up what's wrong in the text.)

Also, if you need help with Persian translation, let me know and I'll work on it.

Johan added a comment.Aug 29 2017, 11:27 AM

Thanks for reporting. We've looked into it and got a native speaker of Arabic to point out what needs to be fixed.

Translations are always welcome. They can be done here:
https://meta.wikimedia.org/wiki/User:Johan_(WMF)/IE8XP

gerritbot added a comment.Aug 29 2017, 5:45 PM

Change 374585 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: update ar translation

https://gerrit.wikimedia.org/r/374585

gerritbot added a comment.Aug 29 2017, 5:46 PM

Change 374585 merged by BBlack:
[operations/puppet@production] browsersec: update ar translation

https://gerrit.wikimedia.org/r/374585

leila added a comment.Aug 29 2017, 5:50 PM
In T163251#3561653, @Johan wrote:

Thanks for reporting. We've looked into it and got a native speaker of Arabic to point out what needs to be fixed.

Great! (I still don't see the change in the link, but I guess you will push it later.:)

Translations are always welcome. They can be done here:
https://meta.wikimedia.org/wiki/User:Johan_(WMF)/IE8XP

ok. {{done}}

gerritbot added a comment.Aug 29 2017, 6:21 PM

Change 374602 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: add fa translation

https://gerrit.wikimedia.org/r/374602

gerritbot added a comment.Aug 29 2017, 6:25 PM

Change 374602 merged by BBlack:
[operations/puppet@production] browsersec: add fa translation

https://gerrit.wikimedia.org/r/374602

gerritbot added a comment.Aug 29 2017, 6:29 PM

Change 374604 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: add missing dir=rtl for fa

https://gerrit.wikimedia.org/r/374604

gerritbot added a comment.Aug 29 2017, 6:30 PM

Change 374604 merged by BBlack:
[operations/puppet@production] browsersec: add missing dir=rtl for fa

https://gerrit.wikimedia.org/r/374604

gerritbot added a comment.Aug 29 2017, 6:58 PM

Change 374605 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: re-order languages slightly

https://gerrit.wikimedia.org/r/374605

gerritbot added a comment.Aug 29 2017, 7:00 PM

Change 374605 merged by BBlack:
[operations/puppet@production] browsersec: re-order languages slightly

https://gerrit.wikimedia.org/r/374605

Nirmos subscribed.Aug 30 2017, 10:29 PM
gerritbot added a comment.Sep 1 2017, 3:14 AM

Change 375107 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Deprecation of 3DES: bump to 11%

https://gerrit.wikimedia.org/r/375107

gerritbot added a comment.Sep 1 2017, 3:15 AM

Change 375107 merged by BBlack:
[operations/puppet@production] Deprecation of 3DES: bump to 11%

https://gerrit.wikimedia.org/r/375107

gerritbot added a comment.Sep 6 2017, 5:56 PM

Change 376309 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: affect API calls and non-GET as well

https://gerrit.wikimedia.org/r/376309

gerritbot added a comment.Sep 6 2017, 5:56 PM

Change 376310 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 14% 2017-09-07

https://gerrit.wikimedia.org/r/376310

gerritbot added a comment.Sep 6 2017, 5:56 PM

Change 376311 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 17% 2017-09-14

https://gerrit.wikimedia.org/r/376311

gerritbot added a comment.Sep 6 2017, 5:56 PM

Change 376312 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 20% 2017-09-21

https://gerrit.wikimedia.org/r/376312

gerritbot added a comment.Sep 6 2017, 5:56 PM

Change 376313 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 23% 2017-09-28

https://gerrit.wikimedia.org/r/376313

gerritbot added a comment.Sep 6 2017, 5:56 PM

Change 376314 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 26% 2017-10-05

https://gerrit.wikimedia.org/r/376314

gerritbot added a comment.Sep 6 2017, 5:56 PM

Change 376315 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 29% 2017-10-12

https://gerrit.wikimedia.org/r/376315

gerritbot added a comment.Sep 6 2017, 5:56 PM

Change 376316 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: bump to 100% 2017-10-17

https://gerrit.wikimedia.org/r/376316

gerritbot added a comment.Sep 6 2017, 6:10 PM

Change 376309 merged by BBlack:
[operations/puppet@production] browsersec: affect API calls and non-GET as well

https://gerrit.wikimedia.org/r/376309

Krinkle unsubscribed.Sep 6 2017, 8:29 PM
gerritbot added a comment.Sep 7 2017, 6:39 PM

Change 376310 merged by BBlack:
[operations/puppet@production] browsersec: bump to 14% 2017-09-07

https://gerrit.wikimedia.org/r/376310

Johan added a comment.Sep 8 2017, 3:21 PM

A couple of discussions: English Wikipedia, Swedish Wikipedia.

BBlack added a comment.Sep 8 2017, 4:05 PM

Thanks! So far, I haven't heard of any huge community pushback, which is awesome :)

Johan added a comment.Sep 8 2017, 4:37 PM

To be honest, most of the community is blissfully unaware this is happening. But unless you bring out all the bells and whistles and the blinking lights, that's always going to be the case. (: We've put the information out through Tech News and the normal channels for technical updates, we're making sure those who are actually affected get to know it and so on.

The communities tend to be reasonable when you do something for good reason, and especially the fact that there's some sort of risk for everyone else in letting 0,1% connect to the wikis the way they are is a pretty reasonable argument for doing this.

Qgil moved this task from August to September on the Community-Relations-Support (Jul-Sep 2017) board.Sep 11 2017, 12:36 PM
gerritbot added a comment.Sep 14 2017, 2:44 PM

Change 376311 merged by BBlack:
[operations/puppet@production] browsersec: bump to 17% 2017-09-14

https://gerrit.wikimedia.org/r/376311

gerritbot added a comment.Sep 21 2017, 2:40 PM

Change 376312 merged by BBlack:
[operations/puppet@production] browsersec: bump to 20% 2017-09-21

https://gerrit.wikimedia.org/r/376312

gerritbot added a comment.Sep 28 2017, 2:58 PM

Change 376313 merged by BBlack:
[operations/puppet@production] browsersec: bump to 23% 2017-09-28

https://gerrit.wikimedia.org/r/376313

Johan edited projects, added Community-Relations-Support (Oct-Dec 2017); removed Community-Relations-Support (Jul-Sep 2017).Oct 4 2017, 3:46 AM
Johan moved this task from Backlog to October on the Community-Relations-Support (Oct-Dec 2017) board.
Johan added a comment.Oct 4 2017, 4:16 AM

There will be a new reminder in the issue of Tech News going out to the communities on October 16..

gerritbot added a comment.Oct 5 2017, 2:59 PM

Change 376314 merged by BBlack:
[operations/puppet@production] browsersec: bump to 26% 2017-10-05

https://gerrit.wikimedia.org/r/376314

gerritbot added a comment.Oct 12 2017, 12:52 PM

Change 376315 merged by BBlack:
[operations/puppet@production] browsersec: bump to 29% 2017-10-12

https://gerrit.wikimedia.org/r/376315

gerritbot added a comment.Oct 16 2017, 7:00 PM

Change 384578 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] ssl_ciphersuite: dump 3DES on 2017-11-17

https://gerrit.wikimedia.org/r/384578

gerritbot added a comment.Oct 17 2017, 1:23 PM

Change 376316 merged by BBlack:
[operations/puppet@production] browsersec: bump to 100% 2017-10-17, update translations

https://gerrit.wikimedia.org/r/376316

gerritbot added a comment.Oct 17 2017, 2:19 PM

Change 384707 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: use status code 403

https://gerrit.wikimedia.org/r/384707

gerritbot added a comment.Oct 17 2017, 2:20 PM

Change 384707 merged by BBlack:
[operations/puppet@production] browsersec: use status code 403

https://gerrit.wikimedia.org/r/384707

gerritbot added a comment.Nov 17 2017, 1:06 PM

Change 384578 merged by BBlack:
[operations/puppet@production] ssl_ciphersuite: dump 3DES on 2017-11-17

https://gerrit.wikimedia.org/r/384578

BBlack closed this task as Resolved.Nov 17 2017, 3:48 PM

Done here I think as well, thanks everyone :)

Qgil moved this task from October to November on the Community-Relations-Support (Oct-Dec 2017) board.Nov 21 2017, 8:35 AM
Qgil awarded a token.
Qgil subscribed.
Johan moved this task from Do now to Archive on the User-Johan board.Jan 10 2018, 4:31 PM
BBlack mentioned this in T185582: Wikipedia no longer accessible to those using some braille devices.Jan 26 2018, 6:44 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL