Last modified: 2013-08-19 15:43:21 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T49276, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 47276 - wikimediafoundation.org should be HTTPS-only
wikimediafoundation.org should be HTTPS-only
Status: RESOLVED WONTFIX
Product: Wikimedia
Classification: Unclassified
Site requests (Other open bugs)
wmf-deployment
All All
: Low enhancement (vote)
: ---
Assigned To: Nobody - You can work on this!
: ops
Depends on:
Blocks: ssl
  Show dependency treegraph
 
Reported: 2013-04-16 04:31 UTC by MZMcBride
Modified: 2013-08-19 15:43 UTC (History)
13 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description MZMcBride 2013-04-16 04:31:14 UTC 
HTTPS can be enforced via <https://noc.wikimedia.org/conf/remnant.conf>. I had a thought today that wikimediafoundation.org should be HTTPS-only. Subsequent thoughts added doubt. For example, the wiki doesn't really get used for donation forms as much these days, I don't think, so some risk is mitigated.

But... it's still a weird fishbowl wiki that allows strange uploads and raw HTML, so it wouldn't be totally unexpected for it to enforce HTTPS. I think it might be nice to have. Filing this as an enhancement request for consideration.
Comment 1 Daniel Zahn 2013-04-17 23:49:42 UTC 
https://gerrit.wikimedia.org/r/#/c/56062/
Comment 2 Daniel Zahn 2013-06-03 19:46:23 UTC 
please continue discussion on gerrit patch or here. i don't have a strong opinion on it, just created the patch to show it would be in redirects.conf as opposed to remnants.conf
Comment 3 MZMcBride 2013-06-03 21:17:48 UTC 
This seems like an uncontroversial change.
Comment 4 MZMcBride 2013-06-05 07:32:46 UTC 
(In reply to comment #2)
> please continue discussion on gerrit patch or here. i don't have a strong
> opinion on it, just created the patch to show it would be in redirects.conf
> as opposed to remnants.conf

Thanks for catching that, by the way. I'd gotten private wikis and fishbowl wikis slightly confused.

In addition to changing redirects.conf, I believe $wgServer (or maybe $wgCanonicalSomething) also needs to be adjusted.
Comment 5 Gerrit Notification Bot 2013-06-27 23:14:37 UTC 
Change 56062 abandoned by Dzahn:
Always redirect wikimediafoundation.org to https (RT-4830)

Reason:
abandoning in favor of waiting for varnish to handle it, see bug for details

https://gerrit.wikimedia.org/r/56062
Comment 6 Ryan Lane 2013-06-27 23:16:44 UTC 
We're waiting on switching to varnish to make the redirects behave properly. When users are forced to login via https (which is soon) this won't be a problem for logged-in users anyway. Also, the current status quo is that anons hit http.

Forcing users to HTTPS will lock out users in any country that blocks HTTPS, so I'd prefer not to do this.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links