The Wikimedia Foundation Turns On HTTPS By Default Across All Sites, Including Wikipedia

The Wikimedia Foundation, which runs Wikipedia and a number of other wiki-based projects, announced this morning that it’s now implementing HTTPS by default across all its sites in order to encrypt its traffic. The decision, it says, will make it harder for governments and other third parties to monitor users’ traffic, and will make it more difficult for Internet Service Providers (ISPs) to censor access to specific Wikipedia articles or other information hosted on its network of sites.

The organization had previously implemented HTTPS by default back in 2013, but the move at the time only affected users logged in to Wikimedia project websites, including Wikipedia. That meant that to enable this protection, users would first have to establish an account on the site and then sign in with their username and password combination. But for specific countries, like China and Iran, where HTTPS was not an easy option, the organization said at the time that users would not be required to use HTTPS when logging in or viewing website pages.

Today, The Wikimedia Foundation reports that it will also use HTTP Strict Transport Security (HSTS) to protect against efforts to “break” HTTPS and intercept traffic.

It also did a lot of work on its own infrastructure and code base in preparation for the change, which included calibrating its HTTPS configuration to perform well even in countries or on networks with poor technical infrastructure of their own. The organization says it has minimized the negative impacts of making the switch to HTTPS with regard to “latency, page load times, and user experience.”

Concerns about HTTPS’ impact on those with low bandwidth and poor connections have long been one of the reasons why the organization held off on switching on HTTPS by default. In fact, in March, Lila Tretikov, Wikimedia Foundation’s Executive Director, cited this exact problem in an interview where she explained why Wikimedia’s sites hadn’t made the change, despite increasing calls for major web properties to protect their users via the encryption technology.

However, the organization warns that while it did its best to support a range of devices used in places with varying levels of connectivity and freedom of information, the switch “could affect access for some Wikimedia traffic in certain parts of the world.” In other words, it remains to be seen what sort of impact the transition will have on places where web access is routinely censored and spied on, as well as in regions where the networks themselves are underdeveloped.

“In the case of China, we understand both HTTP and HTTPS versions of Chinese Wikipedia have been inaccessible in mainland China for a large number of users for some weeks now,” a Wikimedia spokesperson said. “However, some users have been able to maintain access — enabling HTTPS will better secure their connections, as well as improving security for other Chinese Wikipedia users, such as those in Hong Kong and Taiwan. Additionally, many users in China look to English Wikipedia as a source, and they can now access English Wikipedia more securely,” they added.

The organization will not offer a way for users to opt out of using HTTPS by default, as it did in 2013, but says it has made it more difficult for governments to interfere with users’ access to Wikipedia.

Wikimedia also reminded users that it has supported HTTPS manually for four years, through HTTPS Everywhere, a project offering browser extensions that make it easier to browse the web over HTTPS, and that it supported HTTPS when users were directed to Wikimedia sites from major search engines.

Despite the potential for the HTTPS transition to impact some users, the organization said it was time to make the change:

“We believe encryption makes the web stronger for everyone. In a world where mass surveillance has become a serious threat to intellectual freedom, secure connections are essential for protecting users around the world. Without encryption, governments can more easily surveil sensitive information, creating a chilling effect, and deterring participation, or in extreme cases they can isolate or discipline citizens. Accounts may also be hijacked, pages may be censored, other security flaws could expose sensitive user information and communications. Because of these circumstances, we believe that the time for HTTPS by default is now. We encourage others to join us as we move forward with this commitment.”

The Wikimedia Foundation has been working toward this shift over the past year by ramping up testing and optimization efforts, and says it’s now completing the implementation of HTTPS and HSTS for all Wikimedia sites. Today begins the final steps of this transition, and the process should be completed in a couple of weeks.