HTTPS enabled by default for logged-in users on Wikimedia sites

Today, August 28, the Wikimedia Foundation is making a change to the software that powers the Wikimedia projects: By default, all logged-in users will now be using HTTPS to access Wikimedia sites. What this does is encrypt the connection between the Wikimedia servers and the user’s browser so that the information sent between the two is not readable by anyone else. This is in response to the recent concerns over the privacy and security of our user community, and we explained the rationale for this change in our post about the future of HTTPS at Wikimedia.

What this means for you

How this works is simple: If a user wants to log in, they will be redirected to use HTTPS for the login, thus keeping their username and password secure. After they are logged in, they stay on the HTTPS version of the Wikimedia site they are using.

Excluded Countries

Some users live in areas where HTTPS is not an easy option, most often because of explicit blocking by a government. At the request of these communities, we have made an explicit exclusion for users from those affected countries. Simply put, users from China and Iran will not be required to use HTTPS for logging in, nor for viewing any Wikimedia project site.

Disabling

Are you having a slow or unreliable experience while browsing Wikimedia sites over HTTPS? Then you can turn HTTPS off in your user preferences, under the “User profile” tab: Uncheck “Always use a secure connection when logged in”. You will need to log out and log in again for the preference to take effect. But remember, you will still need to log in using the secure HTTPS process.
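
The rules from the three sections above, written out as a redirect decision. This is an added example, not code from the original post or from MediaWiki; the function name, its parameters, the ISO country codes and the sample URLs are assumptions, and the caller is assumed to supply the user's country.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: ISO 3166-1 codes for the two countries the post names (China, Iran).
EXCLUDED_COUNTRIES = {"CN", "IR"}


def https_redirect(url, *, is_login, logged_in, prefers_https=True, country=None):
    """Return the HTTPS URL to redirect to, or None to serve the request as-is.

    Hypothetical helper (not MediaWiki code) modelling the post's rules:
      1. users from excluded countries are never forced onto HTTPS;
      2. everyone else is forced onto HTTPS for the login itself, even with
         the "Always use a secure connection" preference unchecked;
      3. logged-in users stay on HTTPS unless they unchecked that preference.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return None  # already encrypted
    if parts.scheme != "http":
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if country in EXCLUDED_COUNTRIES:
        return None  # rule 1
    if is_login or (logged_in and prefers_https):  # rules 2 and 3
        return urlunsplit(("https",) + tuple(parts[1:]))
    return None  # logged-out reader: this change does not apply


if __name__ == "__main__":
    # Constructed sample requests; the hostname and paths are illustrative.
    login = "http://en.wikipedia.org/wiki/Special:UserLogin"
    page = "http://en.wikipedia.org/wiki/HTTPS?action=history"
    samples = [
        ("login, preference unchecked", login,
         dict(is_login=True, logged_in=False, prefers_https=False)),
        ("logged in, default preference", page,
         dict(is_login=False, logged_in=True)),
        ("logged in, preference unchecked", page,
         dict(is_login=False, logged_in=True, prefers_https=False)),
        ("login from excluded country", login,
         dict(is_login=True, logged_in=False, country="IR")),
    ]
    for label, url, kwargs in samples:
        print(f"{label:32} -> {https_redirect(url, **kwargs)}")
```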

HELP!

For further details, please see the HTTPS page on Meta-Wiki, which is available in several languages.
Are you unable to log in and edit a Wikimedia wiki after this change? Please contact the Wikimedia Foundation Operations team via any means you find comfortable, including this blog post’s comments section, on IRC in the #wikimedia-operations channel, or via the https@wikimedia.org email address.
Greg Grossmeier
Release Manager, Wikimedia Foundation

Archive notice: This is an archived post from blog.wikimedia.org, which operated under different editorial and content guidelines than Diff.

13 Comments

Thank you very much! This is an excellent move for the privacy of users.

This is an excellent move, and while the costs of running SSL have gone down a lot recently, it still isn’t cheap. I’ve just sent a donation to help cover the costs.
Would you have any idea of what enabling SSL for all unauthenticated users would entail?

Minor catch-22: because https is firewall-blocked, I can’t log in to access my user profile on WP to change preferences. So I “can[‘t] turn HTTPS off” ”Awkward!”

Great. Btw: what about digitally signing all emails sent by the system as talk page information mails?
Ps. Why is this comment sent over a non-encrypted line?


Unfortunately, I’m stuck on the https version of the page! I can’t go to the http version of the page. It’s still on by default. Please help! thanks!

[…] analyze exactly who accesses which article on Wikipedia. To better protect this data, logged-in users have had to use encrypted HTTPS connections since the end of August. For […]

Thank you for ensuring that WP is no longer “the encyclopedia that anyone can edit”. I’ll have so much more free time now.

[…] also the data traffic, for instance over an HTTPS connection. The spontaneous jubilation of many users (“Thank you very much! This is an excellent move for the privacy of users”) was therefore probably somewhat too […]


This is true ?

UNCINETTO ARCHIVE,used https cookie

[…] HTTPS Everywhere, and when directed to our sites from major search engines. Additionally, all logged in users have been accessing via HTTPS since […]