<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">There are really two arguments here.<div class=""><br class=""></div><div class="">1. TLSv1.0 is insecure and should never be used in an HTTPS scenario - cant argue with this</div><div class="">2. Alot of static content sites are forcing HTTPS even though “technically” there is nothing that needs to be secured in transit - this is where the argument lies.</div><div class=""><br class=""></div><div class="">Why does access to wikipedia need to go over https? There is no login, no credit card or SSNs being transferred, etc.,. Part of the blame is google, they started penalize sites in their index if they didn’t do https, as a result, almost every website now does ssl - everything from <a href="http://allrecipes.com" class="">allrecipes.com</a> to a mommy blog, literally you cant find a non-ssl website anymore, everybody wants the better google rank, so they all gave in and went 100% ssl.</div><div class=""><br class=""></div><div class="">There is a reason however for search engines to enforce https, its a privacy issue, everyone is snooping on you, so if you dont want your ISP knowing what your searching for (<a href="http://search.com/?q=looking+for+a+divorce+lawyer" class="">http://search.com/?q=looking+for+a+divorce+lawyer</a>) and then selling that info to advertisers, you need https - and yes Wiki is sort of search engine.</div><div class=""><br class=""></div><div class="">What I foresee happening is people will come up with a 3rd party solution, basically, you’ll start seeing people offer http->https proxy services, it will be interesting to see if the content source providers try to clamp down on this or let it happen…</div><div class=""><br class=""></div><div class="">-John</div><div class=""><br class=""><div class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Dec 31, 2019, at 11:11 AM, Royce Williams <<a href="mailto:royce@techsolvency.com" class="">royce@techsolvency.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div dir="ltr" class="">On Tue, Dec 31, 2019 at 6:12 AM Seth Mattinen <<a href="mailto:sethm@rollernet.us" class="">sethm@rollernet.us</a>> wrote:<br class=""></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 12/31/19 12:50 AM, Ryan Hamel wrote:<br class="">
> Just let the old platforms ride off into the sunset as originally <br class="">
> planned like the SSL implementations in older JRE installs, XP, etc. You <br class="">
> shouldn't be holding onto the past.<br class="">
<br class="">
<br class="">
Because poor people anywhere on earth that might not have access to the <br class="">
newer technology don't deserve access to Wikipedia, right? Gotta make <br class="">
sure information is only accessible to those with means to keep "lesser" <br class="">
people out.<br class=""></blockquote><div class=""><br class=""></div><div class="">This. </div><div class=""><br class=""></div><div class="">I visited a rural school in South Africa around 2008. </div><div class=""><br class=""></div><div class="">For many things - such as using their cellphone provider's billing infrastructure to pay for third-party services via SMS - a switch to TLS 1.2 only would probably have no impact. </div><div class=""><br class=""></div><div class="">But for educational purposes, their reliance on Wikipedia was dramatic - and they could *only* get to it from outdated phones that had been donated, scavenged, or cobbled together from parts.</div><div class=""><br class=""></div><div class="">In the intervening years, the disposable-electronics culture has probably been a great boon to them, bringing better and more tech - but much of it is probably still pre Android 4.4.2</div><div class=""><br class=""></div><div class="">But perhaps Wikipedia's decision is based on actual data. I'd love to see percentages of their negotiated TLS ciphers, per country and per client type. Back in 2015, you could see them as discussed here:</div><div class=""><br class=""></div><div class=""> <a href="https://news.ycombinator.com/item?id=10194258" class="">https://news.ycombinator.com/item?id=10194258</a><br class=""></div><div class=""><br class=""></div><div class="">... but I'm not sure where the equivalent data would be in the new Grafana data:</div><div class=""><br class=""></div><div class=""> <a href="https://grafana.wikimedia.org/?orgId=1" class="">https://grafana.wikimedia.org/?orgId=1</a><br class=""></div><div class=""><br class=""></div><div class="">Royce</div></div></div>
</div></blockquote></div><br class=""></div></div></body></html>