HTTPS (also called HTTP over Transport Layer Security (TLS), HTTP over SSL, and HTTP Secure) is a communications protocol for secure communication over a computer network which is widely used on the Internet. The Wikimedia family of wikis and services use HTTPS encryption to prevent eavesdropping and man-in-the-middle attacks. This page and its related subpages attempt to document the current best practices and standards for both server and client side protections.
Current Policies and Standards
For all public-facing HTTP[S] sites and services under Wikimedia control
These policies and standards apply to all services having hostnames within our canonical domains (see below), even for sites run by third parties on our behalf.
We currently rely on https://www.ssllabs.com/ssltest/ to audit sites for basic TLS security issues. Sites must get an A+ rating there. Failing to reach A+ on that audit can happen for a very long list of reasons detailed in: https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide . A few more-specific issues (or issues that are not explicitly validated at by having an A+) are listed here:
- HTTPS enabled - ...with a minimum allowed protocol version of TLSv1.0 (no SSLv2/SSLv3), and supporting at least version TLSv1.2.
- Good Certs - Certificates must validate correctly in all common browsers, must send chain certs attaching them to known roots.
- Decent Ciphers - Must offer forward secret AEAD ciphers (e.g. ECDHE-*-AES128-GCM), should offer only forward-secret ciphers, and should server-prefer AEAD ciphers over non-AEAD ciphers.
- HTTP service - If available at all, must exist solely for the purpose of redirecting to HTTPS and not serve actual content. Preferred mechanics are that all GET and HEAD requests emit a 301 redirect to the same URL over HTTPS, and all other methods emit a 403 error.
- HSTS - All HTTPS responses must include an HSTS header with a minimum max-age value of 1 year, which includes subdomains and allows preloading. Example:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload.
Coming Changes: Soon™ these standards will be updated to disallow TLS versions < 1.2 and DHE key exchanges, and will eventually disallow non-AEAD ciphers (e.g. AES CBC modes).
For the Foundation's canonical domainnames
While the Foundation may own many other domains for trademark, legal, or project/redirect reasons, there is only one small set which are considered to be the canonical set for our actual projects and content, which are subjected to higher standards.
The current list of canonical domains is:
In addition to the basic per-service standards above for all services hosted within these domains, the domains themselves must comply with additional policy at the domain level:
- Must be registered to the Wikimedia Foundation, and must be delegated by the registrar directly to the Foundation's nameservers (currently
- Must have valid CAA records denoting one or more legitimate certificate vendors designated by the Operations team.
- Must be submitted to (and eventually successfully included in) the STS preload list maintained by the Chromium project at https://hstspreload.org/ .
- HTTPS/Browser Recommendations - Browser security recommendations aimed at end-users.
- HTTPS/Domains - Some tracking/auditing on minor non-standard sites that are in-scope.
- TLS cipher suite stats dashboard
- Blog announcement of our switch to HTTPS-only back in mid-2015
- task T104681 - Phabricator task tracking the long tail of securing minor sites in the wake of the switch above for major projects.
- HTTPS/Archived-Pre-2015 - Old outdated information from this page, mostly predating the above.
- The X-Analytics header contains a "https" field.
- Creating TLS certificates with cergen (for envoyproxy et al)
- Adding TLS on Kubernetes