HTTPS (also called HTTP over Transport Layer Security (TLS), HTTP over SSL, and HTTP Secure) is a communications protocol for secure communication over a computer network which is widely used on the Internet. The Wikimedia family of wikis and services use HTTPS encryption to prevent eavesdropping and man-in-the-middle attacks. This page and its related subpages attempt to document the current best practices and standards for both server and client side protections.
Current Policies and Standards
For all public-facing HTTP[S] sites and services under Wikimedia control
These policies and standards apply to all services having hostnames within our canonical domains (see below), even for sites run by third parties on our behalf. Most of these (and many related issues) can usually be caught by auditing with external tools such as https://www.ssllabs.com/ssltest/ . If you're not getting an A+ there, there's probably an issue with policies below:
- HTTPS enabled - ...with a minimum allowed protocol version of TLSv1.0 (no SSLv2/SSLv3), and supporting at least version TLSv1.2 (TLSv1.3 still experimental)
- Good Certs - Certificates must validate correctly in all common browsers, must send chain certs attaching them to known roots, and must meet current crypto minimum best practices (currently RSA:2048 + SHA-256).
- Decent Ciphers - Must not offer ancient/broken ciphers, which currently means any of the "export-grade" ciphers as well as anything using RC4 or MD5. The minimum (least-secure) reasonable ciphers allowed are AES128-SHA and DES-CBC3-SHA. Must offer at least one modern Forward Secret AEAD cipher, e.g. ECDHE-RSA-AES128-SHA256, which is prioritized higher than legacy ciphers if cipher selection is done by the server. Should prioritize modern ciphers over older ones in general.
- HTTP service - If available at all, must exist solely for the purpose of redirecting to HTTPS and not serve actual content. Preferred mechanics are that all GET and HEAD requests emit a 301 redirect to the same URL over HTTPS, and all other methods emit a 403 error.
- HSTS - All HTTPS responses must include an HSTS header with a minimum max-age value of 1 year, which includes subdomains and allows preloading. Example:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload.
For the Foundation's canonical domainnames
While the Foundation may own many other domains for trademark, legal, or project/redirect reasons, there is only one small set which are considered to be the canonical set for our actual projects and content, which are subjected to higher standards.
The current list of canonical domains is:
In addition to the basic per-service standards above for all services hosted within these domains, the domains themselves must comply with additional policy at the domain level:
- Must be registered to the Wikimedia Foundation, and must be delegated by the registrar directly to the Foundation's nameservers (currently
- Must have valid CAA records denoting one or more legitimate certificate vendors designated by the Operations team.
- Must be submitted to (and eventually successfully included in) the STS preload list maintained by the Chromium project at https://hstspreload.org/ .
- HTTPS/Browser Recommendations - Browser security recommendations aimed at end-users.
- HTTPS/Domains - Some tracking/auditing on minor non-standard sites that are in-scope.
- TLS cipher suite stats dashboard
- Blog announcement of our switch to HTTPS-only back in mid-2015
- Task T104681 - Phabricator task tracking the long tail of securing minor sites in the wake of the switch above for major projects.
- HTTPS/Archived-Pre-2015 - Old outdated information from this page, mostly predating the above.