After NSA's XKeyscore, Wikipedia Switches To Secure HTTPS

The Wikimedia Foundation has announced it's pushing ahead with plans to secure its online systems due to NSA targeting.

The Wikimedia Foundation has announced it will soon be switching its services over to the secure—i.e., unsnoopable—HTTPS protocol. It's a move that's been planned for a while, but the foundation has been pushed to implement it now because of the revelations about the NSA's global Internet surveillance system. The foundation notes that it is being "specifically targeted by XKeyscore."

In a statement, the foundation says it "believes strongly in protecting the privacy of its readers and editors. Recent leaks of the NSA’s XKeyscore program have prompted our community members to push for the use of HTTPS by default for the Wikimedia projects." Starting from August 21st the HTTPS protocol will be turned on for all logged-in users. The site also outlined six further technical steps it has to take to protect all its user data and activities from surveillance, although it acknowledges that it can't predict a timescale for the moves to be completed. Instead the foundation urges its users to use other secure browsing services.

The NSA is embroiled in an international controversy at the moment, after revelations of its widespread surveillance of phone calls and Net activity of citizens all around the world.

[Image via Flickr user: Jessica Paterson]

Add New Comment

6 Comments

  • anonymous

    HTTPS is as good as broken because it relies on certificates being issued by central authorities.  In addition to the ability to forge certificates, I fully expect the NSA to already have stolen or been given the secret keys from those who create them.

  • Mark A. Hershberger

    From the article: "The attacker just has to ... trick marks into visiting a
    website under the miscreant's control."  HTTPS can't protect against targeted attacks as someone with the means could get a cert created that would allow them to run MITM attacks.

  • Jared W

    this is not so black and white as you make it seem... sorry. https is still assumed a good and secure protocol for the time being when implemented mindfully.

  • Craig

    And then you go on to make it seem black and white yourself. He picked black, you picked white.

    All SSL versions are broken. There are known attacks against all cipher suites supported by TLS 1.0 and TLS 1.1 and now that they're public, they'll get worse fairly fast. Then there's downgrade vulnerabilities, MITM attack and the fact that the CAs are beholden to the U.S. (so the notion that they form a "trust network" is laughable).

    So "https" may be "assumed good" by *you*, but not so good by anyone that knows much about cryptography. TLS 1.2 is still "assumed good" for now, but even that has some of the flaws above and you still have to pick the right cipher suite and the user's browser still has to support it (~70% still don't).

    This is just what's known publicly. Who know's what the NSA is up to in secret? There are rumours that they've been paying open source developers to include obfuscated back doors in network-facing software. Obviously such rumours are quickly covered up and labelled as a "conspiracy theory" though. Just like XKeyscore was a conspiracy theory, until it wasn't.

  • Cowboy Coder

    But but but...  I was told xkeyscore, prism doesn't exist and all those people are "conspiracy theorists".

    "America is free" herp derp. Repeat after me so you don't seem suspicious. 'America is free."