Re: Wikipedia drops support for old Android smartphones; mandates TLSv1.2 to read

[John Von Essen <john () essenz com>]

There are really two arguments here.

1. TLSv1.0 is insecure and should never be used in an HTTPS scenario - cant argue with this
2. Alot of static content sites are forcing HTTPS even though “technically” there is nothing that needs to be secured 
in transit - this is where the argument lies.

Why does access to wikipedia need to go over https? There is no login, no credit card  or SSNs being transferred, 
etc.,. Part of the blame is google, they started penalize sites in their index if they didn’t do https, as a result, 
almost every website now does ssl - everything from allrecipes.com <http://allrecipes.com/> to a mommy blog, literally 
you cant find a non-ssl website anymore, everybody wants the better google rank, so they all gave in and went 100% ssl.

There is a reason however for search engines to enforce https, its a privacy issue, everyone is snooping on you, so if 
you dont want your ISP knowing what your searching for (http://search.com/?q=looking+for+a+divorce+lawyer) and then 
selling that info to advertisers, you need https - and yes Wiki is sort of search engine.

What I foresee happening is people will come up with a 3rd party solution, basically, you’ll start seeing people offer 
http->https proxy services, it will be interesting to see if the content source providers try to clamp down on this or 
let it happen…

-John


> On Dec 31, 2019, at 11:11 AM, Royce Williams <royce () techsolvency com> wrote:
>
> On Tue, Dec 31, 2019 at 6:12 AM Seth Mattinen <sethm () rollernet us <mailto:sethm () rollernet us>> wrote:
> On 12/31/19 12:50 AM, Ryan Hamel wrote:
> > Just let the old platforms ride off into the sunset as originally 
> > planned like the SSL implementations in older JRE installs, XP, etc. You 
> > shouldn't be holding onto the past.
>
>
> Because poor people anywhere on earth that might not have access to the 
> newer technology don't deserve access to Wikipedia, right? Gotta make 
> sure information is only accessible to those with means to keep "lesser" 
> people out.
>
> This. 
>
> I visited a rural school in South Africa around 2008. 
>
> For many things - such as using their cellphone provider's billing infrastructure to pay for third-party services via 
> SMS - a switch to TLS 1.2 only would probably have no impact. 
>
> But for educational purposes, their reliance on Wikipedia was dramatic - and they could *only* get to it from 
> outdated phones that had been donated, scavenged, or cobbled together from parts.
>
> In the intervening years, the disposable-electronics culture has probably been a great boon to them, bringing better 
> and more tech - but much of it is probably still pre Android 4.4.2
>
> But perhaps Wikipedia's decision is based on actual data. I'd love to see percentages of their negotiated TLS 
> ciphers, per country and per client type. Back in 2015,  you could see them as discussed here:
>
>     https://news.ycombinator.com/item?id=10194258 <https://news.ycombinator.com/item?id=10194258>
>
> ... but I'm not sure where the equivalent data would be in the new Grafana data:
>
>     https://grafana.wikimedia.org/?orgId=1 <https://grafana.wikimedia.org/?orgId=1>
>
> Royce