Wikipedia Censorship Encryption Government Privacy Security

Wikipedia's Switch To HTTPS Has Successfully Fought Government Censorship (vice.com) 170

Determining how to prevent acts of censorship has long been a priority for the non-profit Wikimedia Foundation, and thanks to new research from the Harvard Center for Internet and Society, the foundation seems to have found a solution: encryption. From a report: HTTPS prevents governments and others from seeing the specific page users are visiting. For example, a government could tell that a user is browsing Wikipedia, but couldn't tell that the user is specifically reading the page about Tiananmen Square. Up until 2015, Wikipedia offered its service using both HTTP and HTTPS, which meant that when countries like Pakistan or Iran blocked certain articles on the HTTP version of Wikipedia, the full version would still be available using HTTPS. But in June 2015, Wikipedia decided to axe HTTP access and only offer access to its site with HTTPS. [...] The Harvard researchers began by deploying an algorithm which detected unusual changes in Wikipedia's global server traffic for a year beginning in May 2015. This data was then combined with a historical analysis of the daily request histories for some 1.7 million articles in 286 different languages from 2011 to 2016 in order to determine possible censorship events. [...] After a painstakingly long process of manual analysis of potential censorship events, the researchers found that, globally, Wikipedia's switch to HTTPS had a positive effect on the number of censorship events by comparing server traffic from before and after the switch in June of 2015.
  • Delusional (Score:5, Interesting)

    by gravewax ( 4772409 ) on Monday May 29, 2017 @08:40PM (#54508249)
    It is completely delusional to think this effectively prevents government censorship, as if they can't selectively block content, they simply take the sledgehammer approach and ban the site altogether.
    • Re: Delusional (Score:5, Informative)

      by Anonymous Coward on Monday May 29, 2017 @08:48PM (#54508277)

      It's a little worse than that. Because the URLs are different, the Chinese government has blocked the zh.wikipedia.org but not the en.wikipedia.org, presumably because most Chinese people cannot read English to a high enough level. They should move the language into the end part of the URL, i.e. wikipedia.org/en/some-article

      • Re: Delusional (Score:5, Insightful)

        by Anonymous Coward on Monday May 29, 2017 @10:58PM (#54508665)

        It's a lot worse than that. Governments as powerful as the U.S. and China have a dozen different ways to snoop on what citizens are ingesting. Remember that Snowden slide about "we unencrypt and reencrypt ssl here" bit? Now yes, ssl is like, the first obvious step towards doing things the right way. But Snowden revealed to us that several not so completely trustworthy governments are a dozen steps ahead of that and have been for many years. Time has since revealed that the situation isn't getting better. Now if in 2014 Amazon had gone https only, I might have the faintest hope that we have a realistic chance of seeing a decent path in our lifetimes. But here it is in 2017, and the Amazon quasi-monopoly (AWS holy shit) is cementing the expectation of lack of privacy of much of our purchasing logs. Remember that biblical bit about the number of the beast, it had more than a passing reference to commerce tracking the likes of which we've been living with for many years now.

        For a few moments we had hope that someone like Snowden could legitimately turn things around. Now I'm quite convinced it's going to take another Holocaust. No joke. And even then it's not going to get better, it will just regress to something much different with new possible directions for the long term, and perhaps hope that people then will have better learned the lessons of history.

        Wikipedia is definitely part of the problem as well as Amazon. There is no good reason why they need to have a centralized infrastructure that NO DOUBT is being tracked WHOLESALE by at least the U.S., Russia, and China. Censorship of the sort this summary talks about is a red herring. China after getting the U.S. to help whitewash the Tiananmen Square Massacre in '89 has so much power over their citizens that they can go ahead and let people have unfettered access to information. People learn that it's smarter not to go choosing to ingest the 'wrong' type of information. The government is quite effective at educating the people over their lifetimes as to what the 'wrong' types of information are.

        It's so much worse than you think.

      • Comment removed based on user account deletion
    • Re:Delusional (Score:4, Insightful)

      by Anonymous Coward on Monday May 29, 2017 @09:04PM (#54508327)

      any decent overlord is using SSL inspection (seamlessly via compromised root certs), so this is a non-issue

      • Pretty much. It makes https trivially easy to attack.
      • by Anonymous Coward

        Modded insightful because that's what my boss overlord does.

      • Re:Delusional (Score:5, Informative)

        by swillden ( 191260 ) <shawn-ds@willden.org> on Monday May 29, 2017 @09:21PM (#54508383) Journal

        any decent overlord is using SSL inspection (seamlessly via compromised root certs)

        Cite?

        There have been occasional instances of compromised root certs, which have fairly quickly been removed from default trust stores, but I see no evidence of ongoing vulnerability -- excepting when the overlord controls the trust store. That is common in corporate scenarios but not really possible without removing admin rights from users' computers, which is hard for any nation other than North Korea to do.

        • by Anonymous Coward

          You're likely delusional to believe that there are no CA Root or Intermediate certificates in possession of various governments of the world. Let's assume your rose-colored glasses are right, though... how about all of those domain certificates - along with their private keys - held by Akamai, Amazon and Azure for their SSL-enabled load balancers and content distribution services?

          • Re:Delusional (Score:4, Informative)

            by swillden ( 191260 ) <shawn-ds@willden.org> on Tuesday May 30, 2017 @12:22AM (#54508875) Journal

            You're likely delusional to believe that there are no CA Root or Intermediate certificates in possession of various governments of the world.

            I wouldn't claim there are none, but we have pretty strong evidence that if there are any, they're used sparingly and in a very targeted way. If such unauthorized keys were being used broadly, someone would notice that the public key certificates received by end users are not the same ones being served by the sites.
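The kind of comparison described in the comment above, as an added example that is not part of the thread: reports of the public key seen for a host from different networks are checked against the set of keys the site publishes. The host name `wiki.example`, the network labels, the key stand-ins and the function names are all constructed for illustration.

```python
"""Added example: spot hosts whose observed public key differs by vantage point."""
import hashlib
from collections import defaultdict


def pin(spki_der: bytes) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo, hex encoded."""
    return hashlib.sha256(spki_der).hexdigest()


# Constructed stand-ins for DER-encoded public keys (not real key material).
SITE_KEY_OLD = b"constructed-site-key-2016"
SITE_KEY_NEW = b"constructed-site-key-2017"  # legitimate key rotation
UNKNOWN_KEY = b"constructed-unknown-key"

# Keys the site operator says it serves; both are valid during rotation.
PUBLISHED = {"wiki.example": {pin(SITE_KEY_OLD), pin(SITE_KEY_NEW)}}

# Constructed reports: (network label, host, pin seen in the TLS handshake).
REPORTS = [
    ("net-A", "wiki.example", pin(SITE_KEY_OLD)),
    ("net-A", "wiki.example", pin(SITE_KEY_NEW)),
    ("net-B", "wiki.example", pin(UNKNOWN_KEY)),
    ("net-B", "wiki.example", pin(UNKNOWN_KEY)),
    ("net-B", "wiki.example", pin(SITE_KEY_NEW)),
    ("net-C", "wiki.example", pin(SITE_KEY_NEW)),
    ("net-C", "other.example", pin(UNKNOWN_KEY)),  # host with no published set
]


def mismatches(reports, published):
    """Return {(host, network): (unexpected, total)} where unexpected > 0.

    Hosts without a published pin set are skipped rather than flagged,
    because there is nothing to compare their keys against.
    """
    counts = defaultdict(lambda: [0, 0])
    for network, host, seen in reports:
        if host not in published:
            continue
        entry = counts[(host, network)]
        entry[1] += 1
        if seen not in published[host]:
            entry[0] += 1
    return {key: tuple(v) for key, v in counts.items() if v[0]}
```

A rotated key that the site still publishes is not flagged; only the network where an unpublished key appears is reported, with how many of its reports were affected.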

        • by AHuxley ( 892839 )
          Re Cite
          Project Bullrun, Cheesy Name, Edgehill
          "Revealed: how US and UK spy agencies defeat internet privacy and security" (6 September 2013)
          https://www.theguardian.com/wo... [theguardian.com]
          ".. agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking."
          • Yes, we know they exploited the widely-known vulnerabilities in SSLv2 and v3. The recently-published NSA hacking tools contained no new capabilities, though. There's no evidence that they can exploit properly-configured TLS.
          • by AmiMoJo ( 196126 )

            If you look at the detail of the exploits they use, none of them involve getting a root certificate to compromise large portions of the public internet. They are all work-arounds, like malware installing bogus certs on machines, flaws in SSL implementations or intercepting traffic being transferred between servers in an unencrypted state.

            Beyond that, they save some HTTPS traffic for offline analysis. If it turns out to be important later, e.g. identified as belonging to a very valuable target, they apply so

      • Having a pet CA seriously weakens SSL (and definitely makes relying on it downright crazy for anyone who could get in trouble for going to the wrong sites); but there has been some, not terribly adequate, work to ameliorate the worst of 'Yeah! Any CA is just as trusted as any other!'. Deployment of pinning is deeply patchy, and essentially only open to vendors who have some other mechanism (usually a pet software updater) to push their pinned settings; and 'SSL Observatory' type stuff can only catch attacks a
    • It is completely delusional to think this effectively prevents government censorship, as if they can't selectively block content, they simply take the sledgehammer approach and ban the site altogether.

      That is an option; but only if you want to (quite visibly) be caught interfering with your citizens' access to intriguing trivia, fun facts; and the best friend of last-minute-'researchers' everywhere.

      Sure, against somebody who doesn't give a damn, at all; and has no domestic opposition even close to being able to make him do so, "You'll have to ban it all to ban any of it!" will just get you a "Challenge Accepted." and a ban. That cuts down on the list of potential censors, and raises the cost they pay

  • by NotSoHeavyD3 ( 1400425 ) on Monday May 29, 2017 @08:46PM (#54508271) Journal
    censorship from the Wikipedia "mods" who've decided which pages are "theirs" and only they are allowed to update them?
  • by PAjamian ( 679137 ) on Monday May 29, 2017 @09:22PM (#54508387)

    The only reason this is working for now is because the censoring governments haven't implemented a workaround for it yet. There are various ways they can still censor Wikipedia:

    They can use their own CA (don't even think that a country like China doesn't have access to be able to generate certs for any hostnames they want from a trusted CA) to generate a wikipedia.com cert and proxy wikipedia traffic through their own servers censoring it in the process.

    They can proxy traffic from http to https and locally block the https traffic so the people in their country are forced to use the http version which is censored.

    They can block Wikipedia altogether by various different means.

    • If a trusted CA ever creates a fake certificate so that a party may perform MITM then it will leave a positive artifact.

      If you can ever find this artifact, then post it on Slashdot and I guarantee it will be first page and it will also result in at least one browser revoking that CA.

      • by PAjamian ( 679137 ) on Monday May 29, 2017 @10:49PM (#54508637)

        When China provides not only the browser, but the entire OS that the majority of people there run, don't you think they can insert their own trusted CA into the mix? How hard is it for a country to require users to access essential government services online, and oh look, they might just have their own trusted CA that you have to accept. If the certs are only presented to connections in their own country it becomes that much harder for security researchers to detect. There are so many ways to pull this off it's ridiculous, and countries that can't can still use one of the other methods I outlined.

        • When China provides not only the browser, but the entire OS that the majority of people there run,

          The *majority* of the people do not run some government provided OS. There's a reason piracy rates are so incredibly high in China.

          A few mandated businesses run Chinese mandated OSes. Educational institutions do too. And all of this is completely irrelevant since every idiot on the street has workarounds to blocked content anyway. The Chinese censorship can be best described as "casual".

        • by AmiMoJo ( 196126 )

          The most popular operating systems in China are Android and Windows. China doesn't supply a browser; the most popular one is Chrome by a long shot.

          http://gs.statcounter.com/brow... [statcounter.com]

          Maybe you are confusing them with North Korea?

      • You mean like they didn't when Symantec [softpedia.com] did it?
  • Hard to believe. (Score:5, Insightful)

    by BitterOak ( 537666 ) on Monday May 29, 2017 @09:29PM (#54508413)
    The article makes the following claim:

    For example, a government could tell that a user is browsing Wikipedia, but couldn't tell that the user is specifically reading the page about Tiananmen Square.

    This is hard to believe. The vast majority of Wikipedia pages contain several images and the file sizes for each of these images is different. When you load a page, the browser first loads the text of the page, then in separate https requests, it loads each of the images, usually in the order listed in the page's HTML. Each page then has a unique signature: the size of the text, and the sizes of each of the images in order. It would be very easy for an adversary to build up a database of these signatures, simply by analyzing their own traffic when they examine various pages. Even if the traffic is encrypted, by looking at the amount of data transferred and the timing, it seems it would be almost trivial to figure out which pages a user was visiting.

    • That is a legitimate attack, of course it can be more easily protected against than it can be exploited. Gzip compression (and tweaking the settings behind the compression per stream) of streams or padding with junk data in either direction can be used to adjust sizes of resources.

      Also a slight technical correction, a client can make multiple requests per stream. But that does not affect your concern.

    • Wikipedia could pad every (page, image, or paragraph) with random junk so that traffic quantity analysis is useless. Also they could hesitate a random time between (page, image, or paragraph). I reckon they do something like this now.
    • Re:Hard to believe. (Score:5, Informative)

      by PAjamian ( 679137 ) on Monday May 29, 2017 @10:39PM (#54508597)

      The web client will reuse the connection to the server, and to a 3rd-party observer it will all look like one massive blob of data so that all they could really get out of it is the content length of the whole thing, which due to gzip compression (which is enabled for Wikipedia, I checked), caching of resources, etc, means it will vary considerably from one fetch of a given page to the next.

      If that isn't enough, http servers and TLS ciphers themselves actively hide the length of the content they transmit with techniques such as padding and adding additional random bytes to the beginning or end of a HTTPS transmission.

      All up, I'd say this vector would be pretty much impossible to exploit.
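The padding countermeasure raised in the replies above, measured on constructed data (an added example, not from the thread; the article names, byte counts and function names are made up for illustration). It groups pages whose per-object sizes become identical once every response is padded up to a fixed bucket, and reports what the padding costs in bandwidth.

```python
"""Added example: how response padding changes size-based page signatures."""
from collections import defaultdict

# Constructed sample data: bytes on the wire for the HTML and then each image,
# in load order. Illustrative numbers, not measurements of Wikipedia.
PAGES = {
    "Article_A": [48_210, 12_044, 88_930],
    "Article_B": [48_990, 12_700, 90_112],
    "Article_C": [51_377, 30_250],
    "Article_D": [49_801, 29_003],
    "Article_E": [120_455, 15_020, 15_870, 64_100],
}


def pad_to_bucket(size: int, bucket: int) -> int:
    """Round a response size up to the next multiple of `bucket` bytes."""
    return -(-size // bucket) * bucket


def signature(sizes, bucket=None):
    """Ordered tuple of object sizes a passive observer would record."""
    if bucket:
        sizes = [pad_to_bucket(s, bucket) for s in sizes]
    return tuple(sizes)


def anonymity_sets(pages, bucket=None):
    """Return {page: number of pages sharing its signature}."""
    groups = defaultdict(list)
    for name, sizes in pages.items():
        groups[signature(sizes, bucket)].append(name)
    return {name: len(g) for g in groups.values() for name in g}


def overhead(pages, bucket):
    """Extra bytes sent because of padding, as a fraction of the raw total."""
    raw = sum(sum(s) for s in pages.values())
    padded = sum(pad_to_bucket(x, bucket) for s in pages.values() for x in s)
    return (padded - raw) / raw
```

On this data a 4 KiB bucket merges only two of the five pages, a 64 KiB bucket merges four at roughly 65% extra traffic, and the page with a different number of objects stays unique either way, since padding sizes does not hide the object count.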

  • https://en.wikipedia.org/wiki/Special:Search?search=dumb+ass

  • by Anonymous Coward

    I'm fed up of looking up information and seeing it deleted as "not notable". Information wants to be free, and shouldn't be held to arbitrary "notability" standards. The day a notability free version of Wikipedia gets popular I will donate again.

  • Real world effects (Score:4, Informative)

    by Dunbal ( 464142 ) * on Tuesday May 30, 2017 @02:33AM (#54509083)
    Of course countries simply respond by censoring ALL of Wikipedia [independent.co.uk].
  • > For example, a government could tell that a user is browsing Wikipedia, but couldn't tell that the user is specifically reading the page about Tiananmen Square.

    Well, until now. Gee thanks, guys.

  • So the government(s) "no rikey" encryption hiding user use from them? Windows 10 will take care of that for them. Er... has already taken care of that for them.

  • For people that live in China, please use TOR.

    Take your security into your own hands. Don't depend on external sites to protect you. SSL has been compromised in the past, browser exploits do occur and your computer will keep logs of what you visit.

    It's much better to use TOR and set up to tunnel through a bridge to get the information you want. Your country will not be able to monitor your information gathering, your browser will erase all logs on exit and wikipedia will not have an IP log of your visit. You
