Wikimedia has announced that all of its web properties – including the enormously popular crowd-sourced dictionary Wikipedia – will now use HTTPS encryption by default.
The step means that the half billion users of Wikimedia sites will have their browsing traffic encrypted, making interception and monitoring by third parties considerably harder. It also makes mass censorship by ISPs or governments more difficult.
In a blog post the company said that it was going to take additional steps to strengthen security still further: “We’re happy to announce that we are in the process of implementing HTTPS to encrypt all Wikimedia traffic. We will also use HTTP Strict Transport Security (HSTS) to protect against efforts to ‘break’ HTTPS and intercept traffic.”
The company said it has been working on establishing the infrastructure and technical requirements since 2011, and that logged-in users have been protected via HTTPS since 2013.
However, as the blog post makes clear, some users on lower-quality connections or in areas with restricted freedom of information may find that this “change could affect access for some Wikimedia traffic”, in spite of “efforts to minimize negative impacts related to latency, page load times, and user experience.”
The blog ends on a positive note, however, stating: “We believe encryption makes the web stronger for everyone. In a world where mass surveillance has become a serious threat to intellectual freedom, secure connections are essential for protecting users around the world.”
Reporters at Forbes point out that the announcement comes just a week after US agencies were warned that their public-facing sites need to use HTTPS by December 31, 2016. According to Forbes, a letter was sent to all federal agencies, stating that this move would prevent “inconsistent, subjective determinations across agencies regarding which content or browsing activity is sensitive in nature.”
While the move towards HTTPS encryption will be seen as a positive step, websites that adopt it are not completely safe from cyberthreats. Earlier this year the 'Logjam' attack exposed a flaw that left tens of thousands of HTTPS websites vulnerable.