Wikipedia, one of the most popular websites in the world, will now be encrypted by default, a change that will better protect its hundreds of millions of visitors from surveillance and censorship.
The Wikimedia Foundation, the nonprofit that runs the online encyclopedia, announced that it started switching all its sites to HTTPS by default on Friday. The site becomes the latest to join an ever-growing movement that promotes more encryption across the web to protect users’ privacy and freedom of speech.
“To be truly free, access to knowledge must be secure and uncensored,” Wikimedia’s Yana Welinder, Victoria Baranetsky, and Brandon Black wrote in the announcement. “With this change, the nearly half a billion people who rely on Wikipedia and its sister projects every month will be able to share in the world’s knowledge more securely.”
Turning on HTTPS by default on a website creates a secure, encrypted connection between the user and the site, making it harder for spies and malicious hackers to monitor what pages the user visits on the website. With HTTPS encryption turned on, it’s also harder for repressive governments to block and filter selected pages on the site. With HTTPS, spies and censors can see that a user is visiting Wikipedia, but not which specific page.
In Iran, for example, two researchers found that the government censors a number of pages on the Farsi version of Wikipedia, such as some about Iran’s human rights violations or sensitive political topics. Iran applied similar selective censorship techniques to Instagram too, until the social network recently turned on HTTPS by default, fooling the country’s censors.
If a website turns on HTTPS by default, it leaves censors with only two choices: either allow users to visit the whole site, or block it entirely.
Internet freedom advocates, such as the human rights organization Access with its “Encrypt All the Things” campaign, have been advocating for more websites to turn on HTTPS by default. They’re not the only ones.
The internet’s main international standards organization, the World Wide Web Consortium (W3C), said in a recent paper that HTTPS should be deployed more widely. Even the White House has been pushing for more encryption on US government sites, recently setting a deadline to make the switch.
And it’s not just civil society or government organizations. Google has been pushing for more encryption too by favoring HTTPS websites over non-encrypted ones in search results. Just this week, Apple told its developers that they had better start using HTTPS in their apps in the future, signalling that it’s going to deprecate the traditional, more insecure HTTP protocol—just like Mozilla is already doing.
Until Friday, Wikipedia was a holdout from the movement, despite the fact that it had sued the NSA for mass surveillance, which in many cases is enabled by the lack of encryption across the internet.
In March, Wikipedia’s founder Jimmy Wales said he wanted a more secure internet during a Reddit AMA, but when I asked him if the site was ever going to be HTTPS by default, Lila Tretikov, Wikimedia Foundation’s executive director, dodged the question, saying turning on HTTPS by default might slow down connections to the site “especially in low bandwidth or poor connections areas.”
This was a real, legitimate concern, as Wikimedia acknowledged in its announcement.
“People around the world access Wikimedia sites from a diversity of devices, with varying levels of connectivity and freedom of information,” Wikimedia wrote in the announcement. “Although we have optimized the experience as much as possible with this challenge in mind, this change could affect access for some Wikimedia traffic in certain parts of the world.”
But it looks like they’re ready to take the risk, and they’re pushing others to follow.
“We believe that the time for HTTPS by default is now. We encourage others to join us as we move forward with this commitment.”
UPDATE, 06/12/2015, 2:29 p.m. ET: Katherine Maher, a spokesperson for the Wikimedia Foundation, confirmed that the switch to HTTPS will eventually affect "all language versions" of Wikipedia.
The first ones to be HTTPS-only are the English, Chinese, Russian, Hebrew, Italian, Catalan and Uyghur versions, with others soon to follow.
"While we did this on behalf of users first, we're excited to join the movement for a more secure web!" Maher told Motherboard in an email.