Wikipedia Wants a More Secure Web, But It's Not Encrypted By Default

​On March 10, Wikipedia took a stand for its users, in particular its anonymous volunteers, and sued the NSA, accusing it of mass surveillance.

On Friday, founder Jimmy Wales, along with others, hosted a Red​dit AMA to talk about the lawsuit and other issues. When someone asked him what the perfect internet would look like, Wales s​aid that "a secure internet (encryption everywhere) would be a good start."

Yet, Wikipedia itself is not encrypted by default, despite the ever-increasing calls to encrypt all the things on the internet. Even the White House recently switched to default encryption, and called on the rest of the government to make the transition as well.

It's not just an issue of surveillance. When a website is encrypted by default—meaning all its content is served over the more secure HTTPS protocol—censorship-happy countries like China and Iran can't do selective blocking of Wikipedia pages without blocking the whole site.

So I asked Wales if Wikipedia was ever going to implement HTTPS encryption by default to counter this selective censorship and give users more privacy. (It has to be noted that Wikipedia offers an encrypted version of its site, but it doesn't force all visitors to use it, unlike Facebook, for example).

"We would like to see all internet traffic encrypted," Lila Tretikov, Wikimedia Foundation's executive director, ​responded, also noting that logged-in users do get it by default.

But the rest don't because "HTTPS has performance implications for users especially in low bandwidth or poor connections areas. Our Engineering team calibrates forcing HTTPS configuration on a case-by-case basis to minimize negative impacts for these readers."

And while performance is a legitimate concern, companies like Facebook, which has made reaching developing countries a big priority, have shown that it's possible to deliver sites quickly over HTTPS.

I asked her if she was worried about censorship, but did not get an answer. After this story was published, Wikimedia spokesperson Katherine Maher told me that they "reject censorship," but offering HTTPS for all users is a challenge.

"We're interested in being able to offer HTTPS by default to all of our users," Maher told Motherboard in an email. "But we recognize that there can be performance issues around HTTPS that negatively impact our users, especially in places with poor connectivity."

In Iran, for example, the censorship of Wikipedia is a huge issue. In a study published in 2013, two researchers ​found that Iran uses a heavy hand when blocking access to numerous Wikipedia Farsi pages, including some about Iran's human rights violations, or its politics.

Despite this, Collin Anderson, one of the researchers who studied Iran's Wikipedia censorship, told me that performance is indeed an issue.

If Wikipedia was HTTPS by default, Anderson explained, there is a chance that it would be slower, especially for users in developing countries, where not only the internet is slower, but also where Wikipedia servers might be far.

"They have to balance between accessibility and privacy and surveillance," Anderson said. ""I would prefer to see more encrypted web traffic, but i don't think they're doing something demonstrably contrary to the demands of their user base—I think they're just making a choice within an economical framework."

There's also another balance to strike. If Wikipedia turned encryption on by default, it would force countries like Iran to make a choice: let citizens access a few controversial pages that it would like to censor, or block the entire site.

Some countries, Anderson said, "would probably choose to block the entirety of Wikipedia."

So if Wikipedia really wants more encryption all over the web, including its own site, it might have to make some tough choices.

UPDATE: This story was updated to add Katherine Maher's comments.