Wikipedia to start using secure HTTPS by default for all users

Wikipedia will soon have HTTPS enabled by default, creating a more secure connection between a user’s Internet device and Wikipedia.

In an announcement earlier today, Wikipedia’s parent organization, the Wikimedia Foundation, said: “We believe that you should be able to use Wikipedia and the Wikimedia sites without sacrificing privacy or safety.”

HTTPS is a communications protocol often used by security-conscious bodies such as banks, with encryption adding an extra layer of security atop the traditional HTTP protocol for online customers. But other companies have increasingly adopted HTTPS in recent times, including the likes of Twitter, which has had it switched on by default since 2012.

Today’s news isn’t entirely surprising — Jimmy Wales, founder of the Wikimedia Foundation, has been an ardent, outspoken critic of the National Security Agency (NSA) and mass surveillance. The co-penned announcement post from the organization’s legal counsels today stated:

In a world where mass surveillance has become a serious threat to intellectual freedom, secure connections are essential for protecting users around the world. Without encryption, governments can more easily surveil sensitive information, creating a chilling effect, and deterring participation, or in extreme cases they can isolate or discipline citizens.

Accounts may also be hijacked, pages may be censored, other security flaws could expose sensitive user information and communications. Because of these circumstances, we believe that the time for HTTPS by default is now.

The Wikimedia Foundation has been working behind the scenes to implement the requirements for HTTPS by default. Since 2013, those who are logged in to Wikipedia have had HTTPS on by default, and anyone could manually enter the “HTTPS” in the address bar if they wished. Search engines would also include HTTPS when redirecting an Internet user to a page operated by the Wikimedia Foundation.

In addition to HTTPS, the Wikimedia Foundation is using HTTP Strict Transport Security (HSTS), a mechanism that helps prevent “downgrade attacks” which attempt to intercept traffic.

The HTTPS rollout kicks off today, but it will take a few weeks for the process to be complete.