Use Wikipedia's HTTPS search by default for Firefox desktop and Android

VERIFIED FIXED in Firefox 34

Status

()

Firefox
Search
VERIFIED FIXED
5 years ago
3 years ago

People

(Reporter: cpeterson, Assigned: Andre Klapper)

Tracking

(Blocks: 1 bug, {feature, privacy, relnote})

unspecified
Firefox 35
feature, privacy, relnote
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox32 wontfix, firefox33 wontfix, firefox34+ verified, firefox35 verified, relnote-firefox 34+)

Details

(URL)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

5 years ago
Wikipedia now supports HTTPS at https://www.wikipedia.org, not just https://secure.wikimedia.org.

Would Mozilla need to coordinate with Wikimedia before switching from HTTP to HTTPS?
(Reporter)

Comment 1

5 years ago
Created attachment 627450 [details] [diff] [review]
bug-758857-wikipedia-https.patch

This patch changes both Firefox and Mobile's Wikipedia search plugins. Other locales would need to be changed, too.
Assignee: nobody → cpeterson
Status: NEW → ASSIGNED
Attachment #627450 - Flags: review?(gavin.sharp)
Comment on attachment 627450 [details] [diff] [review]
bug-758857-wikipedia-https.patch

Yes, we'll need to coordinate this with them before landing this. Kev can probably help with that.
Attachment #627450 - Flags: review?(gavin.sharp) → review+
(Reporter)

Comment 3

5 years ago
Thanks, Gavin.

Kev, do you have a contact with Wikimedia's web team? What is the process for coordinating a code change that affects an external org like this?

Comment 4

5 years ago
Reply from Ryan Lane, Wikimedia ops:

"Please don't do so. HTTPS is a new service, and we haven't properly
load tested it yet. The first target for production load testing is
for logged-in users.

I'm not opposed to the change completely, but I'd prefer to let you
guys know when we're ready."
Resolving this WORKSFORME for now, then.

Would you reopen this bug once Ryan gives us a go?
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME
Whiteboard: reopen if wikipedia is fine with it.

Comment 6

5 years ago
(In reply to Axel Hecht [:Pike] from comment #5)
> Would you reopen this bug once Ryan gives us a go?

OK.
Assignee: cpeterson → amir.aharoni
It's about half a year, just checking in. Any news here from the wikipedia front, Amir?

Comment 8

4 years ago
(In reply to Axel Hecht [:Pike] from comment #7)
> It's about half a year, just checking in. Any news here from the wikipedia
> front, Amir?

I pinged. Thanks for the reminder. I'm reopening; I only know about https stuff as a user, but AFAIK it's been for over a year and it's quite stable. Other people may have a different perspective, though.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
CCing Ryan, I hope I reverse-engineered the right email address.

Ryan, if you're the wikipedia operations Ryan, are you OK to use https for Firefox search from an infrastructure-load-pov?
Flags: needinfo?(rlane32)
Whiteboard: reopen if wikipedia is fine with it.

Comment 10

4 years ago
We're still waiting on some core changes in MediaWiki to switch logged-in users to HTTPS. I'd prefer to have that happen first.
Hi Ryan, thanks for the update.

Can I leave it up to you to reopen this bug once you're good from the infra side?

I'd leave that as a needinfo in this bug on you. That way, you'll have a reminder in your "My Requests" section. If that ends up sending you whine emails once a week, feel free to cancel that request, I don't know as my whine emails end up in the Trash anyway :-/.

Moving back to RESOLVED and WORKSFORME until we get something actionable.
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago4 years ago
Flags: needinfo?(rlane32) → needinfo?(rlane)
Resolution: --- → WORKSFORME
(Assignee)

Updated

4 years ago
(Reporter)

Comment 12

4 years ago
hi Ryan, I just read your blog post about "The future of HTTPS on Wikimedia projects". [1] That's great news!

When your team is ready for Firefox's search bar to switch to Wikipedia's HTTPS search, just let me know. Mozilla only needs to flip a switch. :)

[1] https://blog.wikimedia.org/2013/08/01/future-https-wikimedia-projects/

Comment 13

4 years ago
I think we still need a while for this. We've seen a fairly substantial increase in HTTPS traffic and need to make some architecture adjustments. We'll probably need to wait until we move our terminators to our frontends.
Flags: needinfo?(rlane)
I filed another bug for this: bug 958877. I was just told about this bug.

It doesn't make sense to resolve a bug WORKSFORME if the problem/enhancement isn't resolved. It makes it harder for people to track the issue and results in duplicate work. Let's either reopen this bug and resolve bug 958877 as a dupe of it, or resolve this bug as a duplicate of bug 958877 and leave bug 958877 open so we can track it. In particular, we need a bug that stays open for the purposes of tracking the overall (unofficial) project to have all these things HTTPS in bug 771788.
Blocks: 771788
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Duplicate of this bug: 958877
I suspect that the vast majority of people leave the default search provider at Google or whatever they use for general-purpose search. Could we share the numbers for "org.mozilla.searches.counts" / "wikipedia.searchbar" and "wikipedia.contextmenu" here, or with Wikimedia privately? I think if we could give them "the average number of wikipedia searches per day that would be impacted by this change," that would be helpful to them.
Flags: needinfo?(gps)
mconnor is both the gatekeeper and the keymaster for FHR search data.
Flags: needinfo?(gps) → needinfo?(mconnor)
Wikipedia was not on the list of engines we were reporting separately (verified that wikipedia searches bucket into "other" in Fx26).  The fix to unfilter those was in bug 925521, but that won't hit release until Fx27 ships in early February.  I'd say that we can't get a decent estimate until February 28th at the earliest (time enough to get a reasonably representative population on Fx27).
Flags: needinfo?(mconnor)
Thanks Mike. I will NEEDINFO myself as a reminder of this.
Flags: needinfo?(brian)
(Reporter)

Comment 20

3 years ago
To determine the number of requests that would be switched to HTTPS, can't Wikipedia just search their server logs for page requests that include Firefox's "Mozilla-search" URL parameter?
Clearing NEEDINFO.
Flags: needinfo?(brian)
Hi Ryan, does Wikimedia still want us to hold off?
Flags: needinfo?(rlane)
(Assignee)

Comment 23

3 years ago
:Ms2ger: According to WMF Technical Operations, Wikimedia isn't there yet when it comes to scaling. 
I've posted a longer version in https://bugzilla.wikimedia.org/show_bug.cgi?id=45765#c15

I'll assign this to myself for the time being, until this is sorted out on the Wikimedia side.
Assignee: amir.aharoni → a9016009
Flags: needinfo?(rlane)
Thanks Andre, much appreciated.
Andre, is there any updated timelines?  We're considering making SSL a requirement for all bundled search providers, and Wikipedia is one of the bigger question marks.  Is there anything we can do on our end to move this along?
Flags: needinfo?(a9016009)
(Assignee)

Comment 26

3 years ago
Hi, thank you for the ping (and patience).

Brought this up again and Wikimedia Operations said you can go ahead and use HTTPS for Wikipedia search.

(For my own records: WMF ops@ list; thread named "Firefox search and HTTPS access to Wikipedia search")
(Assignee)

Updated

3 years ago
Flags: needinfo?(a9016009)
(Reporter)

Comment 27

3 years ago
Created attachment 8489505 [details] [diff] [review]
wikipedia-https.patch

Use Wikipedia's HTTPS search by default for Firefox desktop and Android.

Gavin, this is a rebased version of a patch you r+'d in 2012. I'm asking for re-review because I wanted to give you and mfinkle a heads up because this is a small but important product change. The Wikimedia Operations team gave us the OK to move forward in comment 26.
Attachment #627450 - Attachment is obsolete: true
Attachment #8489505 - Flags: review?(mark.finkle)
Attachment #8489505 - Flags: review?(gavin.sharp)
(Reporter)

Updated

3 years ago
Keywords: feature
Summary: Use Wikipedia's HTTPS search by default → Use Wikipedia's HTTPS search by default for Firefox desktop and Android
Comment on attachment 8489505 [details] [diff] [review]
wikipedia-https.patch

mobile part LGTM
Attachment #8489505 - Flags: review?(mark.finkle) → review+
(Reporter)

Comment 29

3 years ago
Landed Android change while waiting for Gavin's desktop review.

https://hg.mozilla.org/integration/mozilla-inbound/rev/612fedcc26e1
status-firefox32: --- → affected
status-firefox33: --- → affected
status-firefox34: --- → affected
status-firefox35: --- → affected
https://hg.mozilla.org/mozilla-central/rev/612fedcc26e1
Status: REOPENED → RESOLVED
Last Resolved: 4 years ago3 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 35
Attachment #8489505 - Flags: review?(gavin.sharp) → review+
(Reporter)

Comment 31

3 years ago
Landed desktop changes:
https://hg.mozilla.org/integration/mozilla-inbound/rev/13c6ae2f5f3e

Andre: this change should land in tomorrow's Firefox Nightly 35 build (with a couple million users) and reach all Firefox users on 2015-01-06. If you see any HTTPS problems on the server side, please let me know. Because this is a small but important change, I would like to uplift this fix to Firefox Aurora 34 (which would reach all Firefox users sooner, on 2014-11-25) if you don't see any problems.
status-firefox35: affected → fixed
(Reporter)

Comment 32

3 years ago
(In reply to Chris Peterson (:cpeterson) from comment #31)
> Andre: this change should land in tomorrow's Firefox Nightly 35 build (with
> a couple million users) ...

Correction: the Nightly user population is only about 250K users. The total prerelease user population (Nightly, Aurora, and Beta) is about 8M.
Is this en.wikipedia only?
(Reporter)

Comment 34

3 years ago
(In reply to Masatoshi Kimura [:emk] from comment #33)
> Is this en.wikipedia only?

Thanks for asking! My patch only changed the en-US search plugin in mozilla-central, but (based on my brief testing) I think Wikipedia can support HTTPS for all its *.wikipedia.org properties.

emk: what is the process for letting localizers know that they should update their locale's Wikipedia search plugin?
Flags: needinfo?(VYV03354)
(Reporter)

Comment 35

3 years ago
Release Note Request (optional, but appreciated)
[Why is this notable]: Improved security
[Suggested wording]: Firefox's Wikipedia search now uses HTTPS for secure searching on desktop and Android.
[Links (documentation, blog post, etc)]:
relnote-firefox: --- → ?
Keywords: relnote
(In reply to Chris Peterson (:cpeterson) from comment #34)
> (In reply to Masatoshi Kimura [:emk] from comment #33)
> > Is this en.wikipedia only?
> 
> Thanks for asking! My patch only changed the en-US search plugin in
> mozilla-central, but (based on my brief testing) I think Wikipedia can
> support HTTPS for all its *.wikipedia.org properties.
> 
> emk: what is the process for letting localizers know that they should update
> their locale's Wikipedia search plugin?

Announcing at dev-l10n?
Flags: needinfo?(VYV03354)
(Reporter)

Comment 37

3 years ago
Thanks. I just posted an announcement on dev-l10n:

https://groups.google.com/d/msg/mozilla.dev.l10n/KL4R3FnN_64/4d9tHa_DbJoJ
https://tbpl.mozilla.org/?tree=Try&rev=f38e6352d079
https://hg.mozilla.org/mozilla-central/rev/13c6ae2f5f3e

Comment 40

3 years ago
(In reply to Chris Peterson (:cpeterson) from comment #37)
> Thanks. I just posted an announcement on dev-l10n:
> 
> https://groups.google.com/d/msg/mozilla.dev.l10n/KL4R3FnN_64/4d9tHa_DbJoJ

Thank you. Is there some place where to check progress for the various locales? Is this something where others (native speakers?) can help, or some matter of self-governance where the decision is delegated to localisers?

(In reply to Chris Peterson (:cpeterson) from comment #35)
> Release Note Request (optional, but appreciated)
> [Why is this notable]: Improved security
> [Suggested wording]: Firefox's Wikipedia search now uses HTTPS for secure
> searching on desktop and Android.

Rectius: "English Wikipedia".

Given it's about security, what's the process to update all the addons for Wikipedia's sister projects *.wiktionary.org, *.wikiquote.org etc.? Are https://addons.mozilla.org/firefox/search/?q=wiktionary etc. complete lists or are there other significant distribution channels? If those can't be changed centrally, is there a way to provide "official" options, using HTTPS (and with more complete coverage; plugins are very partial).

Sorry for the many questions... A consistent behaviour for Wikimedia projects would be very appreciated.
(In reply to Chris Peterson (:cpeterson) from comment #37)
> Thanks. I just posted an announcement on dev-l10n:
> https://groups.google.com/d/msg/mozilla.dev.l10n/KL4R3FnN_64/4d9tHa_DbJoJ

Next time ask someone from the l10n-drivers before jumping the gun? The guy who usually fixes these bugs (me) would be a good choice ;-)

All productization files (searchplugins, region.properties, etc.) are subject to rules: you can't change anything unless you file a bug and get a patch reviewed, but in some cases we whitelist those changes. 

But even in that case I still need a tracking bug and checks to see which locales out of 114 didn't update the files (and I'll have to do it for most of them).
Depends on: 1069123
(Reporter)

Comment 42

3 years ago
(In reply to Francesco Lodolo [:flod] from comment #41)
> Next time ask someone from the l10n-drivers before jumping the gun? The guy
> who usually fixes these bugs (me) would be a good choice ;-)

Sorry, Francesco! I was not familiar with Firefox's localization process. I thought dev-l10n was the appropriate venue. I don't see an l10n-drivers mailing list or newsgroup. If there is anything I can do to help now, just let me know.


> But even in that case I still need a tracking bug and checks to see which
> locales out of 114 didn't update the files (and I'll have to do it for most
> of them).

Also, Wikipedia may not support the same 114 locales as Firefox. :)


(In reply to Federico from comment #40)
> Given it's about security, what's the process to update all the addons for
> Wikipedia's sister projects *.wiktionary.org, *.wikiquote.org etc.? Are
> https://addons.mozilla.org/firefox/search/?q=wiktionary etc. complete lists
> or are there other significant distribution channels? If those can't be
> changed centrally, is there a way to provide "official" options, using HTTPS
> (and with more complete coverage; plugins are very partial).

This change only applies to the "search plugins" [1] bundled with Firefox, not third-party search add-ons from AMO. Mozilla does not maintain or bundle search plugins for wiktionary.org or wikiquote.org. Any add-on developers with Wikipedia-related add-ons are responsible for updating their add-ons to Wikipedia HTTPS URLs.

[1] http://kb.mozillazine.org/Search_Bar
(In reply to Chris Peterson (:cpeterson) from comment #42)
> Sorry, Francesco! I was not familiar with Firefox's localization process. I
> thought dev-l10n was the appropriate venue. I don't see an l10n-drivers
> mailing list or newsgroup. If there is anything I can do to help now, just
> let me know.

No problem. For future reference (see Contact at the end of the page)
https://wiki.mozilla.org/L10n:Mozilla_Team

> This change only applies to the "search plugins" [1] bundled with Firefox,
> not third-party search add-ons from AMO. Mozilla does not maintain or bundle
> search plugins for wiktionary.org or wikiquote.org. Any add-on developers
> with Wikipedia-related add-ons are responsible for updating their add-ons to
> Wikipedia HTTPS URLs.

We actually ship some Wiktionary searchplugins, but I'd need confirmation from Wikimedia that's fine to use HTTPS for those as well
http://mxr.mozilla.org/l10n-mozilla-aurora/search?string=wiktionary&find=list.txt

Comment 44

3 years ago
(In reply to Francesco Lodolo [:flod] from comment #43)
> We actually ship some Wiktionary searchplugins, but I'd need confirmation
> from Wikimedia that's fine to use HTTPS for those as well
> http://mxr.mozilla.org/l10n-mozilla-aurora/
> search?string=wiktionary&find=list.txt

Traffic on those wiktionaries is negligible, no problem for Wikimedia.
QA Contact: camelia.badau
(Reporter)

Comment 45

3 years ago
Comment on attachment 8489505 [details] [diff] [review]
wikipedia-https.patch

Approval Request Comment

[Feature/regressing bug #]: New feature, not a regression.

[User impact if declined]: Aurora 34's Wikipedia search bar will continue to use HTTP instead of HTTPS.

[Describe test coverage new/current, TBPL]: Tested on Nightly for 5 days without problems reported by Nightly users or Wikipedia's server ops team.

[Risks and why]: This change has been a long time in the making. Firefox's search bar uses HTTPS for Google, Yahoo, and Twitter (but HTTP for Amazon, Bing, and eBay). Wikipedia has supported HTTPS for years, but their server ops team asked us to hold our change until their server infrastructure was ready for more HTTPS users. They say they are now ready (comment 26).

[String/UUID change made/needed]: I made the following string changes and have communicated them to l10n drivers (bug 1069123):
1. Changed Wikipedia search URL from http to https.
2. Capitalized the word "free" in "Free Encyclopedia" like Wikipedia's logo does.
Attachment #8489505 - Flags: approval-mozilla-aurora?
(Reporter)

Updated

3 years ago
Keywords: privacy
status-firefox32: affected → wontfix
status-firefox33: affected → wontfix
tracking-firefox34: --- → +
Comment on attachment 8489505 [details] [diff] [review]
wikipedia-https.patch

Thank you for working with l10n on this. Given that l10n is already working on the changes, this is approved for Aurora.
Attachment #8489505 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/44c19edf82f3
status-firefox34: affected → fixed
Firefox Desktop: verified on Windows 7 64bit, Ubuntu 13.10 32bit and Mac OS X 10.9.5 using:
                 - latest Nightly 35.0a1 (buildID: 20140924030204) - it works ok
                 - latest Aurora 34.0a2 (buildID: 20140925004001) - one mention should be done here: if I write "wikipedia.org" on the url bar and then press Enter -> the opened page doesn't use https ("http://www.wikipedia.org/") - this is ok? 

Firefox Android: - verified on build 35.0a1 (2014-09-24) - it works ok 
                 - verified on build 34.0a2 (2014-09-25) - it doesn't work. Wikipedia search bar continue to use HTTP instead of HTTPS. The fix for this bug is also on Aurora 34.0a2 (2014-09-25) on Android?
(Reporter)

Comment 49

3 years ago
(In reply to Camelia Badau, QA [:cbadau] from comment #48)
> Firefox Desktop: verified on Windows 7 64bit, Ubuntu 13.10 32bit and Mac OS
> X 10.9.5 using:
>                  - latest Nightly 35.0a1 (buildID: 20140924030204) - it
> works ok
>                  - latest Aurora 34.0a2 (buildID: 20140925004001) - one
> mention should be done here: if I write "wikipedia.org" on the url bar and
> then press Enter -> the opened page doesn't use https
> ("http://www.wikipedia.org/") - this is ok? 

That is the expected behavior. This change only affects the search bar, not the address bar. Entering "http://www.wikipedia.org/" in the address bar is not expected to redirect to "https://www.wikipedia.org/".

> Firefox Android: - verified on build 35.0a1 (2014-09-24) - it works ok 
>                  - verified on build 34.0a2 (2014-09-25) - it doesn't work.
> Wikipedia search bar continue to use HTTP instead of HTTPS. The fix for this
> bug is also on Aurora 34.0a2 (2014-09-25) on Android?

Oops! You are correct. This was an oversight.

My patch on this bug included both Firefox desktop and Android changes, but I split the patch into separate Android and desktop changesets (comment 29 and comment 31, respectively) when I landed (because the Android and desktop changes were r+'d at different times). Ryan's uplift (comment 47) only caught the desktop changeset.

I just uplifted the Android change to mozilla-aurora, so the next Android build 34.0a2 should work correctly:

https://hg.mozilla.org/releases/mozilla-aurora/rev/36f2693ea7c1
(Reporter)

Updated

3 years ago
status-firefox35: fixed → verified
Thank you for your answer, Chris! 

Verified on Firefox Android on build 34.0a2 (2014-09-26) and it works ok now.
Status: RESOLVED → VERIFIED
status-firefox34: fixed → verified
Added to the release notes with "Wikipedia search now uses HTTPS for secure searching" as wording.
relnote-firefox: ? → 34+
You need to log in before you can comment on or make changes to this bug.