SSL in the casual case relies on all CAs being uncompromised. I understand this is not the case.
In any case, both technical and legal approaches are appropriate. And you know as well as I do that everyone at WMF desperately wants SSL for everything, and that this is a thing they are specifically working toward (but it turns out to be a bit more complicated than just switching everyone to SSL) - there is no way in which the legal approach precludes the technical approach.
I mean, you're right, this has been a problem for ages and you personally yelled really loudly and quite appropriately at them for it, and I really wish WMF had moved forward sooner. But if yesterday was the best day to act, then today is the next-best day.
> SSL in the casual case relies on all CAs being uncompromised.
Not really, -- it pushes the monitoring into active interception, which is much more costly (and thus does not work as well to hoover up everyone's data) and it is incredibly risky because it is detectable and if detected leaves cryptographic proof of the attack (and which CA was compromised or complicit with it.)
I'm all for other tools as well, which can provide protections that SSL cannot; but shuffling all the readers through Tor isn't practical today while HTTPS _is_ (as demonstrated by most of the other large web properties) and provides pretty decent protection against pervasive surveillance.
> In any case, both technical and legal approaches are appropriate.
Sure. I wanted to litigate about this in the past as well. But I am concerned that the complete failure to take the issue seriously historically weakens the claim of damages here.
> And you know as well as I do that everyone at WMF desperately wants SSL for everything
I don't know what to believe on that front anymore.
There is a simple clear metric for "want" in an institution, whats the funding level? This project has not been raised to a level of importance where its receiving line item disclosed funding, as far as I can tell. There was a plan for deployment in 2013 which hasn't been completed, https://blog.wikimedia.org/2013/08/01/future-https-wikimedia... ... and in the time since then Wikimedia has received another hundred million in funding from the public-- with fundraising running something like 17% ahead of expenditures.
> but it turns out to be a bit more complicated
Yes, it's complicated. Don't forget that I contributed to making it possible too. I'm not waxing away the technical details.
> But if yesterday was the best day to act, then today is the next-best day.
Similar things were said when I raised a similar complaint when Wikimedia posted denying providing any assistance to prism in 2013. (A position that I consider to be a lie by omission)
Continuing to deny that there is a problem here will not result in the problem being resolved.
Simply by obtaining private keys for Google/Facebook/YouTube/Yahoo/Baidu, the NSA can passively decrypt a HUGE percentage of the world's traffic. Any server encrypting for Google will need to have these keys so it's quite difficult to keep all these servers secure, and given the keys' values, the NSA would have no trouble budgeting infiltrating companies to get them.
In any case, both technical and legal approaches are appropriate. And you know as well as I do that everyone at WMF desperately wants SSL for everything, and that this is a thing they are specifically working toward (but it turns out to be a bit more complicated than just switching everyone to SSL) - there is no way in which the legal approach precludes the technical approach.
I mean, you're right, this has been a problem for ages and you personally yelled really loudly and quite appropriately at them for it, and I really wish WMF had moved forward sooner. But if yesterday was the best day to act, then today is the next-best day.