Page MenuHomePhabricator

Wrong cert on mail.wikipedia.org (as it redirects to lists.wikimedia.org)
Closed, ResolvedPublic

Details

Reference
bz44731

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 1:38 AM
bzimport set Reference to bz44731.

Thehelpfulonewiki wrote:

Thanks for this - confirmed, this is because mail.wikipedia.org redirects to lists.wikimedia.org, not sure if this can be fixed though.

We have a wildcard cert for *.wikipedia.org (used on e.g. enwiki).

Could that be installed on mail.wikipedia.org, or would it pose a risk?

Otherwise, we could get a cert for mail.wikipedia.org and use it to serve the redirect.

I hit this since I use HTTPS Everywhere, with has a general Wikimedia rule. If a fix is not possible, I will request they disable this redirect (http://mail.wikipedia.org -> https://mail.wikipedia.org).

Also, if we can't fix it we should consider just disable accessing it by SSL (so https://mail.wikipedia.org wouldn't work).

Thehelpfulonewiki wrote:

Adding Daniel to CC to have a look at the feasibility of this.

The second Google Result for wikitech-l links to mail.wikipedia.org page, so I suspect there are probably at least a few people who have run into this issue trying to find the wikitech-l archives.

The google result might change its URL if we add a permanent HTTP redirect from mail.wikipedia.org to lists.wikimedia.org (maybe add some of its other aliases when we are at it) in the apache config.

There is a 301 redirect (permanent redirect) currently. However, for SSL=>SSL (https://mail.wikipedia.org => https://lists.wikimedia.org/), the only way you can even get the 301 is by accepting an invalid certificate.

I'm not sure of GoogleBot's behavior in this regard. (Apparently, they send warnings out through Webmaster Tools, but I'm not sure how it affects the actual index).

(In reply to Matthew Flaschen from comment #8)

I'm not sure of GoogleBot's behavior in this regard. (Apparently, they send
warnings out through Webmaster Tools, but I'm not sure how it affects the
actual index).

Just to be clear, the result Zell mentioned is HTTP (http://mail.wikipedia.org/pipermail/wikitech-l/), not HTTPS, so that particular link would only affect HTTPS Everywhere (or similar) users.

Maybe the link doesn't get updated because robots.txt has Disallow: /pipermail/ . Perhaps making http://mail.wikipedia.org/robots.txt (only for that domain) a 404 has the desirable effect.

(In reply to Jan Zerebecki from comment #10)

Maybe the link doesn't get updated because robots.txt has Disallow:
/pipermail/ . Perhaps making http://mail.wikipedia.org/robots.txt (only for
that domain) a 404 has the desirable effect.

I think that may have been the original domain, so that will probably still lead to crawling the archives.

(In reply to Matthew Flaschen from comment #11)

(In reply to Jan Zerebecki from comment #10)

Maybe the link doesn't get updated because robots.txt has Disallow:
/pipermail/ . Perhaps making http://mail.wikipedia.org/robots.txt (only for
that domain) a 404 has the desirable effect.

I think that may have been the original domain, so that will probably still
lead to crawling the archives.

Actually never mind, as long as the crawlers respect the destination robots.txt (after being redirected) it should be fine.

(In reply to Matthew Flaschen from comment #9)

(In reply to Matthew Flaschen from comment #8)

I'm not sure of GoogleBot's behavior in this regard. (Apparently, they send
warnings out through Webmaster Tools, but I'm not sure how it affects the
actual index).

Just to be clear, the result Zell mentioned is HTTP
(http://mail.wikipedia.org/pipermail/wikitech-l/), not HTTPS, so that
particular link would only affect HTTPS Everywhere (or similar) users.

HTTPS was enabled on this domain because of a HTTPS Everywhere user:
https://bugzilla.wikimedia.org/show_bug.cgi?id=33897

I would recommend not turning off HTTPS on the domain if that is the direction the discussion is heading. I like the idea of even just the simple redirect being secure.

Just to be clear, the result Zell mentioned is HTTP
(http://mail.wikipedia.org/pipermail/wikitech-l/), not HTTPS, so that
particular link would only affect HTTPS Everywhere (or similar) users.

This is correct. I use HTTPS Everywhere, and there are quite a lot of people who do, especially within the sort of community that searches for technical mailing list archives.

Change 154222 had a related patch set uploaded by Jeremyb:
fix cert mismatch on mail.wikipedia.org

https://gerrit.wikimedia.org/r/154222

Change 154223 had a related patch set uploaded by Jeremyb:
fix cert mismatch on mail.wikipedia.org

https://gerrit.wikimedia.org/r/154223

btw, I tested mail to a -request address @mail.wikipedia.org (subject="help") and got the same response I would expect for mail to the canonical address.

This change *should* keep that status quo working fine...

Change 154223 merged by Faidon Liambotis:
Redirect mail.wikipedia.org to lists.wikimedia.org

https://gerrit.wikimedia.org/r/154223

Change 154222 merged by Faidon Liambotis:
Move mail.wikipedia.org to the main cluster

https://gerrit.wikimedia.org/r/154222

This should be fixed now. Thanks Jeremy for all the work!

Thanks for updating the patches. LGTM.

https://www.google.com/search?q=site%3Amail.wikipedia.org has ~2850 results.

Let's check in a week or three and see if that has improved.