
What about here in the US? Wikipedia is blocking my access to their website on my iPad because I'm too poor to afford a new one:

https://mailman.nanog.org/pipermail/nanog/2019-December/1050...

Any news stories about such development? Or do they only care about Turkey?




They don't have a goal of blocking iPads or poor people, they have a goal of blocking old TLS versions.

But yes, I would like to see their reasoning for this decision. How many people were using <= TLS1.1? If it was near-0 then it should be fine, but if a lot of people were using it (probably yes), then they should have a strong reason to block them. This page[1] seems to say the reason is for PCI-DSS compliance. I dislike compliance-based decisions. We should base decisions on real user impact, not on compliance.

[1] https://phabricator.wikimedia.org/phame/post/view/111/wikipe...


Can you explain why blocking old TLS versions is even necessary? Didn't all the browser vendors announce that they're disabling old TLS versions in their browsers in a few months now?

Blocking poor people is the only thing that is accomplished by this policy employed by Wikipedia. It's very sad that everyone's celebrating all these actions, instead of calling Wikipedia out for widening the digital gap, and quite literally expiring your right to read.


I never said it's necessary.

But there are certain risks from supporting the old versions. Take a look at this table[1]. In the TLS 1.0 and TLS 1.1 columns not a single cipher is listed as secure. Some can be secure with mitigations, but I'm not familiar with the difficulty of those mitigations, and whether the mitigations would have to be server-side or client-side. If client-side, then by blocking old versions, they might actually be closing vulnerabilities.

Supporting more stuff means more surface area for new attacks. Also the older stuff was designed with less knowledge of current attack strategies, so there might be a higher likelihood of vulnerabilities being found there.

Just because new browsers disable old TLS versions doesn't mean everyone is safe. As you've already pointed out, some people use old browsers, so to protect those people there might need to be server-side changes.

> Blocking poor people is the only thing that is accomplished by this policy employed by Wikipedia.

That seems like an exaggeration. One thing they accomplished was PCI-DSS compliance. I don't value that, but some people probably do.

> It's very sad that everyone's celebrating all these actions

I'm not celebrating their actions.

[1] https://en.wikipedia.org/wiki/Transport_Layer_Security#Ciphe...
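The server-side change discussed above is, concretely, a minimum-version policy applied to each incoming ClientHello. The following is an added example (not Wikimedia's code and not from the original thread) that builds constructed ClientHello records, parses the fields a version policy depends on, and shows which clients a "TLS 1.2 or newer" policy rejects. One detail worth seeing in code: a TLS 1.3 client advertises 0x0303 (TLS 1.2) in the legacy version field and carries its real offer in the supported_versions extension (RFC 8446, section 4.2.1), so a policy that only looks at the legacy field would misjudge modern clients. The cipher suite values and random bytes are fixed test input, not captured traffic.

```python
"""Server-side TLS minimum-version policy applied to a parsed ClientHello.

Added example: the records built here are constructed test input, not
captures from any real client or server.
"""
import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43  # extension type registered for supported_versions (RFC 8446)


def build_client_hello(legacy_version, supported_versions=None):
    """Build a minimal ClientHello record (constructed test input).

    A pre-1.3 client encodes its highest version in legacy_version and
    sends no supported_versions extension; a 1.3 client sets the legacy
    field to 0x0303 and lists its real offer in the extension.
    """
    body = struct.pack("!H", legacy_version)
    body += b"\x42" * 32                 # client_random: fixed bytes, test input only
    body += b"\x00"                      # zero-length legacy_session_id
    suites = [0x1301, 0xC02F]            # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                  # one compression method: null
    if supported_versions is not None:
        versions = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_data = bytes([len(versions)]) + versions          # 1-byte length prefix per RFC 8446
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello = 1
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(record):
    """Extract legacy_version, cipher suites and supported_versions from one record."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                          # skip client_random
    pos += 1 + body[pos]                  # skip legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                  # skip compression_methods
    supported = None
    if pos < len(body):                   # extensions block is optional in older ClientHellos
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = data[0]
                supported = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return {"legacy_version": legacy_version, "supported_versions": supported,
            "cipher_suites": cipher_suites}


def negotiated_version(hello, minimum=0x0303, maximum=0x0304):
    """Version a server with policy [minimum, maximum] would select, or None to reject.

    With supported_versions present the legacy field is ignored (RFC 8446);
    otherwise the client accepts any version up to legacy_version (RFC 5246).
    """
    if hello["supported_versions"]:
        candidates = hello["supported_versions"]
    else:
        candidates = [v for v in TLS_VERSIONS if v <= hello["legacy_version"]]
    acceptable = [v for v in candidates if minimum <= v <= maximum]
    return max(acceptable) if acceptable else None


if __name__ == "__main__":
    for label, rec in [("TLS 1.1 client", build_client_hello(0x0302)),
                       ("TLS 1.2 client", build_client_hello(0x0303)),
                       ("TLS 1.3 client", build_client_hello(0x0303, [0x0304, 0x0303]))]:
        chosen = negotiated_version(parse_client_hello(rec))
        print(label, "->", TLS_VERSIONS.get(chosen, "rejected"))
```

Running it with the default policy shows the TLS 1.1 client rejected and the other two accepted; passing minimum=0x0301 reproduces the permissive behaviour the old clients in this thread relied on.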


That's all fine and dandy, but why does it matter? This is not some sort of personal messaging, banking or financial transactions that we're talking about; this is literally an online resource where any anonymous user can come and edit anything they please without any sort of authentication or peer review whatsoever — on English Wikipedia, all edits are immediately shown to all subsequent visitors/readers, even the vandalism made by anonymous users, which on some articles goes undetected for months or even years at a time, especially in cases where the vandalism is subtle enough.

Put simply, it's literally a big dump of unverified information, even if some of it appears to be relatively reliable and of good quality most of the time; how does preventing me from accessing it from my iPad or Android magically make it so great and "secure"? Don't they have any bigger problems to worry about?

And what does PCI-DSS compliance have to do with an encyclopaedia? How does Wikipedia benefit from being PCI-DSS compliant? What's next — is Wikipedia going to adopt EDD-KYC, too?


Yeah, I mostly agree.

The most sensitive thing on Wikipedia I would think is the passwords. People often reuse passwords, so a password stolen from Wikipedia could maybe be reused against the victim's email or bank account.

Another possible sensitive item is the mapping of a username to an email. If there's an edit or account that a government doesn't like, that government might want to find what email is associated with the account, and then use information on that email to arrest the person. (Email accounts often contain phone numbers.) This reminds me of this comment[1], in which a vulnerability in Twitter allowed the Chinese government to map a username to a phone number, and then use that phone number to arrest the person.

[1] https://news.ycombinator.com/item?id=21874040


They accept credit card donations on the site.


No, they don't.

There's only one link for the word "donate", and it leads to https://donate.wikimedia.org/wiki/Special:FundraiserRedirect..., which is an entirely different site from en.wikipedia.org.

Or are you saying there's something in PCI-DSS that would prohibit creating a link from an insecure website to a secure one?



