----- Original Message -----
From: "Zack Weinberg" <zackw(a)cmu.edu>
> The first step really must be to enable HTTPS unconditionally for
> everyone (whether or not logged in). I see on the roadmap that there
> is concern that this will lock out large groups of users, e.g. from
> China; a workaround simply *must* be found for this. Everything else
> that is worth doing is rendered ineffective if *any* application layer
> data is *ever* transmitted over an insecure channel. There is no point
> worrying about traffic analysis when an active man-in-the-middle can
> inject malicious JavaScript into unsecured pages, or a passive one can
> steal session cookies as they fly by in cleartext.

I understand your goal, and your argument, but I've just this week been
reminded that It Isn't Always China.

I found myself stuck on a non-rooted Android phone, and having to use
a demo version of a tethering app ... which wouldn't pass HTTPS on
purpose. Ironically, that's why it was the demo: I couldn't get through
it to PayPal to buy it from them.

My point here, of course, is that you have to decide whether you're
forcing HTTPS *for the user's good* or *for the greater good*... and
if you think it's the former, remember that the user sometimes knows
better than you do.

If it's the latter, well, you have to decide what percentage of false
positives you're willing to let get away: are there any large populations
of WP users *who cannot use HTTPS*? EMEA users on cheap non-smart phones
that have a browser, but it's too old -- or the phone too slow -- to
do HTTPS?

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra(a)baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates
http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA #natog +1 727 647 1274