On Wed, Oct 15, 2014 at 3:39 PM, Chris Steipp csteipp@wikimedia.org wrote:
On Wed, Oct 15, 2014 at 5:32 AM, Antoine Musso hashar@free.fr wrote:
On 15/10/2014 12:23, Filippo Giunchedi wrote:
<snip>
> I should clarify that the 1.5% figure there is http+https combined (I
> think) so the actual figures for https will be lower.
>
> In practical terms I think no https would mean not being able to edit as
> a registered user, anon edit still works over http.
>
> +1 to clearly communicate this, perhaps on the "https entry points" e.g.
> login button at least while http is still the default.
That would prevent those users from logging in entirely since by default users have the preference 'prefershttps' set.
Worse, we always require https on the form that accepts the user's password. So all logins for IE6+XP users will be broken.
Updating the hook would be possible. Probably better than not turning off ssl3 to the main sites though. What about just running a banner on the site for IE <6 users, telling them that ssl is disabled and soon they won't be able to log in at all, we disable ssl3, and we temporarily put the CanIPUseHTTPS hook in to not force IE <6 users to https. After 90 days or so, we pull that part out of the hook, and IE6 users just have to deal with not being able to log in?
Given the numbers Christian pointed out, I think the 90-day interval is pretty irrelevant. It is not like those users will rush to upgrade/change to something not being IE6. I'd be delighted if we convinced something like 5% (~200k people if my numbers are right) of those users to do that. That being said, the plan sounds fine to me.