On Wed, Oct 15, 2014 at 2:57 PM, Alexandros Kosiaris akosiaris@wikimedia.org wrote:
On Wed, Oct 15, 2014 at 3:39 PM, Chris Steipp csteipp@wikimedia.org wrote:
Updating the hook would be possible. Probably better than not turning off ssl3 to the main sites though. What about just running a banner on the site for IE <6 users, telling them that ssl is disabled and soon they won't be able to login at all, we disable ssl3, and we temporarily put the CanIPUseHTTPS hook in to not force IE <6 users to https. After 90 days or so, we pull that part out of the hook, and IE6 users just have to deal with not being able to login?
Given the numbers Christian pointed out, I think the 90 days interval is pretty irrelevant. It is not like those users will rush to upgrade/change to something not being IE6. I'd be delighted if we convinced something like 5% (~200k people if my numbers are right) of those users to do that. That being said, the plan sounds fine to me.
How many -logins- are we seeing from non-TLS capable browsers? I'd expect that to be much lower. Likely the majority of IE5/6 users are from very out of date corporate environments, which is probably not a place where most of our users are editing from.