On 23 August 2013 17:10, Marc A. Pelletier <marc(a)uberbox.org> wrote:
On 08/23/2013 04:35 PM, Risker wrote:
I'd like to see what can be developed,
however, to support
Checkusers/Oversighters/Stewards who have difficulty using HTTPS
Pretty much by definition the accounts holding those bits are the one we
/least/ want to have their password snooped, and the ones most likely to
be targeted by malicious eavesdroppers. If we could only support some
accounts to use HTTPS, those are the ones we would need to force.
Yes, it does mean that there could not be checkusers in mainland China,
for instance as long as they are unable to log in through HTTPS. That
would be a /good/ thing.
As I said, Marc, there's already an offline discussion happening looking
for ways to effectively manage this without outright banning editors from
those geographical regions from serving Wikimedia communities. A decision
to prevent users from certain countries or with certain technical
challenges from holding these permissions is as much a policy issue as it
is a security issue (it's also a cross-wiki one), so that aspect needs to
be considered from a broad community perspective.
If a technical solution can be found that facilitates affected users being
able to securely use the tools, then the policy discussion would focus on
whether we require those editors to use the technical solution, instead of
recommending outright bans to granting advanced permissions to those
affected by HTTPS issues. Solutions are already being considered and
examined for this; granted, the discussion is occurring off-wiki so you
wouldn't have been aware.
Risker/Anne