- Should MediaWiki support allowing some users to use http for their login, while most users use https? If yes, what are reasonable criteria for determining who can use http (e.g., user groups, GeoIP, or some other criteria)?
I don't have an answer for this, but if it is done it should not be in core, which seems to be the current approach anyway (since the current patch just adds a CanUseHTTPS hook).
- Should MediaWiki support logged in users using HTTP, when HTTPS is available to them but they don't want to use it (typically for performance reasons -- low-end devices, lack of caching, etc.)?
I think so. I mean the difficulty of allowing a user to go back to HTTP is not that difficult.
- Should MediaWiki support requiring HTTPS for users with advanced privileges?
You mean like my $wgSecureGroups approach? Because if people actually still want that I can attempt to revive that part of my patch. I think it'd be of especial interest to require HTTPS for checkusers and oversight people, due to the legal problems associated with breaches to those accounts.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com
On Fri, Aug 23, 2013 at 1:46 PM, Chris Steipp csteipp@wikimedia.org wrote:
Hi all,
With all the talk about turning on $wgSecureLogin for WMF sites, there have been a lot of misconceptions about how the option works, and differences of opinion about how they should work in the future.
I started: https://www.mediawiki.org/wiki/Requests_for_comment/Login_security
It would be great to get feedback on the "Longer Term Questions" section. Also, if anyone isn't entirely clear about how the preferences work, hopefully this will provide some clarification.