- Should MediaWiki support allowing some users to use http for their
login, while most users use https? If yes, what are reasonable criteria for
determining who can use http (e.g., user groups, GeoIP, or some other
criteria)?

I don't have an answer for this, but if it is done it should not be in
core, which seems to be the current approach anyway (since the current
patch just adds a CanUseHTTPS hook).

- Should MediaWiki support logged in users using HTTP, when HTTPS is
available to them but they don't want to use it (typically for performance
reasons-- low end devices, lack of caching, etc)?

I think so. I mean the difficulty of allowing a user to go back to HTTP is
not that difficult.

- Should MediaWiki support requiring HTTPS for users with advanced
privileges?

You mean like my $wgSecureGroups approach? Because if people actually still
want that I can attempt to revive that part of my patch. I think it'd be of
especial interest to require HTTPS for checkusers and oversight people, due
to the legal problems associated with breaches to those accounts.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo(a)gmail.com
On Fri, Aug 23, 2013 at 1:46 PM, Chris Steipp <csteipp(a)wikimedia.org> wrote:
Hi all,
With all the talk about turning on $wgSecureLogin for WMF sites, there have
been a lot of misconceptions about how the option works, and differences of
opinion about how they should work in the future.
I started:
https://www.mediawiki.org/wiki/Requests_for_comment/Login_security
It would be great to get feedback on the "Longer Term Questions" section.
Also, if anyone isn't entirely clear about how the preferences work,
hopefully this will provide some clarification.