On 29 April 2013 09:12, Brion Vibber <bvibber(a)wikimedia.org> wrote:
Just curious -- what's the state of forcing HTTPS for all user sessions?
It's simple common sense at this point to protect all our users from
session hijacking on local networks or MITM attacks.
Now a bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=47832 (how did
we not have one already?).
I see some Gerrit activity on adding "preferences" or special groups for
HTTPS, which seems a horrid practice when we could just protect everyone...
Agreed; this was a nice idea back in the day when SSL was expensive, but now…
J.
--
James D. Forrester
Product Manager, VisualEditor
Wikimedia Foundation, Inc.
jforrester(a)wikimedia.org | @jdforrester