On 10/03/12 19:58, MZMcBride wrote:
Hi.
https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 is about adding a user preference for HTTP vs. HTTPS while a user is logged in.
I'd really like to see this bug resolved, as I regularly encounter HTTP links and the lack of auto-redirection is becoming a larger and larger usability problem for me. (I don't use HTTPS-Everywhere on my personal computer.)
I have a few questions for this list:
- Does a user preference make sense here? I argued on that bug that adding an intermediate user preference seems a bit silly (letting the user shoot themselves in the foot), but it's apparently common to give the user a choice (Gmail, Twitter, Facebook, etc. all allow a choice).
It doesn't make much sense to implement HTTPS as a (normal) user preference. If you go to http and you are logged in (so that your preferences can be honored), your session is not much safer by having an immediate redirect to HTTPS; I'd consider it a placebo more than an improvement*. OTOH, it could be implemented with a cookie meaning "redirect me to https" (and nothing else). This would make both http:// and https:// show the logged-in interface, having just secure cookies. We could also use Strict Transport Security, but that's harder to set for all our domains (I think it'd have to be set from the root one), and it's harder to reset if we have to go back. Still, it's something to enable in the future.
* It'd be _slightly_ safer, mostly with read-only enemies and short-lived sessions; but not anywhere near what you'd expect from a "https login".
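The mechanism sketched in the reply (a preference cookie that only says "redirect me to https", a session cookie marked Secure so it never travels over plain http, and an HSTS header sent on https responses) modelled as a small request handler. This is an added illustration, not MediaWiki code or anything from the thread; the cookie names `forceHTTPS` and `session`, the max-age values and the host `example.org` are constructed assumptions. It also models the "placebo" footnote: a non-Secure session cookie is already exposed on the http request that triggers the redirect, so the redirect alone buys little.

```python
"""Toy model of a "redirect me to https" preference cookie beside Secure
session cookies and HSTS.  Constructed example; cookie names, max-age
values and hostnames are assumptions, not MediaWiki's configuration."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False      # browsers attach Secure cookies only over https
    http_only: bool = True

    def header(self) -> str:
        """Render the Set-Cookie header value for this cookie."""
        attrs = [f"{self.name}={self.value}", "Path=/"]
        if self.secure:
            attrs.append("Secure")
        if self.http_only:
            attrs.append("HttpOnly")
        return "; ".join(attrs)


def cookies_sent(jar: list[Cookie], scheme: str) -> dict[str, str]:
    """Which stored cookies a browser would attach to a request over `scheme`."""
    return {c.name: c.value for c in jar if scheme == "https" or not c.secure}


def login_response(prefer_https: bool) -> list[Cookie]:
    """Cookies set after a successful login over https (assumed names)."""
    jar = [Cookie("session", "constructed-session-id", secure=True)]
    if prefer_https:
        # Carries no secret, so it is deliberately NOT Secure: it must be
        # readable on the plain-http request so the redirect can fire
        # before any session material is needed.
        jar.append(Cookie("forceHTTPS", "1", secure=False))
    return jar


def handle_request(scheme: str, host: str, path: str, jar: list[Cookie]) -> dict:
    """Server-side decision for one request.

    Returns 'status', a list of (header, value) pairs and 'logged_in',
    i.e. whether the session cookie actually reached the server.
    """
    sent = cookies_sent(jar, scheme)
    headers: list[tuple[str, str]] = []
    if scheme == "http" and sent.get("forceHTTPS") == "1":
        headers.append(("Location", f"https://{host}{path}"))
        return {"status": 301, "headers": headers, "logged_in": False}
    if scheme == "https":
        # RFC 6797: browsers only honour HSTS received over TLS, so there is
        # no point emitting it on http responses.
        headers.append(("Strict-Transport-Security", "max-age=31536000"))
    return {"status": 200, "headers": headers, "logged_in": "session" in sent}


if __name__ == "__main__":
    jar = login_response(prefer_https=True)
    print(handle_request("http", "example.org", "/wiki/Foo", jar))
    print(handle_request("https", "example.org", "/wiki/Foo", jar))
    # The placebo case: a non-Secure session cookie leaks on the http hop.
    weak = [Cookie("session", "constructed-session-id", secure=False)]
    print("leaked over http:", cookies_sent(weak, "http"))
```

Run as a script to see the three cases: the http request is redirected without the session cookie ever leaving the browser, the https request gets the logged-in response plus HSTS, and the non-Secure jar shows the session id present on the plain-http request regardless of any redirect.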