On Mon, Apr 29, 2013 at 9:12 AM, Brion Vibber <bvibber@wikimedia.org> wrote:
> Just curious -- what's the state of forcing HTTPS for all user sessions? It's simple common sense at this point to protect all our users from session hijacking on local networks or MITM attacks.
>
> I see some Gerrit activity on adding "preferences" or special groups for HTTPS, which seems a horrid practice when we could just protect everyone...

A handful of people have made comments that they really want the option to not use HTTPS. And in MediaWiki, some sites may still be concerned about the performance.
So I think the question is: in MediaWiki, do we want to support sites that allow users to disable SSL after login (which is the current use of $wgSecureLogin)? If not, we can alter the functionality to make it force all logged-in sessions to use SSL. If so, is that something the WMF wants to enable (https://bugzilla.wikimedia.org/show_bug.cgi?id=39380), or do we want another flag ($wgReallySuperSecureLogin) that forces sessions into SSL?
Personally, I think giving users safe defaults, but the option to shoot themselves *often* is the most secure option, because most users will use the secure defaults, and people who want another option will go to great, ugly lengths to circumvent your feature. This is the direction I've been working towards, but if there is strong support for another option, I'm happy to adjust.