On Mon, Apr 29, 2013 at 9:12 AM, Brion Vibber <bvibber(a)wikimedia.org> wrote:
> Just curious -- what's the state of forcing HTTPS for all user sessions?
>
> It's simple common sense at this point to protect all our users from
> session hijacking on local networks or MITM attacks.
>
> I see some Gerrit activity on adding "preferences" or special groups for
> HTTPS, which seems a horrid practice when we could just protect everyone...

A handful of people have made comments that they really want the
option to not use HTTPS. And in MediaWiki, some sites may still be
concerned about the performance.

So I think the question is in MediaWiki, do we want to support sites
that allow users to disable SSL after login (which is the current use
of $wgSecureLogin)? If not, we can alter the functionality to make it
force all logged in sessions to use SSL. If so, is that something the
WMF wants to enable
(https://bugzilla.wikimedia.org/show_bug.cgi?id=39380), or do we want
another flag ($wgReallySuperSecureLogin) that forces sessions into
SSL?

Personally, I think giving users safe defaults, but the option to
shoot themselves *often* is the most secure option, because most users
will use the secure defaults, and people who want another option will
go to great, ugly lengths to circumvent your feature. This is the
direction I've been working towards, but if there is strong support
for another option, I'm happy to adjust.