Just curious -- what's the state of forcing HTTPS for all user sessions? It's simple common sense at this point to protect all our users from session hijacking on local networks or MITM attacks.
I see some Gerrit activity on adding "preferences" or special groups for HTTPS, which seems a horrid practice when we could just protect everyone...
-- brion