On Aug 23, 2013 7:46 PM, "Chris Steipp" csteipp@wikimedia.org wrote:
Hi all,
With all the talk about turning on $wgSecureLogin for WMF sites, there has been a lot of misconceptions about how the option works, and difference of opinions about how they should work in the future.
I started: https://www.mediawiki.org/wiki/Requests_for_comment/Login_security
It would be great to get feedback on the "Longer Term Questions" section. Also, if anyone isn't entirely clear about how the preferences work, hopefully this will provide some clarification.
Requiring https for advanced privileges seems odd. Would that require a second set of credentials over a https only page? If not, the most important consideration is already lost, the credentials. If yes, will people actually use different credentials? Should that be enforced? Is that worth the software complexity? What are the advantages here?
_______________________________________________
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-lht