On 20 August 2013 13:12, Greg Grossmeier <greg@wikimedia.org> wrote:
<quote name="Tyler Romeo" date="2013-08-20" time="10:50:23 -0400">
> On Tue, Aug 20, 2013 at 10:34 AM, MZMcBride <z@mzmcbride.com> wrote:
>
> > (And if the user preference isn't meant to serve those who can't use
> > HTTPS, who is it intended to serve?)
> >
>
> My point is that it doesn't matter what your user preference is. Whether
> it's false or true, you still have to log in over HTTPS. In other words,
> the user preference has no effect on your ability to use the site.
One group of users that is always being forgotten in this discussion is the group who use Wikipedia over really crappy connections that aren't censoring them. These users will have a hard time using an SSL connection due to the added resources/round trips and have a legitimate non-China/NSA excuse to disable HTTPS after they log in (where the added roundtrips are probably worthwhile to keep their username/password safe).
This is correct, but it is still not addressing the question of what happens to users who are completely unable to use HTTPS, and whether or not they will remain logged in if they try to reach another HTTPS-standard project if they start off from Chinese/Farsi projects.
We have project-specific IPBE user-rights for users who are affected by blocked IP addresses (which include but aren't limited to TOR nodes or other blocked proxies). Is it possible to create a similar user-right for "HTTPS not default for login" for these users?
We are talking about a non-negligible number of high-activity users on multiple projects being adversely affected here, including several stewards (cross-project issues), administrators, and high-productivity editors. It is important to find a way that is certain to allow them to log in and to move across multiple projects, and doing so should not be considered an *enhancement*, it should be considered a required feature of the new process. (It may not be a blocker, but I'd hope to see this "fixed" before the end of the month.)
Risker