On 20 August 2013 13:12, Greg Grossmeier <greg(a)wikimedia.org> wrote:

> <quote name="Tyler Romeo" date="2013-08-20" time="10:50:23 -0400">
> > On Tue, Aug 20, 2013 at 10:34 AM, MZMcBride <z(a)mzmcbride.com> wrote:
> > > (And if the user preference isn't meant to serve those who can't use
> > > HTTPS, who is it intended to serve?)
> >
> > My point is that it doesn't matter what your user preference is. Whether
> > it's false or true, you still have to log in over HTTPS. In other words,
> > the user preference has no effect on your ability to use the site.
>
> One group of users that is always being forgotten in this discussion is
> the group who use Wikipedia over really crappy connections that aren't
> censoring them. These users will have a hard time using an SSL
> connection due to the added resources/round trips and have a legitimate
> non-China/NSA excuse to disable HTTPS after they log in (where the added
> round trips are probably worthwhile to keep their username/password
> safe).

This is correct, but it is still not addressing the question of what
happens to users who are completely unable to use HTTPS, and whether or not
they will remain logged in if they try to reach another HTTPS-standard
project if they start off from Chinese/Farsi projects.

We have project-specific IPBE user-rights for users who are affected by
blocked IP addresses (which include but aren't limited to TOR nodes or
other blocked proxies). Is it possible to create a similar user-right for
"HTTPS not default for login" for these users?

We are talking about a non-negligible number of high-activity users on
multiple projects being adversely affected here, including several stewards
(cross-project issues), administrators, and high-productivity editors. It
is important to find a way that is certain to allow them to log in and to
move across multiple projects, and doing so should not be considered an
*enhancement*, it should be considered a required feature of the new
process. (It may not be a blocker, but I'd hope to see this "fixed" before
the end of the month.)

Risker