Hi.
https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 is about adding a user preference for HTTP vs. HTTPS while a user is logged in.
I'd really like to see this bug resolved, as I regularly encounter HTTP links and the lack of auto-redirection is becoming a larger and larger usability problem for me. (I don't use HTTPS-Everywhere on my personal computer.)
I have a few questions for this list:
* Does a user preference make sense here? I argued on that bug that adding an intermediate user preference seems a bit silly (letting the user shoot themselves in the foot), but it's apparently common to give the user a choice (Gmail, Twitter, Facebook, etc. all allow a choice).
(This next question is for Wikimedia ops.)
* If a user preference is implemented and the default is set to HTTPS, is the current infrastructure ready for the increased load? That is, if the code were magically ready tomorrow, could HTTPS be immediately deployed as a default for logged-in users without causing any problems?
MZMcBride
I like this idea, but I think that it should be done as a global preference (https://bugzilla.wikimedia.org/show_bug.cgi?id=14950).
Krenair
On 10/03/12 18:58, MZMcBride wrote:
Hi.
https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 is about adding a user preference for HTTP vs. HTTPS while a user is logged in.
I'd really like to see this bug resolved, as I regularly encounter HTTP links and the lack of auto-redirection is becoming a larger and larger usability problem for me. (I don't use HTTPS-Everywhere on my personal computer.)
I have a few questions for this list:
- Does a user preference make sense here? I argued on that bug that adding
an intermediate user preference seems a bit silly (letting the user shoot themselves in the foot), but it's apparently common to give the user a choice (Gmail, Twitter, Facebook, etc. all allow a choice).
(This next question is for Wikimedia ops.)
- If a user preference is implemented and the default is set to HTTPS, is
the current infrastructure ready for the increased load? That is, if the code were magically ready tomorrow, could HTTPS be immediately deployed as a default for logged-in users without causing any problems?
MZMcBride
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Sat, 10 Mar 2012 10:58:19 -0800, MZMcBride z@mzmcbride.com wrote:
Hi.
https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 is about adding a user preference for HTTP vs. HTTPS while a user is logged in.
I'd really like to see this bug resolved, as I regularly encounter HTTP links and the lack of auto-redirection is becoming a larger and larger usability problem for me. (I don't use HTTPS-Everywhere on my personal computer.)
I have a few questions for this list:
- Does a user preference make sense here? I argued on that bug that
adding an intermediate user preference seems a bit silly (letting the user shoot themselves in the foot), but it's apparently common to give the user a choice (Gmail, Twitter, Facebook, etc. all allow a choice).
(This next question is for Wikimedia ops.)
- If a user preference is implemented and the default is set to HTTPS, is
the current infrastructure ready for the increased load? That is, if the code were magically ready tomorrow, could HTTPS be immediately deployed as a default for logged-in users without causing any problems?
MZMcBride
I believe the idea of a HTTPS preference was WONTFIXed under the premise that the final goal is to have all logged in users unconditionally using https.
Daniel Friesen wrote:
I believe the idea of a HTTPS preference was WONTFIXed under the premise that the final goal is to have all logged in users unconditionally using https.
https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 looks open to me. Do you have a link to the bug you're referring to?
Krenair wrote:
I like this idea, but I think that it should be done as a global preference (https://bugzilla.wikimedia.org/show_bug.cgi?id=14950).
Well, sure, but perfect is the enemy of the done. For right now, it can at least be added as a local user preference (or just be implemented unconditionally)... I think. That's why I started the thread: to clarify what needs to be done and who's ready for what. :-)
MZMcBride
Well, sure, but perfect is the enemy of the done. For right now, it can at least be added as a local user preference (or just be implemented unconditionally)... I think. That's why I started the thread: to clarify what needs to be done and who's ready for what. :-)
Please let's not add a silly preference like this. Let's just keep operating under the idea that all logged in users will use HTTPS, and keep moving towards that goal.
As for the "will the servers handle it" question: yes, I'm sure they'll handle it fine:
http://ganglia.wikimedia.org/latest/?r=hour&cs=&ce=&m=&s=by+...
http://ganglia.wikimedia.org/latest/?r=hour&cs=&ce=&m=&s=by+...
http://ganglia.wikimedia.org/latest/?r=hour&cs=&ce=&m=&s=by+...
We have 12 servers for this, and they are so very bored right now. We have the ability to add load to them by moving wikis over gradually as well, so we'll see if we need to add more capacity.
- Ryan
Ryan Lane wrote:
Well, sure, but perfect is the enemy of the done. For right now, it can at least be added as a local user preference (or just be implemented unconditionally)... I think. That's why I started the thread: to clarify what needs to be done and who's ready for what. :-)
Please let's not add a silly preference like this. Let's just keep operating under the idea that all logged in users will use HTTPS, and keep moving towards that goal.
Okay, I don't disagree. Do you think https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 should have a different bug summary (current summary is "User preference for HTTP vs HTTPS while logged in") or should the bug simply be resolved "wontfix" and a separate bug filed?
As for the "will the servers handle it" question: yes, I'm sure they'll handle it fine:
[...]
We have 12 servers for this, and they are so very bored right now. We have the ability to add load to them by moving wikis over gradually as well, so we'll see if we need to add more capacity.
Thanks for the info!
MZMcBride
Please let's not add a silly preference like this. Let's just keep operating under the idea that all logged in users will use HTTPS, and keep moving towards that goal.
Okay, I don't disagree. Do you think https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 should have a different bug summary (current summary is "User preference for HTTP vs HTTPS while logged in") or should the bug simply be resolved "wontfix" and a separate bug filed?
I have no preference either way, whatever you guys want to do.
- Ryan
On 10/03/12 19:58, MZMcBride wrote:
Hi.
https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 is about adding a user preference for HTTP vs. HTTPS while a user is logged in.
I'd really like to see this bug resolved, as I regularly encounter HTTP links and the lack of auto-redirection is becoming a larger and larger usability problem for me. (I don't use HTTPS-Everywhere on my personal computer.)
I have a few questions for this list:
- Does a user preference make sense here? I argued on that bug that adding
an intermediate user preference seems a bit silly (letting the user shoot themselves in the foot), but it's apparently common to give the user a choice (Gmail, Twitter, Facebook, etc. all allow a choice).
It doesn't make much sense to implement HTTPS as a (normal) user preference. If you go to http and you are logged in (so that your preferences can be honored), your session is not much safer by having an immediate redirect to HTTPS, I'd consider it a placebo more than an impprovement*. OTOH, it could be implemented with a cookie meaning "redirect me to https" (and nothing else). This would make both http:// and https://, show the logged in interface, having just secure cookies. We could also use Strict Transport Security, but that's harder to set for all our domains (I think it'd have to be set from the root one), and it's harder to reset if we have to go back. Still, it's something to enable on the future.
* It'd be _slightly_ safer, mostly with read-only enemies and short-lived sessions; but not anywhere near what expect from a "https login".
On Sun, Mar 11, 2012 at 5:58 AM, MZMcBride z@mzmcbride.com wrote:
Hi.
https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 is about adding a user preference for HTTP vs. HTTPS while a user is logged in.
I'd really like to see this bug resolved, as I regularly encounter HTTP links and the lack of auto-redirection is becoming a larger and larger usability problem for me. (I don't use HTTPS-Everywhere on my personal computer.)
Why isnt HTTPS Everywhere a good solution for you?
John Vandenberg wrote:
On Sun, Mar 11, 2012 at 5:58 AM, MZMcBride z@mzmcbride.com wrote:
Hi.
https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 is about adding a user preference for HTTP vs. HTTPS while a user is logged in.
I'd really like to see this bug resolved, as I regularly encounter HTTP links and the lack of auto-redirection is becoming a larger and larger usability problem for me. (I don't use HTTPS-Everywhere on my personal computer.)
Why isnt HTTPS Everywhere a good solution for you?
I've been using Google Chrome lately. :-(
But it looks like HTTPS Everywhere now finally supports Chrome: https://www.eff.org/https-everywhere, so I suppose I can resolve this for myself.
Still, it'd be nice if it were done for everyone. When users customize their own browsers like this, it actually slows down widespread adoption of a "new feature" like HTTPS. That is, if HTTPS Everywhere didn't exist at all, the large number of techy Firefox users getting annoyed by hitting http links would be more helpful in getting auto-redirection working.
Anyway, off I go to install that extension.
MZMcBride
On Sat, Mar 10, 2012 at 7:44 PM, MZMcBride z@mzmcbride.com wrote:
... and the extension installs without even needing a browser restart. This is why Chrome is so fucking irresistible.
Yes. I've been using it for about a week now and it seems to be flawless for just about all the wikis we have, including outreach, meta, etc. Good stuff.
Steven
On Sun, Mar 11, 2012 at 8:41 AM, MZMcBride z@mzmcbride.com wrote:
I've been using Google Chrome lately. :-(
But it looks like HTTPS Everywhere now finally supports Chrome: https://www.eff.org/https-everywhere, so I suppose I can resolve this for myself.
:o Finally! (Although it's still in beta) *installs*
wikitech-l@lists.wikimedia.org