On 29 April 2013 09:12, Brion Vibber <bvibber@wikimedia.org> wrote:

> Just curious -- what's the state of forcing HTTPS for all user sessions? It's simple common sense at this point to protect all our users from session hijacking on local networks or MITM attacks.

Now a bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=47832 (how did we not have one already?).

> I see some Gerrit activity on adding "preferences" or special groups for HTTPS, which seems a horrid practice when we could just protect everyone...

Agreed; this was a nice idea back in the day when SSL was expensive, but now…

J.
-- 
James D. Forrester
Product Manager, VisualEditor
Wikimedia Foundation, Inc.
jforrester@wikimedia.org | @jdforrester