----- Original Message -----
From: "Zack Weinberg" zackw@cmu.edu
The first step really must be to enable HTTPS unconditionally for everyone (whether or not logged in). I see on the roadmap that there is concern that this will lock out large groups of users, e.g. from China; a workaround simply *must* be found for this. Everything else that is worth doing is rendered ineffective if *any* application-layer data is *ever* transmitted over an insecure channel. There is no point worrying about traffic analysis when an active man-in-the-middle can inject malicious JavaScript into unsecured pages, or a passive one can steal session cookies as they fly by in cleartext.
I understand your goal, and your argument, but I've just this week been reminded that It Isn't Always China.
I found myself stuck on a non-rooted Android phone, and having to use a demo version of a tethering app ... which wouldn't pass HTTPS on purpose. Ironically, that's why it was the demo: I couldn't get through it to PayPal to buy it from them.
My point here, of course, is that you have to decide whether you're forcing HTTPS *for the user's good* or *for the greater good*... and if you think it's the former, remember that the user sometimes knows better than you do.
If it's the latter, well, you have to decide what percentage of false positives you're willing to let get away: are there any large populations of WP users *who cannot use HTTPS*? EMEA users on cheap non-smart phones that have a browser, but it's too old -- or the phone too slow -- to do HTTPS?
Cheers,
-- jra
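The cookie-theft half of the quoted argument is easy to see in code. The script below is an added example for this thread, not code from either poster or from the wiki software under discussion; it drives the standard-library cookie jar the way a browser would, so a session cookie issued over HTTPS is attached to the very next plain http:// request to the same host unless the server marked it Secure. The host name, paths and cookie value are constructed for the example.

```python
"""Why one cleartext page undoes "HTTPS only for logged-in users".

Added example (not from the thread or the wiki software it discusses).
A browser's cookie jar does not know which pages are "sensitive": a
session cookie set over HTTPS is sent on the next plain-http request to
the same host unless the Secure attribute was set, so a passive listener
on that hop captures it. Host, paths and cookie value are constructed.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for a server response; CookieJar only calls .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def remember_login_cookie(jar, login_url, cookie_line):
    """Store the Set-Cookie from the login response exactly as a browser would."""
    jar.extract_cookies(FakeResponse([cookie_line]), Request(login_url))


def cookie_header_for(jar, url):
    """Return the Cookie header the browser would put on a request for url ('' if none)."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie", "")


def session_crosses_cleartext(secure_attribute):
    """Log in over HTTPS, then view one plain-http page on the same host.

    Returns the Cookie header seen on the https request and on the http
    request; the latter is what a passive eavesdropper on the cleartext
    hop gets to read.
    """
    jar = CookieJar()
    cookie_line = "wiki_session=a1b2c3d4; Path=/"   # constructed value
    if secure_attribute:
        cookie_line += "; Secure"
    remember_login_cookie(jar, "https://wiki.example.org/login", cookie_line)
    return {
        "https": cookie_header_for(jar, "https://wiki.example.org/edit"),
        "http": cookie_header_for(jar, "http://wiki.example.org/read"),
    }


if __name__ == "__main__":
    for secure in (False, True):
        seen = session_crosses_cleartext(secure)
        print(f"Secure attribute {'set' if secure else 'absent'}:")
        print(f"  on https request: {seen['https'] or '(no cookie)'}")
        print(f"  on http  request: {seen['http'] or '(no cookie)'}")
```

Without the Secure attribute the http request carries the session cookie; with it, the jar withholds the cookie from cleartext. That only closes the passive case: the plain-http page itself is still whatever an active man-in-the-middle chooses to serve, which is the point made above about injected JavaScript and why the argument ends at HTTPS for every page rather than at cookie attributes.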