I would be happy to disable http completely, and always redirect http to https.
People who have an OS so old that it can't support https are welcome to open a web browser on a separate device.

I don't actually know how to do this just for the login page. I think I remember an option in the dreamhost config panel to do this for the whole site, but I would have to hunt for it.

A *MUCH* bigger security concern is that I can't upgrade Mediawiki anymore. It has been years since running "git pull" on a large repo in a shell script on a dreamhost shared account was a viable option. I had a clunky workaround where I would rsync the whole thing locally, upgrade it, rsync it back up to dreamhost, and then run the last stage of the upgrade. I am always terrified that I will break the whole thing every time I do that, but maybe I will give it a try today since I happen to be on a vacation day and have time.

I would really like to move the whole wiki to a place where the upgrades were automatically managed for me. I haven't had time to look into that (in years)

On Thu, Sep 17, 2020 at 9:57 AM Adam Perry <[email protected]> wrote:

> It is not a good idea to have an HTTP login page. Your credentials are
> sent in plain text when you log in via HTTP.
>
> I realize that the OHR wiki isn't the most high-profile target for
> hackers, but it's still a bad idea. We don't need to allow wiki editing to
> everyone able to use the engine if it means compromising security.
>
>
> On Wed, Sep 16, 2020, 8:45 PM Ralph Versteegen <[email protected]> wrote:
>
>> Holly reported, and I can confirm, that you can't log into the wiki, or
>> create an account, when accessing it over HTTP instead of HTTPS. (I think I
>> remember seeing this already quite a while ago.) You get the following
>> message:
>>
>> "There seems to be a problem with your login session; this action has
>> been canceled as a precaution against session hijacking. Please resubmit
>> the form."
>>
>> It is nice to be able to access the wiki via HTTP, since HTTPS is
>> inaccessible from ancient OSes such as some of those we support. If the
>> login page could redirect from HTTP to HTTPS...
>>
>> Hmm, maybe I should file such things on github instead...
>> _______________________________________________
>> Ohrrpgce mailing list
>> [email protected]
>> http://lists.motherhamster.org/listinfo.cgi/ohrrpgce-motherhamster.org
>>
