Re: [Wikitech-l] HTTPS preference?

2012-03-10 Thread K. Peachey 
On Sun, Mar 11, 2012 at 8:41 AM, MZMcBride  wrote:
> I've been using Google Chrome lately. :-(
>
> But it looks like HTTPS Everywhere now finally supports Chrome:
> , so I suppose I can resolve this for
> myself.


:o Finally! (Although it's still in beta) *installs*

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS preference?

2012-03-10 Thread Ryan Lane 
>> Please let's not add a silly preference like this. Let's just keep
>> operating under the idea that all logged in users will use HTTPS, and
>> keep moving towards that goal.
>
> Okay, I don't disagree. Do you think
> https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 should have a different
> bug summary (current summary is "User preference for HTTP vs HTTPS while
> logged in") or should the bug simply be resolved "wontfix" and a separate
> bug filed?
>

I have no preference either way, whatever you guys want to do.

- Ryan

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS preference?

2012-03-10 Thread MZMcBride 
Ryan Lane wrote:
>> Well, sure, but perfect is the enemy of the done. For right now, it can at
>> least be added as a local user preference (or just be implemented
>> unconditionally)... I think. That's why I started the thread: to clarify
>> what needs to be done and who's ready for what. :-)
> 
> Please let's not add a silly preference like this. Let's just keep
> operating under the idea that all logged in users will use HTTPS, and
> keep moving towards that goal.

Okay, I don't disagree. Do you think
https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 should have a different
bug summary (current summary is "User preference for HTTP vs HTTPS while
logged in") or should the bug simply be resolved "wontfix" and a separate
bug filed?
 
> As for the "will the servers handle it" question: yes, I'm sure
> they'll handle it fine:
> 
> [...]
>  
> We have 12 servers for this, and they are so very bored right now. We
> have the ability to add load to them by moving wikis over gradually as
> well, so we'll see if we need to add more capacity.

Thanks for the info!

MZMcBride



___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS preference?

2012-03-10 Thread Ryan Lane 
> Well, sure, but perfect is the enemy of the done. For right now, it can at
> least be added as a local user preference (or just be implemented
> unconditionally)... I think. That's why I started the thread: to clarify
> what needs to be done and who's ready for what. :-)
>

Please let's not add a silly preference like this. Let's just keep
operating under the idea that all logged in users will use HTTPS, and
keep moving towards that goal.

As for the "will the servers handle it" question: yes, I'm sure
they'll handle it fine:

http://ganglia.wikimedia.org/latest/?r=hour&cs=&ce=&m=&s=by+name&c=SSL%2520cluster%2520eqiad&tab=m&vn=

http://ganglia.wikimedia.org/latest/?r=hour&cs=&ce=&m=&s=by+name&c=SSL%2520cluster%2520esams&tab=m&vn=

http://ganglia.wikimedia.org/latest/?r=hour&cs=&ce=&m=&s=by+name&c=SSL%2520cluster%2520pmtpa&tab=m&vn=

We have 12 servers for this, and they are so very bored right now. We
have the ability to add load to them by moving wikis over gradually as
well, so we'll see if we need to add more capacity.

- Ryan

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS preference?

2012-03-10 Thread MZMcBride 
MZMcBride wrote:
> Anyway, off I go to install that extension.

... and the extension installs without even needing a browser restart. This
is why Chrome is so fucking irresistible.

MZMcBride



___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS preference?

2012-03-10 Thread MZMcBride 
John Vandenberg wrote:
> On Sun, Mar 11, 2012 at 5:58 AM, MZMcBride  wrote:
>> Hi.
>> 
>> https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 is about adding a user
>> preference for HTTP vs. HTTPS while a user is logged in.
>> 
>> I'd really like to see this bug resolved, as I regularly encounter HTTP
>> links and the lack of auto-redirection is becoming a larger and larger
>> usability problem for me. (I don't use HTTPS-Everywhere on my personal
>> computer.)
> 
> Why isnt HTTPS Everywhere a good solution for you?

I've been using Google Chrome lately. :-(

But it looks like HTTPS Everywhere now finally supports Chrome:
, so I suppose I can resolve this for
myself.

Still, it'd be nice if it were done for everyone. When users customize their
own browsers like this, it actually slows down widespread adoption of a "new
feature" like HTTPS. That is, if HTTPS Everywhere didn't exist at all, the
large number of techy Firefox users getting annoyed by hitting http links
would be more helpful in getting auto-redirection working.

Anyway, off I go to install that extension.

MZMcBride



___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS preference?

2012-03-10 Thread John Vandenberg 
On Sun, Mar 11, 2012 at 5:58 AM, MZMcBride  wrote:
> Hi.
>
> https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 is about adding a user
> preference for HTTP vs. HTTPS while a user is logged in.
>
> I'd really like to see this bug resolved, as I regularly encounter HTTP
> links and the lack of auto-redirection is becoming a larger and larger
> usability problem for me. (I don't use HTTPS-Everywhere on my personal
> computer.)

Why isnt HTTPS Everywhere a good solution for you?

-- 
John Vandenberg

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS preference?

2012-03-10 Thread MZMcBride 
Daniel Friesen wrote:
> I believe the idea of a HTTPS preference was WONTFIXed under the premise
> that the final goal is to have all logged in users unconditionally using
> https.

https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 looks open to me. Do
you have a link to the bug you're referring to?

Krenair wrote:
> I like this idea, but I think that it should be done as a global preference
> (https://bugzilla.wikimedia.org/show_bug.cgi?id=14950).

Well, sure, but perfect is the enemy of the done. For right now, it can at
least be added as a local user preference (or just be implemented
unconditionally)... I think. That's why I started the thread: to clarify
what needs to be done and who's ready for what. :-)

MZMcBride



___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS preference?

2012-03-10 Thread Platonides 
On 10/03/12 19:58, MZMcBride wrote:
> Hi.
> 
> https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 is about adding a user
> preference for HTTP vs. HTTPS while a user is logged in.
> 
> I'd really like to see this bug resolved, as I regularly encounter HTTP
> links and the lack of auto-redirection is becoming a larger and larger
> usability problem for me. (I don't use HTTPS-Everywhere on my personal
> computer.)
> 
> I have a few questions for this list:
> 
> * Does a user preference make sense here? I argued on that bug that adding
> an intermediate user preference seems a bit silly (letting the user shoot
> themselves in the foot), but it's apparently common to give the user a
> choice (Gmail, Twitter, Facebook, etc. all allow a choice).

It doesn't make much sense to implement HTTPS as a (normal) user
preference. If you go to http and you are logged in (so that your
preferences can be honored), your session is not much safer by having an
immediate redirect to HTTPS, I'd consider it a placebo more than an
impprovement*.
OTOH, it could be implemented with a cookie meaning "redirect me to
https" (and nothing else). This would make both http:// and https://,
show the logged in interface, having just secure cookies.
We could also use Strict Transport Security, but that's harder to set
for all our domains (I think it'd have to be set from the root one), and
it's harder to reset if we have to go back. Still, it's something to
enable on the future.


* It'd be _slightly_ safer, mostly with read-only enemies and
short-lived sessions; but not anywhere near what expect from a "https
login".


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS preference?

2012-03-10 Thread Daniel Friesen 

On Sat, 10 Mar 2012 10:58:19 -0800, MZMcBride  wrote:


Hi.

https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 is about adding a  
user

preference for HTTP vs. HTTPS while a user is logged in.

I'd really like to see this bug resolved, as I regularly encounter HTTP
links and the lack of auto-redirection is becoming a larger and larger
usability problem for me. (I don't use HTTPS-Everywhere on my personal
computer.)

I have a few questions for this list:

* Does a user preference make sense here? I argued on that bug that  
adding

an intermediate user preference seems a bit silly (letting the user shoot
themselves in the foot), but it's apparently common to give the user a
choice (Gmail, Twitter, Facebook, etc. all allow a choice).

(This next question is for Wikimedia ops.)

* If a user preference is implemented and the default is set to HTTPS, is
the current infrastructure ready for the increased load? That is, if the
code were magically ready tomorrow, could HTTPS be immediately deployed  
as a

default for logged-in users without causing any problems?

MZMcBride


I believe the idea of a HTTPS preference was WONTFIXed under the premise  
that the final goal is to have all logged in users unconditionally using  
https.


--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS preference?

2012-03-10 Thread Krenair 

I like this idea, but I think that it should be done as a global preference 
(https://bugzilla.wikimedia.org/show_bug.cgi?id=14950).

Krenair

On 10/03/12 18:58, MZMcBride wrote:


Hi.

https://bugzilla.wikimedia.org/show_bug.cgi?id=29898 is about adding a user
preference for HTTP vs. HTTPS while a user is logged in.

I'd really like to see this bug resolved, as I regularly encounter HTTP
links and the lack of auto-redirection is becoming a larger and larger
usability problem for me. (I don't use HTTPS-Everywhere on my personal
computer.)

I have a few questions for this list:

* Does a user preference make sense here? I argued on that bug that adding
an intermediate user preference seems a bit silly (letting the user shoot
themselves in the foot), but it's apparently common to give the user a
choice (Gmail, Twitter, Facebook, etc. all allow a choice).

(This next question is for Wikimedia ops.)

* If a user preference is implemented and the default is set to HTTPS, is
the current infrastructure ready for the increased load? That is, if the
code were magically ready tomorrow, could HTTPS be immediately deployed as a
default for logged-in users without causing any problems?

MZMcBride



___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l