https://bugzilla.wikimedia.org/show_bug.cgi?id=38516
Roan Kattouw <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #4 from Roan Kattouw <[email protected]> 2012-07-20 22:05:46 UTC ---
(In reply to comment #3)
> We can turn it on by default for logged-in users right now. We can easily
> handle that load.
>
You should realize that that means that once a browser is used by a logged-in user *once*, it will use HTTPS for *everyone* *forever* (really until the STS header expires, usually that's a year), even if they're not logged in. So in practice that means that every shared computer (libraries, internet cafes) in the world is gonna be hitting us exclusively via HTTPS within a few days of deploying this change. This is not necessarily a huge problem, but I just wanted to point this out.

Also, STS forbids accepting invalid certs, and we're currently serving wrong certs for domains like wikipedia.com and wikidata.org; essentially all the misc domains we have are sent to wikimedia-lb, which means they get the star-wikimedia cert, which is bad. Serving STS for those domains would be deadly.

> To enable it for all users we'd need to expand the cluster so that every
> squid/varnish node is also an HTTPS node. That would be a requirement for
> HSTS.
>
> Indeed HSTS is the last in the chain for this.
>
Why is Squid/Varnish-side SSL termination required for STS? Why can't we just scale up our current nginx cluster?

> Also, it isn't necessary for squid/varnish to send these headers. It would
> actually be nice if MediaWiki handled this, since then anyone could enable it.
Yes, MW should send these headers.
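The two behaviours the comment relies on (a browser that has seen Strict-Transport-Security once keeps forcing HTTPS for every later user of that profile until max-age runs out, and a host that sends STS but presents a wrong certificate becomes unreachable rather than degrading) can be made concrete with a small model. The following is an added example written for this page, not code from MediaWiki or the Wikimedia cluster. The host names, the one-year max-age and the set of hosts assumed to have a matching certificate are constructed for the illustration; the server-side rule it encodes (emit STS only over HTTPS and only for hosts whose certificate validates) follows RFC 6797.

```python
"""Toy model of the HSTS behaviour discussed in the comment (constructed
example, not MediaWiki code).

  * sts_header_for(): the server-side decision whether to emit
    Strict-Transport-Security for a given host and connection.
  * HstsCache: a minimal browser-side policy store. It is keyed by host only,
    so it is shared by every person who uses that browser profile.
"""
import re
from typing import Optional

ONE_YEAR = 365 * 24 * 3600  # the "usually a year" max-age from the comment

# Constructed: hosts whose served certificate actually matches the name.
# Misc domains such as wikipedia.com are deliberately absent, standing in
# for the wrong-cert situation the comment describes.
HOSTS_WITH_VALID_CERT = {"en.wikipedia.org", "commons.wikimedia.org"}


def sts_header_for(host: str, is_https: bool, max_age: int = ONE_YEAR,
                   valid_cert_hosts=HOSTS_WITH_VALID_CERT) -> Optional[str]:
    """Return the STS header value to send, or None if it must not be sent.

    Browsers ignore STS received over plain HTTP, and a host that is pinned
    while serving a non-validating certificate becomes a hard failure, so the
    header is emitted only over HTTPS and only for hosts with a correct cert.
    """
    if not is_https or host not in valid_cert_hosts:
        return None
    return f"max-age={max_age}"


_MAX_AGE_RE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


class HstsCache:
    """Browser-side known-HSTS-host store; nothing in it identifies a user."""

    def __init__(self):
        self._expires_at = {}  # host -> absolute expiry time in seconds

    def observe(self, host: str, header: Optional[str], now: float,
                is_https: bool) -> None:
        """Record or refresh a policy from a response header."""
        if header is None or not is_https:
            return  # only HTTPS responses may set or refresh a policy
        m = _MAX_AGE_RE.search(header)
        if not m:
            return
        max_age = int(m.group(1))
        if max_age == 0:
            self._expires_at.pop(host, None)  # max-age=0 deletes the policy
        else:
            self._expires_at[host] = now + max_age

    def should_upgrade(self, host: str, now: float) -> bool:
        """True if a plain-HTTP navigation to host must be rewritten to HTTPS."""
        exp = self._expires_at.get(host)
        if exp is None:
            return False
        if now >= exp:
            del self._expires_at[host]  # expired policy is forgotten
            return False
        return True


def shared_computer_scenario(now: float = 0.0) -> dict:
    """Walk through the comment's shared-computer case and return what happens.

    A logged-in user visits over HTTPS once; an anonymous user later uses the
    same browser over plain HTTP; a year later the policy has lapsed.
    """
    browser = HstsCache()
    host = "en.wikipedia.org"

    # 1. Logged-in user: served over HTTPS, header emitted and stored.
    hdr = sts_header_for(host, is_https=True)
    browser.observe(host, hdr, now, is_https=True)
    anon_upgraded = browser.should_upgrade(host, now + 3600)

    # 2. Same browser and host, one year plus a second later.
    after_expiry = browser.should_upgrade(host, now + ONE_YEAR + 1)

    # 3. A misc domain with the wrong cert never gets STS, so it is never pinned.
    misc = "wikipedia.com"
    browser.observe(misc, sts_header_for(misc, is_https=True), now, is_https=True)
    misc_upgraded = browser.should_upgrade(misc, now + 1)

    return {
        "header_sent": hdr,
        "anonymous_user_forced_to_https": anon_upgraded,
        "still_forced_after_max_age": after_expiry,
        "misc_domain_pinned": misc_upgraded,
    }


if __name__ == "__main__":
    for key, value in shared_computer_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the anonymous user on the shared machine being forced to HTTPS an hour after the logged-in session, the policy lapsing only after the full year, and the misc domain never being pinned because the server refuses to emit the header for it. The practical consequence for a deployment is the one the comment draws: the allow-list of hosts for which STS is sent has to be exactly the set of hosts with correct certificates, and an HSTS rollout to all users is only safe once every HTTPS endpoint meets that bar.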
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
