https://bugzilla.wikimedia.org/show_bug.cgi?id=52283
Tyler Romeo <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|Normal                      |Low
             Status|NEW                         |PATCH_TO_REVIEW
           See Also|                            |https://bugzilla.wikimedia.org/show_bug.cgi?id=29898
           Assignee|[email protected]        |[email protected]
           Severity|normal                      |enhancement

--- Comment #4 from Tyler Romeo <[email protected]> ---
The reason it shouldn't be removed is because it's completely outside the scope of the feature. $wgSecureLogin is intended as a means of forcing private data, specifically passwords, over a secure transport layer connection. It is not intended as a means of forcing specific users to use TLS. Furthermore, I'd like to point out that no reason has been presented for actually removing the option.

(In reply to comment #3)
> Unless login truly does not work for some users if forced to use HTTPS, I think
> there is no reason to allow insecure login sessions as an option. It's a
> fundamental account security issue. If you want to edit via an insecure
> connection, you can continue to do so anonymously.

This is by no means a "fundamental account security issue". Using Wikipedia over HTTP does not in-and-of-itself pose a major security concern (unless you count session hijacking, which could be avoided if the session key was renegotiated more often). Sending passwords over HTTP, on the other hand, does, which is why this feature exists.

(In reply to comment #0)
> and if there's going to be an option to turn it off, it should likely be
> in user preferences, not on the login page every time you view it.

Now with all of that said, I agree I'd much rather this be a user preference than have it cluttering the login page. Because then at least the user can still use HTTP if they really want to. And conveniently enough:

https://gerrit.wikimedia.org/r/47089
