Ryan Lane wrote:
> There's a bunch of things that we should likely do in the future as
> well. We should likely set a non-secure cookie for HTTPS logged-in
> users that indicates the user requests HTTPS only (via a preference,
> enabled by default), that will redirect them to HTTPS if they somehow
> arrive at an HTTP page. Strict Transport Security (STS) should also be
> a consideration at some point in time, at least for users that have
> already logged in. This doesn't protect the user from initial site
> spoofing attacks, but could protect against later spoofing attacks
> (thanks Aryeh for this idea).
>
> I don't think we'll ever get to a point where we can/should use HTTPS
> for all anon users, but SPDY could be a consideration in the future
> for anons. After I finish HTTPS I may look at setting up SPDY for
> testing.
These all sound like good ideas to investigate. Just make sure they're in Bugzilla at some point so they don't get lost in a mailman archive. :-)

I think there's a tracking bug for https or secure login somewhere.

MZMcBride

_______________________________________________
Wikitech-l mailing list
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
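The two mechanisms Ryan describes, a non-secure "force HTTPS" cookie that lets the plain-HTTP side redirect, and an STS header issued only to logged-in HTTPS sessions, as an added illustration (not MediaWiki's code; the cookie name, max-age and function names are assumptions):

```python
# Added example, not MediaWiki's implementation. Models the origin server's
# decision for one request; cookie name and STS lifetime are assumed values.
from dataclasses import dataclass, field

FORCE_HTTPS_COOKIE = "forceHTTPS"   # hypothetical cookie name
STS_MAX_AGE = 7 * 24 * 3600         # assumed: one week, in seconds


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def handle_request(scheme, host, path, cookies, logged_in, prefer_https=True):
    """Decide status and security headers for a request.

    scheme       'http' or 'https' as seen by the server
    cookies      request cookies as a dict
    logged_in    whether the request carries an authenticated session
    prefer_https the user's "HTTPS only" preference (default on, per the post)
    """
    if scheme == "http":
        # The preference cookie is deliberately NOT marked Secure, so the
        # browser still sends it over plain HTTP and we can redirect here.
        if cookies.get(FORCE_HTTPS_COOKIE) == "1":
            return Response(302, {"Location": f"https://{host}{path}"})
        # Anonymous users without the cookie keep being served over HTTP.
        return Response(200, {})

    headers = {}
    if logged_in and prefer_https:
        # Non-secure cookie: only carries the preference, no session data,
        # so exposing it on the HTTP side leaks nothing sensitive.
        headers["Set-Cookie"] = f"{FORCE_HTTPS_COOKIE}=1; Path=/; HttpOnly"
        # STS is honoured by browsers only on HTTPS responses; limiting it to
        # logged-in users matches the proposal. It protects later visits,
        # not the very first one.
        headers["Strict-Transport-Security"] = f"max-age={STS_MAX_AGE}"
    return Response(200, headers)
```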
