SSL is requiring more CPU, both on server and client and disable all kinds of cache (such as squid or varnish), and some browsers may have problems with it OR in some countries encryption may be even illegal.
Whatever you are going to do, you should let people turn it off. Wikimedia project itself has horrible security (in this thread I started some time ago - http://www.gossamer-threads.com/lists/wiki/wikitech/277357?do=post_view_threaded#277357 I was even told that wikimedia doesn't need good security at all, because user accounts aren't so critical there), forcing SSL will not improve it much On Tue, Apr 30, 2013 at 6:30 AM, Paul Selitskas <[email protected]> wrote: > On Tue, Apr 30, 2013 at 5:55 AM, Tyler Romeo <[email protected]> wrote: >> On Mon, Apr 29, 2013 at 9:07 PM, Paul Selitskas <[email protected]>wrote: >> >>> There are some situations when HTTPS won't work (for example, blocked >>> by provider or government). How does one disable HTTPS without >>> actually accessing a HTTPS version if the user is redirected from HTTP >>> automatically? >>> >>> HTTPS was once blocked in Belarus, thus disabling access to above >>> mentioned GMail, Facebook, Twitter and so on. There should be always >>> an option (like ?noSecure=1). >>> >> >> Well, with $wgSecureLogin the idea is that it is completely disallowed to >> log in, i.e., enter a password, over an insecure connection. >> > > Ah, I missed that moment. Thanks. > > -- > З павагай, > Павел Селіцкас/Pavel Selitskas > Wizardist @ Wikimedia projects > > _______________________________________________ > Wikitech-l mailing list > [email protected] > https://lists.wikimedia.org/mailman/listinfo/wikitech-l _______________________________________________ Wikitech-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikitech-l
