To clarify, the default value for this HTTPS option is false, meaning you have to explicitly turn it on in order to force HTTPS. In other words, the only functional change being made by this deployment is that *login* on certain projects will be over HTTPS. So for those who do not have HTTPS, they will have to log in through a project that does not have secure login enabled. And once they do log in, they should be fine thereafter.
*-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerro...@gmail.com On Tue, Aug 20, 2013 at 1:54 PM, Risker <risker...@gmail.com> wrote: > On 20 August 2013 13:12, Greg Grossmeier <g...@wikimedia.org> wrote: > > > <quote name="Tyler Romeo" date="2013-08-20" time="10:50:23 -0400"> > > > On Tue, Aug 20, 2013 at 10:34 AM, MZMcBride <z...@mzmcbride.com> wrote: > > > > > > > (And if the user preference isn't meant to serve those who can't use > > > > HTTPS, who is it intended to serve?) > > > > > > > > > > My point is that it doesn't matter what your user preference is. > Whether > > > it's false or true, you still have to log in over HTTPS. In other > words, > > > the user preference has no effect on your ability to use the site. > > > > One group of users that is always being forgotten in this discussion is > > the group who use Wikipedia over really crappy connections that aren't > > censoring them. These users will have a hard time using an SSL > > connection due to the added resources/round trips and have a legitimate > > non-China/NSA excuse to disable HTTPS after they login (where the added > > roundtrips are probably worthwhile to keep their username/password > > safe). > > > This is correct, but it is still not addressing the question of what > happens to users who are completely unable to use HTTPS, and whether or not > they will remain logged in if they try to reach another HTTPS-standard > project if they start off from Chinese/Farsi projects. > > We have project-specific IPBE user-rights for users who are affected by > blocked IP addresses (which include but aren't limited to TOR nodes or > other blocked proxies). Is it possible to create a similar user-right for > "HTTPS not default for login" for this users? > > We are talking about a non-negligible number of high-activity users on > multiple projects being adversely affected here, including several stewards > (cross-project issues), administrators, and high-productivity editors. It > is important to find a way that is certain to allow them to log in and to > move across multiple projects, and doing so should not be considered an > *enhancement*, it should be considered a required feature of the new > process. (It may not be a blocker, but I'd hope to see this "fixed" before > the end of the month.) > > Risker > _______________________________________________ > Wikitech-l mailing list > Wikitech-l@lists.wikimedia.org > https://lists.wikimedia.org/mailman/listinfo/wikitech-l > _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
