Page MenuHomePhabricator

Make Wikispore HTTPS-only
Open, Needs TriagePublic

Event Timeline

Tgr created this task.Aug 18 2020, 3:34 PM
Tgr moved this task from Backlog to Next-up on the Wikispore board.Oct 18 2020, 7:05 PM
Tgr claimed this task.Oct 18 2020, 7:14 PM
Restricted Application added a project: Traffic. · View Herald TranscriptOct 18 2020, 7:18 PM
Ladsgroup moved this task from Triage to BadHerald on the Traffic board.Oct 19 2020, 8:46 AM
Restricted Application added a project: SRE. · View Herald TranscriptOct 19 2020, 8:47 AM
Tgr added a comment.Nov 13 2020, 8:20 AM

I think this is as easy as enabling $wgForceHTTPS and maybe setting a HSTS header.

Zblace added a subscriber: Zblace.Nov 13 2020, 8:50 AM

I know tech people will not love this question, but access, sustainability and low-resource enthusiasts in me would love to ask:

What are the urgencies in pushing for HTTPS-only right now?
(we do not do any super secret info or transactions that need security)
((it basically just adds more processing and reduces or even cuts access for weak-old hardware))

Tgr added a comment.Nov 14 2020, 4:12 AM

Sure, theft of a Wikispore account is not particularly damaging, but I doubt there are many people who cannot access Wikipedia and its sister projects but would want to access Wikispore, so there isn't anything to win by leaving it open to (however unlikely) attacks.