
Notification emails should link to https, not http
Closed, Resolved · Public

Description

Just got a new message notification:

Dear Multichill,

The Wikipedia page "User talk:Multichill" has been changed on
2 December 2011 by Magicpiano, with the edit summary: /* Bot is breaking
on National Register of Historic Places in Lowell, Massachusetts */ link
fix

See
http://en.wikipedia.org/w/index.php?title=User_talk:Multichill&diff=0&oldid=463665500
for all changes since your last visit. See
http://en.wikipedia.org/wiki/User_talk:Multichill for the current
revision.

To contact the editor, visit
http://en.wikipedia.org/wiki/User:Magicpiano

Note that additional changes to the page "User talk:Multichill" will not
result in any further notifications, until you have logged in and
visited the page.

Your friendly Wikipedia notification system

This email notification feature was enabled on English Wikipedia in May
2011 - see http://en.wikipedia.org/wiki/Help:Email_notification. If you
would like to switch off your notifications, visit
http://en.wikipedia.org/wiki/Special:Preferences

Feedback and further assistance:
http://en.wikipedia.org/wiki/Help:Contents

(end)

All links should be https now that we properly implemented SSL.
If this is a bridge too far for now, a user setting to prefer http or https would probably be a good intermediate solution.


Version: unspecified
Severity: normal

Details

Reference
bz32769

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 12:08 AM
bzimport set Reference to bz32769.
bzimport added a subscriber: Unknown Object (MLST).

*** This bug has been marked as a duplicate of bug 29878 ***

This is not a duplicate. #29878 is about user preferences. This bug is about setting everything to https by default (instead of the current http).

(In reply to comment #2)

> This is not a duplicate. #29878 is about user preferences. This bug is about
> setting everything to https by default (instead of the current http).

The two bugs cannot both be solved, though. I do prefer this solution. We'll have to choose one.

I say fix this one. It's a pretty easy fix ;-)

You should leave #29878 open as a MediaWiki enhancement.

Marking works for me, it is a duplicate of several other bugs:

  • (bug 29898) User preference for enforcing HTTPS (see also bug 29898 comment 11)
  • (bug 29878) Fix inconsistency in resolution of protocol-independent wgServer for email messages.

Note that to enable https by default, all we need to do is set wgCanonicalServer to https. That's just a configuration change, no software change. The reason this is not going to be done soon is because the SSL cluster is not big or stable enough to take a default load for everyone. There is a bug open about that already. See also the tracking bug about secure access (bug 27946).

You can't just close this as worksforme because it doesn't work.
On what do you base your assumption that the SSL cluster can't handle the load? How many logged-in users now use http and how many users https? In this day and age logged-in users should never use http.

Added this one to the tracker

WORKSFORME would be a valid resolution if this were attached to a general component, since it's already possible to configure $wgCanonicalServer to put https links into the emails.

LATER would be the valid resolution here, since this bug isn't going to change anything: this will automatically be handled when the https rollout is finished to a degree that we can default to https for a number of things. And this bug sitting here isn't going to change that schedule.
And naturally this isn't a bug tracking when https will be fully deployed.

And just since you said it: the fact that people "should never use http" isn't really relevant. The fact that most people shouldn't use http doesn't change the fact that they do. The only people who pay attention to these kinds of things are us techy people. And well, we're a minority.
So the point that the load on the https servers would be vastly different between now and when we default https on for logged-in users is a fact.

Notification e-mails now use HTTPS

Restricted Application added subscribers: JEumerus, Matanya.
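
A regression check for the behaviour this task asks for, as an added example (not MediaWiki code and not written by anyone in this thread): it scans a notification body for plain-http links to the operator's own hosts and reports the https form each link should have. The sample body, `OWN_DOMAINS` and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a shortened notification body modelled on the e-mail
# quoted in the task description, plus two third-party links.
SAMPLE_BODY = """\
See
http://en.wikipedia.org/w/index.php?title=User_talk:Multichill&diff=0&oldid=463665500
for all changes since your last visit.
This feature was enabled in May 2011 - see
http://en.wikipedia.org/wiki/Help:Email_notification. If you would like to
switch off your notifications, visit
https://en.wikipedia.org/wiki/Special:Preferences
Unrelated: http://example.org/page and http://notwikipedia.org/x
"""

# Assumption: domains the wiki operator controls and serves over TLS.
OWN_DOMAINS = ("wikipedia.org",)

URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)


def is_own_host(host, own_domains=OWN_DOMAINS):
    """True for the domain itself or a real subdomain, not a look-alike suffix."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in own_domains)


def audit_links(body, own_domains=OWN_DOMAINS):
    """Return (insecure_url, https_url) pairs for plain-http links to own hosts."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:!?)")  # sentence punctuation glued to the link
        parts = urlsplit(url)
        if parts.scheme.lower() == "http" and is_own_host(parts.hostname, own_domains):
            findings.append((url, urlunsplit(("https",) + tuple(parts[1:]))))
    return findings


if __name__ == "__main__":
    for insecure, secure in audit_links(SAMPLE_BODY):
        print(f"insecure: {insecure}\n  expect: {secure}")
```

Run against a captured outbound message in a mail test, an empty result means every link to the operator's own hosts is already https.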