Page MenuHomePhabricator

Remove checkbox on userlogin to "Stay connected to HTTPS after login"
Closed, ResolvedPublic

Description

Author: swalling

Description:
Currently with wgSecureLogin set to true, it adds a checkbox on Special:UserLogin (which is checked by default) to let the user "Stay connected to HTTPS after login" or not.

I think it is probably not necessary. HTTPS is a sane default, and if there's going to be an option to turn it off, it should likely be in user preferences, not on the login page every time you view it.


Version: 1.22.0
Severity: enhancement
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=29898

Details

Reference
bz52283

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 2:04 AM
bzimport set Reference to bz52283.
bzimport created this task.Jul 30 2013, 6:27 PM

Agreed. It should either be a sane default or moved to preferences. It should definitely not be on the log-in page, especially not with the arcane message "Stay connected to HTTPS after login".

The functionality should not be removed, but I'll let you guys decide how to create the best experience.

Some users are very touchy about being forced to use https, so we need to maintain a way to (insecurely) use the site after they login.

swalling wrote:

(In reply to comment #2)

The functionality should not be removed, but I'll let you guys decide how to
create the best experience.
Some users are very touchy about being forced to use https, so we need to
maintain a way to (insecurely) use the site after they login.

Why are they touchy?

Unless login truly does not work for some users if forced to use HTTPS, I think there is no reason to allow insecure login sessions as an option. It's a fundamental account security issue. If you want to edit via an insecure connection, you can continue to do so anonymously.

The reason it shouldn't be removed is because it's completely outside the scope of the feature. $wgSecureLogin is intended as a means of forcing private data, specifically passwords, over a secure transport layer connection. It is not intended as a means of forcing specific users to use TLS. Furthermore, I'd like to point out that no reason has been presented for actually removing the option.

(In reply to comment #3)

Unless login truly does not work for some users if forced to use HTTPS, I
think
there is no reason to allow insecure login sessions as an option. It's a
fundamental account security issue. If you want to edit via an insecure
connection, you can continue to do so anonymously.

This is by no means a "fundamental account security issue". Using Wikipedia over HTTP does not in-and-of-itself pose a major security concern (unless you count session hijacking, which could be avoided if the session key was renegotiated more often). Sending passwords over HTTP, on the other hand, does, which is why this feature exists.

(In reply to comment #0)

and if there's going to be an option to turn it off, it should likely be
in user preferences, not on the login page every time you view it.

Now with all of that said, I agree I'd much rather this be a user preference than have it cluttering the login page. Because then at least the user can still use HTTP if they really want to.

And conveniently enough:
https://gerrit.wikimedia.org/r/47089

swalling wrote:

(In reply to comment #4)

Now with all of that said, I agree I'd much rather this be a user preference
than have it cluttering the login page. Because then at least the user can
still use HTTP if they really want to.
And conveniently enough:
https://gerrit.wikimedia.org/r/47089

Thanks for the link. I agree this is the best interim solution, while we argue about whether it should be a preference at all. ;)

Change 47089 had a related patch set uploaded by Parent5446:
Change secure login to use a user preference; add secure groups option.

https://gerrit.wikimedia.org/r/47089

The checkbox should definitely be removed from the login screen. It's not clear to me why it was ever added there in the first place. We did this once before with some other (non-SSL-related) checkbox on the login screen. I thought we'd learned our lesson.

Just to be clear: I think the checkbox should be removed (and I don't think there's anybody who thinks it should stay); I just think it should have a replacement because the functionality is still important.

Sure, maybe the MediaWiki software should have a replacement in the preferences, but for Wikimedia sites it should be hidden.

(In reply to comment #9)

Sure, maybe the MediaWiki software should have a replacement in the
preferences, but for Wikimedia sites it should be hidden.

Agreed on this as well. With my patch, this would be done by adding the 'user' group to the list of required HTTPS groups. Right now it only disables the preference, but it would be trivial to add a special case to remove it entirely if all users have it disabled.

Change 76823 abandoned by Demon:
Remove "stick HTTPS" option from login page

https://gerrit.wikimedia.org/r/76823

Change 47089 merged by jenkins-bot:
Change secure login to use a user preference

https://gerrit.wikimedia.org/r/47089

swalling wrote:

Thanks guys!

Change 79960 had a related patch set uploaded by Demon:
Change secure login to use a user preference

https://gerrit.wikimedia.org/r/79960

Change 79963 had a related patch set uploaded by Demon:
Change secure login to use a user preference

https://gerrit.wikimedia.org/r/79963

Change 79963 merged by jenkins-bot:
Change secure login to use a user preference

https://gerrit.wikimedia.org/r/79963

Change 79960 merged by jenkins-bot:
Change secure login to use a user preference

https://gerrit.wikimedia.org/r/79960