Talk:Requests for comment/Login security

Archive
There is a discussion about this RfC on wikitech-l starting on August 23, 2013 (gmane).

Policy-based rules
The code to implement the current plan of record was somewhat hacky, and I think the entire process, and what is encrypted or not could be much more clearly understood (and implemented) as a set of policies around the 4 areas (anonymous browsing, user login, logged-in browsing, sensitive activities) where we can use HTTPS.

For each area, we could define a site policy which specifies if https is required, recommended (defaults to https, but user pref can override), or unspecified. At the 2 where we have an identified user, we can have a user preference to allow the user to specify their choice for when the site policy only recommends or doesn't specify. For the 2 areas where we deal with anonymous users, we could allow a way for the anonymous visitor to specify a preference with a cookie, possibly. —The preceding unsigned comment was added by 50.136.243.106 (talk • contribs) 03:04, Aug 25, 2013 (UTC)
 * I find it interesting that so many folks are talking about cookies at the same time as talking about login security. I don't think I'm unique in wiping cookies when shutting down a browser, and people who have multiple "computers" (including smartphones, tablets, laptops and desktops) won't gain any benefit if preferences are cookie-based, since they'll have to be set on all that different equipment. Risker (talk) 02:41, 27 August 2013 (UTC)
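The policy model sketched in the first comment above, written out as a runnable resolver. This is an added example and is not MediaWiki code or anything from the RfC: the four area names, the assumption that the visitor is unidentified during anonymous browsing and at login time but identified for the other two areas, the preference values, the cookie format (`1` / `0`) and the sample site configuration are all illustrative assumptions.

```python
"""Policy-based HTTPS rules: a model of the proposal in the comment above.

Added example, not MediaWiki code.  Area names, the anonymous/identified
split, the preference encoding and the sample site policy are assumptions.
"""
from enum import Enum
from typing import Dict, Optional


class SitePolicy(Enum):
    REQUIRED = "required"        # always HTTPS; no preference can override
    RECOMMENDED = "recommended"  # defaults to HTTPS; preference may override
    UNSPECIFIED = "unspecified"  # no site default; preference decides, else plain HTTP


# The four areas where HTTPS can be used (names assumed for this example).
ANONYMOUS_BROWSING = "anonymous_browsing"
USER_LOGIN = "user_login"
LOGGED_IN_BROWSING = "logged_in_browsing"
SENSITIVE_ACTIVITIES = "sensitive_activities"

# Assumption: no identified user yet while browsing anonymously or logging in;
# an identified user for the remaining two areas.
ANONYMOUS_AREAS = frozenset({ANONYMOUS_BROWSING, USER_LOGIN})
IDENTIFIED_AREAS = frozenset({LOGGED_IN_BROWSING, SENSITIVE_ACTIVITIES})

# A constructed site configuration of the kind the comment proposes.
EXAMPLE_SITE_POLICY: Dict[str, SitePolicy] = {
    ANONYMOUS_BROWSING: SitePolicy.UNSPECIFIED,
    USER_LOGIN: SitePolicy.REQUIRED,
    LOGGED_IN_BROWSING: SitePolicy.RECOMMENDED,
    SENSITIVE_ACTIVITIES: SitePolicy.REQUIRED,
}


def parse_pref_cookie(value: Optional[str]) -> Optional[bool]:
    """Decode the assumed anonymous-visitor cookie: "1" asks for HTTPS,
    "0" asks for plain HTTP, anything else (or no cookie) means no preference."""
    if value == "1":
        return True
    if value == "0":
        return False
    return None


def use_https(area: str, site_policy: Dict[str, SitePolicy],
              user_pref: Optional[bool] = None,
              cookie_pref: Optional[bool] = None) -> bool:
    """Decide whether a request in `area` is served over HTTPS.

    Precedence: a REQUIRED site policy always wins.  Otherwise the applicable
    preference wins: the stored user preference in identified areas, the
    cookie in anonymous areas (the other source is ignored).  With no
    preference, RECOMMENDED defaults to HTTPS and UNSPECIFIED to plain HTTP.
    """
    if area not in ANONYMOUS_AREAS and area not in IDENTIFIED_AREAS:
        raise ValueError(f"unknown area: {area}")
    policy = site_policy[area]
    if policy is SitePolicy.REQUIRED:
        return True
    pref = user_pref if area in IDENTIFIED_AREAS else cookie_pref
    if pref is not None:
        return pref
    return policy is SitePolicy.RECOMMENDED


def resolve_all(site_policy: Dict[str, SitePolicy],
                user_pref: Optional[bool] = None,
                cookie_pref: Optional[bool] = None) -> Dict[str, bool]:
    """Evaluate every configured area for one visitor."""
    return {area: use_https(area, site_policy, user_pref, cookie_pref)
            for area in site_policy}


if __name__ == "__main__":
    # A logged-in user who opted out of HTTPS, on a browser whose cookie asks for it.
    decisions = resolve_all(EXAMPLE_SITE_POLICY, user_pref=False,
                            cookie_pref=parse_pref_cookie("1"))
    for area, https in decisions.items():
        print(f"{area:22s} -> {'https' if https else 'http'}")
```

Two things the resolver makes visible that the prose leaves implicit: an `unspecified` area with no preference falls to plain HTTP, so the default is open unless the site sets at least `recommended`; and in the two anonymous areas the only input is a cookie, which arrives on the very plaintext request it is meant to govern, so anyone who can modify that request can also clear or set the preference. That is a property of any HTTP cookie, not of this particular proposal, but it bounds how much an anonymous-visitor preference can be relied on.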