Talk:Requests for comment/Login security

Archive
There is a discussion about this RfC on wikitech-l starting on August 23, 2013 (gmane).

Policy-based rules
The code to implement the current plan of record was somewhat hacky, and I think the entire process, and what is encrypted or not could be much more clearly understood (and implemented) as a set of policies around the 4 areas (anonymous browsing, user login, logged-in browsing, sensitive activities) where we can use HTTPS.

For each area, we could define a site policy which specifies whether https is required, recommended (defaults to https, but user pref can override), or unspecified. At the 2 where we have an identified user, we can have a user preference to allow the user to specify their choice for when the site policy only recommends or doesn't specify. For the 2 areas where we deal with anonymous users, we could allow a way for the anonymous visitor to specify a preference with a cookie, possibly.
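To make the precedence in the proposal above concrete, here is an added example (editor's sketch, not code from the RfC, the commenter, or MediaWiki) of a resolver for the four areas and three site-policy values. The `EXAMPLE_SITE_POLICY` table, the `forceHTTPS` cookie name and the `wants_https` / `needs_upgrade` function names are assumptions made for illustration; the only rules taken from the comment are that "required" cannot be overridden, "recommended" defaults to https and "unspecified" to http, a user preference applies only in the two identified-user areas, and an anonymous visitor's preference comes from a cookie.

```python
from enum import Enum
from typing import Dict, Optional


class Area(Enum):
    """The four areas in which the proposal would apply an HTTPS policy."""
    ANON_BROWSING = "anonymous browsing"
    LOGIN = "user login"
    LOGGED_IN_BROWSING = "logged-in browsing"
    SENSITIVE = "sensitive activities"


class SitePolicy(Enum):
    REQUIRED = "required"        # always HTTPS; no preference can override
    RECOMMENDED = "recommended"  # defaults to HTTPS; a preference may override
    UNSPECIFIED = "unspecified"  # defaults to HTTP; a preference may override


# Areas in which an identified user exists, so a stored user preference
# applies.  In the other two areas only an anonymous visitor's cookie can
# carry a preference.
IDENTIFIED_AREAS = {Area.LOGGED_IN_BROWSING, Area.SENSITIVE}

# Constructed example site policy (assumption); a real site would load this
# from configuration.
EXAMPLE_SITE_POLICY: Dict[Area, SitePolicy] = {
    Area.ANON_BROWSING: SitePolicy.UNSPECIFIED,
    Area.LOGIN: SitePolicy.REQUIRED,
    Area.LOGGED_IN_BROWSING: SitePolicy.RECOMMENDED,
    Area.SENSITIVE: SitePolicy.REQUIRED,
}


def anon_pref_from_cookies(cookies: Dict[str, str],
                           name: str = "forceHTTPS") -> Optional[bool]:
    """Read the hypothetical anonymous-visitor preference cookie.

    Only the exact values "1" and "0" are honoured.  Any other value is
    treated as "no preference" so a malformed or attacker-supplied cookie
    can only ever fall back to the site default.
    """
    value = cookies.get(name)
    if value == "1":
        return True
    if value == "0":
        return False
    return None


def wants_https(area: Area,
                site_policy: Dict[Area, SitePolicy],
                user_pref: Optional[bool] = None,
                cookies: Optional[Dict[str, str]] = None) -> bool:
    """Decide whether a request in `area` should be served over HTTPS.

    Precedence: site policy "required" wins outright; otherwise the
    preference source allowed for this area (user preference for
    identified-user areas, cookie for anonymous areas) wins; otherwise
    "recommended" means HTTPS and "unspecified" means HTTP.
    """
    policy = site_policy[area]
    if policy is SitePolicy.REQUIRED:
        return True
    if area in IDENTIFIED_AREAS:
        pref = user_pref
    else:
        pref = anon_pref_from_cookies(cookies or {})
    if pref is not None:
        return pref
    return policy is SitePolicy.RECOMMENDED


def needs_upgrade(area: Area,
                  request_is_https: bool,
                  site_policy: Dict[Area, SitePolicy],
                  user_pref: Optional[bool] = None,
                  cookies: Optional[Dict[str, str]] = None) -> bool:
    """True when a plain-HTTP request should be redirected to HTTPS.

    Only upgrades are issued here: a preference for HTTP never causes a
    request that already arrived over HTTPS to be bounced back to HTTP.
    """
    return (wants_https(area, site_policy, user_pref, cookies)
            and not request_is_https)


if __name__ == "__main__":
    # A logged-in user who opted out of HTTPS for browsing still gets HTTPS
    # for a sensitive action, because that area is "required".
    print(wants_https(Area.LOGGED_IN_BROWSING, EXAMPLE_SITE_POLICY, user_pref=False))
    print(wants_https(Area.SENSITIVE, EXAMPLE_SITE_POLICY, user_pref=False))
```

One caveat worth keeping in mind with the cookie idea: a cookie that an anonymous visitor sets over plain HTTP has no integrity against an on-path attacker, who can set or strip it at will. That is why the resolver above lets a cookie affect only areas whose site policy is "recommended" or "unspecified", ignores any value other than "0"/"1", and never downgrades an HTTPS request to HTTP on the strength of a preference.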