Extension talk:HSTS


Possible variations[edit]

The initial version 0.1 is very basic, but the following features could be added if they are requested:

  • let the user change the expiration time and/or date, so users can first test with small durations and increase them once it works correctly;
  • add a right for use of this extension, so it can possibly be enabled independently for anons, registered users, or specific users (e.g. beta-testers).

~ Seb35 14:55, 18 August 2013 (UTC)

User interface questioning[edit]

I chose to add the preference in the general section (User profile/Basic information), but I wonder if it would not be better in the Misc section (in a dedicated section Security perhaps).

Related to this, perhaps a better and more explicit phrasing of the preference could be used (I don’t know): "always use HTTPS". IIRC Twitter once had some phrasing like that (there is no longer such a preference, I checked some days ago). On the other hand, inexperienced users could completely lose access to the site in case of misconfiguration (and so "expert words" could discourage them for their own good), although perhaps I’m just too anxious about this (which shouldn’t happen); or some explicit warning could be written.

~ Seb35 16:19, 18 August 2013 (UTC)

Version 1.1 adds support for the BetaFeatures extension, where I chose simple words while keeping in mind the real benefits of HSTS compared to the preferhttps preference added in MediaWiki 1.22:
  • mainly after the logout
  • no way to spy on the user since there is absolutely no HTTP connection, which could leak the requested page and/or POST variables, contrary to the forceHTTPS mechanism
  • possibly better security alerts ("HTTPS-Everywhere" integrated with the browser, so it can be guessed that browsers can better explain security alerts linked to HSTS).
For the latter point, as an example, with Opera 12.16, if I change the certificate for a certificate with a wrong server name, hence defeating the TLS connection, an HTTP connection with the forceHTTPS/preferhttps mechanism first redirects to HTTPS and shows a certificate error ("wrong server name"), whereas an HTTP connection with HSTS activated shows a fatal error with no way to connect either in HTTP or in HTTPS (once the HSTS time period is finished it shows a certificate error as in the previous case). Possibly newer browsers have a better explanation of the security error.
~ Seb35 [^_^] 17:02, 17 September 2014 (UTC)
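The difference described in the post above (an HSTS-aware client never opens a cleartext connection, while a redirect-based forceHTTPS/preferhttps mechanism sends the full request over HTTP first, and a certificate error under HSTS is a hard failure rather than a bypassable warning) can be made concrete with a small model of the browser side. This is an added example, not code from the HSTS extension or from MediaWiki: it parses the `Strict-Transport-Security` header, keeps a per-host policy with expiry, and reports what would leave the machine for a given URL. The hostnames, the `max-age` values and the timestamps are constructed for the illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


def parse_hsts_header(value: str):
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid (missing or duplicated max-age), in which case a browser ignores it.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # Unknown directives (e.g. "preload") are ignored, as the RFC requires.
    if max_age is None:
        return None
    return max_age, include_subdomains


@dataclass
class HstsEntry:
    expires: float
    include_subdomains: bool


class HstsStore:
    """Per-host HSTS policies, as a browser would cache them."""

    def __init__(self):
        self.entries = {}

    def learn(self, host: str, header_value: str, over_tls: bool, now: float) -> bool:
        # Browsers only honour the header when it arrives over an error-free TLS
        # connection; an HTTP response carrying it must be ignored.
        if not over_tls:
            return False
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 deletes the policy
            return True
        self.entries[host] = HstsEntry(now + max_age, include_subdomains)
        return True

    def is_known(self, host: str, now: float) -> bool:
        # Walk from the exact host up through its parent domains; a parent only
        # covers this host if its policy carried includeSubDomains.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue  # no policy, or an expired one
            if i == 0 or entry.include_subdomains:
                return True
        return False


def plan_request(url: str, store: HstsStore, now: float):
    """Return (scheme of the first connection, cleartext-exposed path or None).

    With a live HSTS policy the browser rewrites http:// to https:// before
    opening any socket, so nothing is sent in clear. Without one, the whole
    request line (path and query) goes over HTTP before any redirect.
    """
    parts = urlsplit(url)
    if parts.scheme == "https" or store.is_known(parts.hostname, now):
        return "https", None
    exposed = parts.path or "/"
    if parts.query:
        exposed += "?" + parts.query
    return "http", exposed


def tls_outcome(host: str, cert_valid: bool, store: HstsStore, now: float) -> str:
    """A certificate error on an HSTS host cannot be clicked through."""
    if cert_valid:
        return "ok"
    return "hard-fail" if store.is_known(host, now) else "warning (bypassable)"
```

Running `plan_request("http://wiki.example.org/w/index.php?title=Secret&action=edit", store, now)` before the policy is learned returns `("http", "/w/index.php?title=Secret&action=edit")`, i.e. the page title is already on the wire before any redirect; after a `max-age` policy has been learned over TLS it returns `("https", None)`, and once `now` passes the expiry the host drops back to the redirect behaviour, which is the "once the HSTS time period is finished" case from the post.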