https://bugzilla.wikimedia.org/show_bug.cgi?id=38516

--- Comment #5 from Ryan Lane <rlan...@gmail.com> 2012-07-20 22:28:24 UTC ---
(In reply to comment #4)
> (In reply to comment #3)
> > We can turn it on by default for logged-in users right now. We can easily
> > handle that load.
> > 
> You should realize that that means that once a browser is used by a logged-in
> user *once*, it will use HTTPS for *everyone* *forever* (really until the STS
> header expires, usually that's a year), even if they're not logged in. So in
> practice that means that every shared computer (libraries, internet cafes) in
> the world is gonna be hitting us exclusively via HTTPS within a few days of
> deploying this change.
> 
> This is not necessarily a huge problem, but I just wanted to point this out.
> 

Sorry, sorry. I meant send all logged-in traffic to https, not use HSTS.

> Also, STS forbids accepting invalid certs, and we're currently serving wrong
> certs for domains like wikipedia.com and wikidata.org; essentially all the misc
> domains we have are sent to wikimedia-lb, which means they get the
> star-wikimedia cert, which is bad. Serving STS for those domains would be
> deadly.
> 

Eh? Since when are we serving incorrect certificates? Do you mean for mobile?

> > To enable it for all users we'd need to expand the cluster so that every
> > squid/varnish node is also an HTTPS node. That would be a requirement for HSTS.
> > Indeed HSTS is the last in the chain for this.
> > 
> Why is Squid/Varnish-side SSL termination required for STS? Why can't we just
> scale up our current nginx cluster?
> 

It makes more sense to just stick HTTPS on every box, than to have a separate
cluster, if we're going to do HTTPS by default.

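The HSTS behaviour the two comments above argue about (a policy recorded on one HTTPS visit binds that browser for the whole max-age, whoever uses it afterwards, and a known HSTS host served with a non-matching certificate becomes a hard failure instead of a click-through warning) is easy to see in a small model of the browser-side cache. This is an added example written for this page, not Wikimedia code and not from the bug; the host names, header values, timestamps and certificate names in it are constructed.

```python
"""Minimal model of browser HSTS handling (RFC 6797) for the points in the thread.

Added illustration, not Wikimedia code. Hosts, certificate names and times are
constructed for the example.
"""
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31_536_000  # the "usually a year" max-age mentioned in the thread


def _name_matches(pattern, host):
    """Certificate name match: '*' covers exactly one leftmost label (RFC 6125)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".wikimedia.org"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


class HstsStore:
    """One browser's HSTS cache: host -> (expiry time, includeSubDomains)."""

    def __init__(self):
        self._policies = {}

    def observe_response(self, host, headers, now, cert_ok=True):
        """Record a Strict-Transport-Security header from an HTTPS response.

        A browser only honours the header when the connection had a valid
        certificate; a response over a warned-through connection is ignored.
        """
        value = headers.get("Strict-Transport-Security")
        if not cert_ok or value is None:
            return
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            if name.lower() == "max-age":
                max_age = int(arg.strip().strip('"'))
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return
        if max_age == 0:
            self._policies.pop(host.lower(), None)  # max-age=0 clears the policy
        else:
            self._policies[host.lower()] = (now + max_age, include_sub)

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_sub = policy
            if now < expiry and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade http:// to https:// for known hosts, regardless of who is logged in."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

    def connection_allowed(self, host, cert_names, now):
        """(allowed, reason): a known host with a non-matching cert hard-fails."""
        if any(_name_matches(n, host) for n in cert_names):
            return True, "certificate matches"
        if self.is_known(host, now):
            return False, "HSTS host with non-matching certificate: hard failure"
        return True, "non-matching certificate, but the browser may offer click-through"


def shared_computer_scenario():
    """One logged-in HTTPS visit sets the policy; later anonymous http:// requests
    from the same browser are upgraded until max-age runs out."""
    store = HstsStore()
    t0 = 1_000_000  # constructed clock
    store.observe_response("en.wikipedia.org",
                           {"Strict-Transport-Security": f"max-age={ONE_YEAR}"}, now=t0)
    next_day = store.rewrite("http://en.wikipedia.org/wiki/Main_Page", now=t0 + 86_400)
    after_expiry = store.rewrite("http://en.wikipedia.org/wiki/Main_Page",
                                 now=t0 + ONE_YEAR + 1)
    return next_day, after_expiry


def wrong_cert_scenario():
    """A misc domain answered with the star-wikimedia cert: warn-through without
    HSTS, unreachable once an HSTS policy exists for it (or a parent with
    includeSubDomains)."""
    store = HstsStore()
    cert = ["*.wikimedia.org", "wikimedia.org"]  # constructed SAN list
    before = store.connection_allowed("wikipedia.com", cert, now=0)
    # Suppose STS had been sent for wikipedia.com on an earlier valid visit.
    store.observe_response("wikipedia.com",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                           now=0)
    after = store.connection_allowed("wikipedia.com", cert, now=10)
    sub = store.connection_allowed("www.wikipedia.com", cert, now=10)
    return before[0], after[0], sub[0]
```

Note that `observe_response` ignores the header when `cert_ok` is false: a site that cannot yet serve a correct certificate cannot accidentally pin itself, but a policy learnt on a parent domain with `includeSubDomains` still reaches every subdomain served from the wrong load balancer.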

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l