Page MenuHomePhabricator
Create Task
Maniphest T372396

Remove mixed HTTP/HTTPS mode support from MediaWiki
Open, Needs TriagePublic
Actions

Assigned To
None
Authored By
Ebrahim
Aug 13 2024, 12:17 PM
Tags
Referenced Files
F57571829: Screenshot Capture - 2024-09-30 - 11-43-11.png
Sep 30 2024, 9:44 AM
F57271379: image.png
Aug 13 2024, 12:17 PM
Subscribers
Aklapper
Ebrahim
Krinkle
matmarex
pmiazga
Tgr
Volker_E
Tokens
"Orange Medal" token, awarded by Krinkle.

Description

MediaWiki supports a "mixed mode" where the wiki can be accessed either via HTTP or HTTPS, with a lot of code complexity trying to make it possible to browse the site in HTTP but use HTTPS during login:

image.png (236×676 px, 24 KB)

The web has moved on in the decade or so since these features were added; all serious sites are HTTPS-only now. We want to support HTTP-only sites forever because it makes CI and local development much simpler, but there isn't much need for mixed mode, and certainly not jumping through hoops to have the login and rest of the browsing in different protocols (which offers very little added security - session cookies can still be stolen, so at most it protects other websites if the user reuses passwords between sites; and even then, once the cookies are stolen, orchestrating a phishing attack for the password isn't too hard).

This would involve deprecating and eventually removing at least the following settings/features:

  • $wgSecureLogin
  • prefershttps user preference and User::requiresHTTPS()
  • Session::shouldForceHTTPS() / SessionInfo::forceHTTPS() and the forceHTTPS cookie
  • the forceHTTPS / wpForceHttps and fromhttp / wpFromhttp URL flags for juggling protocols during login
  • the "Use secure connection" link during login

and maybe replacing $wgCookieSecure with $wgForceHTTPS.

Inspired by rMWca650329eed1: Use Codex icon and color for sign with secure link. See T256095: Stop sending the forceHTTPS cookie, make the HTTPS redirect unconditional for the previous round of HTTP deprecations.

Related Objects

Event Timeline

Ebrahim created this task.Aug 13 2024, 12:17 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 13 2024, 12:17 PM
Ebrahim added a project: MediaWiki-General.Aug 13 2024, 12:19 PM
Ebrahim updated the task description. (Show Details)
Ebrahim updated the task description. (Show Details)
Aklapper edited projects, added MediaWiki-User-login-and-signup; removed MediaWiki-General.Aug 13 2024, 12:23 PM
matmarex subscribed.Aug 13 2024, 1:32 PM

You're right that it's archaic. We have recently removed support for this mode from CentralAuth: T348852: Remove CentralAuth support for mixed-protocol HTTP/HTTPS wikis. But that was easier than doing it in MediaWiki, since we didn't need to worry about users other than Wikimedia wikis.

There is quite a bit of code for supporting wikis hosted on both HTTP and HTTPS protocols, especially in the auth components, including several config options and public interfaces that will need to be deprecated first.

Code to review (not necessarily all of this should be deleted): https://codesearch.wmcloud.org/core/?q=SecureLogin|ForceHTTPS|CookieSecure|prefershttps|stickHTTPS|requiresHTTPS&files=php&excludeFiles=&repos=&i=fosho

Tgr renamed this task from Let's get rid of https promoting features to Remove mixed HTTP/HTTPS mode support from MediaWiki.Sep 30 2024, 9:43 AM
Tgr added a project: MediaWiki-Core-AuthManager.
Tgr updated the task description. (Show Details)
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptSep 30 2024, 9:43 AM
Tgr subscribed.Sep 30 2024, 9:44 AM

From the original task description:

See also: https://www.jefftk.com/p/history-of-https-usage

...which links to Let's Encrypt stats which has this nice chart based on Firefox telemetry:

Screenshot Capture - 2024-09-30 - 11-43-11.png (812×1 px, 160 KB)

Tgr added a comment.Sep 30 2024, 9:45 AM

(I feel like we already had a task about this but couldn't find it.)

Tgr added a comment.Sep 30 2024, 9:51 AM

Some issues that this would resolve or obsolete:

and some issues would become simpler to solve:

Also related: T118413: Wikimedia wikis should use https:// in $wgServer

pmiazga subscribed.Sep 30 2024, 11:58 AM

One of the reasons why we might need to support HTTP mode is the TLS overhead (performance cost) but I don't think it justifies the additional complexity we need to maintain. I wonder if we have any use cases or requirements to support mixed mode? Only thing that comes to my mind is dev environments - but those are just HTTP mode (without SSL).

Krinkle subscribed.Sep 30 2024, 9:33 PM

Individual cases may vary, but the delay and overhead of TLS is generally believed to be outweighed by the performance benefits of HTTP/2 and QUIC, which in practice only work over TLS.

From my experience, the only reason to operate a site over HTTP exclusively is sysadmin simplicity. I believe this is an important and worthy reason to support HTTP for. However this task is not about dropping HTTP support. It is about supporting specific sites to simultaneously decide to provide TLS and yet not want to make it an enforced default.

That would imho only make sense if there are significant server or client costs, where there no longer appear to be, with the exception of the costs associated with providing it at all, which as said are sound but not what the task is about.

Krinkle awarded a token.Sep 30 2024, 9:33 PM
Volker_E subscribed.Oct 2 2024, 10:18 AM
larissagaulia moved this task from Inbox, needs triage to Backlog: non-prioritized on the MediaWiki-Platform-Team board.Oct 7 2024, 1:46 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits
  NODES
HOME 1
Note 1
OOP 1
os 10
server 3
Users 1
web 2