I’m currently posting this over hotel WiFi, over HTTP (since you don’t give me a choice) and am thus risking my session cookies.
Please consider moving Wikia to HTTPS. This can happen in two steps:
1. Stop redirecting HTTPS to HTTP. This gives people the option to browse Wikia over HTTPS instead of HTTP while still allowing HTTP.
2. At a later stage, when you’re ready, start redirecting HTTP requests to HTTPS (and implement HSTS, etc.).
A good first step would be to disable the HTTPS → HTTP redirect. Regular users would still end up on the HTTP version of the site through their bookmarks, search results, etc. But those who prefer HTTPS can try it out, and start fixing mixed content (if any) to help prepare the wiki for an eventual HTTPS-by-default mode.
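The two-step rollout above, as a defender-side audit check (an added example, not from the original thread or from Wikia): given the responses a client gets for the http:// and https:// versions of a page, it reports which stage the site has reached. The response dicts, the host wiki.example and the sample headers are constructed.

```python
# Classify a site's HTTPS rollout stage from its redirect behaviour and HSTS header.
# Stage 0: HTTPS redirected back to HTTP (the situation in the thread).
# Stage 1: HTTPS served without a downgrade redirect; HTTP still served as-is.
# Stage 2: HTTP redirected to HTTPS and a usable HSTS header sent over HTTPS.
# A response is {"status": int, "headers": dict} with header names lowercased.
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if absent or lacking a valid max-age."""
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def redirect_scheme(response):
    """Scheme of the Location target for a redirect response, else None."""
    if response["status"] not in (301, 302, 303, 307, 308):
        return None
    return urlsplit(response["headers"].get("location", "")).scheme.lower() or None

def rollout_stage(http_response, https_response):
    """Return (stage, reason) for the responses to the http:// and https:// requests."""
    if redirect_scheme(https_response) == "http":
        return 0, "HTTPS is redirected back to HTTP; session cookies travel in the clear"
    if redirect_scheme(http_response) != "https":
        return 1, "HTTPS works but HTTP is still served; users reach HTTP via bookmarks"
    # Browsers only honour HSTS on responses received over HTTPS, so inspect that one.
    hsts = parse_hsts(https_response["headers"].get("strict-transport-security"))
    if hsts is None or hsts["max_age"] <= 0:
        return 1, "HTTP redirects to HTTPS but HSTS is missing; first visit still downgradable"
    return 2, "HTTP redirects to HTTPS and HSTS is set (max-age=%d)" % hsts["max_age"]

# Constructed sample responses for wiki.example (not captured from any real site).
STAGE0 = ({"status": 200, "headers": {}},
          {"status": 301, "headers": {"location": "http://wiki.example/wiki/Main_Page"}})
STAGE2 = ({"status": 301, "headers": {"location": "https://wiki.example/wiki/Main_Page"}},
          {"status": 200, "headers": {"strict-transport-security": "max-age=31536000; includeSubDomains"}})
```

Feed it the status and headers from two real fetches (one per scheme, without following redirects) to see where a site stands; an HSTS header sent only on the HTTP response is ignored by browsers and is therefore not counted.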
There are some special challenges involved for us with secure certificates and domains (in particular). We are still working to have content transmitted securely in the near future. In the meantime, as you said, the part that really needs to be securely encrypted (your login) is indeed delivered by HTTPS.
I can't provide an ETA, unfortunately.
Just pointing out this was said a whole two years ago... Has there been a test site yet?
FishTank wrote: … In the meantime, as you said, the part that really needs to be securely encrypted (your login) is indeed delivered by HTTPS.
This would only be an improvement if we would only be concerned about the security of the password choices of the users and not their accounts:
If you would want to illegitimately use an account, it makes little difference whether you know its login details, or are able to read unencrypted traffic between the server and the browser and hijack the session. Having access to the client's local area network (including merely being able to somehow circumvent its encryption, e.g. KRACK) or any other exposed point between the server and the browser makes it possible to eavesdrop on all traffic that is not encrypted between the two.
On top of that, I can't come up with another site that, to this day, can't be normally used with "Block all unencrypted requests" toggled on from HTTPS Everywhere.