While we await the deprecation of login https (MDL-42834), we should make the following changes (that don't involve removing the setting completely):
- Warn in the loginhttps' help text not to use it.
- When it's on, warn in the security report about it.
- Change the setting name to "Use HTTPS only for logins"
- Disable it if you are already using HTTPS site wide. (It makes it seem like without the option checked HTTP will be used for logins, which is not correct.)
I'm seeing more and more posts about loginhttps on the security forums and it's bringing up a bunch of other problems.
- People don't know that they won't be able to use their site behind a proxy if they use loginhttps (MDL-45539 will stop this being a problem)
- It confuses people, making them think their site is more secure than it is (in general)