Security and privacy

I disagree with the sentiment that loginhttps and http are of equivalent security. Leaked credentials and leaked sessions are of differing value because:

• Sessions are limited life - they have to be used within a relatively short timeframe of capture, and cannot be reused at a later date.
  
• Sites that have unified credentials (LDAP, AD, etc), the credentials give you access to all sites, while a session wouldn't.
  
• Users may reuse credentials on other sites - while it's bad practice, it is still very common.
  

Sites may use http content for performance reasons (https take CPU time, and is non-cachable), embedding, etc reasons, or the content within Moodle maybe considered of low value if compromised, but the credentials would allow access to much higher value systems.

I don't really have an opinion or not if loginhttps is dropped (we only use full https systems), but I don't necessarily agree with the premise that it is of equivalent security to plain http.

I would also note that many sites prevent embeds of https pages to prevent click jacking. We ultimately tell most of our users to not use embeds.

Eric is right. Login https is more secure than http, partly because credentials which probably work for other systems are much more sensitive than a transient session ID. We should be very clear that the proposal is to remove the "medium security" option and force users to choose between "low security" and "high security".  Not that any site running Moodle is actually "high security", but that's slowly being improved.

There are occasionally issues with https only, for example last week Chrome had an issue with popups and https, IE has a long standing issue where it doesn't close https connections which results in a minor "DOS", etc.  For these reasons, there certainly may be cases where an admin does not wish to use TLS for everything, or where that simply is not an option, where it breaks things.  My career is primarily in internet security, and from my viewpoint there are some advantages of using TLS for everything*, all the time, but it just doesn't quite work sometimes with real-world browsers and all.

* In the general case, there is also the argument that marking everything as "secure" by using TLS weakens security by blurring the line between what's confidential and what's not. Similar to the fact that marking every document in your office "confidential" guarantees that employees become accustomed to ignoring the designation. Better to have your public pages https://www.site.com and your credit card payment form on https://secure.site.com, running on a secured server, the argument goes. There is some merit to that.

A filter to convert http to https in links to external content is trivial to implement. Would be surprised if there wasn't one out in the community already, freely available.

Could it be easily expanded to include other common sites used for embeds such as issuu and others people suggest (see what I wrote further down before spotting this post of yours)? Then moodle HQ could make it core as part of the  loginhttps-devoid version(s).

For the check, I wonder if the ruleset provided by the EFF for HTTPS Everywhere could be used by Moodle - I'm unsure on the licencing of the ruleset they provide however - but it would certainly be easier than Moodle maintaining it's own rules.

https://www.eff.org/https-everywhere

They also have an "Atlas" of all the sites they know of which support http/https at https://www.eff.org/https-everywhere/atlas/ which could be a starting point - but using their list would certainly be easier if the licencing is permissive enough.