WordPress.com Enables HTTPS Encryption For All Websites

On Friday, WordPress announced that it is bringing free HTTPS to all -- "million-plus" -- custom domains, essentially ramping up security on every blog and website. The publishing platform says it partnered with Let's Encrypt project to implement HTTPS across such a voluminous number of sites. From the blog: For you, the users, that means you'll see secure encryption automatically deployed on every new site within minutes. We are closing the door to un-encrypted web traffic (HTTP) at every opportunity.

so, hungary just banned wordpress.

smart move, monkeys

Re:so, hungary just banned wordpress.

It will be if the entire internetz move to https. people in hungary won't be able to access much (assuming they keep blocking more https only sites). Then they'll eventually be likened to north korea or pr china.

HTTPS real meaning

[fbobraga]

"Hopefully Talking To People Securely" (sorry by the joke, but it was stronger than me :P)

Re:HTTPS real meaning

Sites switching to https might stop casual sniffing, but if the CAs they use (versign et al) allow access by NSA, it really doesn't matter.

Re:HTTPS real meaning

[bluefoxlucid]

The big push for HTTPS is a technological one as far as I can see. Back in the day, you'd buy a separate SSL endpoint to handle the encryption; today, TLS encryption of HTTP causes latency increases of a statistical 5mS at worst (i.e. there's a lot of overlap and it looks like 0, but a lot of math tells us there's 5mS lost on average somewhere in there if you look hard enough), and the CPU toll is about 2% more computational overhead in the most complex part of the key exchange. TLS costs a fraction of a percent of CPU now for the ongoing session.

In other words: HTTPS is approximately identical to HTTP in terms of cost, and the likelihood that your site dies under load at any given time is roughly equivalent when using either protocol. Suddenly it's a big dialogue.

Re:HTTPS real meaning

[tepples]

Back in the day, you'd buy a separate SSL endpoint to handle the encryption

Also back in the day, you'd buy a separate IP address for each customer that wants to employ TLS. That became very expensive in the era of IPv4 address exhaustion. This requirement ended on April 8, 2014, when Windows XP reached the end of extended support. Internet Explorer for Windows XP had been the last major web browser not to support Server Name Indication, which makes name-based virtual hosting practical for HTTPS and other TLS-based protocols.

In other words: HTTPS is approximately identical to HTTP in terms of cost

This is true so long as you either A. have root on your web server or B. have a means of automating installation of renewed certificates. Some shared hosting providers are so far behind on Let's Encrypt implementation that people have become passive-aggressive, making a Ruby script to automatically send an e-mail to the host's support department to get a renewed cert installed.

There is another cost: mixed content blocking. A lot of sites rely on external resources not yet available through HTTPS, and web browsers block HTTP resources embedded in an HTTPS page. Sponsors are a big one; not until September 2013 did a major ad network become available through HTTPS.

Re:HTTPS real meaning

[bluefoxlucid]

This is true so long as you either A. have root on your web server or B. have a means of automating installation of renewed certificates.

(A) is a matter of service and marketing; (B) is a matter of technology. That it's cheap to do something (i.e. technology) doesn't mean people have done it (else everything would have gone TLS in the mid-2000s, when this privacy dialogue had gotten nice and hot--remember PGP in the 90s?).

Re:HTTPS real meaning

There is no reason to use shared hosting. You can get more for the same price with a VPN

Re:HTTPS real meaning

[tepples]

VPN is a tunnel; VPS is a server. With a VPS, you "A. have root on your web server". But for someone currently paying $5 to $8 per month for web hosting, which VPS providers in that price range are any good?

Re:HTTPS real meaning

[oddware]

I currently use vultr.com, have found them nice and reliable. The cheapest full VPS they have is $5 for 768MB Ram & 15GB ssd. If you only have a small user base you can get away with hosting it on a home/business connection using DynDns's dns while using the updater client on your server.

Re:HTTPS real meaning

[oddware]

Sorry, i meant to say $5 Per month

Re:HTTPS real meaning

[pepsikid]

Yeah, remote HTTP and HTTPS resources embedded on our HTTPS page didn't work any more. This is why I haven't implemented an HTTP forward to HTTPS rule yet, though I do have TLS certs for my websites now.

Weirdly enough, Google's Calendar and some other things are Iframed HTTPS but work whether embedded in an encrypted page or not. I would love to know how they do that.

Re:HTTPS real meaning

[pepsikid]

We've been using Virtualmin 'virtual hosts' management software, on a virtual machine for double virtuosity, for several years with great results. These are the guys who did Webmin and Usermin which are like open source cPanel. The layout is awful and I keep finding goodies buried in strange places, but hey, free is free!
It includes a one-click control panel to get Let's Encrypt certs.

Re:HTTPS real meaning

Your HTTPS talks to people? I thought it stood for: "Hopefully Talking To Proper Server"

--sf

Re:HTTPS real meaning

[fbobraga]

my bad: was a joke :P

Re:HTTPS real meaning

[tepples]

Weirdly enough, Google's Calendar and some other things are Iframed HTTPS but work whether embedded in an encrypted page or not. I would love to know how they do that.

An HTTPS frame inside an HTTP page always works. The reverse does not.

Re:HTTPS real meaning

vps dime

Re:HTTPS real meaning

Yeah, I derped

Re:HTTPS real meaning

No such thing as a tunnel is computer science. That is just a simplistic description so the morons can understand it.

Incoming Security Errors

[JourneymanMereel]

Sadly this probably means tons of mixed content security errors are about to start happening. Everybody who linked to an image in their blog with the full URL (http://site.com/image.png) will have images that used to load with no problem start throwing up security errors. I had this problem when I got the Let's Encrypt certificate for my blog. Had to go back and change all the images I had loaded in my previous posts to use my new https URLs. Fortunately, I don't post often so there weren't too many...

Re:Incoming Security Errors

[lesincompetent]

Awesome, it also forces you to correct your mistakes.

Re:Incoming Security Errors

[chihowa]

Awesome, it also forces you to correct your mistakes.

From his post:

Had to go back and change all the images I had loaded in my previous posts to use my new https URLs.

Apparently not.

Re:Incoming Security Errors

[omnichad]

You can do a full URL without specifying protocol. Instead of http:/// or https:/// you can just use //

Re:Incoming Security Errors

geez, get with the times man. Einstein solved this problem 100 years ago already.

Re:Incoming Security Errors

[U2xhc2hkb3QgU3Vja3M]

Why use // when / is enough?

Re:Incoming Security Errors

[lesincompetent]

Humanity has failed me again.

Re: Incoming Security Errors

[omnichad]

I'm talking about full external links. One/ is not enough. Example - use //Google.com/file instead of http://google.com/file or https://google.com/file

Re:Incoming Security Errors

[carleton]

because if your webpage is on www.foo.com and you want to pull a js library from www.bar.com, you can do src="//www.bar.com/cdn/bogus.js" and not have to worry if foo switches over to https only (as long as bar.com supports https) (or did a joke just go over my head)

Re:Incoming Security Errors

At least deep linkers (to images off-site that have no https, aka "bandwidth stealers") are going to suffer from this the most

This /**might **/ be a good thing for those types of people to educate them that they should really host their own content (from the kinds of things lest someone else goatse the content they link to)

Re:Incoming Security Errors

[ptaff]

you want to pull a js library from www.bar.com

Don't do that. You're introducing latency, you're violating the privacy of your visitors (bar.com knows about them) and you're putting them at risk, security-wise (bar.com gets 0wn3d? your visitors get 0wn3d as well). Don't be a lazy hacker and just spend the 2 minutes needed to store a local copy.

Re:Incoming Security Errors

[U2xhc2hkb3QgU3Vja3M]

+5 insightful, +25 informative

Re:Incoming Security Errors

[oddware]

This.
Reduce the requirement/dependency for 3rd party server to be involved

Re:Incoming Security Errors

[pepsikid]

If this is in a Wordpress blog, I suggest using Velvet Blues plugin to mass update your links, or
Image Teleporter to download remote images to local; it also updates urls.

Re:Incoming Security Errors

[omnichad]

There's also the case of images being on a different subdomain or CDN (all run by you)

Re: Incoming Security Errors

It's not really a "full" URL if you're leaving bits out.

But more seriously, it's all very well that you can do that, but it doesn't magically fix all the existing links that specify http://.

Re: Incoming Security Errors

Is grep that difficult for you?

Re:Incoming Security Errors

[burbilog]

Awesome, it also forces you to correct your mistakes.

Unfortunately, it can't force me to correct mistakes on other people's sites. And they will remain broken. A lot. And people are going to get used to "broken" mark and nobody will care about it after all.

Great. Exactly what we needed.

perception of security

[kiviQr]

Great all sites that should have been "static" are sent over encrypted channel while WP is still a Swiss cheese.

Re:perception of security

[__aaclcg7560]

I started converting my older WordPress websites into static websites. My main website used to get 4,000+ script kiddies per day from Russia and Asia. After it became a static website with no PHP or SQL calls, they went somewhere else.

Re:perception of security

I get PHP-based attack attempts every day and I have never had php installed on my server because I am not an incompetent fuckwit.

Re:perception of security

That, right there.

Re:perception of security

[__aaclcg7560]

I have never had php installed on my server because I am not an incompetent fuckwit.

Every ISP and web hosting company that I ever used had PHP installed by default for the LAMP stack. Sometimes you don't have a choice in the matter.

Re:perception of security

Don't be silly. PHP has it's uses.
I like to compare to to Visual Basic. It's a write only language. Very easy to throw some shit together but a nightmare to maintain the result.
It has a bunch of useful built in functions that does almost what you want if it weren't for some detail that requires you to use it with a workaround.

When you want to throw together a temporary web page to do something simple and then never look back PHP is the right choice.

Re:perception of security

That is because you are an incompetent fuckwit that uses shared hosting. You have a choice if you are smart enough to use a VPS host.

Shared hosting was stupid in 2005, it is downright ridiculously stupid in 2016.

Re:perception of security

[__aaclcg7560]

You have a choice if you are smart enough to use a VPS host.

Which is what I have in 2016.

Re:perception of security

There is no valid use for PHP.

Using it is a sign of utter cluelessness. Maybe in 2003 it was acceptable even though it was more retarded then than it is now, and make no mistake PHP 7 is still full retard. Name a significant web app that started development in 2007 to the present that uses it.

Re:perception of security

If you had shared hosting at any point in the past 11 years, you are an incompetent fuckwit.

Grats on only being a decade behind!

Re:perception of security

[__aaclcg7560]

Grats on only being a decade behind!

I got started with web hosting in 1997. Opened a text file, put some HTML code in it, and uploaded to my account folder on a UNIX server.

Re:perception of security

ooh

I bet that was extremely difficult for you. That is literally the easiest thing you can possibly do on a server.

Re:perception of security

[__aaclcg7560]

I bet that was extremely difficult for you.

Uploaded from an IBM AT with a 2400 baud modem.

Re:perception of security

So you were a decade behind even in 1997?

(Ouch!)

Re:perception of security

I use PHP, though I sometimes have to hold my nose.

Why? Because I'm not a purist, I'm a pragmatist. I'm not hung up on whether the tool is "good" or "bad" but rather what it can do for me. PHP allows me to get good performance in the least time. I rarely have months of schedule and millions of dollars to build a site, so efficiency counts.

By way of rebuttal: Can Great Apps Be Written in PHP?

Re:perception of security

[__aaclcg7560]

So you were a decade behind even in 1997?

As the seventh grade girls pointed out in the early 1980's, I came from a poor family because we didn't have an Apple ][ computer and cable to get MTV. I learned to work with what I got and not what I don't have.

Re:perception of security

Yep. In business, the name of the game is fast, cheap, adequate. "Good" is often considered a luxury. That's why PHP is so popular: it's free, ubiquitous, and just about any out-of-work C programmer will find it easy to pick up.

This comment on Mailchimp's blog Ewww, You Use PHP? sums up my experience as well:

John
THANK YOU! I have heard the gripes so many times about how horrible PHP is and the snooty remarks about LAMP stacks and yet I consistently see PHP used phenomenally well in all kinds of applications I once endured a meeting that included an entourage of ASP and MS Sequel Server guys and sales people. When asked what I planning to use (prior of course to this “meeting”) the terms PHP and MySQL came up and a hardy laugh followed at my expense. I was quickly told how IIS, ASP, and MSSql are the “big brother” of prior mentioned products. Six figure dev quotes later and deciding to go it on our own, we got what we needed in place for the 3 figure quote of $100 Needless to say, I’m pleased to see you OPENLY admitting to PHP Go for it!

Re:perception of security

oooh

So it took longer to upload, big fucking whoop.

Dumbass

Re:perception of security

The answer is no. There are no great apps written in PHP.

Go look at joomla, mediawikiaka wikipedia), wordpress, facebook all of it sucks.

As someone from facebook about PHP. You won't get any positive response.

Re:perception of security

Name a language that isn't free.

People use it because they are fucking retarded.

Re:perception of security

No, people use it to spin straw into gold.

Tell me what language you use? Java? C#/ASP.NET? How much did it cost to deploy your last large web app?

Oh, who am I kidding... You've never written a large web app.

Re:perception of security

It has been over 10 years since someone used PHP to start a "large web app".

Facebook has invested 10s of million of dollars working around Zuckerburgs idiotic decision to use PHP. That is time and money gone forever needlessly.

Dumbass.

PHP: Even its creator doesn't give a shit if he has to restart his server every 10 minutes.

Re:perception of security

Yet they didn't put that time and effort into rebuilding the site on one of your "superior" solutions. I wonder why that is?

You anti-PHP snobs never manage to name an alternative that can get the job done faster and cheaper. I wonder why that is?

How many dozen replies do you need to say "here's what they should have used to build Facebook," and how and why it would be better. Nope, ya got no wisdom to offer - just "PHP teh suXX0rz!!1!!"

Re:perception of security

They did switch to better languages dumbass.

The only PHP left at Facebook is the front end server stuff, all the back end has been replaced by much better tech.

The chat server is Erlang. The other backend services are a mix of C, C++ and Java. Python is used as glue code. All 5 of those languages are superior to PHP. It is not hard to find this information.

That is the problem is PHP fucktards, they don't know enough to know that PHP is shit and get butt hurt when someone posts the truth.

Google for Facebook employees comments on PHP and see if you can find one complimentary thing.

Rasmus Lerdorf is on record as hating programming and would rather restart his servers every 10 minutes instead of coding correctly in a correct language. These are easily found using Google, who does not use PHP.

Moron

Re:perception of security

"Front end server stuff"? You just exposed how clueless you are if you don't know the difference between front end and back end. PHP is back end.

Further, none of the solutions you mentioned are replacements for PHP. They run back-end services used by the PHP and web server; you might as well say a switch to SQL from PHP-hosted files is a "replacement" for PHP because SQL is a better language for making database queries.

"Glue code" in another language is a far cry from reimplementing your MVC in C++ or Python or Java, and even if you DID create a web server module in one of those "better" languages, it would take longer and cost more.

BTW PHP has not been Rasmus's baby for a long, long time.

Re:perception of security

You are really fucking stupid.

"front end SERVER" ie generate HTML to send to the client. I am not shocked you didn't know what that means because being a PHP fan, you are uneducated and idiotic.

That is all FB does with PHP, a fucking HTML generator. The other languages are replacements because FB used to be 100% PHP before they started hiring professionals. None of the heavy lifting done on FB servers is done by PHP because PHP is too weak.

PHP requires more lines of code to do the same things in C, C++, Erlang and Python. It can probably beat Java in LoC.

Erlang and Python can be produced much faster and maintain quality over PHP. To write even 100 lines of PHP that is correct and secure takes weeks. You get both for free out of the box with Erlang and Python doesn't give you the wrong way to do things as the easiest path like PHP does.

Python is used as glue code. Erlang, C, C++ and Java are used to implement actual services. There are no FB PHP services.

Fuck, you PHP-tards are epically fucking retarded.

Re:perception of security

Actually I'm just jerking your chain, parroting things PHP fans have said. I don't know much about PHP. I played with it a bit but didn't care enough to build anything substantial with it.

Still, when I see someone frothing at the mouth, I can't help but wonder how far you are from an aneurysm.

Such colorful language, too!

incompetent fuckwit
utter cluelessness
full retard
fucking retarded
dumbass
fucktards
moron
really fucking stupid
uneducated and idiotic
epically fucking retarded

It's hard to believe you're a professional anything.

Still, however you were bullied and abused in childhood, there is help available. A few years of therapy isn't cheap but you'll be better off.

Re:perception of security

Yeah right fucktard.

You got owned and can't admit it.

I didn't even post every time in this subthread but nice try PHP amateur.

Re:perception of security

Oh, I admit it -- I know way less about this shit than you.

However, you got trolled and can't deal with it.

Because your stupid aspie, dunning-krueger reactionary pissing contest brain can't help but spew vitriol.

Seriously, get help before you end up sitting in a retirement home swearing at the TV because no one else will come near you...

Re:perception of security

You are the uneducated one but I need help?

You are too clueless to help yourself and learn something.

First step, ditch PHP. ANYTHING is better.

You are also too stupid to know that aspergers is not a valid diagnosis and no I don't have autism.

Fuckstain

vulnerabilities

Will this help reduce the severity of that slew of vulns that seems never ending??

Re:vulnerabilities

[vilanye]

no

Let's Encrypt still not widely supported

[Actually,+I+do+RTFA]

I just heard "You're going to be getting a lot of calls from people because Let's Encrypt isn't a CA they trust, and instead of it just being encrypted, people will think it's broken."

Re:Let's Encrypt still not widely supported

The LetsEncrypt Authority certificate is cross-signed by Iden Trust ("DST Root CA X3" Root CA). Let's Encrypt has issued more than a million certificates. This is not an issue.

Won't help.

Sure, HTTPS is good and all, but it won't help back-end flaws.
No levels of encryption will help that. It might make things harder to understand. For now. But it won't eliminate the flaw.

Never trust any input from a user. Doesn't matter if it is an IP or referrer, user-agent of browser version.
Everything from a user is potentially malicious. Secure it, wrap it, nullify escape sequences, whatever you need.

Wordpress already had an issue with this previously if I remember correct, where user-agents were stored as-is in a DB, which was being used to hack in some way. (I forgot how it worked, it was a while back)

IdenTrust also not widely supported

[tepples]

The Let's Encrypt intermediate certificates are cross-signed by IdenTrust, an established CA. From which major web browser's default certificate store is IdenTrust missing?

Re:IdenTrust also not widely supported

[Actually,+I+do+RTFA]

It was FireFox 44 or Chrome as of last month.

Re:IdenTrust also not widely supported

I tested this when the open beta was first announced and didn't have any browser issues with chrome or firefox trusting the cert. Perhaps you messed up your intermediate cert config somewhere.

mS versus ms

[...] today, TLS encryption of HTTP causes latency increases of a statistical 5mS at worst [...]

Five milli-Siemens?

* https://en.wikipedia.org/wiki/Siemens_(unit)

"s" is the SI symbol for seconds.

What is the point

of encrypting 99.99% of blog traffic, when that traffic - the blog posts - is visible to the whole Internet anyway?

Re:What is the point

[pepsikid]

The more TLS traffic we get flooding the Internet, the less indiscriminate hoovering the spooks will do?

HTTP/2 actual main reason

[xororand]

HTTP/2 might be the actual main motive for this switch. HTTP/2 is more efficient than HTTP/1 but requires TLS encryption.

Indeed, wordpress.com does offer HTTP/2:

url="https://www.wordpress.com"
curl -v --http2 -I -o /dev/null "$url" 2>&1 |grep ALPN
* ALPN, offering h2
* ALPN, offering http/1.1
* ALPN, server accepted to use h2

Re: HTTP/2 actual main reason

[corychristison]

Actually TLS is not a requirement for HTTP/2.

See https://http2.github.io/faq/#does-http2-require-encryption

Re: HTTP/2 actual main reason

In practice no browser will load http2 unless it's running under tls and picked up via alpn/npn TLS extensions.

Given Unicode, encodings, etc escape on output

[raymorris]

In 1998, a security- conscious person would sanitize input, and blacklist certain characters. strip_slashes(), quote_meta() and friends were best practice.

Today, there are so many well-known ways around that using different encodings and such, it's virtually impossible to do securely. Instead, today we recognize that user input is potentially malicious and treat it that way - forever. It's NEVER considered sanitized , because it never can be. That means when storing data to a database, we use bound parameters, never interpolated strings. User input can't be used for sql injection because the input isn't part of the query, it's a data parameter that the query carries. On output, encode.

In other words, the user agent SHOULD be stored as-is in the database, because it can't possibly be made clean. Just remember that and don't echo it straight to the html output. Encode it first because it's binary data of unknown origin.

Welcome to the 21st century

Took you assholes long enough. Even de-facto dead 90s roadkill sites like slashdot had already made this switch.

Of course, being encrypted doesn't mean a thing. WordPress is swiss cheese security, always has been and always will be.

So caching proxies are a bit more useless now

While HTTPS encryption is nice in terms of privacy (someone listening in on your line now only knows which server you talk to, instead of what you talk about), it kills the utility of proxies like squid. At a local school it was, before YouTube went encrypted by default, possible to have a whole class open a video - which is now history since their downlink isn't big enough to deliver 30 videos in parallel (instead of one which could be cached and distributed locally).

It is a big step back for them, sadly.

Wont someone think of the hosting companies

[AHuxley]

That as a value added service, with per year costs they could add onto low upfront priced hosting and domain packages.

So the most hacked web platform on the planet is..

Now "secure" because it is hidden behind HTTPS? If your employer wasn't doing HTTPS interception before they sure as heck better be doing it now.