WordPress.com Enables HTTPS Encryption For All Websites

← Back to Stories (view on slashdot.org)

WordPress.com Enables HTTPS Encryption For All Websites

Posted by msmash on Friday April 8, 2016 @07:30AM from the affinity-for-https dept.

On Friday, WordPress announced that it is bringing free HTTPS to all -- "million-plus" -- custom domains, essentially ramping up security on every blog and website. The publishing platform says it partnered with Let's Encrypt project to implement HTTPS across such a voluminous number of sites. From the blog: For you, the users, that means you'll see secure encryption automatically deployed on every new site within minutes. We are closing the door to un-encrypted web traffic (HTTP) at every opportunity.

42 of 86 comments (clear)

Min score:

Reason:

Sort:

so, hungary just banned wordpress. by Anonymous Coward · 2016-04-08 07:35 · Score: 1

smart move, monkeys
HTTPS real meaning by fbobraga · 2016-04-08 07:39 · Score: 3, Insightful

"Hopefully Talking To People Securely" (sorry by the joke, but it was stronger than me :P)
1. Re:HTTPS real meaning by bluefoxlucid · 2016-04-08 07:56 · Score: 3
  
  The big push for HTTPS is a technological one as far as I can see. Back in the day, you'd buy a separate SSL endpoint to handle the encryption; today, TLS encryption of HTTP causes latency increases of a statistical 5mS at worst (i.e. there's a lot of overlap and it looks like 0, but a lot of math tells us there's 5mS lost on average somewhere in there if you look hard enough), and the CPU toll is about 2% more computational overhead in the most complex part of the key exchange. TLS costs a fraction of a percent of CPU now for the ongoing session.
  In other words: HTTPS is approximately identical to HTTP in terms of cost, and the likelihood that your site dies under load at any given time is roughly equivalent when using either protocol. Suddenly it's a big dialogue.
  
  --
  Support my political activism on Patreon.
2. Re:HTTPS real meaning by tepples · 2016-04-08 08:25 · Score: 3, Interesting
  
  Back in the day, you'd buy a separate SSL endpoint to handle the encryption
  Also back in the day, you'd buy a separate IP address for each customer that wants to employ TLS. That became very expensive in the era of IPv4 address exhaustion. This requirement ended on April 8, 2014, when Windows XP reached the end of extended support. Internet Explorer for Windows XP had been the last major web browser not to support Server Name Indication, which makes name-based virtual hosting practical for HTTPS and other TLS-based protocols.
  
  In other words: HTTPS is approximately identical to HTTP in terms of cost
  This is true so long as you either A. have root on your web server or B. have a means of automating installation of renewed certificates. Some shared hosting providers are so far behind on Let's Encrypt implementation that people have become passive-aggressive, making a Ruby script to automatically send an e-mail to the host's support department to get a renewed cert installed.
  There is another cost: mixed content blocking. A lot of sites rely on external resources not yet available through HTTPS, and web browsers block HTTP resources embedded in an HTTPS page. Sponsors are a big one; not until September 2013 did a major ad network become available through HTTPS.
3. Re:HTTPS real meaning by bluefoxlucid · 2016-04-08 08:46 · Score: 1
  
  This is true so long as you either A. have root on your web server or B. have a means of automating installation of renewed certificates.
  (A) is a matter of service and marketing; (B) is a matter of technology. That it's cheap to do something (i.e. technology) doesn't mean people have done it (else everything would have gone TLS in the mid-2000s, when this privacy dialogue had gotten nice and hot--remember PGP in the 90s?).
  
  --
  Support my political activism on Patreon.
4. Re:HTTPS real meaning by tepples · 2016-04-08 12:26 · Score: 1
  
  VPN is a tunnel; VPS is a server. With a VPS, you "A. have root on your web server". But for someone currently paying $5 to $8 per month for web hosting, which VPS providers in that price range are any good?
5. Re:HTTPS real meaning by oddware · 2016-04-08 12:59 · Score: 1
  
  I currently use vultr.com, have found them nice and reliable. The cheapest full VPS they have is $5 for 768MB Ram & 15GB ssd. If you only have a small user base you can get away with hosting it on a home/business connection using DynDns's dns while using the updater client on your server.
6. Re:HTTPS real meaning by oddware · 2016-04-08 13:26 · Score: 1
  
  Sorry, i meant to say $5 Per month
7. Re:HTTPS real meaning by pepsikid · 2016-04-08 15:27 · Score: 1
  
  Yeah, remote HTTP and HTTPS resources embedded on our HTTPS page didn't work any more. This is why I haven't implemented an HTTP forward to HTTPS rule yet, though I do have TLS certs for my websites now.
  Weirdly enough, Google's Calendar and some other things are Iframed HTTPS but work whether embedded in an encrypted page or not. I would love to know how they do that.
8. Re:HTTPS real meaning by pepsikid · 2016-04-08 15:32 · Score: 1
  
  We've been using Virtualmin 'virtual hosts' management software, on a virtual machine for double virtuosity, for several years with great results. These are the guys who did Webmin and Usermin which are like open source cPanel. The layout is awful and I keep finding goodies buried in strange places, but hey, free is free!
  It includes a one-click control panel to get Let's Encrypt certs.
9. Re:HTTPS real meaning by fbobraga · 2016-04-09 00:05 · Score: 1
  
  my bad: was a joke :P
10. Re:HTTPS real meaning by tepples · 2016-04-09 01:54 · Score: 1
  
  Weirdly enough, Google's Calendar and some other things are Iframed HTTPS but work whether embedded in an encrypted page or not. I would love to know how they do that.
  An HTTPS frame inside an HTTP page always works. The reverse does not.
Incoming Security Errors by JourneymanMereel · 2016-04-08 07:54 · Score: 2, Insightful

Sadly this probably means tons of mixed content security errors are about to start happening. Everybody who linked to an image in their blog with the full URL (http://site.com/image.png) will have images that used to load with no problem start throwing up security errors. I had this problem when I got the Let's Encrypt certificate for my blog. Had to go back and change all the images I had loaded in my previous posts to use my new https URLs. Fortunately, I don't post often so there weren't too many...

--
Life has many choices. Eternity has two. What's yours?
1. Re:Incoming Security Errors by lesincompetent · 2016-04-08 08:12 · Score: 3, Informative
  
  Awesome, it also forces you to correct your mistakes.
2. Re:Incoming Security Errors by chihowa · 2016-04-08 08:53 · Score: 3, Informative
  
  Awesome, it also forces you to correct your mistakes.
  From his post:
  
  Had to go back and change all the images I had loaded in my previous posts to use my new https URLs.
  Apparently not.
  
  --
  If you want a vision of the future, imagine a youtube comments section scrolling - forever.
3. Re:Incoming Security Errors by omnichad · 2016-04-08 08:56 · Score: 4, Informative
  
  You can do a full URL without specifying protocol. Instead of http:/// or https:/// you can just use //
4. Re:Incoming Security Errors by lesincompetent · 2016-04-08 09:45 · Score: 1
  
  Humanity has failed me again.
5. Re: Incoming Security Errors by omnichad · 2016-04-08 09:54 · Score: 1
  
  I'm talking about full external links. One/ is not enough. Example - use //Google.com/file instead of http://google.com/file or https://google.com/file
6. Re:Incoming Security Errors by carleton · 2016-04-08 09:54 · Score: 1
  
  because if your webpage is on www.foo.com and you want to pull a js library from www.bar.com, you can do src="//www.bar.com/cdn/bogus.js" and not have to worry if foo switches over to https only (as long as bar.com supports https) (or did a joke just go over my head)
7. Re:Incoming Security Errors by ptaff · 2016-04-08 11:06 · Score: 4, Insightful
  
  you want to pull a js library from www.bar.com
  Don't do that. You're introducing latency, you're violating the privacy of your visitors (bar.com knows about them) and you're putting them at risk, security-wise (bar.com gets 0wn3d? your visitors get 0wn3d as well). Don't be a lazy hacker and just spend the 2 minutes needed to store a local copy.
8. Re:Incoming Security Errors by U2xhc2hkb3QgU3Vja3M · 2016-04-08 11:18 · Score: 1
  
  +5 insightful, +25 informative
9. Re:Incoming Security Errors by oddware · 2016-04-08 13:06 · Score: 1
  
  This.
  Reduce the requirement/dependency for 3rd party server to be involved
10. Re:Incoming Security Errors by pepsikid · 2016-04-08 15:39 · Score: 1
  
  If this is in a Wordpress blog, I suggest using Velvet Blues plugin to mass update your links, or
  Image Teleporter to download remote images to local; it also updates urls.
11. Re:Incoming Security Errors by omnichad · 2016-04-08 16:45 · Score: 1
  
  There's also the case of images being on a different subdomain or CDN (all run by you)
12. Re:Incoming Security Errors by burbilog · 2016-04-15 06:40 · Score: 1
  
  Awesome, it also forces you to correct your mistakes.
  Unfortunately, it can't force me to correct mistakes on other people's sites. And they will remain broken. A lot. And people are going to get used to "broken" mark and nobody will care about it after all.
  Great. Exactly what we needed.
perception of security by kiviQr · 2016-04-08 07:56 · Score: 2

Great all sites that should have been "static" are sent over encrypted channel while WP is still a Swiss cheese.
1. Re:perception of security by __aaclcg7560 · 2016-04-08 08:14 · Score: 2
  
  I started converting my older WordPress websites into static websites. My main website used to get 4,000+ script kiddies per day from Russia and Asia. After it became a static website with no PHP or SQL calls, they went somewhere else.
2. Re:perception of security by __aaclcg7560 · 2016-04-08 12:13 · Score: 1
  
  I have never had php installed on my server because I am not an incompetent fuckwit.
  Every ISP and web hosting company that I ever used had PHP installed by default for the LAMP stack. Sometimes you don't have a choice in the matter.
3. Re:perception of security by __aaclcg7560 · 2016-04-09 09:06 · Score: 1
  
  You have a choice if you are smart enough to use a VPS host.
  Which is what I have in 2016.
4. Re:perception of security by __aaclcg7560 · 2016-04-09 12:41 · Score: 1
  
  Grats on only being a decade behind!
  I got started with web hosting in 1997. Opened a text file, put some HTML code in it, and uploaded to my account folder on a UNIX server.
5. Re:perception of security by __aaclcg7560 · 2016-04-09 13:16 · Score: 1
  
  I bet that was extremely difficult for you.
  Uploaded from an IBM AT with a 2400 baud modem.
6. Re:perception of security by __aaclcg7560 · 2016-04-10 04:20 · Score: 1
  
  So you were a decade behind even in 1997?
  As the seventh grade girls pointed out in the early 1980's, I came from a poor family because we didn't have an Apple ][ computer and cable to get MTV. I learned to work with what I got and not what I don't have.
IdenTrust also not widely supported by tepples · 2016-04-08 08:29 · Score: 1

The Let's Encrypt intermediate certificates are cross-signed by IdenTrust, an established CA. From which major web browser's default certificate store is IdenTrust missing?
1. Re:IdenTrust also not widely supported by Actually,+I+do+RTFA · 2016-04-08 09:06 · Score: 1
  
  It was FireFox 44 or Chrome as of last month.
  
  --
  Your ad here. Ask me how!
What is the point by Anonymous Coward · 2016-04-08 09:56 · Score: 1

of encrypting 99.99% of blog traffic, when that traffic - the blog posts - is visible to the whole Internet anyway?
1. Re:What is the point by pepsikid · 2016-04-08 15:46 · Score: 1
  
  The more TLS traffic we get flooding the Internet, the less indiscriminate hoovering the spooks will do?
Re:vulnerabilities by vilanye · 2016-04-08 10:15 · Score: 1

no
HTTP/2 actual main reason by xororand · 2016-04-08 10:52 · Score: 1

HTTP/2 might be the actual main motive for this switch. HTTP/2 is more efficient than HTTP/1 but requires TLS encryption.
Indeed, wordpress.com does offer HTTP/2:
url="https://www.wordpress.com" curl -v --http2 -I -o /dev/null "$url" 2>&1 |grep ALPN * ALPN, offering h2 * ALPN, offering http/1.1 * ALPN, server accepted to use h2
1. Re: HTTP/2 actual main reason by corychristison · 2016-04-08 11:56 · Score: 1
  
  Actually TLS is not a requirement for HTTP/2.
  See https://http2.github.io/faq/#does-http2-require-encryption
2. Re: HTTP/2 actual main reason by Anonymous Coward · 2016-04-08 12:49 · Score: 1
  
  In practice no browser will load http2 unless it's running under tls and picked up via alpn/npn TLS extensions.
Given Unicode, encodings, etc escape on output by raymorris · 2016-04-08 11:32 · Score: 1

In 1998, a security- conscious person would sanitize input, and blacklist certain characters. strip_slashes(), quote_meta() and friends were best practice.
Today, there are so many well-known ways around that using different encodings and such, it's virtually impossible to do securely. Instead, today we recognize that user input is potentially malicious and treat it that way - forever. It's NEVER considered sanitized , because it never can be. That means when storing data to a database, we use bound parameters, never interpolated strings. User input can't be used for sql injection because the input isn't part of the query, it's a data parameter that the query carries. On output, encode.
In other words, the user agent SHOULD be stored as-is in the database, because it can't possibly be made clean. Just remember that and don't echo it straight to the html output. Encode it first because it's binary data of unknown origin.
Wont someone think of the hosting companies by AHuxley · 2016-04-08 14:38 · Score: 1

That as a value added service, with per year costs they could add onto low upfront priced hosting and domain packages.

--
Domestic spying is now "Benign Information Gathering"