Slashdot Mirror

← Back to Stories (view on slashdot.org)

WordPress.com Enables HTTPS Encryption For All Websites

Posted by msmash on from the affinity-for-https dept.

On Friday, WordPress announced that it is bringing free HTTPS to all -- "million-plus" -- custom domains, essentially ramping up security on every blog and website. The publishing platform says it partnered with Let's Encrypt project to implement HTTPS across such a voluminous number of sites. From the blog: For you, the users, that means you'll see secure encryption automatically deployed on every new site within minutes. We are closing the door to un-encrypted web traffic (HTTP) at every opportunity.

10 of 86 comments (clear)

  1. HTTPS real meaning by fbobraga · · Score: 3, Insightful

    "Hopefully Talking To People Securely" (sorry by the joke, but it was stronger than me :P)

    1. Re:HTTPS real meaning by bluefoxlucid · · Score: 3

      The big push for HTTPS is a technological one as far as I can see. Back in the day, you'd buy a separate SSL endpoint to handle the encryption; today, TLS encryption of HTTP causes latency increases of a statistical 5mS at worst (i.e. there's a lot of overlap and it looks like 0, but a lot of math tells us there's 5mS lost on average somewhere in there if you look hard enough), and the CPU toll is about 2% more computational overhead in the most complex part of the key exchange. TLS costs a fraction of a percent of CPU now for the ongoing session.

      In other words: HTTPS is approximately identical to HTTP in terms of cost, and the likelihood that your site dies under load at any given time is roughly equivalent when using either protocol. Suddenly it's a big dialogue.

      --
      Support my political activism on Patreon.
    2. Re:HTTPS real meaning by tepples · · Score: 3, Interesting

      Back in the day, you'd buy a separate SSL endpoint to handle the encryption

      Also back in the day, you'd buy a separate IP address for each customer that wants to employ TLS. That became very expensive in the era of IPv4 address exhaustion. This requirement ended on April 8, 2014, when Windows XP reached the end of extended support. Internet Explorer for Windows XP had been the last major web browser not to support Server Name Indication, which makes name-based virtual hosting practical for HTTPS and other TLS-based protocols.

      In other words: HTTPS is approximately identical to HTTP in terms of cost

      This is true so long as you either A. have root on your web server or B. have a means of automating installation of renewed certificates. Some shared hosting providers are so far behind on Let's Encrypt implementation that people have become passive-aggressive, making a Ruby script to automatically send an e-mail to the host's support department to get a renewed cert installed.

      There is another cost: mixed content blocking. A lot of sites rely on external resources not yet available through HTTPS, and web browsers block HTTP resources embedded in an HTTPS page. Sponsors are a big one; not until September 2013 did a major ad network become available through HTTPS.

  2. Incoming Security Errors by JourneymanMereel · · Score: 2, Insightful

    Sadly this probably means tons of mixed content security errors are about to start happening. Everybody who linked to an image in their blog with the full URL (http://site.com/image.png) will have images that used to load with no problem start throwing up security errors. I had this problem when I got the Let's Encrypt certificate for my blog. Had to go back and change all the images I had loaded in my previous posts to use my new https URLs. Fortunately, I don't post often so there weren't too many...

    --
    Life has many choices. Eternity has two. What's yours?
    1. Re:Incoming Security Errors by lesincompetent · · Score: 3, Informative

      Awesome, it also forces you to correct your mistakes.

    2. Re:Incoming Security Errors by chihowa · · Score: 3, Informative

      Awesome, it also forces you to correct your mistakes.

      From his post:

      Had to go back and change all the images I had loaded in my previous posts to use my new https URLs.

      Apparently not.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    3. Re:Incoming Security Errors by omnichad · · Score: 4, Informative

      You can do a full URL without specifying protocol. Instead of http:/// or https:/// you can just use //

    4. Re:Incoming Security Errors by ptaff · · Score: 4, Insightful

      you want to pull a js library from www.bar.com

      Don't do that. You're introducing latency, you're violating the privacy of your visitors (bar.com knows about them) and you're putting them at risk, security-wise (bar.com gets 0wn3d? your visitors get 0wn3d as well). Don't be a lazy hacker and just spend the 2 minutes needed to store a local copy.

  3. perception of security by kiviQr · · Score: 2

    Great all sites that should have been "static" are sent over encrypted channel while WP is still a Swiss cheese.

    1. Re:perception of security by __aaclcg7560 · · Score: 2

      I started converting my older WordPress websites into static websites. My main website used to get 4,000+ script kiddies per day from Russia and Asia. After it became a static website with no PHP or SQL calls, they went somewhere else.