Slashdot Mirror


WordPress.com Enables HTTPS Encryption For All Websites

On Friday, WordPress announced that it is bringing free HTTPS to all -- "million-plus" -- custom domains, essentially ramping up security on every blog and website. The publishing platform says it partnered with the Let's Encrypt project to implement HTTPS across such a voluminous number of sites. From the blog: "For you, the users, that means you'll see secure encryption automatically deployed on every new site within minutes. We are closing the door to un-encrypted web traffic (HTTP) at every opportunity."

7 of 86 comments

  1. HTTPS real meaning by fbobraga · · Score: 3, Insightful

    "Hopefully Talking To People Securely" (sorry by the joke, but it was stronger than me :P)

    1. Re:HTTPS real meaning by bluefoxlucid · · Score: 3

      The big push for HTTPS is a technological one as far as I can see. Back in the day, you'd buy a separate SSL endpoint to handle the encryption; today, TLS encryption of HTTP causes latency increases of a statistical 5 ms at worst (i.e. there's a lot of overlap and it looks like 0, but a lot of math tells us there's 5 ms lost on average somewhere in there if you look hard enough), and the CPU toll is about 2% more computational overhead in the most complex part of the key exchange. TLS costs a fraction of a percent of CPU now for the ongoing session.

      In other words: HTTPS is approximately identical to HTTP in terms of cost, and the likelihood that your site dies under load at any given time is roughly equivalent when using either protocol. Suddenly it's a big dialogue.

    2. Re:HTTPS real meaning by tepples · · Score: 3, Interesting

      Back in the day, you'd buy a separate SSL endpoint to handle the encryption

      Also back in the day, you'd buy a separate IP address for each customer that wants to employ TLS. That became very expensive in the era of IPv4 address exhaustion. This requirement ended on April 8, 2014, when Windows XP reached the end of extended support. Internet Explorer for Windows XP had been the last major web browser not to support Server Name Indication, which makes name-based virtual hosting practical for HTTPS and other TLS-based protocols.

      In other words: HTTPS is approximately identical to HTTP in terms of cost

      This is true so long as you either A. have root on your web server or B. have a means of automating installation of renewed certificates. Some shared hosting providers are so far behind on Let's Encrypt implementation that people have become passive-aggressive, making a Ruby script to automatically send an e-mail to the host's support department to get a renewed cert installed.

      There is another cost: mixed content blocking. A lot of sites rely on external resources not yet available through HTTPS, and web browsers block HTTP resources embedded in an HTTPS page. Sponsors are a big one; not until September 2013 did a major ad network become available through HTTPS.

  2. Re:Incoming Security Errors by lesincompetent · · Score: 3, Informative

    Awesome, it also forces you to correct your mistakes.

  3. Re:Incoming Security Errors by chihowa · · Score: 3, Informative

    Awesome, it also forces you to correct your mistakes.

    From his post:

    Had to go back and change all the images I had loaded in my previous posts to use my new https URLs.

    Apparently not.

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.

  4. Re:Incoming Security Errors by omnichad · · Score: 4, Informative

    You can do a full URL without specifying protocol. Instead of http:// or https:// you can just use //

  5. Re:Incoming Security Errors by ptaff · · Score: 4, Insightful

    you want to pull a js library from www.bar.com

    Don't do that. You're introducing latency, you're violating the privacy of your visitors (bar.com knows about them) and you're putting them at risk, security-wise (bar.com gets 0wn3d? your visitors get 0wn3d as well). Don't be a lazy hacker and just spend the 2 minutes needed to store a local copy.
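
An added example, not part of the thread and not WordPress code: a Python check that audits a post's HTML for the two issues raised in these comments, subresources hard-coded to http:// (mixed content once the page is served over HTTPS) and scripts pulled from another host. The sample markup and the hosts blog.example and fonts.example are constructed; www.bar.com is the placeholder used in the comment above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "source": "src", "link": "href"}

class SubresourceAudit(HTMLParser):
    """Collects (tag, url, issue) for risky subresource references."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only loads a subresource when it is a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if not url:
            return
        parts = urlsplit(url.strip())
        # Hard-coded http:// is mixed content once the page itself is HTTPS.
        if parts.scheme == "http":
            self.findings.append((tag, url, "mixed-content"))
        # "//host/path" and "/path" inherit the page's scheme, so only the
        # host matters: a script from another host runs with full page access.
        if tag == "script" and parts.hostname and parts.hostname != self.page_host:
            self.findings.append((tag, url, "third-party-script"))

def audit(html, page_host):
    parser = SubresourceAudit(page_host)
    parser.feed(html)
    return parser.findings

# Constructed sample post; blog.example and fonts.example are made-up hosts.
SAMPLE_POST = """
<img src="http://blog.example/wp-content/uploads/a.jpg">
<img src="//blog.example/wp-content/uploads/b.jpg">
<img src="/wp-content/uploads/c.jpg">
<script src="https://www.bar.com/lib.js"></script>
<script src="/js/lib.js"></script>
<link rel="stylesheet" href="http://fonts.example/f.css">
<a href="http://other.example/">plain link, not a subresource</a>
"""

if __name__ == "__main__":
    for tag, url, issue in audit(SAMPLE_POST, "blog.example"):
        print(f"{issue:20} <{tag}> {url}")
```

Protocol-relative and root-relative references pass the mixed-content check because they follow the page's scheme, but a protocol-relative script on another host is still reported as third-party.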