WordPress.com Enables HTTPS Encryption For All Websites

On Friday, WordPress announced that it is bringing free HTTPS to all -- "million-plus" -- custom domains, essentially ramping up security on every blog and website. The publishing platform says it partnered with Let's Encrypt project to implement HTTPS across such a voluminous number of sites. From the blog: For you, the users, that means you'll see secure encryption automatically deployed on every new site within minutes. We are closing the door to un-encrypted web traffic (HTTP) at every opportunity.

so, hungary just banned wordpress.

[Anonymous Coward]

smart move, monkeys

HTTPS real meaning

[fbobraga]

"Hopefully Talking To People Securely" (sorry by the joke, but it was stronger than me :P)

Re:HTTPS real meaning

[bluefoxlucid]

The big push for HTTPS is a technological one as far as I can see. Back in the day, you'd buy a separate SSL endpoint to handle the encryption; today, TLS encryption of HTTP causes latency increases of a statistical 5mS at worst (i.e. there's a lot of overlap and it looks like 0, but a lot of math tells us there's 5mS lost on average somewhere in there if you look hard enough), and the CPU toll is about 2% more computational overhead in the most complex part of the key exchange. TLS costs a fraction of a percent of CPU now for the ongoing session.

In other words: HTTPS is approximately identical to HTTP in terms of cost, and the likelihood that your site dies under load at any given time is roughly equivalent when using either protocol. Suddenly it's a big dialogue.

Re:HTTPS real meaning

[tepples]

Back in the day, you'd buy a separate SSL endpoint to handle the encryption

Also back in the day, you'd buy a separate IP address for each customer that wants to employ TLS. That became very expensive in the era of IPv4 address exhaustion. This requirement ended on April 8, 2014, when Windows XP reached the end of extended support. Internet Explorer for Windows XP had been the last major web browser not to support Server Name Indication [wikipedia.org], which makes name-based virtual hosting practical for HTTPS and other TLS-based protocols.

In other words: HTTPS is approximately identical to HTTP in terms of cost

This is true so long as you either A. have root on your web server or B. have a means of automating installation of renewed certificates. Some shared hosting providers are so far behind on Let's Encrypt implementation that people have become passive-aggressive, making a Ruby script to automatically send an e-mail to the host's support department to get a renewed cert installed [github.com].

There is another cost: mixed content blocking. A lot of sites rely on external resources not yet available through HTTPS, and web browsers block HTTP resources embedded in an HTTPS page. Sponsors are a big one; not until September 2013 [googleblog.com] did a major ad network become available through HTTPS.

Re:

[bluefoxlucid]

This is true so long as you either A. have root on your web server or B. have a means of automating installation of renewed certificates.

(A) is a matter of service and marketing; (B) is a matter of technology. That it's cheap to do something (i.e. technology) doesn't mean people have done it (else everything would have gone TLS in the mid-2000s, when this privacy dialogue had gotten nice and hot--remember PGP in the 90s?).

Re:

[tepples]

VPN is a tunnel; VPS is a server. With a VPS, you "A. have root on your web server". But for someone currently paying $5 to $8 per month for web hosting, which VPS providers in that price range are any good?

Re:

[oddware]

I currently use vultr.com, have found them nice and reliable. The cheapest full VPS they have is $5 for 768MB Ram & 15GB ssd. If you only have a small user base you can get away with hosting it on a home/business connection using DynDns's dns while using the updater client on your server.

Re:

[oddware]

Sorry, i meant to say $5 Per month

Re:

[pepsikid]

We've been using Virtualmin 'virtual hosts' management software, on a virtual machine for double virtuosity, for several years with great results. These are the guys who did Webmin and Usermin which are like open source cPanel. The layout is awful and I keep finding goodies buried in strange places, but hey, free is free!
It includes a one-click control panel to get Let's Encrypt certs.

Re:

[pepsikid]

Yeah, remote HTTP and HTTPS resources embedded on our HTTPS page didn't work any more. This is why I haven't implemented an HTTP forward to HTTPS rule yet, though I do have TLS certs for my websites now.

Weirdly enough, Google's Calendar and some other things are Iframed HTTPS but work whether embedded in an encrypted page or not. I would love to know how they do that.

Re:

[tepples]

Weirdly enough, Google's Calendar and some other things are Iframed HTTPS but work whether embedded in an encrypted page or not. I would love to know how they do that.

An HTTPS frame inside an HTTP page always works. The reverse does not.

Re:

[fbobraga]

my bad: was a joke :P

Incoming Security Errors

[JourneymanMereel]

Sadly this probably means tons of mixed content security errors are about to start happening. Everybody who linked to an image in their blog with the full URL (http://site.com/image.png) will have images that used to load with no problem start throwing up security errors. I had this problem when I got the Let's Encrypt certificate for my blog. Had to go back and change all the images I had loaded in my previous posts to use my new https URLs. Fortunately, I don't post often so there weren't too many...

Re:Incoming Security Errors

[lesincompetent]

Awesome, it also forces you to correct your mistakes.

Re:Incoming Security Errors

[chihowa]

Awesome, it also forces you to correct your mistakes.

From his post:

Had to go back and change all the images I had loaded in my previous posts to use my new https URLs.

Apparently not.

Re:

[lesincompetent]

Humanity has failed me again.

Re:

[burbilog]

Awesome, it also forces you to correct your mistakes.

Unfortunately, it can't force me to correct mistakes on other people's sites. And they will remain broken. A lot. And people are going to get used to "broken" mark and nobody will care about it after all.

Great. Exactly what we needed.

Re:Incoming Security Errors

[omnichad]

You can do a full URL without specifying protocol. Instead of http:/// [http] or https:/// [https] you can just use //

Re:

[U2xhc2hkb3QgU3Vja3M]

Why use // when / is enough?

Re: Incoming Security Errors

[omnichad]

I'm talking about full external links. One/ is not enough. Example - use //Google.com/file instead of http://google.com/file [google.com] or https://google.com/file [google.com]

Re:

[carleton]

because if your webpage is on www.foo.com and you want to pull a js library from www.bar.com, you can do src="//www.bar.com/cdn/bogus.js" and not have to worry if foo switches over to https only (as long as bar.com supports https) (or did a joke just go over my head)

Re:Incoming Security Errors

[ptaff]

you want to pull a js library from www.bar.com

Don't do that. You're introducing latency, you're violating the privacy of your visitors (bar.com knows about them) and you're putting them at risk, security-wise (bar.com gets 0wn3d? your visitors get 0wn3d as well). Don't be a lazy hacker and just spend the 2 minutes needed to store a local copy.

Re:

[U2xhc2hkb3QgU3Vja3M]

+5 insightful, +25 informative

Re:

[oddware]

This.
Reduce the requirement/dependency for 3rd party server to be involved

Re:

[omnichad]

There's also the case of images being on a different subdomain or CDN (all run by you)

Re:

[pepsikid]

If this is in a Wordpress blog, I suggest using Velvet Blues plugin to mass update your links, or
Image Teleporter to download remote images to local; it also updates urls.

perception of security

[kiviQr]

Great all sites that should have been "static" are sent over encrypted channel while WP is still a Swiss cheese.

Re:

[__aaclcg7560]

I started converting my older WordPress websites into static websites. My main website used to get 4,000+ script kiddies per day from Russia and Asia. After it became a static website with no PHP or SQL calls, they went somewhere else.

Re:

[__aaclcg7560]

I have never had php installed on my server because I am not an incompetent fuckwit.

Every ISP and web hosting company that I ever used had PHP installed by default for the LAMP stack. Sometimes you don't have a choice in the matter.

Re:

[__aaclcg7560]

You have a choice if you are smart enough to use a VPS host.

Which is what I have in 2016.

Re:

[__aaclcg7560]

Grats on only being a decade behind!

I got started with web hosting in 1997. Opened a text file, put some HTML code in it, and uploaded to my account folder on a UNIX server.

Re:

[__aaclcg7560]

I bet that was extremely difficult for you.

Uploaded from an IBM AT with a 2400 baud modem.

Re:

[__aaclcg7560]

So you were a decade behind even in 1997?

As the seventh grade girls pointed out in the early 1980's, I came from a poor family because we didn't have an Apple ][ computer and cable to get MTV. I learned to work with what I got and not what I don't have.

Re:

[vilanye]

no

Let's Encrypt still not widely supported

[Actually, I do RTFA]

I just heard "You're going to be getting a lot of calls from people because Let's Encrypt isn't a CA they trust, and instead of it just being encrypted, people will think it's broken."

IdenTrust also not widely supported

[tepples]

The Let's Encrypt intermediate certificates [letsencrypt.org] are cross-signed by IdenTrust, an established CA. From which major web browser's default certificate store is IdenTrust missing?

Re:

[Actually, I do RTFA]

It was FireFox 44 or Chrome as of last month.

Given Unicode, encodings, etc escape on output

[raymorris]

In 1998, a security- conscious person would sanitize input, and blacklist certain characters. strip_slashes(), quote_meta() and friends were best practice.

Today, there are so many well-known ways around that using different encodings and such, it's virtually impossible to do securely. Instead, today we recognize that user input is potentially malicious and treat it that way - forever. It's NEVER considered sanitized , because it never can be. That means when storing data to a database, we use bound para

What is the point

[Anonymous Coward]

of encrypting 99.99% of blog traffic, when that traffic - the blog posts - is visible to the whole Internet anyway?

Re:

[pepsikid]

The more TLS traffic we get flooding the Internet, the less indiscriminate hoovering the spooks will do?

HTTP/2 actual main reason

[xororand]

HTTP/2 might be the actual main motive for this switch. HTTP/2 is more efficient than HTTP/1 but requires TLS encryption.

Indeed, wordpress.com [wordpress.com] does offer HTTP/2:

url="https://www.wordpress.com"
curl -v --http2 -I -o /dev/null "$url" 2>&1 |grep ALPN
* ALPN, offering h2
* ALPN, offering http/1.1
* ALPN, server accepted to use h2

Re: HTTP/2 actual main reason

[corychristison]

Actually TLS is not a requirement for HTTP/2.

See https://http2.github.io/faq/#does-http2-require-encryption [github.io]

Re: HTTP/2 actual main reason

[Anonymous Coward]

In practice no browser will load http2 unless it's running under tls and picked up via alpn/npn TLS extensions.

Wont someone think of the hosting companies

[AHuxley]

That as a value added service, with per year costs they could add onto low upfront priced hosting and domain packages.