
WordPress.com turns on HTTPS encryption for all websites - jblz
http://techcrunch.com/2016/04/08/wordpress-com-turns-on-https-encryption-for-all-websites/
======
dankohn1
Kudos to the Let's Encrypt and Wordpress teams. This is what the future looks
like. Every webpage needs to be encrypted, and http (as opposed to https)
needs to go the way of telnet (as compared to ssh).

What's particularly great is that there is no configuration of any kind for
Wordpress authors or their readers. Like they have done, we need to always
default to secure.

~~~
afarrell
There should still exist one well-known unencrypted page. Sometimes, I need to
log in to hotel or airport wifi and therefore need to accept a MitM attack. I
would prefer this not to be the case.

~~~
iainnash
[http://example.com/](http://example.com/) perhaps?

~~~
afarrell
I use [http://xkcd.com](http://xkcd.com), but that works.

------
kyledrake
Not to say this is a bad thing, but I'm sure Wordpress just broke a lot of
links on their users' sites. For example, any embedded images from other
servers not using HTTPS means that they won't load anymore due to browser
policies, essentially breaking the links. It also means that any embedded
images/videos/etc. will only work if the remote server has HTTPS. Again, not a
bad thing, but it's pretty painful to have to deal with this with a lot of
users that aren't experts on HTTP, and I'm sure it's a similar story at
Wordpress.

I can flip the switch for default HTTPS on Neocities in a day. The hard part
is figuring out how to not break users' sites in that process. Ideas welcome.

~~~
skeltoac
We've been working on this for quite a while and several parts of the solution
deal with rewriting embedded URLs using HTTP. If you have any examples of
breakage, let us know.
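As an added example (not code from WordPress.com, Neocities or any commenter) of the breakage described above and the URL rewriting mentioned in the reply: a scanner that lists the http:// subresources a browser would block on an https:// page, and upgrades only those whose host is on a constructed allowlist of hosts known to serve HTTPS. The sample HTML and the allowlist are constructed for the demonstration.

```python
# Added example (not WordPress.com's or Neocities' code): list the http://
# subresources that browsers block on an https:// page ("mixed content") and
# upgrade only those whose host is known to serve HTTPS.
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attributes that fetch a subresource; plain <a href> links are not blocked.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src",), "embed": ("src",), "object": ("data",),
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, attribute, url) for every http:// fetch

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in SUBRESOURCE_ATTRS.get(tag, ()) or not value:
                continue
            # srcset holds comma-separated "url descriptor" candidates
            candidates = value.split(",") if name == "srcset" else [value]
            for cand in candidates:
                url = cand.split()[0] if cand.strip() else ""
                if urlsplit(url).scheme == "http":
                    self.findings.append((tag, name, url))

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

def rewrite_url(url, https_hosts):
    """Upgrade http:// to https:// only for hosts verified to serve TLS."""
    # Blindly flipping the scheme turns a working image into a broken one.
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in https_hosts:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url

# Constructed sample page and allowlist (hosts verified to serve HTTPS).
SAMPLE_HTML = """<html><body>
<img src="http://cdn.example.net/photo.jpg" alt="embedded image">
<img srcset="http://cdn.example.net/a.jpg 1x, http://legacy.example.org/b.jpg 2x">
<a href="http://example.org/post">a plain link, not a subresource</a>
<iframe src="http://legacy.example.org/player"></iframe>
</body></html>"""
KNOWN_HTTPS_HOSTS = {"cdn.example.net"}
```

Findings whose host is not on the allowlist are the ones that will silently stop loading after the switch, so they are the list to hand to users rather than rewrite.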

~~~
CharlesW
> If you have any examples of breakage, let us know.

I believe it's breaking podcast feeds being served with WordPress.com, because
iTunes doesn't support Let's Encrypt certificates.

[https://www.dominicrodger.com/2016/02/29/lets-encrypt-itunes...](https://www.dominicrodger.com/2016/02/29/lets-encrypt-itunes-podcasts/)

This may not affect a _lot_ of customers (since WordPress.com doesn't support
PowerPress for feed generation), but I know some podcasters create feeds by
hand or with other apps.

This issue will cause at least some podcasts to disappear from iTunes without
warning unless you can coordinate with Apple to fix it.

~~~
barsxl
> I believe it's breaking podcast feeds being served with WordPress.com,
> because iTunes doesn't support Let's Encrypt certificates.

Do you have an example? We have already implemented workarounds for iTunes. If
they aren't working I would love to know the specifics so we can fix it.

~~~
CharlesW
> Do you have an example?

Just the confirmation from Apple's podcaster support team that iTunes doesn't
support sites which use Let's Encrypt. (I don't use WordPress.com myself.)

I've just posted a request for examples in popular podcasting groups, and I'll
let you know when/if I get responses.

> We have already implemented workarounds for iTunes.

Can you elaborate just a smidge? Is WordPress.com, for example, not encrypting
content when it's requested by iTunes? (Thanks!)

~~~
barsxl
> Can you elaborate just a smidge? Is WordPress.com, for example, not
> encrypting content when it's requested by iTunes? (Thanks!)

Yes, we have some targeted exceptions for incompatible clients.

------
pfg
Original announcement:

[https://en.blog.wordpress.com/2016/04/08/https-everywhere-en...](https://en.blog.wordpress.com/2016/04/08/https-everywhere-encryption-for-all-wordpress-com-sites/)

------
wfunction
Not relevant to the WordPress part, but can someone explain to me why websites
like eBay don't run on HTTPS except during login? Doesn't that allow any
sniffer to steal your authentication cookies?

~~~
ultramancool
Yes, yes it does. It's pretty annoying, aliexpress does similar too. You'd
think big ecommerce sites would have caught up with this.

As for their reasoning... maybe performance, but more likely laziness.

~~~
at-fates-hands
From their perspective, it's not their issue.

If a user gets their credentials hijacked, and a hacker makes a bunch of
unauthorized purchases with their saved credit card, who's the customer going
to call? AliExpress or their bank to mark the purchase as fraudulent and
refund the money?

To them, they're merely supplying the vehicle to do business. It's the payment
processing companies, the banks and third party vendors who handle the money,
so it's their responsibility to notice the charges and shut the account down.

Like last week, I got a call from my bank asking if I was making purchases in
Belgium, Norway and France. I was like, "Uhhhhhhhhhhh no, that's fraud." They
blocked the purchases first and THEN called to confirm with me. It was pretty
obvious based on my banking behavior this was out of the norm and immediately
flagged. It wasn't the travel site's fault they let it happen, it would've been
my bank's problem if they let those purchases go through.

I'm glad they have an incredible fraud detection system. This is the second
time they've flagged something on my account and shut these down before any
damage could be done.

~~~
wfunction
Is identity theft not their issue? That site includes a history of your
buying/selling habits, your address, your phone number, your payment
information... screw the money itself, there's a lot more damage a nefarious
eavesdropper can do than make a purchase with your account in Belgium.

~~~
MichaelGG
Identity theft is a non-thing, a lie made up by unscrupulous creditors to
pretend it's not their fault for incorrectly authorizing a criminal then
charging you for it.

Think about it: This information you're revealing to eBay is basically the
same for any other online merchant. If that's enough to "steal your identity",
where does the problem really lie?

------
pred_
Meanwhile, the chromium preload list just passed 10,000 domains. Things are
moving forwards.

[https://twitter.com/lgarron/status/718242465782853633](https://twitter.com/lgarron/status/718242465782853633)

~~~
Matt3o12_
Do you know how they're stored on my PC? Last time I checked they were all in
a giant C source file, which sounds like a pretty bad idea to me since I can't
imagine it'll scale well.

------
geostyx
Awesome to see stuff like this. LetsEncrypt is really doing a great service to
make the Internet a better place.

------
simonw
WordPress.com illustrates an interesting challenge in supporting SSL if you
allow people to use subdomains on your service:

[https://bestcrabrestaurantsinportland.wordpress.com/](https://bestcrabrestaurantsinportland.wordpress.com/)
works fine

[https://www.bestcrabrestaurantsinportland.wordpress.com/](https://www.bestcrabrestaurantsinportland.wordpress.com/)
displays a certificate warning

Unfortunately I don't think there's a good solution for this. Humans are gonna
www- things.

~~~
icebraining
I never understood why you can't get a wildcard cert for `*.*.example.com`.
Then again, the whole concept of wildcard certs being priced differently is
pure price segmentation, so that's to be expected.

~~~
enraged_camel
It's not price segmentation. You can encrypt X hosts with a wildcard cert, and
X can be any number. So you basically buy encryption at a flat price, which
can save you a LOT of money.

~~~
icebraining
Fair enough; maybe the term isn't correct. My point is that a wildcard cert is
technically no different than a 'regular' cert, and the CA incurs no extra
cost, unlike with EV certs. The price difference is purely based on the fact
that buyers who need wildcard certs tend to have larger budgets.
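As an added example (not WordPress.com's code or any commenter's) of the www- problem raised above and of why a `*.*.example.com` certificate is not an option: a name matcher that applies the RFC 6125 rule that a wildcard stands for exactly one DNS label, plus a check of which names a public CA will issue at all. The certificate name list at the bottom is constructed.

```python
# Added example (not WordPress.com's code): how a TLS client matches a
# certificate name against a hostname. Per RFC 6125 a wildcard stands for
# exactly one DNS label, so "*.wordpress.com" covers "blog.wordpress.com"
# but not "www.blog.wordpress.com", and public CAs will not issue names such
# as "*.*.example.com" that would be needed to cover the www- variant.

def is_issuable_name(name):
    """A name a public CA will put on a certificate: at most one wildcard,
    and only as the entire leftmost label."""
    labels = name.lower().split(".")
    if len(labels) < 2 or any(not lab for lab in labels):
        return False
    if any("*" in lab for lab in labels[1:]):
        return False                       # "*.*.example.com", "a.*.com"
    return labels[0] == "*" or "*" not in labels[0]   # no partial "*foo"

def matches(cert_name, hostname):
    """RFC 6125-style match: case-insensitive, wildcard matches one label."""
    cert_labels = cert_name.lower().split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False                       # "*" never spans extra labels
    if cert_labels[0] == "*":
        if len(cert_labels) < 3:           # refuse "*.com"-style wildcards
            return False
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels

def covered_by(cert_names, hostname):
    """Return the certificate name (CN or SAN entry) that covers hostname."""
    for name in cert_names:
        if matches(name, hostname):
            return name
    return None

# Constructed: the names on a *.wordpress.com style wildcard certificate.
WILDCARD_CERT = ["*.wordpress.com", "wordpress.com"]
```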

------
dredmorbius
This is great news. All the more so as there is a _tremendous_ amount of high-
quality content under the Wordpress.com domain, something I chanced on while
seeking out signs of intelligent life on the Internet.

[https://www.reddit.com/r/dredmorbius/comments/3hp41w/trackin...](https://www.reddit.com/r/dredmorbius/comments/3hp41w/tracking_the_conversation_fp_global_100_thinkers/)

------
rogerbinns
Is anyone providing a certificate solution for LAN deployed devices/software
where there isn't a stable name, or for that matter an administrator?

[https://news.ycombinator.com/item?id=11457567](https://news.ycombinator.com/item?id=11457567)

------
hising
I think this is awesome news. Hopefully we will see Chrome start marking
http-only sites as non-secure and Apple's App Transport Security (ATS) forcing
people to switch to https all over the web within a year or two.

[https://www.chromium.org/Home/chromium-security/marking-http...](https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure)
[https://developer.apple.com/library/ios/releasenotes/General...](https://developer.apple.com/library/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html#//apple_ref/doc/uid/TP40016198-SW14)

------
iimpact
I would recommend the HTTPS everywhere extensions for your fav. browser. It
forces all web-pages to be loaded using HTTPS (if available).

[https://www.eff.org/HTTPS-everywhere](https://www.eff.org/HTTPS-everywhere)

~~~
pred_
If available, and if someone has added it to the database of more or less
manually maintained rulesets for redirection;

[https://www.eff.org/https-everywhere/atlas/](https://www.eff.org/https-everywhere/atlas/)

[https://github.com/EFForg/https-everywhere/tree/master/src/c...](https://github.com/EFForg/https-everywhere/tree/master/src/chrome/content/rules)

------
anarcat
I wonder how they work around Let's Encrypt rate-limiting?

~~~
pfg
This is about custom domains, not subdomains of wordpress.com (they're using a
wildcard cert for that, and have been for years).

Rate limits aren't much of an issue in that scenario unless someone has more
than 20 separate subdomains set up as a WordPress.com blog under the same
domain. Even then, you could theoretically get 20 * 100 subdomains covered
every week if you're smart about which domains you combine on a single SAN
certificate.

~~~
anarcat
Those are the rate limits, as far as I understand them:

* 100 Names/Certificate (how many domain names you can include in a single certificate)
* 5 Certificates per Domain per week
* 500 Registrations/IP address per 3 hours
* 300 Pending Authorizations/Account per week

It seems to me that WP.com could reach at least one of those... So I was
curious to hear how they were doing that.

And yes, I was wondering if they would replace the *.wp.com wildcard - I guess
not...

~~~
pfg
The rate limits have been changed to 20 certificates per domain per week
recently.

The registrations/IP rate limits aren't really a problem - WordPress could, in
theory, run their entire Let's Encrypt infrastructure using one registration
(account).

Pending authorizations shouldn't be much of an issue given that all custom
domains are CNAMEs pointing to their servers, so they should be able to solve
all challenges.

(By the way: If you're building a large integration, Let's Encrypt can change
the rate limits for you.)
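As an added example (not WordPress.com's or Let's Encrypt's code) of the arithmetic in the two comments above: a planner that packs customer hostnames into SAN certificates under the per-domain limits quoted in this thread. It assumes the figures given here (100 names per certificate, 20 certificates per registered domain per week), and it simplifies "registered domain" to the last two labels, where a real planner would consult the Public Suffix List.

```python
# Added example (not WordPress.com's or Let's Encrypt's code): plan SAN
# certificates under the per-domain rate limits quoted in this thread. A
# certificate counts against the limit of every registered domain it holds a
# name for, so mixing registered domains on one certificate spends quota from
# each of them; the planner therefore keeps one registered domain per
# certificate and spills any excess into later weeks.
from collections import defaultdict

NAMES_PER_CERT = 100            # figure from the thread; check current limits
CERTS_PER_DOMAIN_PER_WEEK = 20  # figure from the thread; check current limits

def registered_domain(hostname):
    """Simplification for the example: the last two labels. A real planner
    would use the Public Suffix List (e.g. for names under co.uk)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def plan_certificates(hostnames):
    """Return [(week_index, [names]), ...], one entry per certificate."""
    by_domain = defaultdict(list)
    for host in sorted({h.lower().rstrip(".") for h in hostnames}):
        by_domain[registered_domain(host)].append(host)
    plan = []
    for domain, names in sorted(by_domain.items()):
        chunks = [names[i:i + NAMES_PER_CERT]
                  for i in range(0, len(names), NAMES_PER_CERT)]
        for n, chunk in enumerate(chunks):
            # the (n+1)-th certificate for this domain lands in week n // 20
            plan.append((n // CERTS_PER_DOMAIN_PER_WEEK, chunk))
    return plan

def weeks_needed(hostnames):
    return 1 + max((week for week, _ in plan_certificates(hostnames)), default=0)

def within_limits(plan):
    """Check a plan against both limits assumed above."""
    per_domain_week = defaultdict(int)
    for week, names in plan:
        if len(names) > NAMES_PER_CERT:
            return False
        for domain in {registered_domain(n) for n in names}:
            per_domain_week[(domain, week)] += 1
    return all(c <= CERTS_PER_DOMAIN_PER_WEEK for c in per_domain_week.values())
```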

------
dogweather
A little on-topic hype if allowed: free "HTTPS Everywhere" monitoring
[https://nonstop.qa](https://nonstop.qa). Hacker News passes with flying
colors:

[https://nonstop.qa/projects/387-hacker-news](https://nonstop.qa/projects/387-hacker-news)

(Free because I'm applying the GitHub model: free public projects, will
eventually charge for private ones.)

------
teekert
Let's encrypt is great, but I'm still running into people that have Chrome on
WinXP or even IE8. It's crazy, I know. They did promise to start supporting
both on XP because it had something to do with an intermediate cert somewhere.
They didn't deliver on that promise. I don't blame them.

By the way, the cert on Wordpress.com is issued by GoDaddy, all the examples I
could come up with are also. Guess it's a roll out process.

~~~
joshmoz
Windows XP support was rolled out March 25 2016.

You can find more information about upcoming and completed features here:

[https://letsencrypt.org/upcoming-features/](https://letsencrypt.org/upcoming-features/)

~~~
haroldp
But that doesn't really help you if you are using SNI to host multiple sites
on a single IP address, does it?

~~~
pfg
Internet Explorer doesn't support SNI on Windows XP, correct.

Let's Encrypt doesn't force you to use SNI, though. SNI is not something you
"stick" on a certificate - it's a TLS extension which you don't _have_ to use
at all.

------
ikeboy
Great. Tumblr enabled it earlier this year as well.

~~~
fwn
Only in their dashboard, not for individual blogs themselves.

~~~
ikeboy
[https://www.tumblr.com/docs/en/account_security#ssl_what](https://www.tumblr.com/docs/en/account_security#ssl_what)

~~~
nsgi
It says they don't support it on custom domains.

------
brainpool
Let's Encrypt is great, but Start SSL has also shaped up considerably. A while
back their process and the GUI was a real stumbling point. Today however it is
a breeze to get it going. (Disclaimer: I am in no way affiliated with Start
SSL)

~~~
nsgi
Amazing what a bit of competition can do.

------
RawInfoSec
While this helps *.wordpress.com users or custom domains using the
wordpress.com back end, it's going to cause a ruckus with self hosted ones.

Neither WordPress nor LetsEncrypt has any way to modify global server settings
on any shared hosting environment. Slapping in an SSL certificate doesn't make
a site secure, properly configuring the services that use the cert is what
makes it secure.

GoDaddy isn't going to let Company Xyz rebuild Apache or configure ciphers
server-wide...

In the end, while this is a move in the right direction, I fear it will give
false confidence to many web providers that don't have enterprise experience
with security fundamentals.

~~~
CM30
This won't affect self hosted sites, only those on WordPress.com's platform. A
lot of the code for that service isn't present in the self hosted script.

So it won't break servers or shared hosts.

------
vram22
Google's Blogger is moving to https too, over time, my dashboard shows.

------
ne01
I wonder if they bundle multiple domains in one certificate?

------
muloka
This is awesome news.

I wonder if Squarespace will follow suit in this endeavor.

~~~
PuffinBlue
Squarespace already allows this for non-custom domains, but if you have a
custom domain then you can't use https.

I hope this move by Wordpress will push Squarespace to support https for
custom domains as it's a very frequently requested feature.

------
billhendricksjr
Squarespace needs to follow suit

~~~
emdd
Does SquareSpace do any encryption for non-admin log in things?

------
upbeatlinux
12+ years in the making.

------
chinathrow
Nice.

However, they could have shelled out a couple of hundred bucks for a
wildcard cert before.

~~~
cavisne
This includes custom domains not just *.wordpress.com

~~~
derf_
Is it not live yet? The article uses the present progressive "is activating",
but e.g., [https://whatever.scalzi.com](https://whatever.scalzi.com) serves a
certificate whose CN is *.wordpress.com (i.e., one that is invalid for the
intended domain).

~~~
pmaiorana
whatever.scalzi.com is on WordPress.com VIP—same platform, but a different
segment of users. Our VIP sites often use 3rd parties (mostly ad servers) that
don't yet support https, so we haven't defaulted any of those sites to
https—it's an option available if they want it though!

------
frugalmail
Wordpress is still a security nightmare.

PHP, mostly dynamic everything, unmoderated cesspool of plugins, themes,
etc... where you just drop code, predictable URLs and pages to brute force, I
could go on...

