Kudos to the Let's Encrypt and Wordpress teams. This is what the future looks like. Every webpage needs to be encrypted, and http (as opposed to https) needs to go the way of telnet (as compared to ssh).

What's particularly great is that there is no configuration of any kind for Wordpress authors or their readers. Like they have done, we need to always default to secure.
Not to say this is a bad thing, but I'm sure Wordpress just broke a lot of links on their users' sites. For example, any embedded images from other servers not using HTTPS means that they won't load anymore due to browser policies, essentially breaking the links. It also means that any embedded images/videos/etc. will only work if the remote server has HTTPS. Again, not a bad thing, but it's pretty painful to have to deal with this with a lot of users that aren't experts on HTTP, and I'm sure it's a similar story at Wordpress.

I can flip the switch for default HTTPS on Neocities in a day. The hard part is figuring out how to not break users' sites in that process. Ideas welcome.
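A check for the breakage described in that comment, added here as an example and not part of the original thread or of any WordPress/Neocities code: it parses a post body and lists every subresource a browser would fetch over plain http once the page itself is served over https. The sample HTML and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that fetch a subresource; an http:// URL here is mixed content,
# which browsers block or warn on once the page itself is loaded over https.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, absolute_url) for every plain-http subresource

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in SUBRESOURCE_ATTRS.get(tag, ()):
                for ref in self._candidates(name, value):
                    # Relative and protocol-relative refs resolve against the https page URL,
                    # so "/uploads/x.png" and "//cdn/x.png" inherit https and are not flagged.
                    absolute = urljoin(self.page_url, ref)
                    if urlsplit(absolute).scheme == "http":
                        self.insecure.append((tag, absolute))

    @staticmethod
    def _candidates(name, value):
        # srcset holds "url 1x, url 2x" candidates; keep only the URL of each
        if name == "srcset":
            return [c.split()[0] for c in value.split(",") if c.strip()]
        return [value.strip()]

def find_mixed_content(page_url, html):
    """Return [(tag, absolute_url)] for every http:// subresource in html served at page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.insecure

# Constructed sample post body, not real WordPress.com content.
SAMPLE_HTML = """
<img src="http://photos.example.net/cat.jpg">
<img src="//cdn.example.net/logo.png">
<img src="/uploads/local.png">
<script src="http://widgets.example.org/embed.js"></script>
<iframe src="http://player.example.org/video/1"></iframe>
"""
```

Run it over a site's stored post bodies before flipping the default to HTTPS; each hit is a link the migration will break unless the remote host also serves it over https.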
Original announcement:

https://en.blog.wordpress.com/2016/04/08/https-everywhere-encryption-for-all-wordpress-com-sites/
Not relevant to the WordPress part, but can someone explain to me why websites like eBay don't run on HTTPS except during login? Doesn't that allow any sniffer to steal your authentication cookies?
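As an added illustration of the cookie question above (not part of the original thread), the following models the two rules that decide whether a cookie is attached to an http:// request: the Secure attribute and the Path attribute. The Set-Cookie headers are constructed for an imaginary shop; no real site's cookies are shown.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def parse_set_cookie(headers):
    """Parse Set-Cookie header values into (name, morsel) pairs; the morsel holds the attributes."""
    cookies = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        cookies.extend(jar.items())
    return cookies

def path_matches(cookie_path, request_path):
    # RFC 6265 path-match: equal, or a prefix that ends in "/" or is followed by "/"
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent_to(headers, request_url):
    """Names of the cookies a browser would attach to request_url.
    Models only the scheme rule (Secure attribute) and the Path rule; host/domain
    matching is assumed to succeed, i.e. the request goes back to the issuing site."""
    parts = urlsplit(request_url)
    request_path = parts.path or "/"
    sent = []
    for name, morsel in parse_set_cookie(headers):
        if morsel["secure"] and parts.scheme != "https":
            continue  # Secure cookies never travel over plain http
        if path_matches(morsel["path"] or "/", request_path):
            sent.append(name)
    return sent

def missing_secure(headers):
    """Cookies without the Secure attribute: these go out in the clear on any http://
    request to the site, e.g. after following a plain-http link to a non-login page."""
    return [name for name, morsel in parse_set_cookie(headers) if not morsel["secure"]]

# Constructed headers for an imaginary shop, not captured from any real site.
SAMPLE_HEADERS = [
    "sessionid=CONSTRUCTED-session-token; Path=/; HttpOnly",
    "csrftoken=CONSTRUCTED-csrf-token; Path=/; Secure; HttpOnly",
    "prefs=lang%3Den; Path=/account",
]
```

A session cookie set without Secure, as `sessionid` is here, is exactly the one that keeps being sent on the site's plain-http pages; marking it Secure and serving the whole site over https is the fix.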
Meanwhile, the chromium preload list just passed 10,000 domains. Things are moving forwards.

https://twitter.com/lgarron/status/718242465782853633
WordPress.com illustrates an interesting challenge in supporting SSL if you allow people to use subdomains on your service:

https://bestcrabrestaurantsinportland.wordpress.com/ works fine

https://www.bestcrabrestaurantsinportland.wordpress.com/ displays a certificate warning

Unfortunately I don't think there's a good solution for this. Humans are gonna www- things.
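Added example, not from the original comment or from WordPress.com's code: the wildcard matching rule that produces exactly that warning, written as a checker over a certificate's list of DNS names. The SAN list is a constructed approximation of what a wildcard certificate for a multi-tenant host carries.

```python
def hostname_matches(cert_name, hostname):
    """Return True if a certificate DNS name (possibly "*.example.com") covers hostname.
    Implements the whole-label wildcard form of RFC 6125: "*" may only be the entire
    left-most label, it stands for exactly one label, and it needs at least two labels
    to its right (so "*.com" is rejected)."""
    cert_name, hostname = cert_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels, host_labels = cert_name.split("."), hostname.split(".")
    if cert_labels[0] != "*" or len(cert_labels) < 3 or any("*" in lab for lab in cert_labels[1:]):
        return False  # partial ("w*.example.com") or nested ("*.*.example.com") wildcards
    if len(host_labels) != len(cert_labels) or not host_labels[0] or "*" in host_labels[0]:
        return False  # the one wildcard label must line up with exactly one real label
    return cert_labels[1:] == host_labels[1:]

def names_covering(hostname, cert_names):
    """Which of a certificate's DNS names (its subjectAltName entries) cover hostname."""
    return [n for n in cert_names if hostname_matches(n, hostname)]

# Constructed approximation of a wildcard certificate's SAN list for a multi-tenant host.
WILDCARD_CERT_NAMES = ["wordpress.com", "*.wordpress.com"]
```

Because a wildcard covers one label only and nested wildcards are not allowed, `www.<tenant>.wordpress.com` can only be covered by listing each such name explicitly or by redirecting the `www.` form before TLS is involved, which a browser will not do without a valid certificate first.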
This is great news. All the more so as there is a tremendous amount of high-quality content under the Wordpress.com domain, something I chanced on while seeking out signs of intelligent life on the Internet.

https://www.reddit.com/r/dredmorbius/comments/3hp41w/tracking_the_conversation_fp_global_100_thinkers/
Is anyone providing a certificate solution for LAN deployed devices/software where there isn't a stable name, or for that matter an administrator?

https://news.ycombinator.com/item?id=11457567
I think this is awesome news. Hopefully we will see Chrome start marking http-only sites as non-secure and Apple's App Transport Security (ATS) forcing people to switch to https all over the web within a year or two.

https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

https://developer.apple.com/library/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html#//apple_ref/doc/uid/TP40016198-SW14
I would recommend the HTTPS Everywhere extension for your favourite browser. It forces all web pages to be loaded using HTTPS (if available).

https://www.eff.org/HTTPS-everywhere
A little on-topic hype if allowed: free "HTTPS Everywhere" monitoring at https://nonstop.qa. Hacker News passes with flying colors:

https://nonstop.qa/projects/387-hacker-news

(Free because I'm applying the GitHub model: free public projects, will eventually charge for private ones.)
Let's Encrypt is great, but I'm still running into people that have Chrome on WinXP or even IE8. It's crazy, I know. They did promise to start supporting both on XP because it had something to do with an intermediate cert somewhere. They didn't deliver on that promise. I don't blame them.

By the way, the cert on Wordpress.com is issued by GoDaddy, and all the examples I could come up with are also. Guess it's a roll-out process.
Let's Encrypt is great, but Start SSL has also shaped up considerably. A while back their process and the GUI was a real stumbling point. Today however it is a breeze to get it going. (Disclaimer: I am in no way affiliated with Start SSL)
While this helps *.wordpress.com users or custom domains using the wordpress.com back end, it's going to cause a ruckus with self-hosted ones.

Neither WordPress nor LetsEncrypt has any way to modify global server settings on any shared hosting environment. Slapping in an SSL certificate doesn't make a site secure; properly configuring the services that use the cert is what makes it secure.

GoDaddy isn't going to let Company Xyz rebuild Apache or configure ciphers server-wide...

In the end, while this is a move in the right direction, I fear it will give false confidence to many web providers that don't have enterprise experience with security fundamentals.
Wordpress is still a security nightmare.

PHP, mostly dynamic everything, unmoderated cesspool of plugins, themes, etc... where you just drop code, predictable URLs and pages to brute force, I could go on...