WordPress.com turns on HTTPS encryption for all websites

447 点作者 jblz大约 9 年前

24 条评论

dankohn1大约 9 年前

Kudos to the Let's Encrypt and Wordpress teams. This is what the future looks like. Every webpage needs to be encrypted, and http (as opposed to https) needs to go the way of telnet (as compared to ssh).What's particularly great is that there is no configuration of any kind for Wordpress authors or their readers. Like they have done, we need to always default to secure.

评论 #11459126 未加载

评论 #11460409 未加载

评论 #11457078 未加载

评论 #11459652 未加载

评论 #11460834 未加载

评论 #11459250 未加载

评论 #11457510 未加载

kyledrake大约 9 年前

Not to say this is a bad thing, but I'm sure Wordpress just broke a lot of links on their user's sites. For example, any embedded images from other servers not using HTTPS means that they won't load anymore due to browser policies, essentially breaking the links. It also means that any embedded images/videos/etc. will only work if the remote server has HTTPS. Again, not a bad thing, but it's pretty painful to have to deal with this with a lot of users that aren't experts on HTTP, and I'm sure it's a similar story at Wordpress.I can flip the switch for default HTTPS on Neocities in a day. The hard part is figuring out how to not break user's sites in that process. Ideas welcome.

评论 #11457164 未加载

评论 #11457215 未加载

评论 #11457717 未加载

评论 #11457518 未加载

评论 #11457131 未加载

评论 #11457117 未加载

pfg大约 9 年前

Original announcement:<a href="https://en.blog.wordpress.com/2016/04/08/https-everywhere-encryption-for-all-wordpress-com-sites/" rel="nofollow">https://en.blog.wordpress.com/2016/04/08/https-everywhere-en...</a>

wfunction大约 9 年前

Not relevant to the WordPress part, but can someone explain to me why websites like eBay don't run on HTTPS except during login? Doesn't that allow any sniffer to steal your authentication cookies?

评论 #11457893 未加载

评论 #11457872 未加载

评论 #11459683 未加载

pred_大约 9 年前

Meanwhile, the chromium preload list just passed 10.000 domains. Things are moving forwards.<a href="https://twitter.com/lgarron/status/718242465782853633" rel="nofollow">https://twitter.com/lgarron/status/718242465782853633</a>

评论 #11461271 未加载

geostyx大约 9 年前

Awesome to see stuff like this. LetsEncrypt is really doing a great service to make the Internet a better place.

simonw大约 9 年前

WordPress.com illustrates an interesting challenge in supporting SSL if you allow people to use subdomains on your service:<a href="https://bestcrabrestaurantsinportland.wordpress.com/" rel="nofollow">https://bestcrabrestaurantsinportland.wordpress.com/</a> works fine<a href="https://www.bestcrabrestaurantsinportland.wordpress.com/" rel="nofollow">https://www.bestcrabrestaurantsinportland.wordpress.com/</a> displays a certificate warningUnfortunately I don't think there's a good solution for this. Humans are gonna www- things.

评论 #11458060 未加载

评论 #11460372 未加载

评论 #11458093 未加载

评论 #11457662 未加载

评论 #11457882 未加载

dredmorbius大约 9 年前

This is great news. All the more so as there is a tremendous amount of high-quality content under the Wordpress.com domain, something I chanced on while seeking out signs of intelligent life on the Internet.<a href="https://www.reddit.com/r/dredmorbius/comments/3hp41w/tracking_the_conversation_fp_global_100_thinkers/" rel="nofollow">https://www.reddit.com/r/dredmorbius/comments/3hp41w/trackin...</a>

rogerbinns大约 9 年前

Is anyone providing a certificate solution for LAN deployed devices/software where there isn't a stable name, or for that matter an administrator?<a href="https://news.ycombinator.com/item?id=11457567" rel="nofollow">https://news.ycombinator.com/item?id=11457567</a>

hising大约 9 年前

I think this is awesome news. Hopefully we will see Chrome starting marking http only sites as non-secure and Apples App Transport Security (ATS) forcing people to switch to https all over the web within a year or two.<a href="https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure" rel="nofollow">https://www.chromium.org/Home/chromium-security/marking-http...</a> <a href="https://developer.apple.com/library/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html#//apple_ref/doc/uid/TP40016198-SW14" rel="nofollow">https://developer.apple.com/library/ios/releasenotes/General...</a>

iimpact大约 9 年前

I would recommend the HTTPS everywhere extensions for your fav. browser. It forces all web-pages to be loaded using HTTPS (if available).<a href="https://www.eff.org/HTTPS-everywhere" rel="nofollow">https://www.eff.org/HTTPS-everywhere</a>

评论 #11460918 未加载

评论 #11458899 未加载

anarcat大约 9 年前

I wonder how they work around Let's Encrypt rate-limiting?

评论 #11458199 未加载

dogweather大约 9 年前

A little on-topic hype if allowed: free "HTTPS Everywhere" monitoring <a href="https://nonstop.qa" rel="nofollow">https://nonstop.qa</a>. Hacker News passes with flying colors:<a href="https://nonstop.qa/projects/387-hacker-news" rel="nofollow">https://nonstop.qa/projects/387-hacker-news</a>(Free because I'm applying the GitHub model: free public projects, will eventually charge for private ones.)

teekert大约 9 年前

Let's encrypt is great, but I'm still running into people that have Chrome on WinXP or even IE8. It's crazy, I know. They did promise to start supporting both o XP because it had something to do with an intermediate cert somewhere. They didn't deliver on that promise. I don't blame them.By the way, the cert on Wordpress.com is issued by GoDaddy, all the examples I could come up with are also. Guess it's a roll out process.

评论 #11457335 未加载

评论 #11457216 未加载

ikeboy大约 9 年前

Great. Tumblr enabled it earlier this year as well.

评论 #11460364 未加载

brainpool大约 9 年前

Let's Encrypt is great, but Start SSL has also shaped up considerably. A while back their process and the GUI was a real stumbling point. Today however it is a breeze to get it going. (Disclaimer: I am in no way affiliated with Start SSL)

评论 #11483896 未加载

RawInfoSec大约 9 年前

While this helps *.wordpress.com users or custom domains using the wordpress.com back end, it's going to cause a ruckus with self hosted ones.Neither WordPress or LetsEncrypt has any way to modify global server setting on any shared hosting environment. Slapping in an SSL certificate doesn't make a site secure, properly configuring the services that use the cert is what makes it secure.GoDaddy isn't going to let Company Xyz rebuild Apache or configure cyphers server-wide...In the end, while this is a move in the right direction, I fear it will give false confidence to many web providers that don't have enterprise experience with security fundamentals.

评论 #11458932 未加载

评论 #11460379 未加载

vram22大约 9 年前

Google's Blogger is moving to https too, over time, my dashboard shows.

ne01大约 9 年前

I wonder if they bundle multiple domains in one certificate?

muloka大约 9 年前

This is awesome news.I wonder if Squarespace will follow suit in this endeavor.

评论 #11458891 未加载

billhendricksjr大约 9 年前

Squarespace needs to follow suit

评论 #11462480 未加载

upbeatlinux大约 9 年前

12+ years in the making.

chinathrow大约 9 年前

Nice.However, they could have shelved out a couply of hundred of bucks for a wildcard cert before.

评论 #11457153 未加载

评论 #11457174 未加载

frugalmail大约 9 年前

Wordpress is still a security nightmare.PHP, mostly dyanmic everything, unmoderated cesspool of plugins, themes, etc... where you just drop code, predictable URLs and pages to brute force, I could go on...