At least you can be safely and privately infected when you visit WordPress sites now.
WordPress pushes free default SSL for hosted sites
WordPress has deployed HTTPS for its hosted sites*, in what is a huge security boon for users. April statistics by W3techs found 26.3 percent of all content management systems run WordPress. Systems engineer Barry Abrahamson from WordPress' parent company Automattic says the roll out will be transparent and administrators …
COMMENTS
-
Monday 11th April 2016 06:45 GMT Mage
It means millions of websites will be safer from spying and interception techniques.
How?
Like how much content on a typical WP site isn't
a) Public
b) The same view for everyone?
So this makes uploading draft pages & posts you haven't published yet more private. That's about all. It's of some benefit if the WordPress site has a shopping plugin; are those even possible on WP's own hosting rather than 3rd party?
I'm all in favour of encryption. But what value is it for content 100% public and the same view for everyone? Can someone explain the value to me?
-
Monday 11th April 2016 07:12 GMT Anonymous Coward
Re: It means millions of websites will be safer from spying and interception techniques.
If you have to log into a wp site then your user/password doesn't get sent through all the intervening servers in plain text.
Shops are possible with self-hosting wp sites, yes... there's a bunch of different ones available, although if they don't have SSL already as part of setting up the shop, then they don't deserve the business. Some don't bother because they farm all the finance out to PayPal or similar so never know your credit card number; but they still need a delivery address which would get sent in the clear with no SSL, plus email, probably a phone number etc.
-
Monday 11th April 2016 07:43 GMT Mage
Re: It means millions of websites will be safer from spying and interception techniques.
> If you have to log into a wp site then your user/password doesn't get sent through all the intervening servers in plain text.
Seems daft that the majority of email and website logins are unencrypted. What were the designers of websites and email systems thinking of?
So for most sites it's only the Administrators. But can't MITM attacks be done on HTTPS anyway, most easily via "free" access at a cafe or hotel etc. (WiFi or ethernet)? I use a VPN to my home server if I'm using public internet.
-
Monday 11th April 2016 13:43 GMT Anonymous Coward
Re: It means millions of websites will be safer from spying and interception techniques.
>>If you have to log into a wp site then your user/password doesn't get sent through all the intervening servers in plain text.
>Seems daft that the majority of email and website logins are unencrypted.
They aren't, they use https (for website logins anyway, email is slightly different). What other encryption were you expecting?
Actually, in this instance wordpress.com admin logins were over https anyway so this is more of a generic advantage of https rather than something that has actually changed here.
> But can't MITM attacks be done on HTTPS anyway, most easily via "free" access at cafe or Hotel etc (WiFi or ethernet). I use a VPN to my home server if I'm using public internet.
No, they can't. So long as no one has interfered with the certificates on your computer, you can be confident that what you're seeing is the real website however dodgy the connection is. That's why https is great. How is it that you've got VPN to your home server working without knowing this sort of stuff?
-
Monday 11th April 2016 15:02 GMT Vic
Re: It means millions of websites will be safer from spying and interception techniques.
> Seems daft that the majority of email and website logins are unencrypted. What were the designers of websites and email systems thinking of?
Yeah, who would ever log into a website unencrypted?
Icon because - well, we've been doing this for quite a few years now, haven't we?
Vic.
-
Monday 11th April 2016 07:57 GMT choleric
Re: It means millions of websites will be safer from spying and interception techniques.
It's like lending records in a library. The books are all published and it's no secret what's in them, but your private use of them and what that reveals about your purpose in using them can still be of interest to someone. HTTPS obscures what you have been reading from your ISP and any other observers on the route to the site you are looking at.
It is often possible to work out which site you have been visiting from the server's IP address (although if it's a multihost site that will only resolve to a list of possibles), but the details of exactly which page on that server are hidden by HTTPS.
-
Monday 11th April 2016 07:12 GMT G2
WTF, ElReg *facepalm* !
quotes:
Article title: WordPress pushes free default SSL, encrypts 26% of the web's CMSes
[...snip...]
April statistics by W3techs found 26.3 percent of all content management systems run WordPress.
/quotes
WTF, ElReg ??!! that's quite a huge reading comprehension failure, here, have a red card and go sit on the bench. :p
You're confusing the wordpress.com HOSTING service with the WordPress content management software. Their blog/press release even mentions that they have enabled SSL for the .com (hosting service) bit.
The statistics you have quoted are for the software, not for the hosting side, and that software is installed on a TON of other hosting platforms.
-
Monday 11th April 2016 08:17 GMT Sil
TheReg Mistaken ?
I think you are mistaken.
The SSL applies to all WordPress custom domain sites hosted by WordPress.com, not all sites using WordPress elsewhere. And to my knowledge most of the WordPress sites aren't hosted on WordPress.com, but self-hosted, or at an ISP.
Unless I'm wrong, this means a much, much lower percentage than 26% of the Internet is affected by the announcement.
-
Monday 11th April 2016 09:59 GMT AMBxx
Re: TheReg Mistaken ?
I think it's even worse than that - what proportion of the WordPress-hosted sites are little more than vanity sites or brochureware and don't really need any security beyond user privacy?
The sites that need the security are those self-hosted ones. This does nothing to help them.
-
Monday 11th April 2016 11:03 GMT TJ1
SSL? Didn't that get chucked out with the bath-water?
Last I noticed SSL (all versions) has been deprecated (as insecure) [0] in favour of TLS.
If I.T. folks (especially media, who as communicators should know to be precise in their use of terms) who should know about these things continue to knowingly misrepresent the protocol name, what chance have we (as a profession) to educate the non-technical folks about I.T. security?
See https://en.wikipedia.org/wiki/Transport_Layer_Security#Security
-
Monday 11th April 2016 23:32 GMT Someone_Somewhere
Once again
I read about some long-standing and popular service provider and think "Thank goodness I never signed up with them!"
They weren't offering https?*
And people signed up with them?
* at whatever was considered the most secure version at any given time, of whatever was considered the most secure protocol at any given time.
-
Tuesday 12th April 2016 08:06 GMT Seajay#
Re: Once again
They were providing https for admin access, they were already providing https for sub-domains (eg myblog.wordpress.com). All very sensible, so all passwords were already sent encrypted and the majority of their readers' browsing was already encrypted.
They weren't doing anything wrong before but what they weren't previously doing was providing you with a certificate if you brought your own domain and hosted with them.
-