WordPress pushes free default SSL for hosted sites

WordPress has deployed HTTPS for its hosted sites*, in what is a huge security boon for users. April statistics by W3techs found 26.3 percent of all content management systems run WordPress. Systems engineer Barry Abrahamson from WordPress' parent company Automattic says the roll out will be transparent and administrators …

  1. gollux
    Mushroom

    At least you can be safely and privately infected when you visit WordPress sites now.

  2. Mage Silver badge

    It means millions of websites will be safer from spying and interception techniques.

    How?

    Like how much content on a typical WP site isn't

    a) Public

    b) The same view for everyone?

    So this makes uploading draft pages & posts you haven't published yet more private. That's about all. It's of some benefit if the WordPress has a shopping plugin; are those even possible on WP's own hosting rather than 3rd party?

    I'm all in favour of encryption. But what value is it for content 100% public and the same view for everyone? Can someone explain the value to me?

    1. Anonymous Coward

      Re: It means millions of websites will be safer from spying and interception techniques.

      If you have to log into a wp site then your user/password doesn't get sent through all the intervening servers in plain text.

      Shops are possible with self-hosting wp sites, yes... there's a bunch of different ones available, although if they don't have SSL already as part of setting up the shop, then they don't deserve the business. Some don't bother because they farm all the finance out to PayPal or similar so never know your credit card number, but they still need a delivery address which would get sent in the clear with no SSL, plus email, probably a phone number etc.

      1. Mage Silver badge

        Re: It means millions of websites will be safer from spying and interception techniques.

        If you have to log into a wp site then your user/password doesn't get sent through all the intervening servers in plain text.

        Seems daft that the majority of email and website logins are unencrypted. What were the designers of websites and email systems thinking of?

        So for most sites it's only the Administrators. But can't MITM attacks be done on HTTPS anyway, most easily via "free" access at cafe or Hotel etc (WiFi or ethernet). I use a VPN to my home server if I'm using public internet.

        1. Anonymous Coward

          Re: It means millions of websites will be safer from spying and interception techniques.

          >>If you have to log into a wp site then your user/password doesn't get sent through all the intervening servers in plain text.

          >Seems daft that the majority of email and website logins are unencrypted.

          They aren't, they use https (for website logins anyway, email is slightly different). What other encryption were you expecting?

          Actually, in this instance wordpress.com admin log ins were over https anyway so this is more of a generic advantage of https rather than something that has actually changed here.

          > But can't MITM attacks be done on HTTPS anyway, most easily via "free" access at cafe or Hotel etc (WiFi or ethernet). I use a VPN to my home server if I'm using public internet.

          No, they can't. So long as no one has interfered with the certificates on your computer, you can be confident that what you're seeing is the real website however dodgy the connection is. That's why https is great. How is it that you've got VPN to your home server working without knowing this sort of stuff?

        2. Vic
          Unhappy

          Re: It means millions of websites will be safer from spying and interception techniques.

          Seems daft that the majority of email and website logins are unencrypted. What were the designers of websites and email systems thinking of?

          Yeah, who would ever log into a website unencrypted?

          Icon because - well, we've been doing this for quite a few years now, haven't we?

          Vic.

    2. Fuzz

      Re: It means millions of websites will be safer from spying and interception techniques.

      Having encryption enabled stops the page from being modified during transit. It prevents ISPs from injecting adverts or downgrading the quality of images to save their bandwidth.

      1. Mage Silver badge

        Re: It means millions of websites will be safer from spying and interception techniques.

        If my ISP did either of those I'd get a different one. Sadly though many people have no choice or can only use Mobile, which isn't broadband.

    3. choleric

      Re: It means millions of websites will be safer from spying and interception techniques.

      It's like lending records in a library. The books are all published and it's no secret what's in them, but your private use of them and what that reveals about your purpose in using them can still be of interest to someone. HTTPS obscures what you have been reading from your ISP and any other observers on the route to the site you are looking at.

      It is often possible to work out which site you have been visiting from the server's IP address (although if it's a multihost site that will only resolve to a list of possibles), but the details of exactly which page on that server are hidden by HTTPS.

  3. G2
    FAIL

    WTF, ElReg *facepalm* !

    quotes:

    Article title: WordPress pushes free default SSL, encrypts 26% of the web's CMSes

    [...snip...]

    April statistics by W3techs found 26.3 percent of all content management systems run WordPress.

    /quotes

    WTF, ElReg ??!! that's quite a huge reading comprehension failure, here, have a red card and go sit on the bench. :p

    You're confusing the wordpress.com HOSTING service with the WordPress content management software. Their blog/press release even mentions that they have enabled SSL for the .com (hosting service) bit.

    The statistics you have quoted are for the software, not for the hosting side, and that software is installed on a TON of other hosting platforms.

    1. G2
      Pint

      Re: WTF, ElReg *facepalm* !

      ok.. looks fixed now.. thanks.

      go have a beer :)

  4. batfastad
    Trollface

    Pwnd

    So 90% of the web's SQL injection will be happening over HTTPS now instead. That's something I guess. Go WordPress!

    1. Amos1

      Re: Pwnd

      Yeah, no kidding. If your employer doesn't do HTTPS decryption they are going to get whacked hard. Then more employers will do HTTPS decryption, reducing the overall security of the end user. What a "duh" move.

  5. Sil

    TheReg Mistaken ?

    I think you are mistaken.

    The SSL applies to all WordPress custom domain sites hosted by WordPress.com, not all sites using WordPress elsewhere. And to my knowledge most of the WordPress sites aren't hosted on WordPress.com, but self hosted, or at an ISP.

    Unless I'm wrong, this means a much much lower percentage than 26% of the Internet is affected by the announcement.

    1. AMBxx Silver badge

      Re: TheReg Mistaken ?

      I think it's even worse than that - what proportion of the WordPress hosted sites are little more than vanity sites or brochureware and don't really need any security beyond user privacy?

      The sites that need the security are those self-hosted ones. This does nothing to help them.

  6. Seajay#

    Automattic vs Wordpress Foundation

    I see that the bootnote says you've updated the first paragraph but it's still not right. There is no organisation called WordPress. There is Automattic or there is the WordPress Foundation. In this instance it's a story about Automattic.

  7. TJ1

    SSL? Didn't that get chucked out with the bath-water?

    Last I noticed SSL (all versions) has been deprecated (as insecure) [0] in favour of TLS.

    If I.T. folks (especially media, who as communicators should know to be precise in their use of terms) who should know about these things continue to knowingly misrepresent the protocol name, what chance have we (as a profession) to educate the non-technical folks about I.T. security?

    See https://en.wikipedia.org/wiki/Transport_Layer_Security#Security

  8. NotBob

    Yay!

    Now no one can spy on me while I read someone's blarg about self flagellation. No one except the neighbor with the binoculars, anyway.

  9. Someone_Somewhere
    Facepalm

    Once again

    I read about some long-standing and popular service provider and think "Thank goodness I never signed up with them!"

    They weren't offering https?*

    And people signed up with them?

    * at whatever was considered the most secure version at any given time, of whatever was considered the most secure protocol at any given time.

    1. Seajay#

      Re: Once again

      They were providing https for admin access, they were already providing https for sub-domains (eg myblog.wordpress.com). All very sensible, so all passwords were already sent encrypted and the majority of their readers' browsing was already encrypted.

      They weren't doing anything wrong before but what they weren't previously doing was providing you with a certificate if you brought your own domain and hosted with them.

      1. Someone_Somewhere
        Thumb Up

        Re: Once again

        Ah, right - so not quite as drastic as I thought after all.

        Thanks for the clarification.
