back to article WordPress pushes free default SSL for hosted sites

WordPress has deployed HTTPS for its hosted sites*, in what is a huge security boon for users. April statistics by W3techs found 26.3 percent of all content management systems run WordPress. Systems engineer Barry Abrahamson from WordPress' parent company Automattic says the roll out will be transparent and administrators …

  1. gollux
    Mushroom

    At least you can be safely and privately infected when you visit WordPress sites now.

  2. Mage Silver badge

    It means millions of websites will be safer from spying and interception techniques.

    How?

    Like how much content on a typical WP site isn't

    a) Public

    b)The same view for everyone?

    So this makes uploading draft pages & posts you haven't publish yet more private. That's about all. It's of some benefit if the Wordpress has shopping plugin, are those even possible of WP own hosting rather than 3rd party?

    I'm all in favour of encryption. But what value is it for content 100% public and the same view for everyone? Can someone explain the value to me?

    1. Anonymous Coward
      Anonymous Coward

      Re: It means millions of websites will be safer from spying and interception techniques.

      If you have to log into a wp site then your user/password doesn't get sent through all the intervening servers in plain text.

      Shops are possible with self-hosting wp sites, yes...there's a bunch of different ones available; although if they don't have SSL already as part of setting up the shop; then they don't deserve the business. Some don't bother because they farm all the finance out to PayPal or similar so never know your credit card number; but they still need a delivery address which would get sent in the clear with no SSL, plus email; probably a phone number etc.

      1. Mage Silver badge

        Re: It means millions of websites will be safer from spying and interception techniques.

        If you have to log into a wp site then your user/password doesn't get sent through all the intervening servers in plain text.

        Seems daft that the majority of email and website logins are unencrypted. What were the designers of websites and email systems thinking of?

        So for most sites it's only the Administrators. But can't MITM attacks be done on HTTPS anyway, most easily via "free" access at cafe or Hotel etc (WiFi or ethernet). I use a VPN to my home server if I'm using public internet.

        1. Anonymous Coward
          Anonymous Coward

          Re: It means millions of websites will be safer from spying and interception techniques.

          >>If you have to log into a wp site then your user/password doesn't get sent through all the intervening servers in plain text.

          >Seems daft that the majority of email and website logins are unencrypted.

          They aren't, they use https (for website logins anyway, email is slightly different). What other encryption were you expecting?

          Actually, in this instance wordpress.com admin log ins were over https anyway so this is more of a generic advantage of https rather than something that has acutally changed here.

          > But can't MITM attacks be done on HTTPS anyway, most easily via "free" access at cafe or Hotel etc (WiFi or ethernet). I use a VPN to my home server if I'm using public internet.

          No, they can't. So long as no one has interfered with the certificates on your computer, you can be confident that what you're seeing is the real website however dodgy the connection is. That's why https is great. How is it that you've got VPN to your home server working without knowing this sort of stuff?

        2. Vic
          Unhappy

          Re: It means millions of websites will be safer from spying and interception techniques.

          Seems daft that the majority of email and website logins are unencrypted. What were the designers of websites and email systems thinking of?

          Yeah, who would ever log into a website unencrypted?

          Icon because - well, we've been doing this for quite a few years now, haven't we?

          Vic.

    2. Fuzz

      Re: It means millions of websites will be safer from spying and interception techniques.

      Having encryption enabled stops the page from being modified during transit. It prevents ISPs from injecting adverts or downgrading the quality of images to save their bandwidth.

      1. Mage Silver badge

        Re: It means millions of websites will be safer from spying and interception techniques.

        If my ISP did either of those I'd get at different one. Sadly though many people have no choice or can only use Mobile, which isn't broadband.

    3. choleric

      Re: It means millions of websites will be safer from spying and interception techniques.

      It's like lending records in a library. The books are all published and it's no secret what's in them, but your private use of them and what that reveals about your purpose in using them can still be of interest to someone. HTTPS obscures what you have been reading from your ISP and any other observers on the route to the site you are looking at.

      It is often possible to work out which site you have been visiting from the server's IP address (although if it's a multihost site that will only resolve to a list of possibles), but the details of exactly which page on that server are hidden by HTTPS.

  3. G2
    FAIL

    WTF, ElReg *facepalm* !

    quotes:

    Article title: WordPress pushes free default SSL, encrypts 26% of the web's CMSes

    [...snip...]

    April statistics by W3techs found 26.3 percent of all content management systems run WordPress.

    /quotes

    WTF, ElReg ??!! that's quite a huge reading comprehension failure, here, have a red card and go sit on the bench. :p

    You're confusing the wordpress.com HOSTING service with the WordPress content management software. Their blog/press release even mentions that they have enabled SSL for the .com (hosting service) bit.

    The statistics you have quoted are for the software, not for the hosting side, and that software is installed on a TON of other hosting platforms.

    1. G2
      Pint

      Re: WTF, ElReg *facepalm* !

      ok.. looks fixed now.. thanks.

      go have a beer :)

  4. batfastad
    Trollface

    Pwnd

    So 90% of the web's SQL injection will be happening over HTTPS now instead. That's something I guess. Go Wordpress!

    1. Amos1

      Re: Pwnd

      Yeah, no kidding, If your employer doesn't do HTTPS decryption they are going to get whacked hard. Then more employers will do HTTPS decryption, reducing the over all security of the end user. What a "duh" move.

  5. Sil

    TheReg Mistaken ?

    I think you are mistaken.

    The SSL applies to all WorPress custom domain sites hosted by WordPress.com, not all sites using WordPress elsewhere. And to my knowledge most of the WordPress sites aren't hosted on WordPress.com, but self hosted, or at an ISP.

    Unless I'm wrong, this means a much much lower percentage than 26 % of Interest is affected by the announcement.

    1. AMBxx Silver badge

      Re: TheReg Mistaken ?

      I think it's even worse than that - what proportion of the Wordpress hosted sites are little more than vanity sites or brochureware and don't really need any security beyond user privacy?

      The sites that need the security are those self-hosted ones. This does nothing to help them.

  6. Seajay#

    Automattic vs Wordpress Foundation

    I see that the bootnote says you've updated the first paragraph but it's still not right. There is no organisation called Wordpress. There is Automattic or there is the Wordpress Foundation. In this instance it's a story about Automattic.

  7. TJ1

    SSL? Didn't that get chucked out with the bath-water?

    Last I noticed SSL (all versions) has been deprecated (as insecure) [0] in favour of TLS.

    If I.T. folks (especially media, who as communicators should know to be precise in their use of terms) whom should know about these things continue to knowingly misrepresent the protocol name what chance have we (as a profession) to educate the non-technical folks about I.T. security?

    See https://en.wikipedia.org/wiki/Transport_Layer_Security#Security

  8. NotBob

    Yay!

    Now no one can spy on me while I read someone's blarg about self flagellation. No one except the neighbor with the binoculars, anyway.

  9. Someone_Somewhere
    Facepalm

    Once again

    I read about some long-standing and popular service provider and think "Thank goodness I never signed up with them!"

    They weren't offering https?*

    And people signed up with them?

    * at whatever was considered the most secure version at any given time, of whatever was considered the most secure protocol at any given time.

    1. Seajay#

      Re: Once again

      They were providing https for admin access, they were already providing https for sub-domains (eg myblog.wordpress.com). All very sensible, so all passwords were already sent encrypted and the majority of their readers' browsing was already encrypted.

      They weren't doing anything wrong before but what they weren't previously doing was providing you with a certificate if you brought your own domain and hosted with them.

      1. Someone_Somewhere
        Thumb Up

        Re: Once again

        Ah, right - so not quite as drastic as I thought after all.

        Thanks for the clarification.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022