HTTPS Everywhere: Encryption for All WordPress.com Sites
-
Today we are excited to announce free HTTPS for all custom domains hosted on WordPress.com. This brings the security and performance of modern encryption to every blog and website we host.
https://en.blog.wordpress.com/2016/04/08/https-everywhere-encryption-for-all-wordpress-com-sites/
-
If you're using a custom domain like cowbells.com (edit: lol it's real apparently), surely you must pay for a signed certificate? Is WordPress really providing it, as you said "you're good to go" even if you have a custom domain?
-
@tonyshowoff said:
Is WordPress really providing it, as you said "you're good to go" even if you have a custom domain?
If you have a subdomain of YOURNAME.wordpress.com you get it.
YOURNAME.com won't be covered.
-
@Breffni-Potter said:
@tonyshowoff said:
Is WordPress really providing it, as you said "you're good to go" even if you have a custom domain?
If you have a subdomain of YOURNAME.wordpress.com you get it.
YOURNAME.com won't be covered.
I figured, but OP seems to say otherwise, but it'd cost WordPress a hell of a lot to cover everyone.
-
@tonyshowoff said:
@Breffni-Potter said:
@tonyshowoff said:
Is WordPress really providing it, as you said "you're good to go" even if you have a custom domain?
If you have a subdomain of YOURNAME.wordpress.com you get it.
YOURNAME.com won't be covered.
I figured, but OP seems to say otherwise, but it'd cost WordPress a hell of a lot to cover everyone.
Unless they are just using lets encrpyt for all of them
-
@Breffni-Potter said:
If you have a subdomain of YOURNAME.wordpress.com you get it.
YOURNAME.com won't be covered.
WordPress.com has supported encryption for sites using WordPress.com subdomains (like https://barry.wordpress.com/) since 2014. Our latest efforts now expand encryption to the million-plus custom domains (like automattic.com) hosted on WordPress.com.
-
The Let’s Encrypt project gave us an efficient and automated way to provide SSL certificates for a large number of domains. We launched the first batch of certificates in January 2016 and immediately started working with Let’s Encrypt to make the process smoother for our massive and growing list of domains.
-
@tonyshowoff Let's Encrypt is completely free.
-
@aaronstuder said:
@tonyshowoff Let's Encrypt is completely free.
Without Microsoft support and recognition of it, it's completely useless from a business perspective, and maybe even a regular person perspective, considering red WARNING!!!! doesn't go over well. I like the idea of Let's Encrypt, the idea that SSL certs require money for signing due to "insurance" is a total lie and it's a way to print money. Any proof an SSL certificate has failed? No, only underlying protocols and software.
All that money Versign and the other monsters collect to send out 25kb of data is a scam, and it's no surprise the first browser to start claiming self-signed certificates were inherently dangerous was IE.
-
@tonyshowoff What are you talking about?
Let's Encrypt doesn't cause any warnings.
I have tons of sites running LE with no warnings...
-
@aaronstuder said:
@tonyshowoff What are you talking about?
Let's Encrypt doesn't cause any warnings.
I have tons of sites running LE with no warnings...
Do you have an example of a web site using it?
-
-
@aaronstuder said:
@tonyshowoff said:
Do you have an example of a web site using it?
Sure. https://letsencrypt.org/
That's issued by IdenTrust and is a part of the same certificate authority, I'm talking about one issued by letsencrypt themselves, as a part of that chain, not their parent, unless of course that's how it works.
-
-
@aaronstuder Thank you
-
-
@aaronstuder said:
@tonyshowoff said:
@aaronstuder Thank you
Any warnings?
No, not in Chrome, IE, Opera, or Firefox (as presumed). This is great! But my criticism above stands when it comes to independent authorities and my criticism of the sign-monster coming on board in the first place without a free option available back then. I really hope this makes a big dent in the absolute scam that is the signed certificate industry.
The only criticism I do have is that they do not support wild card and apparently don't plan to anytime soon, according to community posts I found (granted from months ago). Until wildcard is supported, Versign, Thawt, etc will continue to just exploit the hell out of people. Having said that, this is a great start. There was that one SSL service which provided "free" SSL for years now, but it's a pain in the ass to setup, and their site basically wants you to be an expert to avoid having to pay.
Great start, wonderful
-
@tonyshowoff I agree. Wildcard support would be excellent, but the price is right
Remember that you can generate more then one. (domain.com, mail.domain.com, owncloud.domain.com, etc) -
@aaronstuder said:
@tonyshowoff I agree. Wildcard support would be excellent, but the price is right
Remember that you can generate more then one. (domain.com, mail.domain.com, owncloud.domain.com, etc)Indeed, like I said, great start, if nothing else hopefully it will cause the prices in wildcards to drop due to fears of people leaving their current issuers.
-
The problem with free is someone has to pay for the servers that support it. I'm really glad that the EFF has decided to do Let's Encrypt - something that took them well over a year after they first announced it before it was working.
To boot strap themselves, they have their root certificate signed by someone that most if not all browsers already trusted until they get their own root cert accepted by most if not all browsers directly.
