Wednesday, May 18, 2016

HTTPS and blogging

HTTPS seems to be coming to blogs. Most WordPress sites have converted. Google is a big promoter. I think it is only a matter of time before Blogger sites come under pressure, though at the moment, that system is dragging its feet. So I have enabled HTTPS for Moyhu, and I'm writing about what it may mean for you. At present the likely answer is - nothing.

Personally, HTTPS seems to me to offer little and to have downsides. My enabling it does not require anyone to change the normal http: URL they use, and with no action they will see the usual response. If you use a https: URL (nothing else need change), then everything that appears on the page has to be served over HTTPS as well, which means its host has to have a certificate. Since a great deal of stuff that has been linked in the past does not have that, unless I update the links, it won't appear. Worse, you may get a scary message saying that something has presented an invalid certificate, and someone may be trying to do you harm. Hopefully this won't happen, but if it does you'll know where it is likely coming from, and it is not a threat.

I've been watching the situation at WordPress blogs, and did some commenting at this thread (scroll up for more). WordPress has somehow made https mandatory. That is, whether you link with an http or https URL, it is treated as https. To solve the problem of all the old images etc. that don't supply certificates, they make their own cached copies with https URLs. The problem there is with locations that update content; the cached image doesn't change. Worse, the system intercepts links to such locations, and directs to whatever cache they have. You could find that you don't see what you thought you were linking to, but a copy that someone may have made on even a different WP site months ago.

Moyhu won't have that problem (as yet), because Blogger doesn't switch URLs, and also doesn't cache. So I will use entirely http links to past posts, and you should too. Again if you don't you'll see missing images, and maybe a scary message. For the moment I'm planning to restrict HTTPS linking to the home page and probably some heavily used pages like latest data and trend view.

So you might ask - why do I bother? I suspect with two different systems some incompatibilities will arise, and I want to be on the front foot. But also being http only is causing some meta problems. An incoming https call doesn't like passing information to a http page. That means that I don't know the origins of traffic, and pingbacks etc don't work, if the referring site is https. My enabling HTTPS isn't an instant solution, because it requires that incoming traffic address Moyhu with HTTPS, and most of the existing links won't have that.

So linking to Moyhu with a HTTPS URL helps me a little bit, probably won't help you, and there is some possibility of downside. Using HTTP (ie doing nothing about it) works as before. But the balance may change.

BTW, if you do see missing images for HTTPS reasons, you can usually click on them and they will show in a new tab. The reason is that there is then no HTTP/HTTPS conflict. It's all http.
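
Added example (not from the original post): a small Python check that lists which embedded resources in a post body would load as mixed content when the page is opened with an https: URL, and shows why plain links to http pages are unaffected. The host names and the sample HTML are constructed placeholders, and the function and class names are illustrative.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that a browser fetches while rendering the page.
# <a href> is absent on purpose: following a link is navigation, not a subresource load.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
                     "video": "src", "source": "src", "embed": "src", "object": "data"}
# Browsers block active mixed content outright; passive (images, media) handling varies.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}

class MixedContentScanner(HTMLParser):
    """Collect http:// subresources of a page that is itself served over https://."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":  # only stylesheets are checked; other rel values are skipped
            rel = (attrs.get("rel") or "").lower().split()
            url = attrs.get("href") if "stylesheet" in rel else None
        else:
            url = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if not url:
            return
        absolute = urljoin(self.page_url, url.strip())  # resolves // and relative URLs
        if urlparse(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((kind, tag, absolute))

def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # a page loaded over http:// has no mixed content
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample post body; all hosts are placeholders.
SAMPLE = """
<a href="http://blog.example/2015/01/old-post.html">old post</a>
<img src="http://bucket.example/plots/trend.png">
<img src="https://blog.example/img/logo.png">
<img src="//cdn.example/a.png">
<script src="http://widgets.example/chart.js"></script>
<link rel="stylesheet" href="/style.css">
"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://blog.example/2016/05/post.html", SAMPLE):
        print(*finding)
```

The same post body scanned with an http: page URL returns nothing, which matches the behaviour described above: the http address keeps working as before, and only the https address exposes the old http-hosted images.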





2 comments:

  1. Nick, I got a notice that you no longer have the choice to enable https. Google blogspots have now all been converted over to https, except for those that have a custom domain.

    >>As part of this launch, we're removing the HTTPS Availability setting. Even if you did not previously turn on this setting, your blogs will have an HTTPS version enabled.<<

    What you *can* do now is force a redirect to https for any links that go to http.

    https://security.googleblog.com/2016/05/bringing-https-to-all-blogspot-domain.html

    1. Thanks, Sou,
      I thought something like this was imminent, but didn't realise it was already out. I think the https redirect may not stay opt-in for long. I see you host images at Blogger, which is already https; I use an Amazon bucket, which will be a problem.

      The link you provided was very helpful, and led on to more interesting stuff (CSP etc). I'll probably have to write a follow-up post.
