Modern field guide to security and privacy

WordPress joins movement toward HTTPS encryption

Popular blogging platform WordPress is the latest in a growing number of sites that are enabling website encryption to protect their users.

Reuters
A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser.

The popular blogging platform WordPress is about to make its corner of the Internet more secure as it begins to enable encryption by default on 600,000 custom WordPress.com domains.

The move to embrace HTTPS encryption – the secure form of the Internet protocol HTTP – represents an increasing mainstream embrace of consumer-focused online security. Many major sites, such as Google, Yahoo, Facebook, and Twitter, already have HTTPS enabled, and the US government is working to have HTTPS on its sites by the end of 2016.

But even as some of the biggest companies on the Web are moving toward HTTPS, the majority of Internet sites still don't use HTTPS, which privacy advocates say is especially important when users are submitting sensitive data, such as credit card information or a Social Security Number, to a website.

"It protects our users against various issues," a spokesperson for Automattic, WordPress’s parent company, said in an e-mail. "This includes defending against surveillance of content and communications, cookie theft, account hijacking, and other web security flaws."

Automattic didn't have a firm date for a complete rollout, but the encryption is currently enabled on about 100,000 of those domains.

Over the past few years, privacy advocates and tech companies have ramped up efforts to expand the use of HTTPS. This past December, the nonprofit Internet Security Research Group (ISRG) launched its service Let’s Encrypt to provide HTTPS encryption to sites for free. Let’s Encrypt is providing HTTPS encryption to WordPress.

“Who we’re really trying to protect is the people who visit WordPress sites or any other site,” said Josh Aas, ISRG's executive director. "The era of HTTP-only needs to end."

Even though HTTPS is becoming more common, it's still up to individuals to check their URL bar for the HTTPS connection, a task even many experts are unlikely to do for each site they visit.

To help address that issue, tech advocacy nonprofit The Electronic Frontier Foundation provides tools such as the “HTTPS Everywhere” browser extension for consumers. The extension ensures that if someone visits a site with HTTPS, that person connects to the secure version of the site each time. 

Until HTTPS is more widely adopted, tech companies such as Google and Mozilla are working to make a site’s connection security more obvious to Internet users.

Google has a multiphase plan that uses icons in the URL bar to alert users when a site has an encrypted connection, and that will eventually mark sites without one as unsafe. Sites won’t be marked until a certain percentage of total Internet traffic is sent over HTTPS. Likewise, Mozilla plans to gradually make new features, such as geolocation, unavailable to sites that don’t have HTTPS to protect people’s security.

Richard Barnes, head of security for Mozilla’s Firefox browser, tracks the number of domains that newly acquire HTTPS without previously having it. Before Jan. 27 when WordPress acquired HTTPS for the sites, he said, there were about 16.5 million domains total with HTTPS. Paired with other sites that acquired HTTPS that day, the total number of sites with HTTPS jumped 8 percent, which Mr. Barnes said is “significant.” 

WordPress isn’t the only hosting company migrating to a secure connection. DreamHost recently enabled its customers to opt in to HTTPS, as did hosting company OVH.

Editor's note: This story was updated to clarify that custom WordPress.com domains will receive HTTPS encryption.
