12 Comments

  1. Weston Ruter

    In regards to PWA, note that the previously-reported PWA feature plugin includes better support for HTTPS in WordPress as one of its purposes. This is because service workers depend on HTTPS to be installed.


    • fwolf

      So the idea is to force HTTPS on everyone if this feature plugin transits to core?

      SSL / TLS in itself is NOT secure, if you don’t secure the other two points of “interest”, i.e. client (= your local system) and, much more important, server. IMHO this is all a somewhat false-flag operation, because everyone non-deeply involved – and even then – is now thinking: “SSL makes everything secure!” – which of corpse is WRONG. If you don’t update your WP install, keep your server software up-to-date OR secure, then no matter how much strong SSL encryption you throw around, your site is still destined to be hacked and abused as e.g. trojan horse malware hole in the end.

      cu, w0lf.


  2. RT Cunningham

    I’ve thought about this a lot. Google doesn’t make the rules for any web browser except Chrome. If anyone doesn’t like how it’s changing, they can use Firefox or even Edge.


  3. Irineu

    Google does not enforce “not secure” for many government websites.


  4. J.D. Grimes

    My blog, http://scripting.com, is not “not secure.” It uses the standard protocol of the web, HTTP. It will not hurt you.

    HTTPS has nothing to do with whether his blog is secure. It has everything to do with whether a visitor’s connection to the blog is secure. If the connection is not secure, then it doesn’t matter how secure the blog itself is, anyone that can intercept the connection can do dangerous stuff. Without HTTPS, you actually have no control over what your visitors actually get served when they visit your site. (HTTPS doesn’t fix every ill either, but it is a big step in the right direction.)


    • fwolf

      In what way? People are still not going to update. In some cases, it pushed them into the right direction, letting professionals (like me) update and upgrade their sites to current software and standards, but there are also many cases where folks just “install” SSL and be done with it. Nothing changes, sites stay hugely unsecure. And that is my personal beef with all of that: The normal Joe Schmoe gets the impression, if you set up your site with SSL, everything is back to normal and all is going to be secure.

      So no, it’s not a step into the right direction. It’s one step forward and a half or even one step back, so we are at best slightly better than before, or just on the same zero state as before.

      cu, w0lf.


      • J.D.

        You are right—people need to understand the difference between the server being secure and the connection being secure. And this may not help with that, although it is a good opportunity for education. But since in the end the plan is to no longer say that a site (really, connection) is “secure” just because it has TLS, I’d still say that this is a step in the right direction. TLS doesn’t make your site secure, but not having it does make every connection to the site insecure.


  5. David Riv

    The “Encrypt Everything” initiative is not Google driven. It is an industry move that has been happening for years. Let’s Encrypt gives away free SSL certificates, and there are websites like ZeroSSL that provide you with Let’s Encrypt certificates through a web interface if you cannot install LE on your server. There is no reason to avoid SSL anymore.

    As others have indicated, an SSL-encrypted connection is just one step. Is your server secure? Is your CMS login secure? Is your file system secure? Are your plugins secure? Is your database secure? SSL is merely protecting your transport, but it’s a big improvement.

    SSL ensures the data sent from the server is the data the client receives. There are no unintended ad injections, and no code manipulations. Your content is not snooped and used for any other purposes, regardless if it contains personal data or not. Do you want the world knowing what you’re reading about, anyway?

