HTTPS Problems With This Blog — and Other WordPress.com Blogs

As you may be aware, this blog is hosted on wordpress.com — its actual hostname is olsenbloom.wordpress.com — but I have the domain andrewhickey.info mapped to it. This has worked well for me for the last six years, but I may have to change.
The reason is that the internet is slowly moving to HTTPS rather than HTTP, and wordpress.com don’t seem to be happy with that change. You can access wordpress.com sites via HTTPS — visiting https://olsenbloom.wordpress.com doesn’t cause any problems, and actually redirects you to http://andrewhickey.info — but if you try to access https://andrewhickey.info a rather different thing happens, if you’re in a modern browser:

Iceweasel/Firefox:
Screenshot from 2014-12-04 22:47:27

Chromium/Chrome:
Screenshot from 2014-12-04 22:48:33

This is because wordpress.com have an SSL certificate for the wordpress.com domain name, but don’t have them for the domains that are mapped — and they don’t support using them if you own your own domain.

This is quite annoying, as it means that sites that use wordpress’ free hosting are fine, but those of us who pay (and I pay WordPress for domain mapping, extra storage space, ad removal, and other bits and pieces — I’m a paying customer, not someone whining about a free service) have our sites broken if people are trying to be secure by using addins like HTTPS Everywhere.

They don’t support that even if you’re John Scalzi, who says in this post that he uses WordPress.com VIP. If you use WordPress’ hosting, as he does, that costs *FROM* $5000 *PER MONTH*.

Yet try to connect to https://whatever.scalzi.com and you’ll get exactly the same error. The $5000-per-month site is broken, while the $0 ever sites are fine.

Until recently, I’d not thought of this as a particular problem, but there’s been a big push from a variety of sources, including Google, Mozilla, and the Electronic Frontier Foundation, to move everything over to HTTPS, and I got my first email yesterday from someone who’d tried to access this blog by HTTPS and been unable. So I spent a while today looking through WordPress’ support forums to see if this was something they were planning to add as a feature. All I could find was this from May:

If you wish to avoid the error message when you visit sites hosted on WordPress.com, you can replace https:// in your address bar with http://. If you have any visitors who are concerned with the error when they arrive at your site, they can use the same solution.

Which is helpful, especially since if visitors can’t get to the site, there’s no way to tell them how to get to the site.

I’m going to get in touch with their support team on Monday (their whole support team is off work this week, for some reason) and see if they’re planning to change their — frankly bizarre — current policy any time soon. If not, I’ll probably have to move the site to somewhere else, and quickly — I pay for another year of their services on December 26.

I really don’t have the brains to be looking for new hosting solutions and migrating six years worth of data over at no notice :-/

This entry was posted in Uncategorized. Bookmark the permalink.

7 Responses to HTTPS Problems With This Blog — and Other WordPress.com Blogs

  1. Jim Wagner says:

    PLEASE remove me from your mailing list. Im disabled and its too much incoming mail for me. Thank you

    Sent from my iPhone

    >

    • You’re not on my mailing list, which has had only two posts so far this year.
      If you’re talking about an email subscription to the blog, you’ll have to do that yourself, as that’s between you and wordpress, and nothing to do with me. Every email you get from the blog quite clearly says at the bottom:
      “Unsubscribe to no longer receive posts from Sci-Ence! Justice Leak!.
      Change your email settings at Manage Subscriptions”
      with “Unsubscribe” and “Manage Subscriptions” both clickable links. Click either of those and you’ll be able to unsubscribe yourself.

  2. artesea says:

    Could you transfer the DNS to CloudFlare? They provide free SSL certs and handle the bit between the iffy cert on the server and their proxies. I have a couple of self signed sites, with them in front and the end user doesn’t get any errors/warnings.

    • Andrew Hickey says:

      Might be a possibility, but I don’t know if WordPress.com would support that. I’ll look into it, though — thanks for the suggestion.

  3. Mike Taylor says:

    Please do follow up with whatever you end up doing. I run http://svpow.com/ on WordPress, too — I’m only a paying customer for the domain-mapping — and always assumed HTTPS Just Worked, as it clearly ought to in 2014. I was a bit shocked when I tried it just now and found that it didn’t. Really not acceptable any more: it’s like manufacturing a car without seatbelts.

  4. What’s the advantage to using https if you’re not communicating any private data?

    If you move to shared hosting you’ll probably run into the same problem, except that you can fix it by paying extra for your own SSL certificate. Traditionally, web hosts have treated secure connections as an expensive optional extra, and this is likely to cause lots of problems with a move towards making everyone use https for everything.

    • Andrew Hickey says:

      The advantage is for people who want to browse without a third party seeing what pages they’re looking at. They’d still be able to tell what domain you were looking at, but not whether you were, say, looking at the NHS pages about migraines or about an STD.
      Personally, I don’t really care much about it, but there is a concerted effort by a lot of organisations to make HTTPS the default, and it seems to be pretty much a done deal.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s