Hacker News new | past | comments | ask | show | jobs | submit login

I still see login pages over http sometimes. I will be happy when I rarely see any http pages. I wonder what would happen if Chrome made all http pages red to indicate insecure...



They plan to:

https://www.chromium.org/Home/chromium-security/marking-http...


There's a Chrome flag you can enable for that experience today, as it's only a matter of time before that is default. I use this and so this is how the TechCrunch article shows for me: http://i.imgur.com/c8Cz7S4.png


And, that imgur link is also a broken lock? ;)


Mozilla has it in dev - https://hacks.mozilla.org/2016/01/login-forms-over-https-ple...


That blog post is from January and Firefox Dev Edition 46 has since advanced to Beta. The insecure login warning will ship to the Firefox release channel on April 26. :)


Just the fact http was the default for all websites hosted on WordPress.com is really weird to me. All those websites had all the passwords sent over plaintext.


Note that this is about custom domains hosted on Wordpress.com's infrastructure. Blogs that were hosted as subdomains of wordpress.com have been using SSL since 2014 according to the original announcement. Let's Encrypt allowed them to enable it for custom domains without delivering a truckload of money to a CA.

The original announcement is a bit more precise on this.


Nope — login pages have been https for many years.


That's because Google rewards on page speed, and SSL used to make you lose the game. So if you want your wordpress to be well referenced, it used to be better to have it insecure.

Additionnaly if you published both on HTTP and HTTPS, you were flagged as duplicate content. Fortunately they've reordered the incentives now.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: