Wednesday, October 22, 2014

Dear Google: Where's the SSL for Blogger?



I thought enabling HTTPS for this blog would be straightforward, but I painfully found out that a feature I assumed would be a no-brainer is in fact impossible to come by - there's no way to use SSL natively with Blogger.  For those of us who want to serve content via end-to-end encryption, Blogger is not a solution until Google decides to bring it up to speed with the rest of its services.



I recently advocated on behalf of the "HTTPS by default" movement but was promptly reminded that I must first practice what I preach:


I poked around Blogger's settings but was surprised and annoyed when I didn't find a relevant option. I searched Google's product forums for an answer (HTTPS or SSL) but found only a suggestion to use Cloudflare and statements from other users that Google doesn't offer SSL for Bloggers.

Not providing a way to serve Blogger over SSL is Google's awkwardly unencrypted and soon-to-be downranked elephant in the room.  There's no "Force HTTPS" option in the Blogger settings like there used to be for Gmail.  Adding HTTPS to the URL of a blog hosted on Blogger also doesn't work.  There's no way to load an SSL certificate, self-signed or otherwise, if you use a custom domain with your Blogger-hosted blog.

The inability to securely serve Blogger content is inconsistent with Google's other privacy and security enhancements - the HTTPS Everywhere presentation at I/O 2014; encrypting traffic between Gmail servers; enabling HTTPS by default for google.com; enabling HTTPS by default for Gmail; two-factor authentication keys for Gmail; SafetyCenter; and even with other parts of Blogger that allow an HTTPS connection: https://www.blogger.com/features.



What options does a simple Blogger blogger have?  


1) Serve your content unencrypted.  Unfortunately, this is the only option that Google offers for Blogger.

2) Change blog platforms.  For blogs with lots of content or limited time resources, this is not an appealing option:

Tumblr offers SSL only for the admin dashboard.  There's no official support to migrate content from other platforms.
Wordpress is switching to HTTPS for all hosted blogs but they do not yet offer a way to use SSL certificates for custom domains.  They offer assistance with migrating.
GitHub Pages requires one to learn how to use GitHub, install a blog platform, migrate content and then take a few more steps to get HTTPS working.

Other platforms might offer a solution, but that's a time-intensive investigation for another day.


3) Host your blog somewhere that allows you to load your own SSL certificate.  For financially- and technically-challenged blog owners this is a very, very unattractive option.   You must purchase and manage a hosting account, load and maintain blog software, migrate content, purchase and manage an SSL certificate, and you'll likely have to troubleshoot and deal with surprises along every step of the way.   This is not an option for a person who just wants to write and post about food or cats or security or whatever.

For those that manage their own hosting and want to switch to HTTPS, read this.


4)  Really want to use Google and desire an overly-complicated workaround?  Make a go at using Google App Engine to host your blog.  Google App Engine allows the use of SSL with a custom domain.  But, and this is a big but, you must first sign up for Google Apps, install and maintain a blogging app, and then purchase and maintain a certificate.   Again, not an attractive route for casual or time-deficient bloggers.



What about Cloudflare's Universal SSL?


Released to much fanfare, Cloudflare now provides free SSL to anyone.  This is an appealing solution that may fit the bill for most websites, but it comes with caveats.


Drawbacks:

1) Visitors receive browser errors until Cloudflare issues an SSL cert for the domain.  This is a minor annoyance - my certificate was fully issued within a couple of hours of activating it in my Cloudflare account.


2) Certificates are shared:



This is not a security flaw and shouldn't affect the end-user experience.  But it is a cosmetic annoyance that some website owners prefer to avoid.


3) HTTPS is off by default.  Cloudflare offers the option to always use HTTPS but it must be manually enabled.  It's odd they don't draw attention to this setting during the setup and configuration process.  It misses the point to offer free SSL but then not require or even encourage their customers to turn this on.

4) It's not end-to-end encryption between the end-user and the server.  This is definitely a security gap (the severity of which depends on your threat model), but in Cloudflare's favor they don't make any claims on offering complete connection security.
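Drawbacks 3 and 4 are easy to mix up, so here is an added example (not code from the original post or from Cloudflare) that checks the part a visitor can observe: whether plain HTTP is redirected to HTTPS and whether HSTS is sent. The hostnames and responses are constructed for the offline demo; the live fetcher uses only the standard library.

```python
"""Audit whether a site actually forces HTTPS (redirect + HSTS header)."""
import urllib.request
import urllib.error
from urllib.parse import urlparse

REDIRECTS = (301, 302, 307, 308)


def http_fetch(url, timeout=10):
    """Live fetcher: return (status, lower-cased headers) without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the redirect as an HTTPError instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def audit_https(host, fetch=http_fetch):
    """Report what the browser side can see: redirect to HTTPS, HTTPS reachability, HSTS."""
    findings = {}
    status, headers = fetch(f"http://{host}/")
    target = urlparse(headers.get("location", ""))
    findings["redirects_to_https"] = status in REDIRECTS and target.scheme == "https"
    findings["redirect_permanent"] = status in (301, 308)
    try:
        status_s, headers_s = fetch(f"https://{host}/")
        findings["https_reachable"] = status_s < 400
        findings["hsts"] = "strict-transport-security" in headers_s
    except OSError:  # TLS handshake failure, refused connection, hostname mismatch, ...
        findings["https_reachable"] = False
        findings["hsts"] = False
    findings["forces_https"] = findings["redirects_to_https"] and findings["https_reachable"]
    return findings


# Constructed responses: one host with no HTTPS at all, one fronted by a CDN with
# "always use HTTPS" enabled. Neither hostname is real.
SAMPLE = {
    "http://plain.example/": (200, {"content-type": "text/html"}),
    "https://plain.example/": OSError("connection refused"),
    "http://fronted.example/": (301, {"location": "https://fronted.example/"}),
    "https://fronted.example/": (200, {"strict-transport-security": "max-age=31536000"}),
}


def fake_fetch(url):
    """Offline stand-in for http_fetch that replays the constructed responses."""
    response = SAMPLE[url]
    if isinstance(response, Exception):
        raise response
    return response
```

A passing result only covers the browser-to-edge hop; it says nothing about whether the edge-to-origin leg in drawback 4 is encrypted, which cannot be observed from the client.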

Here are their SSL options:



If you use Blogger and want to use Cloudflare's free SSL service then your only option is Flexible SSL.  Be aware that with this option the content is only encrypted from Cloudflare to the end-user.  Calling it "Halfway SSL" or "Cosmetic SSL" would be technically correct but probably bad for marketing.

Cloudflare downplayed this gap in 2012:

While it is ideal to have an end-to-end HTTPS connection, securing the connection from the browser to CloudFlare mitigates 99% of the real risk. A way to think about it is if you're worried about the government monitoring your web traffic, Flexible SSL won't offer a complete solution. On the other hand, if you're worried about someone next to you in the coffee shop sniffing your cookie or password information, CloudFlare's Flexible SSL will protect you.

But that was before Snowden's disclosures about the extent of the NSA's Internet adventuring. Addressing and reacting to that threat is beyond the scope of this blog.



Conclusion

Despite the lack of SSL support on Google's side, I signed up this blog for Cloudflare's Universal SSL service. It's not an ideal solution and it smacks of security theater, but that's not Cloudflare's fault and it's outside of their control.  But unless I have a free week I can dedicate to researching alternatives and then relocating content, I need to wait until Google does the needful and makes SSL available to those of us using Blogger.


2 comments:

  1. I'm looking for a way to have my Blogger hosted blog with SSL. Please let me know when you find a way.

  2. I have the same issue with my blog and I haven't found a solution yet.
