Sunday, October 4, 2015

Dear blogger: Here's the SSL for Blogger!

Good (although very belated and not totally awesome but still really good) news, everyone!  HTTPS support is finally coming to Blogspot:

We’re rolling this out gradually and Blogspot authors interested in enabling HTTPS support can begin opting-in today. Simply log into, click on the blog you’d like to make HTTPS enabled, navigate to the Settings page, and select "yes" for "HTTPS Availability". Unfortunately, blogs with custom domains are not supported in this first version. 

Almost a year after I first became aware of Google's lack of HTTPS for Blogger, they finally got around to reading my blog post and correcting the matter (but they didn't credit me in their announcement... strange...).  Regardless, I no longer have to hang my head in shame while urging others to switch to HTTPS.

HTTPS was active almost right away after I enabled it in the Blogger settings.  I had to revise some DNS records at my registrar since custom domains aren't yet supported, but that wasn't too difficult.

But not totally awesome because...?

HSTS is missing.  Even with the new HTTPS option enabled, Google doesn't force HTTP connections to reconnect over HTTPS, but that's to be expected at this point.  There are many third-party gadgets that Google has no control over and if they don't work over HTTPS then blog visitors get mixed content warnings and broken pages.  It would certainly be nice to have the option to enable HTTP Strict Transport Security from within the Blogger dashboard, hopefully that will be a feature down the road.

Custom domains.  HTTPS for custom domains might eventually show up, but then Google will have to use wildcard certs or else have every participating blogger obtain and issue a cert through Google.

Possible workaround:  Enable Cloudflare's Universal SSL service along with a custom rule in their system to redirect all visitors to HTTPS.  Then, Cloudflare will do the HTTPS-forcing as well as serving content, but this may only work for my own domain and not with the Blogspot domain.  I'll try this out in the next week to see if it works.

What about the SSL/TLS configuration?

I'll leave it in Google's capable hands to make sure that everything is on the up-and-up:

B?  B?

Ah.  The usual culprits.  Google has already addressed disabling support for SSLv3 and RC4 and sunsetting SHA-1.  No worries then, I'll just kick back and relax while the ever-working Google admins do all the magic behind the scenes.  Thanks, Googlers!

The web is moving to HTTPS but it will be a long, slow process.  I wonder what I can do to help it along....

No comments:

Post a Comment

Relevant comments will be approved as soon as possible.

Thank you for contributing!