Secure Blogging
Ever since I started working at Automattic and WordPress.com full-time I’ve found myself working at cafes and various other places around town with wireless internet connections. It’s nice because they make far better hot chocolate than I do. I’ve also been lucky enough to find myself at some great conferences around the world; for example, I’m heading to SxSW Interactive next week. Any conference worth its salt these days provides free wifi.
This is great, but the internet can be a dangerous place. What most people don’t realize is that almost everything they do on the internet, with the exception of things like e-commerce, is transmitted in clear text. This means the data is readable by anyone who is listening. People use tools called “packet sniffers” that let them observe and log traffic on a local network, for example that free wifi connection you and 50 of your closest trusted friends are on.
There are ways around this, such as VPNs or SSH tunnels, but mostly they’re beyond the reach of us mere mortals. I know personally that if I’m at a techy conference I’m less likely to post to my blog, because someone could just “sniff” my password and traffic and cause all sorts of trouble.
We’ve made it so you never have to worry about this on WordPress.com. You’re safe blogging here now.
Using the same technology that online stores like Amazon.com and your bank do, we’re now securing all the important bits of your blog using SSL. This means that when you’re logging in to or posting on WordPress.com, all of your traffic will be encrypted, so anyone “sniffing” it will just see a bunch of gibberish. This is free and immediately available for all our users.
On a technical level, what we’ve done is mark your login cookies as SSL-only (the cookie’s Secure flag), so your browser never sends them over an unencrypted connection, and we’re encrypting the cookies that are still sent in the clear to make it difficult for anyone to impersonate your login.
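To make the cookie part concrete, here is an added example (not WordPress.com’s code or the plugin’s) that parses a couple of made-up Set-Cookie headers and works out which cookies a browser would attach to a request, depending on whether the page was fetched over http:// or https://. The cookie names, values and hosts are constructed for the demonstration; Path matching and expiry are left out.

```python
"""
Added example, not code from the post or from WordPress.com.
Shows why an SSL-only (Secure) login cookie stays off the wire when a page
is loaded over plain http://, while a cookie without the flag is still sent.
Cookie names, values and host names below are made up.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, value, attrs).

    Attribute keys are lower-cased; flag attributes such as Secure get an
    empty string as their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookies_sent(jar, url):
    """Return the names of the cookies a browser would send with a request.

    jar: list of (name, value, attrs) tuples from parse_set_cookie.
    A cookie is sent only if the request host matches its Domain attribute
    and, when it carries the Secure attribute, the scheme is https.
    (Path and expiry are ignored here for brevity.)
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    sent = []
    for name, _value, attrs in jar:
        domain = attrs.get("domain", host).lstrip(".").lower()
        if not (host == domain or host.endswith("." + domain)):
            continue
        if "secure" in attrs and parts.scheme != "https":
            continue  # the SSL-only cookie is never sent in the clear
        sent.append(name)
    return sent


def missing_secure(jar):
    """Audit helper: names of cookies that would travel over plain http."""
    return [name for name, _value, attrs in jar if "secure" not in attrs]


# Constructed headers: one SSL-only login cookie and one ordinary cookie.
HEADERS = [
    "login_token=alice%7C3f9a1c; Domain=.wordpress.com; Path=/; Secure",
    "ui_prefs=m1%3Do; Domain=.wordpress.com; Path=/",
]
JAR = [parse_set_cookie(h) for h in HEADERS]

if __name__ == "__main__":
    for url in ("https://example.wordpress.com/wp-admin/",
                "http://example.wordpress.com/",
                "http://evil.example.net/"):
        print(url, "->", cookies_sent(JAR, url))
    print("cookies still sent in the clear:", missing_secure(JAR))
```

Run it and the login cookie only appears for the https:// request; the preferences cookie is sent either way, which is exactly the kind of cookie the post says is encrypted before it goes out in the clear. The `missing_secure` helper is the quick check you would run against any site’s Set-Cookie headers to see which cookies a sniffer on the cafe wifi could still pick up.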
There are still one or two kinks we’re working out, particularly for this main blog, but at worst you may see a security warning about the SSL certificate. If you have any problems please let us know using the feedback form.
Also, because we love you so much, we’ve made the code we’re using to do this available as a WordPress plugin. All you need is an SSL certificate and WordPress 2.1-alpha.
Anyway, you can now blog from conferences or that sketchy coffee house without fear.
Mar 8th at 9:31 am
Yes! I’ve been waiting for this! I noticed that you guys did something strange before to scramble the login information but now with SSL, decryption is near impossible.
Thanks again!
Mar 8th at 9:45 am
wow! this is great! nice job!
Mar 8th at 10:44 am
umm…but now I seem to have to log in every time, rather than it retaining a cookie. also, there’s a prompt about secure and insecure objects on the page which is a bit annoying.
I guess these are just kinks, and its good to see this improvement.
Mar 8th at 10:51 am
A desire fulfilled indeed! As I access WP.com from various public places also, I get a lil’ nervous at times… so this is great!
Thanks and praise to Matt and the WP team
Mar 8th at 11:30 am
WordPress is the best. Keep up the good work guys.
Mar 8th at 11:44 am
I noticed two days ago I have to log in each day.
I like WordPress better each day.
Thanks
Mar 8th at 12:01 pm
Wow, appreciate the work you’re doing here. Cheers!
Mar 8th at 12:52 pm
it’s not just every day. I’ve been onto my wordpress a couple of times today, and have to log on each time. Just now, it let me in, showed my toolbar, but when I went to my blog stats, it forced me to sign on again. Definitely not quite right yet.
Mar 8th at 2:09 pm
Good and useful.
Mar 8th at 4:43 pm
Thanks a lot
Mar 8th at 5:39 pm
While we were rolling it out you may have had to login a few extra times. Now it should be stable, again if you have any probs report them using feedback.
Mar 8th at 6:29 pm
Thank you so much. This is a great feature. Keep up the good work! I can’t say how much I appreciate being able to use WordPress.
Mar 8th at 8:22 pm
Thank you. This is a great addition. You guys do an excellent job!
Mar 9th at 1:21 am
Cool. I noticed that I can view wordpress on my XDA 2 mini (Pocket PC) with no layout hassles at all. Well done! I haven’t tried to blog through it yet though. I hope it holds up – but given that you use it yourself, I am sure you’ve got the design right.
Mar 9th at 3:27 am
Nice, being safe online is huge in my book. At least now I know that there is one thing online that I can use free of mind.
Mar 9th at 4:25 am
You guys just rock. Danke, not just for this feature but for the tags, the widgets…
Mar 9th at 4:57 pm
Very good idea. Now I know why I don’t use my server for my blog
Mar 9th at 7:47 pm
This is FAB! Thanks guys
Mar 9th at 9:17 pm
Fantastic. WordPress never seems to fail me. Hooray!
Mar 10th at 3:40 am
Oh, so this is why I need to log in every time. Hehe, I thought there was something, but it’s a nice feature.
Mar 10th at 1:38 pm
nice one … once again!
Mar 10th at 9:47 pm
awesome! another great reason to stop using blogger…
Mar 11th at 4:24 am
I was so wishing for this…
Thanks.
Mar 11th at 9:07 pm
Awesome. Sending vital information through SSL will definitely make me feel safer.
Mar 12th at 5:01 pm
Humm. With the new admin pages under SSL the feedback doesn’t appear to work and the graph on the Dashboard Stats page has gone south – now being a bar graph labelled Region A and Region B – and showing years 2003, 2004 & 2005 (interesting since the blog has only been up and running since 2006).
I find myself getting messages from IE saying that the pages contain secure and non-secure elements (mixed mode) and an invalid name on the SSL certificate when visiting http://wordpress.com/blog/2006/03/08/secure-blogging/ and logging in. The SSL cert *.wordpress.com won’t be valid for WordPress.com – because there is no child domain.
XMLRPC calls (if you’re using a desktop blogging client) aren’t encrypted using SSL – and as many of them reget the categories, posts, etc – each time they startup your userID and password are sent down the line.
Finally – pingbacks/trackbacks don’t appear to function any more…
Mar 16th at 10:19 am
Is there a way to disable it? I have seen a few that don’t have it.
Mar 18th at 11:00 am
Secure Admin Problems at WordPress
Mar 22nd at 6:09 am
I would be curious to know how you managed to use SSL for different subdomains all on one server – assuming wordpress.com uses apache (I can’t see it using IIS) I was under the impression from the apache docs that SSL cannot be used with name-based virtual domains (see http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts )
Mar 22nd at 6:10 am
You can have a wildcard SSL cert, so we have one for *.wordpress.com.
Mar 23rd at 6:25 pm
Matt: it was not the SSL cert that gave me problems, it was the name based virtual domains. by the way – my browser warns me about the cert when posting here (http://wordpress.com/blog/…) because there is no leading dot to match. It works fine every other place though.
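The certificate warning described in the comments above comes down to how browsers match a wildcard name. The following is an added example (not code from the post, WordPress.com or any browser) implementing the usual matching rules: a wildcard is only honoured as the entire left-most label and it matches exactly one label, so `*.wordpress.com` covers `blog.wordpress.com` but not the bare `wordpress.com` or `a.b.wordpress.com`. Host names are illustrative.

```python
"""
Added example, not from the post or WordPress.com: the host-name check a
browser performs against the names in a certificate, showing why a
*.wordpress.com wildcard does not cover the bare wordpress.com.
"""


def name_matches(cert_name, host):
    """Return True if host is covered by the certificate name cert_name.

    Rules follow common browser behaviour (RFC 6125 style):
    - comparison is case-insensitive, trailing dots are ignored;
    - a wildcard is only honoured as the whole left-most label
      (w*.example.com is rejected);
    - one wildcard label matches exactly one host label, so it never
      matches the parent domain or a deeper subdomain;
    - wildcards directly under a top-level domain (*.com) are refused.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == host
    cert_labels = cert_name.split(".")
    host_labels = host.split(".")
    if cert_labels[0] != "*" or "*" in cert_labels[1:]:
        return False  # wildcard must be the entire first label, once
    if len(cert_labels) < 3:
        return False  # refuse *.com style names
    if len(host_labels) != len(cert_labels):
        return False  # one wildcard label covers exactly one host label
    return host_labels[1:] == cert_labels[1:]


def matching_name(cert_names, host):
    """Return the first certificate name covering host, or None.

    cert_names: the subject CN plus any subjectAltName DNS entries.
    """
    for name in cert_names:
        if name_matches(name, host):
            return name
    return None


if __name__ == "__main__":
    wildcard_only = ["*.wordpress.com"]
    for host in ("blog.wordpress.com", "wordpress.com", "a.b.wordpress.com"):
        print(host, "->", matching_name(wildcard_only, host))
```

With only `*.wordpress.com` on the certificate, `matching_name` returns `None` for `wordpress.com`, which is the warning the commenters saw on this blog. The fix is a certificate that also lists the bare name as an additional subject name; the wildcard alone can never cover it.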
May 21st at 3:35 am
Why I appreciate WordPress.com so much
I haven't been updating this blog for a while, mainly because recently I've been looking around the net for free hosts that'd allow me to host my own wordpress installation. The reason being there are quite a lot of restrictions on the blog…
Dec 19th at 6:59 am
Does this still hold true !!!
Jan 12th at 9:48 am
regarding the plugin,
I had trouble making it work, and ended up finding there was a problem in the code.
I’ve patched it and made it available here:
http://haris.tv/2007/01/11/wordpress-ssl-plugin-secure-admin-patched-and-working
Haris
Apr 27th at 5:27 am
Why don’t you use PGP-secured forms? You can encrypt form data with JavaScript and then send it to the server. No need for SSL or any secure tunnel.
Check out this example
http://www.anonymousspeech.com/how_to_secure_email_form.aspx