Tuesday, April 05, 2016

Blogger will automate https; but how important is https for blogs, really? Some surprising questions surface

Recently, Blogger has notified its users that https will be available to all visitors who key in “https” for all Blogspot blogs, in late April, 2016.  Blog owners will no longer need to enable https on their profiles.

But there seem to remain some questions.

The first question concerns blogs that redirect to custom domains set up by the Blogger (Google domains can be as inexpensive as $12 a year).  Blogger’s announcement does not yet address that question, but right now https is not available for custom domains.  However, “Nitecruzr”, that is “The Real Blogger Status”, hints that it will be available in the reasonably near future for custom domains.

Wordpress also offers https, as explained here.  Hosting companies like Bluehost offer it, although setting it up is a bit complex, explained here.

There is some controversy over the wisdom and necessity of https for “amateur” blogs.  One claim is that without SSL, hackers could change Blogger content (for example, with jihadist content, or perhaps inserting malware) before it reaches end users, without the knowledge of the Blogger.  I have not yet heard of this actually happening.

Some sources say https is more important if you actually use public WiFi spots to update your blogs (instead of an iPhone hotspot or home—hotels might be a little riskier).

One disadvantage seems to be that it slows down access when images are included, because each image needs its own SSL tag.  In fact, Bluehost limits embedded images in SSL blogs to 100 KB, which is not very adequate, because most higher quality photos require more space than that (reasonable cell phone pictures are typically around 200K -- and I can ask why Facebook and Twitter can process larger images under https, or could consider just embedding from Instagram).  In fact, there were some problems accessing Google products from Comcast Xfinity from late February to early March. Loads seemed to stall and give checksum errors for multiple Google components each requiring validation of an SSL layer.  The problem seems resolved now.  It’s possible that the problem could be related to changes and upgrades in Google security, themselves initiated over “Malvertising” and preventing new hacking or malware threats discussed yesterday, a problem that had become much worse right after the Super Bowl.

Another good question occurs to me.  Right now the New York Times doesn't use https but the Washington Post does.  And the Times was apparently hit with the malvertising scandal in March 2016. Connection?

At this point, it is difficult to say whether (or when) bloggers need it. I don’t see an obvious answer on “Blogtyrant”, but I just submitted a question on Ramsay’s Facebook page.  I’ll report what I find out.

No comments: