Tuesday, June 21, 2016

HTTPS for news sites? For multiple domains and multiple blogs? Still a confusing topic

I am working on the https issue with my Bluehost WordPress sites.

SSL certificates and the capability to “convert” to https for end-to-end encryption are managed by a few companies (like Comodo) which seem to always work at the domain name level only.

This means that in most hosting companies, a user can have only one domain name (which can be “main” or “add-on”) with https enabled per hosting account.

For many small businesses, this is fine.  A typical business has an e-commerce facility, product information, news, and one blog.  In niche marketing (which “Blogtyrant” Ramsay Taplin advocates), this doesn’t create too many problems.  Many authors set up their own sites this way.

I have an issue because I have multiple blogs. Typically, a domain has one blog with one install of WordPress. However, it is possible to set up subdomains and put separate blogs with separate installs of WordPress in the subdomains. This would be a clumsy process for most users, and it’s not clear how SEO would work. A webmaster could purchase separate domains and then equate them (with A records or CNAME records) to the subdomains.

Bluehost business hosting effectively does this with add-on domains (there is a subdomain concept behind the scenes in the CDN) but right now still offers https only on one of the domains at a time, which would logically be a domain with e-commerce. It’s fairly complicated and a bit pricey. There are less expensive ways to use a common SSL with severe limitations (on image size, for example).

WordPress and Blogger (Google) can now offer free https on “free” blogs not hosted precisely because they go to just one domain (wordpress.com or blogspot.com). So far, Google has not offered an effective way to offer https to its “Google domains” equated to blogs.

“Https everywhere” for news information (not processing credit cards or anyone’s PII for commerce) was not considered necessary until more recently. It would seem to be important in non-democratic parts of the world where users (with good reason) fear snooping police or governments. So it would be important for webmasters who know that many of their visitors come from authoritarian countries (and when they present issues like free speech, voting, or gay rights, or even religion). About 10% of my visitors come from these countries, in my own experience (that has included China despite bans, and particularly African and Middle Eastern countries; same for many social media followers).

Bluehost and other hosts offer collaborative security with SiteLock, which is fairly complicated in the way it works. Usually an https domain requires premium SiteLock, which proactively looks for threats.

The security culture is changing.  In the future, there may be much more attention to the possibility that “small” bloggers could be hacked for ideological or political motives as well as just to steal PII with possibly severe consequences for those targeted.  I can imagine how this could play out in a Trump presidency.  So it’s desirable that hosting companies make https as “easy” as possible, and right now it’s complicated because of its nature (being shared at the root domain level).

I’m a little miffed about how Electronic Frontier Foundation’s own HTTPS Everywhere extensions for Mozilla, Android, Chrome and Opera can work. EFF points out that many news sites don’t have https for news content (the Washington Post does). Why not the New York Times? It shouldn’t be hard for a large company.
