Thursday, April 07, 2016

Blogger goes all HTTPS

[Image: Message from Blogger announcing the change]

My blog is hosted by Blogger, a Google site, and usually they are quite good, however this month they announced a change that, frankly, I think will hurt them in the short run because it was so sudden and leaves not only blog owners, but Blogger themselves unprepared. The news is about forcefully enabling Secure Hyper Text Transfer Protocol support for all free Blogspot sites. BTW, the link above that explains why Blogger forces HTTPS... doesn't work on HTTPS, which shows me a nice red error while editing this post.

The underlying idea is good: move everything to HTTPS, no matter how relevant it is for people to be safe and anonymous while reading my blog :). In theory, everything should be working the same as with HTTP, with some small issues that are easily fixed. In practice, we are talking about templates that people have installed without modifying or scripts that one can only find on HTTP sites or images and other resources that can only be found on unsecured web sites. For example, Google's default blog bar itself is causing an error in the console because it is trying to search the blog with an HTTP URL, even if the bar frame is loaded from an HTTPS location.

I had several problems:
  • The PGN Viewer that I use for chess games is only found on an HTTP site, therefore Google Chrome blocks loading those scripts when in HTTPS. I had to copy stuff in Google Drive and change the PGN Viewer scripts to use alternate URLs when under HTTPS and host files from Google Drive. I hope it will not reach some hosting limit and randomly fail.
  • Many thumbnails loaded for the related posts list and the blog main page are also loaded via HTTP, causing mostly annoying errors in the console. I tried to fix it programmatically, but it relies on knowing which sites support HTTPS and which don't.
  • Videos, pictures and resources inside the blog posts themselves! I can't possibly change all the posts on my blog. There are over 1300 separate posts. While I don't have any posts that load remote scripts through HTTPS, it is still damn scary because I can't manually check everything. It would take me forever!
  • Caching. It is a myth that HTTPS requests cannot be cached, but it does depend on the server headers. If the HTTPS servers that I am blindly connecting to are misconfigured, people are going to perceive it as slowing down. Also, there is an interesting post that explains why loading scripts from third parties is breaking HTTPS security.
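To make the thumbnail and PGN viewer fixes concrete, here is an added example (not code from the post or from Blogger) of the kind of URL audit described above: it upgrades HTTP resource URLs only for hosts known to serve the same content over HTTPS, swaps HTTP-only scripts for a mirrored copy, and reports everything else as mixed content that needs a manual fix. All hostnames, the mirror table and the blog base URL are constructed placeholders.

```javascript
'use strict';

// Hosts verified to serve the same files over HTTPS (assumption: maintained by hand).
const HTTPS_CAPABLE_HOSTS = new Set(['img.example.com', 'drive.google.com']);

// HTTP-only script URL -> copy re-hosted on an HTTPS origin (placeholder values),
// mirroring the "copy the PGN viewer to Google Drive" workaround.
const HTTPS_MIRRORS = new Map([
  ['http://pgn-viewer.example.org/viewer.js', 'https://drive.google.com/placeholder/viewer.js'],
]);

// Base used to resolve relative URLs; a relative URL inherits the page's HTTPS scheme.
const PAGE_BASE = 'https://blog.example.com/';

/**
 * Decide what to do with one resource URL when the page is loaded over `pageProtocol`.
 * Returns { url, action } where action is one of:
 *   'kept'     - page is plain HTTP, or URL is already HTTPS / relative: nothing to do
 *   'upgraded' - host is known to support HTTPS, scheme switched to https:
 *   'mirrored' - HTTP-only script replaced by its HTTPS mirror
 *   'blocked'  - would be mixed content; the browser blocks or warns, fix by hand
 */
function resolveResourceUrl(rawUrl, pageProtocol) {
  if (pageProtocol !== 'https:') return { url: rawUrl, action: 'kept' };
  let parsed;
  try {
    parsed = new URL(rawUrl, PAGE_BASE);
  } catch (e) {
    return { url: rawUrl, action: 'blocked' }; // unparsable: leave for manual review
  }
  if (parsed.protocol !== 'http:') return { url: rawUrl, action: 'kept' };
  if (HTTPS_MIRRORS.has(parsed.href)) return { url: HTTPS_MIRRORS.get(parsed.href), action: 'mirrored' };
  if (HTTPS_CAPABLE_HOSTS.has(parsed.hostname)) {
    parsed.protocol = 'https:'; // http -> https is an allowed special-scheme change
    return { url: parsed.href, action: 'upgraded' };
  }
  return { url: rawUrl, action: 'blocked' };
}

// Audit a list of resource URLs (e.g. gathered from <img src> and <script src>)
// and group them by action so the blocked ones can be found and fixed manually.
function auditResources(urls, pageProtocol) {
  const report = { kept: [], upgraded: [], mirrored: [], blocked: [] };
  for (const u of urls) {
    const r = resolveResourceUrl(u, pageProtocol);
    report[r.action].push(r.url);
  }
  return report;
}
```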

With this in mind, please help me test the blog with HTTPS and let me know if you find any issues with it. I've done what I could, but I am a developer, not a tester, so let me know, OK? Thanks!

While it is simple for blog owners to use a small JavaScript in order to force users to go to the HTTP URL, not allowing this from the get-go is a pretty ballsy, but asshole move. Will it make the internet safer? We'll just have to see.