Switch blog to HTTPS-only
Closed, Resolved; Public

Description

Now that we've switched production to HTTPS-only, it would be great if our blog followed suit.

Initially it made sense to keep the blog on HTTP, so that the message could get through even to users that were having issues with HTTPS; however, now sufficient time has passed and we should actually move this forward.

The blog already works fine over HTTPS, with a certificate of our own.

Switching to HTTPS-only involves asking Automattic (our blog hoster) to do the following:

  • Make sure embedded resources to http:// URLs within the page are https (I don't currently see any, but someone should double-check)
  • Switch <link rel=canonical> to HTTPS; right now it's forced to http://, which means that search engines always point to our blog over HTTP. Same but less important for <link rel=shortlink>.
  • Permanently redirect (301) all URLs (/.*) to their HTTPS equivalent.
  • Set Strict-Transport-Security header to max-age=31536000; includeSubDomains; preload
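
A way to verify the four steps above once they are deployed, as an added example (not Wikimedia's or Automattic's code). It assumes response headers are passed as dicts with lowercase names; the post path, thumbnail path and both sample responses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

REQUIRED_MAX_AGE = 31536000  # max-age requested in the task description

# Tags whose URL attribute makes the browser fetch a subresource; an http://
# value here is mixed content on an HTTPS page. <a href> is navigation only.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "audio": "src", "video": "src", "source": "src",
                     "embed": "src", "object": "data"}


class PageAudit(HTMLParser):
    """Collects http:// subresources and the canonical/shortlink hrefs."""

    def __init__(self):
        super().__init__()
        self.mixed = []      # (tag, url) pairs loaded over plain HTTP
        self.rel_links = {}  # "canonical" / "shortlink" -> href

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            rels = (a.get("rel") or "").lower().split()
            href = a.get("href") or ""
            for rel in rels:
                if rel in ("canonical", "shortlink"):
                    self.rel_links[rel] = href
            if "stylesheet" in rels and href.lower().startswith("http://"):
                self.mixed.append((tag, href))
            return
        attr = SUBRESOURCE_ATTRS.get(tag)
        url = a.get(attr) if attr else None
        if url and url.lower().startswith("http://"):
            self.mixed.append((tag, url))


def parse_hsts(value):
    """Return (max_age or None, set of lowercase flag directives)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        elif name:
            flags.add(name)
    return max_age, flags


def check_redirect(http_url, status, location):
    """The HTTP URL must 301 to the same host, path and query over HTTPS."""
    src, dst = urlsplit(http_url), urlsplit(location or "")
    findings = []
    if status != 301:
        findings.append(f"redirect: status {status}, expected 301")
    if dst.scheme != "https":
        findings.append("redirect: Location is not https")
    elif (dst.hostname, dst.path or "/", dst.query) != \
            (src.hostname, src.path or "/", src.query):
        findings.append("redirect: Location is not the HTTPS equivalent")
    return findings


def audit(http_url, http_response, https_headers, html):
    """Return a list of findings; an empty list means all four steps hold."""
    findings = check_redirect(http_url, http_response["status"],
                              http_response["headers"].get("location"))
    hsts = https_headers.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts: header missing on the HTTPS response")
    else:
        max_age, flags = parse_hsts(hsts)
        if max_age is None or max_age < REQUIRED_MAX_AGE:
            findings.append(f"hsts: max-age {max_age} below {REQUIRED_MAX_AGE}")
        for flag in ("includesubdomains", "preload"):
            if flag not in flags:
                findings.append(f"hsts: {flag} missing")
    page = PageAudit()
    page.feed(html)
    for rel in ("canonical", "shortlink"):
        href = page.rel_links.get(rel)
        if href is not None and not href.lower().startswith("https://"):
            findings.append(f"{rel}: {href} is not https")
    findings += [f"mixed-content: <{t}> loads {u}" for t, u in page.mixed]
    return findings


# Constructed sample data: one post before and after the switch.
URL = "http://blog.wikimedia.org/2015/07/example-post/"
BEFORE_HTML = """
<link rel="canonical" href="http://blog.wikimedia.org/2015/07/example-post/">
<a href="http://example.org/">plain link, not a subresource</a>
<img src="http://upload.wikimedia.org/example-thumb.png">
<img src="https://wikimediablog.files.wordpress.com/example.png">
"""
AFTER_HTML = (BEFORE_HTML
              .replace("http://blog.wikimedia.org", "https://blog.wikimedia.org")
              .replace("http://upload.wikimedia.org/", "https://upload.wikimedia.org/"))
BEFORE = audit(URL, {"status": 200, "headers": {}}, {}, BEFORE_HTML)
AFTER = audit(
    URL,
    {"status": 301, "headers": {"location": URL.replace("http://", "https://")}},
    {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"},
    AFTER_HTML)

if __name__ == "__main__":
    print("\n".join(BEFORE) or "before: clean")
    print("\n".join(AFTER) or "after: clean")
```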

Event Timeline

faidon created this task. Jul 15 2015, 4:37 PM
faidon raised the priority of this task from to Needs Triage.
faidon updated the task description.
faidon added projects: Wikimedia-Blog, HTTPS.
faidon added subscribers: faidon, Tbayer, BBlack.
Restricted Application added a subscriber: Aklapper. Jul 15 2015, 4:37 PM
Tbayer set Security to None. Jul 15 2015, 6:55 PM
Tbayer added a subscriber: Katherine-WMF.

Update: I filed a request about this with Automattic last week (internal ticket number: #43195), and they think the process outlined by Faidon should work fine. Regarding the first step (this mainly concerns older posts where http://upload.Wikimedia.org thumbnails would need to be converted to https://upload.wikimedia.org), they recommend to either filter the content to rewrite HTTP thumbnail links before a page is rendered, or to write a WP-CLI script that searches and replaces them with HTTPS links. I will look into the latter.

Seb35 added a subscriber: Seb35. Aug 16 2015, 9:37 PM

For linked resources like images in posts, a search-replace plugin can be used. I used "Better Search Replace" to move a WordPress blog, but probably other plugins can do the job also.

Any news from the internal ticket?

Tbayer added a comment. Edited Aug 22 2015, 8:06 AM

Hi Faidon, you should actually still be on CC for the internal ticket via Zendesk. But just to be sure, I will make sure to CC explicitly in my next response to Automattic, which I intend to send this weekend once I find a bit of time to work on the remaining items (see below).

In the meantime, a quick summary of what has happened since the last public update here:

  • It turned out that Automattic's caching layer and CDN actually rewrite many src="http..." links to HTTPS anyway, including all references to the blog's wordpress files subdomain itself. E.g. in this post, this code in the source:
src="http://wikimediablog.files.wordpress.com/2011/06/amount-of-content-added-by-students-06-06-2011.png"

becomes the following in the publicly displayed HTML:

src="https://wikimediablog.files.wordpress.com/2011/06/amount-of-content-added-by-students-06-06-2011.png?w=635&#038;h=455"

Automattic confirmed that this is stable behavior that can be relied on.

  • Nevertheless, it still seems prudent to convert these HTTP thumbnails and the upload.wikimedia.org ones to HTTPS once and for all, also in case the hosting configuration changes in the future. I wrote the required WP-CLI commands (they are quite simple) and tested them in my local Quickstart environment as recommended by Automattic (Quickstart is the Vagrant version of the VIP environment they provide for testing purposes). @Seb35: Thanks for the tip! But plugins need to satisfy Automattic's code review standards for VIP and many don't, and as mentioned it seems prudent to make the change permanent anyway.
  • I used this tool to do an automated scan for mixed content warnings; it accessed over 6000 pages on the blog (that's more than the number of actual posts, it also includes comment pages and e.g. https://blog.wikimedia.org/2010/ ) and found only five posts with remaining warnings, which I will fix manually.
  • I got the hint to use that tool along with some other great advice from members of the WordPress in Enterprise Slack community, in particular Paul Schreiber, coauthor of this HTTPS guide, which contains some caveats on how e.g. Facebook Likes and comments are treating the HTTP and HTTPS versions of a web page as two separate pages (meaning that the switch could have some impact retroactively on Like numbers). It seems Facebook uses the canonical URL or the "or:url" parameter to sort that out, but that Twitter is a bit more brittle, using the separate "counturl" query parameter or the "data-counturl" attribute - AIUI if that contains the HTTPS version, HTTP links aren't counted etc. In any case, I think we've already been quite consistently sharing the HTTPS versions of blog posts on social media for a while now, so these risks should be pretty low here. However, they also advised that the canonical URLs are forced to HTTP on purpose on WordPress VIP (here is the code that does that, https://core.trac.wordpress.org/ticket/30581 and https://core.trac.wordpress.org/ticket/28521 are related open bugs for WordPress in general). I'm not quite sure yet what to make of all that and what's the ideal configuration we'd want Automattic to set for us. Input welcome.

Update for those following along here: Heard back from Automattic last week and it turns out that contrary to the previous discussion, the search/replace feature of WP-CLI is actually disabled on VIP because it can cause database issues. They are looking into alternative options.

Restricted Application added a subscriber: StudiesWorld. Dec 3 2015, 7:06 PM
Dzahn moved this task from Backlog to Blocked on External on the HTTPS board. Dec 3 2015, 7:12 PM

Is there a status update on this? Just curious as it came up on IRC. :)

Yes, so I followed up with Automattic in November, and they eventually offered a solution that should work for our purposes ("It will update any mentions of the target string in the post_content field for published posts only"). It then took me a while to look into this and confirm that this is indeed what we want - I just sent one last followup for clarification, but I hope that we are good to go after that.

Restricted Application added a project: Operations. Feb 23 2016, 6:12 PM

(Update: Heard back on Feb 10 that they needed to check with someone specific about this and would get back. On Feb 18 I sent a reminder and got the reply that they would "ping on this again and see what's up". I sent another reminder-thanks today.)

Assigning to Tilman for the time being since he's currently running the discussion with Automattic

Update: Followed up again on March 4 and got yet another response from yet another person: It's actually possible to use WP-CLI for replacements, but scripts can't process all posts at once (apparently because of timeouts, cf. https://vip.wordpress.com/documentation/writing-bin-scripts/ ) and instead should loop through posts in blocks of 100. I have resent the WP-CLI commands I tested earlier, for a first dry-run, and also asked for advice on the best way to do this looping to match their requirements.

Update: After some more detours, all posts that embedded HTTP content should now have been converted to HTTPS. In the end Automattic ran two conversion scripts for us, see log below. Checking about 10 random posts from each list, they all look good. In addition, I have now manually fixed the five posts found earlier with the "mixed content scan" tool.

I've followed up with Automattic to see about the completion of the remaining steps from the task description.

Found 303 posts to update on http://blog.wikimedia.org
str_replace( 'http://upload.wikimedia.org/', 'https://upload.wikimedia.org/' ); will be run against post_content rows.
Success: All done! 303 posts were modified and 0 weren't.

Found 436 posts to update on http://blog.wikimedia.org
str_replace( 'http://wikimediablog.files.wordpress.com/', 'https://wikimediablog.files.wordpress.com/' ); will be run against post_content rows.
283: Post #19087 was modified in 3 place(s)
284: Post #19031 was modified in 3 place(s)
285: Post #19040 was modified in 3 place(s)
286: Post #19133 was modified in 3 place(s)
287: Post #19063 was modified in 3 place(s)
288: Post #19234 was modified in 1 place(s)
289: Post #19256 was modified in 3 place(s)
290: Post #19291 was modified in 6 place(s)
291: Post #19320 was modified in 3 place(s)
292: Post #19339 was modified in 1 place(s)
293: Post #19360 was modified in 2 place(s)
294: Post #19426 was modified in 1 place(s)
295: Post #19488 was modified in 1 place(s)
296: Post #19520 was modified in 3 place(s)
297: Post #19060 was modified in 3 place(s)
298: Post #19507 was modified in 3 place(s)
299: Post #19529 was modified in 3 place(s)
300: Post #19579 was modified in 1 place(s)
301: Post #19591 was modified in 1 place(s)
302: Post #19847 was modified in 3 place(s)
303: Post #19512 was modified in 1 place(s)
304: Post #19532 was modified in 3 place(s)
305: Post #19592 was modified in 3 place(s)
306: Post #19640 was modified in 3 place(s)
307: Post #19659 was modified in 6 place(s)
308: Post #19671 was modified in 3 place(s)
309: Post #19077 was modified in 3 place(s)
310: Post #19210 was modified in 3 place(s)
311: Post #19769 was modified in 4 place(s)
312: Post #19794 was modified in 6 place(s)
313: Post #19770 was modified in 4 place(s)
314: Post #19793 was modified in 3 place(s)
315: Post #19809 was modified in 3 place(s)
316: Post #19810 was modified in 6 place(s)
317: Post #19827 was modified in 2 place(s)
318: Post #19848 was modified in 3 place(s)
319: Post #19855 was modified in 2 place(s)
320: Post #19884 was modified in 3 place(s)
321: Post #19940 was modified in 3 place(s)
322: Post #20012 was modified in 6 place(s)
323: Post #20040 was modified in 2 place(s)
324: Post #20067 was modified in 1 place(s)
325: Post #20199 was modified in 1 place(s)
326: Post #20178 was modified in 1 place(s)
327: Post #20233 was modified in 2 place(s)
328: Post #20273 was modified in 1 place(s)
329: Post #20289 was modified in 1 place(s)
330: Post #20317 was modified in 1 place(s)
331: Post #20354 was modified in 2 place(s)
332: Post #20396 was modified in 1 place(s)
333: Post #20412 was modified in 2 place(s)
334: Post #20522 was modified in 5 place(s)
335: Post #20495 was modified in 1 place(s)
336: Post #20561 was modified in 1 place(s)
337: Post #20585 was modified in 1 place(s)
338: Post #20618 was modified in 1 place(s)
339: Post #20666 was modified in 1 place(s)
340: Post #20744 was modified in 1 place(s)
341: Post #20799 was modified in 2 place(s)
342: Post #20851 was modified in 1 place(s)
343: Post #20868 was modified in 1 place(s)
344: Post #20905 was modified in 1 place(s)
345: Post #20946 was modified in 1 place(s)
346: Post #20969 was modified in 1 place(s)
347: Post #20984 was modified in 1 place(s)
348: Post #21140 was modified in 1 place(s)
349: Post #21151 was modified in 1 place(s)
350: Post #21160 was modified in 1 place(s)
351: Post #21172 was modified in 2 place(s)
352: Post #21180 was modified in 1 place(s)
353: Post #21255 was modified in 1 place(s)
354: Post #21271 was modified in 1 place(s)
355: Post #21286 was modified in 1 place(s)
356: Post #21342 was modified in 3 place(s)
357: Post #21359 was modified in 1 place(s)
358: Post #21441 was modified in 2 place(s)
359: Post #21548 was modified in 1 place(s)
360: Post #21205 was modified in 1 place(s)
361: Post #21577 was modified in 1 place(s)
362: Post #21636 was modified in 1 place(s)
363: Post #21673 was modified in 1 place(s)
364: Post #21739 was modified in 1 place(s)
365: Post #20455 was modified in 2 place(s)
366: Post #21543 was modified in 1 place(s)
367: Post #21811 was modified in 1 place(s)
368: Post #21821 was modified in 2 place(s)
369: Post #21854 was modified in 1 place(s)
370: Post #21871 was modified in 2 place(s)
371: Post #21955 was modified in 1 place(s)
372: Post #22050 was modified in 1 place(s)
373: Post #22066 was modified in 1 place(s)
374: Post #22089 was modified in 1 place(s)
375: Post #22098 was modified in 1 place(s)
376: Post #22174 was modified in 1 place(s)
377: Post #22359 was modified in 2 place(s)
378: Post #22456 was modified in 1 place(s)
379: Post #22537 was modified in 1 place(s)
380: Post #22602 was modified in 1 place(s)
381: Post #22640 was modified in 2 place(s)
382: Post #22701 was modified in 1 place(s)
383: Post #22739 was modified in 1 place(s)
384: Post #22082 was modified in 2 place(s)
385: Post #22790 was modified in 1 place(s)
386: Post #22820 was modified in 1 place(s)
387: Post #22847 was modified in 1 place(s)
388: Post #22882 was modified in 1 place(s)
389: Post #22944 was modified in 1 place(s)
390: Post #22973 was modified in 7 place(s)
391: Post #23034 was modified in 1 place(s)
392: Post #23072 was modified in 1 place(s)
393: Post #23081 was modified in 1 place(s)
394: Post #23097 was modified in 2 place(s)
395: Post #23164 was modified in 1 place(s)
396: Post #23179 was modified in 1 place(s)
397: Post #23243 was modified in 2 place(s)
398: Post #23273 was modified in 1 place(s)
399: Post #23345 was modified in 1 place(s)
400: Post #23310 was modified in 2 place(s)
401: Post #23360 was modified in 1 place(s)
402: Post #23438 was modified in 1 place(s)
403: Post #23947 was modified in 5 place(s)
404: Post #31020 was modified in 2 place(s)
405: Post #31066 was modified in 1 place(s)
406: Post #31107 was modified in 1 place(s)
407: Post #31166 was modified in 2 place(s)
408: Post #31169 was modified in 1 place(s)
409: Post #31170 was modified in 1 place(s)
410: Post #9107 was modified in 1 place(s)
411: Post #9155 was modified in 2 place(s)
412: Post #9194 was modified in 1 place(s)
413: Post #9205 was modified in 1 place(s)
414: Post #9256 was modified in 1 place(s)
415: Post #8977 was modified in 2 place(s)
416: Post #9589 was modified in 1 place(s)
417: Post #9415 was modified in 1 place(s)
418: Post #9685 was modified in 3 place(s)
419: Post #9717 was modified in 1 place(s)
420: Post #9780 was modified in 2 place(s)
421: Post #9815 was modified in 1 place(s)
422: Post #9824 was modified in 2 place(s)
423: Post #9914 was modified in 2 place(s)
424: Post #9928 was modified in 3 place(s)
425: Post #9949 was modified in 1 place(s)
426: Post #10013 was modified in 1 place(s)
427: Post #10074 was modified in 2 place(s)
428: Post #10167 was modified in 1 place(s)
429: Post #10190 was modified in 2 place(s)
430: Post #10260 was modified in 2 place(s)
431: Post #10343 was modified in 1 place(s)
432: Post #10398 was modified in 1 place(s)
433: Post #31533 was modified in 2 place(s)
434: Post #31813 was modified in 1 place(s)
435: Post #37792 was modified in 1 place(s)
Success: All done! 436 posts were modified and 0 weren't.
jrbs added a subscriber: jrbs.Apr 8 2016, 5:02 PM

WordPress is now using HTTPS as default for blogs making use of their backend. I'm not sure how (if at all) this impacts on this task, but worth pointing out.

WordPress is now using HTTPS as default for blogs making use of their backend. I'm not sure how (if at all) this impacts on this task, but worth pointing out.

Yes, that's indeed interesting news. There was also a parallel announcement in the internal "WordPress.com VIP Lobby" blog (let me know in case it hasn't reached you and you're interested in reading it) saying that VIP sites are not included in this rollout, but offering support to convert a VIP site on request. As the TheNextWeb article states, their standard setup uses certificates from Let's Encrypt whereas we have long ago decided to purchase our own, but that case is apparently supported too.

To be clear, this does not touch the work we have completed so far (making the content future-proof against mixed content warnings by replacing HTTP embedded content with HTTPS), but should make the next steps (about which I have just followed up again with Automattic) easier.

ema triaged this task as Normal priority.Jul 8 2016, 10:17 AM

If there's no real cost to do so, it would be ideal to ask them to switch our VIP for blog.wm.o to HTTPS-by-default and LetsEncrypt (as the latter will save us some maintenance burden and cost).

We (@Tbayer mostly) have asked for this repeatedly, to no avail. There was a thread with comms that hasn't seen any activity lately, I'll ping again…

Update (@faidon: I'm still unsure if you are receiving the updates from the internal ticket with Automattic):

On April 21, I had asked Automattic's support about their suggestions for implementing the HTTP -> HTTPS redirect. (Looking at https://vip.wordpress.com/documentation/setting-up-redirects/ , the "Safe Redirect Manager" plugin looks attractive, also because it might be possible to use it for fixing some legacy URLs. But it's not clear to me if it supports the wildcard HTTP -> HTTPS redirects we need here.)
I received a reply on April 26 saying that they would look into this question, but no response on this issue since then. I just followed up on the support ticket.

Obviously I agree that this kind of response time is not satisfactory. I should have followed up earlier, but having already had to sink way more time into this project than anticipated last year though, I have been limiting the amount of effort I've put myself into shepherding this - it's no longer my main work area.

Ops, thanks for nudging this. If this is blocking anything on your side regarding HTTPS on our domains in general, I would suggest attaching a blocking/parent task.

@Tbayer, I still do. In fact I've been receiving these ticket (or series of tickets?) updates since Jul 24th 2015. They supposedly support HTTPS-by-default since April (see https://en.blog.wordpress.com/2016/04/08/https-everywhere-encryption-for-all-wordpress-com-sites/ and https://en.support.wordpress.com/https/) so it might just be a click of a button these days.

After my mail yesterday, Jeff Elder contacted me for clarifications (which I gave). I'm not sure what he did yet, but blog.wikimedia.org seems to redirect to HTTPS today and is even sending an STS header. I don't see a rel=canonical in that HTML, so I guess there isn't anything more to be done.

I'll wait until a response before I resolve this ticket (besides, I also raised the tangential issue of switching to Let's Encrypt with him, so might be good to get an update on that).

Nice! The redirect functionality looks correct. However, the STS header is strict-transport-security:max-age=31536000, whereas it should be strict-transport-security:max-age=31536000; includeSubDomains; preload. This isn't mentioned in the ticket description here because this ticket predates all of our later HSTS work.

We also haven't made lack of proper STS on these minority one-off sites a blocker for anything yet because they're generally going to be protected by our wikimedia.org STS preload entry in modern browsers anyways.

However, the rules on that are evolving: https://hstspreload.appspot.com/ now says that domains preloaded after their Feb 16, 2016 cutoff (and wikimedia.org didn't make that cutoff, although most of our other domains did) are subject to possible future removal from the STS-preload list if Chrome browsers detect a lack of preloadable headers in the wild. We're not sure exactly how this will work (e.g. if a one-off hostname in wikimedia.org's lack of headers can trigger removal of all of wikimedia.org), and it hasn't happened to any site (anywhere) yet, but this underscores the importance of getting all of our sites aligned on this issue in the long run. I'll probably end up making a separate ticket about STS-preload cleanup once we get over other more-fundamental hurdles, but cleaning this case up now while someone's actively looking into it might be a good idea :)

@Tbayer, I still do. In fact I've been receiving these ticket (or series of tickets?) updates since Jul 24th 2015.

OK, from your email summary it wasn't clear if you had received (or read) the most recent updates. In particular, while I generally agree with your critical opinion about the support quality in this ticket, it should be said that the difficult part (the content replacements, first bullet point in the task) had in fact been completed at this point, even though, granted, it had involved much prodding and some false starts.

They supposedly support HTTPS-by-default since April (see https://en.blog.wordpress.com/2016/04/08/https-everywhere-encryption-for-all-wordpress-com-sites/ and https://en.support.wordpress.com/https/) so it might just be a click of a button these days.

Yes, we already discussed that announcement above, and indeed the hope has been that we can now profit from this general process. That said, the redirect plugin question remains relevant for some other purposes.

After my mail yesterday, Jeff Elder contacted me for clarifications (which I gave).

I would have appreciated some coordination on this, which would also have helped the misunderstandings that apparently occurred with the support person today, and prevented the premature switchover at a point where nobody has worked yet on updating the canonical links (see below).

I'm not sure what he did yet, but blog.wikimedia.org seems to redirect to HTTPS today and is even sending an STS header. I don't see a rel=canonical in that HTML, so I guess there isn't anything more to be done.

https://blog.wikimedia.org doesn't have a rel=canonical, but individual posts do. (If you read the updates on the Automattic support ticket from recent months, you will see a discussion about this difference.) And unfortunately the latter still points to the HTTP version - e.g. in https://blog.wikimedia.org/2016/07/14/pokemon-go-wikipedia/ it's <link rel="canonical" href="http://blog.wikimedia.org/2016/07/14/pokemon-go-wikipedia/" />. Same for the shortlinks.

To re-iterate current status: the main thing missing here in the present is that the STS header is insufficient. It should be strict-transport-security:max-age=31536000; includeSubDomains; preload

EdErhart-WMF added a subscriber: EdErhart-WMF.EditedAug 5 2016, 1:04 AM

@BBlack can you recheck this? Automattic shipped a few changes for us today.

BBlack added a comment.Aug 5 2016, 2:11 AM

@BBlack can you recheck this? Automattic shipped a few changes for us today.

The blog is still sending the response header: strict-transport-security: max-age=86400. It should be strict-transport-security: max-age=31536000; includeSubDomains; preload

The blog is still sending the response header: strict-transport-security: max-age=86400. It should be strict-transport-security: max-age=31536000; includeSubDomains; preload

@EdErhart-WMF: Do you plan to contact Automattic about changing this?

After my mail yesterday, Jeff Elder contacted me for clarifications (which I gave).

I would have appreciated some coordination on this, which would also have helped the misunderstandings that apparently occurred with the support person today, and prevented the premature switchover at a point where nobody has worked yet on updating the canonical links (see below).

I'm not sure what he did yet, but blog.wikimedia.org seems to redirect to HTTPS today and is even sending an STS header. I don't see a rel=canonical in that HTML, so I guess there isn't anything more to be done.

https://blog.wikimedia.org doesn't have a rel=canonical, but individual posts do. (If you read the updates on the Automattic support ticket from recent months, you will see a discussion about this difference.) And unfortunately the latter still points to the HTTP version - e.g. in https://blog.wikimedia.org/2016/07/14/pokemon-go-wikipedia/ it's <link rel="canonical" href="http://blog.wikimedia.org/2016/07/14/pokemon-go-wikipedia/" />. Same for the shortlinks.

For the record, the fix for the canonical URLs was deployed on July 27, so the blog was in the misconfigured state for about 13 days. I didn't check if there was an adverse SEO effect; in any case it should hopefully have recovered by now. (Also in July, @EdErhart-WMF and I met for an introduction to the blog's technical setup regarding Automattic, and hand over more of its technical management, now that there is a permanent person on the Comms team who can take this on. I'm going to unassign myself from this bug, as I understand he is going to shepherd the last remaining subtask.)

Tbayer removed Tbayer as the assignee of this task.Sep 23 2016, 3:53 PM
Tbayer updated the task description.
BBlack updated the task description.Sep 23 2016, 4:17 PM
BBlack moved this task from Triage to TLS on the Traffic board.Sep 30 2016, 1:47 PM

@EdErhart-WMF are you the person now working on this? Can we get a status update fixing the remaining issue (correct HSTS header)?

@BBlack we're working on it now as part of a larger effort to tweak the blog's theme.

@EdErhart-WMF - Any update on setting the appropriate Strict-Transport-Security header on this service?

abian added a subscriber: abian.Jan 5 2017, 7:21 PM

@BBlack Automattic has done this. Can someone check and make sure it's been set correctly before we close the ticket?

BBlack closed this task as Resolved.Jan 26 2017, 3:03 PM
BBlack claimed this task.

Confirmed correct current operation:

  1. All HTTP access seems to redirect to HTTPS
  2. All HTTPS requests send response header: strict-transport-security: max-age=31536000; includeSubDomains; preload

Thanks for chasing this down!

BBlack updated the task description.Jan 26 2017, 3:03 PM
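The two checks that kept this task open, written out as an added example (not part of the thread and not Wikimedia's or Automattic's tooling): it compares a Strict-Transport-Security value against the header the task asks for, and flags canonical/shortlink elements still pointing at http://. The function names and the shortlink in the sample markup are constructed for illustration; the header values and the canonical link are the ones quoted in the comments above.

```python
from html.parser import HTMLParser

REQUIRED_MAX_AGE = 31536000  # value requested in this task (one year, in seconds)


def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, set of directive names)."""
    max_age, names = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue                         # tolerate empty segments such as a trailing ';'
        if name in names:
            raise ValueError("directive repeated: " + name)  # RFC 6797: once each
        names.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')     # the value may be a quoted-string
            if not arg.isdigit():
                raise ValueError("max-age is not a non-negative integer")
            max_age = int(arg)
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, names


def hsts_gaps(value):
    """Return what the header lacks compared with the one the task asks for."""
    max_age, names = parse_hsts(value)
    gaps = []
    if max_age < REQUIRED_MAX_AGE:
        gaps.append("max-age %d < %d" % (max_age, REQUIRED_MAX_AGE))
    for needed in ("includesubdomains", "preload"):
        if needed not in names:
            gaps.append("missing " + needed)
    return gaps


class _LinkScan(HTMLParser):
    """Collect canonical/shortlink <link> elements whose href is still http://."""

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hit = {"canonical", "shortlink"} & set((a.get("rel") or "").lower().split())
        href = a.get("href") or ""
        if tag == "link" and hit and href.lower().startswith("http://"):
            self.insecure.append((sorted(hit)[0], href))


def insecure_links(html):
    """Return (rel, href) pairs for canonical/shortlink links served as http://."""
    scan = _LinkScan()
    scan.feed(html)
    return scan.insecure


# Canonical link as quoted in the thread; the shortlink line is constructed.
POST_HEAD = (
    '<link rel="canonical" href="http://blog.wikimedia.org/2016/07/14/pokemon-go-wikipedia/" />\n'
    '<link rel="shortlink" href="https://example.org/?p=1" />\n'
)

if __name__ == "__main__":
    for header in ("max-age=31536000", "max-age=86400",
                   "max-age=31536000; includeSubDomains; preload"):
        print(header, "->", hsts_gaps(header) or "ok")
    print(insecure_links(POST_HEAD))
```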