Security Certificate Alerts on Whatever — Don’t Panic!
Every once in a while I get an email or other notification from someone about their browser (usually Chrome but occasionally Firefox) warning them that Whatever is insecure and asking them if they really want to continue onto the site. In the interest of quelling concerns and also not having to write this up every single time it happens, let me tell you what’s going on.
1. Whatever is housed on WordPress’ VIP service (and happily so) at scalzi.wordpress.com; the address whatever.scalzi.com maps there.
2. Whatever’s security cerificate, however, is to the wordpress.com domain, not the scalzi.com domain.
3. So, if you’re directing your browser to use https, it may throw up a warning letting you know the domain doesn’t match.
So, the URL isn’t being hijacked — unless you see on the warning page that the security certificate is going somewhere other than wordpress.com.
I’ll look into seeing what can be done about figuring this out. In the meantime, if you are getting these warnings, here’s what you can do.
1. Use “http” rather than “https” when you put in the URL (note this is nominally insecure) and you’ll be taken to Whatever without fuss.
2. If you see the security certificate for the site is from wordpress.com, go to the advanced settings and click through, it’ll be fine (and your browser will probably remember your preference in the future).
3. Alternately, if you use https, substitute “scalzi.wordpress.com” for “whatever.scalzi.com” and you’ll be taken to Whatever without any security alerts. Note that once you’re there, the URL will show up as “whatever.scalzi.com.” Mapping is wacky. This works for sub-urls as well (direct links to entries, etc). Update: Note that IT folks in the comments say that when you’re punted back to whatever.scalzi.com, you’re being sent back to the site without https enabled.
Update: 4. Another option I just enabled it to access Whatever via a shared SSL Encryption setup. The URL to use is: https://ssl.perfora.net/whatever.scalzi.com (it will also work with individual entry URLs). Note using this will strip out insecure elements of the page (usually things like embedded media).
Hope this helps.