Whatever Security Update
Posted on August 19, 2017 Posted by John Scalzi 26 Comments
A small piece of security information for you: Whatever (was well as the whole Scalzi.com) site, now operates using https, for extra added security. Mind you, as this site does very little in the way of transactions or anything security-critical, this may not be a big deal to anyone. On the other hand, Google sent me a note recently noting that unless I switched over to https, they’d start blasting “INSECURE” in the URL field of the Chrome browser, so, fine. Now it’s secure. Enjoy the securiosity! No, that’s not a real word. Even so.
You just worded it.
The blog is now covered, but the root domain(s) of //www.scalzi.com and //scalzi.com come up as insecure due to mixed content, because you load the picture over HTTP. Also, I’m somewhat surprised you use a different cert provider for the main site (GeoTrust) than for the blog (Let’s Encrypt). Given that LE is easy and free, I would have guessed you’d simply flip them all to LE.
I’ve run my WordPress blog over https ever since WordPress offered it. That kept me from getting the Google virtual shoulder tap that seems to have annoyed you. Encryption over the wire is something we all need, and not just because we’re entering private and/or critical information. Any form that accepts input, such as this text box I’m now typing my “thinky bits” into, needs to be encrypted over-the-wire on general principals. I could go on and on about how important it is, and why you, of all people, should both practice and preach the good practice of over-the-wire encryption no matter what. Instead, I’ll direct you to one of you own, Cory Doctorow. He Gets It. Have a nice, long one-on-one conversation with him on this subject. Maybe he can help you Get It Too.
I feel so much better now. Maybe Monday I’ll finally leave my home, secure in the knowledge that your security protocols will now keep the sun shining at full strength all morning and afternoon. Whew!
I’ll be honest, I didn’t know that there was a scalzi.com. Not that there’s anything much on it, other than a cute doggo and links to Whatever.
I feel safer already.
I feel so much safer. Thanks. :-/
Seems everyone is falling for Google’s attempt to essentially take control of the internet using various ploys such as these. It’s extremely effective propaganda, adroitly deployed from a near-monopoly position.
I’d urge everyone to read Dave Winer’s take (creator of RSS) on this.
While HTTPS isn’t without its merits, if you believe that Google is actually doing this for security reasons or out of the goodness of its own corporate heart — well, that is not very realistic.
Examine who wins and loses and why (for instance, Google penalizes non-HTTPS ad networks, which favors their own) in this obligatory “security” push.
As usual, follow the money, and always ask cui bono?
Everybody using encryption gives something akin to herd immunity to the people who really need it. The NSA and its ilk can’t just focus on the few who use encryption if everybody does.
Of course securiosity is a real word – it has a .net domain and everything…
Dear Mike,
Ummm…. so Google is trying to achieve Internet world domination by encouraging better security???
Oooooookkkkaaaaayyyyy…
(and they all moved to the other end of the Group W bench)
pax / Ctein
If’n ya don’t like Google, then don’t do it because Google asks. Do it because the EFF asks. And the Free Software Foundation/Gnu Project and the Debian Project and Software in the Public Interest. :)
Thanks! Now hotel WiFi can’t inject obnoxious ads anymore when I’m checking up on my daily dose of whatever!
Insecure? Are they saying the site drives an enormous vehicle?
What whbeebe said.
You’ve made it clear to the If-You’re-Not-With-Us You’re-Against-Us crowd that you’re not with them, so it never hurts to have all the securiosity you can get.
As a Whatever fan, and founding executive director of the Tor Project (you know, that *other* Tor, at least within fandom, lol), I approve of this message. There’s a saying in security — “anonymity loves company.” The more information is running over the “wires” encrypted, the less the information that needs the security stands out. In a day when state security agencies aspire to spool off information for decryption slowly over time, it’s vital to make sure there is too much of it for them to keep track of.
Not. Even. A. Little. Tin. Hat. These are things that should worry most of y’all, in the “age of Trump,” liberal, conservative, libertarian or anarchist.
The little green padlock makes me feel so much better…..
I’m not trying to be sarcastic, I’ve just really never worried about it before.
Now no one will be able to intercept what’s being posted to the comments.
@Miles
Could they not still read the comments? Just saying.
What is up with all the hate on Google? They recently fired that bigot, what more do you want?
Dave Winer is right. Google shouldn’t be trusted more than any other giant corporation (other than oil companies, coal and all those guys right?). But flagging sites that don’t use HTTPS? Really fail to see the downside for the end users on that one.
Sometimes in the morning in the UK, this blog isn’t available. Is it due to this and me using the android default browser app? Or something else?
Nobody saw Alien? Take your security protocols lightly and see what happens…
Curses! Foiled again.
Redirection is so lovely isn’t it?
I’ve been using the HTTPS for several years on FB, so having to encounter elsewhere doesn’t bother me. Kind of like white noise for computers, in that you get so used to it that the only time you pay attention to it is when you get one of those insecure warnigs.
Next step: getting rid of the Adobe Flash on your frontpage….