
Not to say this is a bad thing, but I'm sure WordPress just broke a lot of links on their users' sites. For example, any embedded images from other servers not using HTTPS means that they won't load anymore due to browser policies, essentially breaking the links. It also means that any embedded images/videos/etc. will only work if the remote server has HTTPS. Again, not a bad thing, but it's pretty painful to have to deal with this with a lot of users that aren't experts on HTTP, and I'm sure it's a similar story at WordPress.

I can flip the switch for default HTTPS on Neocities in a day. The hard part is figuring out how to not break users' sites in that process. Ideas welcome.




We've been working on this for quite a while and several parts of the solution deal with rewriting embedded URLs using HTTP. If you have any examples of breakage, let us know.


> If you have any examples of breakage, let us know.

I believe it's breaking podcast feeds being served with WordPress.com, because iTunes doesn't support Let's Encrypt certificates.

https://www.dominicrodger.com/2016/02/29/lets-encrypt-itunes...

This may not affect a lot of customers (since WordPress.com doesn't support PowerPress for feed generation), but I know some podcasters create feeds by hand or with other apps.

This issue will cause at least some podcasts to disappear from iTunes without warning unless you can coordinate with Apple to fix it.


> I believe it's breaking podcast feeds being served with WordPress.com, because iTunes doesn't support Let's Encrypt certificates.

Do you have an example? We have already implemented workarounds for iTunes. If they aren't working I would love to know the specifics so we can fix it.


> Do you have an example?

Just the confirmation from Apple's podcaster support team that iTunes doesn't support sites which use Let's Encrypt. (I don't use WordPress.com myself.)

I've just posted a request for examples in popular podcasting groups, and I'll let you know when/if I get responses.

> We have already implemented workarounds for iTunes.

Can you elaborate just a smidge? Is WordPress.com, for example, not encrypting content when it's requested by iTunes? (Thanks!)


> Can you elaborate just a smidge? Is WordPress.com, for example, not encrypting content when it's requested by iTunes? (Thanks!)

Yes, we have some targeted exceptions for incompatible clients.


How do you handle that users might embed external http images in a page? Can't you somehow warn about this during editing?

Asking because that's the problem I see at my site currently (https://groni50.org). In this case I'll just upload the external images to our site. I'll also brief our users. But I wonder if something couldn't be averted/checked in the wysiwyg editor.


Any plans to use HSTS and preloads header to default to SSL in browsers for WordPress-hosted sites?


Yes, we're working on it.


I'm not sure if WordPress is actually doing this, but they might be using something like camo[1] to transparently rewrite any http:// URLs to an image proxy running on SSL.

This gets harder to implement correctly depending on what kind of content you allow on your sites (i.e. does your CMS only permit sanitized HTML, or are users allowed to do basically anything?), so it's not a perfect solution for everyone, but it might work here.

[1]: https://github.com/atmos/camo


Photon[0] does exactly this (and more!) and is free to use as part of Jetpack[1]

0. http://developer.wordpress.com/docs/photon/

1. https://wordpress.org/plugins/jetpack/


And if node isn't your thing, there is a work-a-like[1] written in Go.

Disclosure: I am the author of go-camo.

[1]: https://github.com/cactus/go-camo
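
An added example (not part of the thread, and not code from WordPress, camo or go-camo) of the rewriting discussed above: it re-emits an already-sanitized HTML fragment with plain-HTTP `<img src>` values pointed at an HTTPS proxy through an HMAC-signed URL, and includes the proxy-side check that stops the proxy from fetching URLs the CMS never signed. The host `img-proxy.example`, the key, the URL layout and every function and class name are assumptions of this example; only `<img src>` is handled, and comments and doctype declarations are dropped.

```python
import hashlib
import hmac
from html import escape
from html.parser import HTMLParser

PROXY_BASE = "https://img-proxy.example"  # hypothetical HTTPS image proxy
PROXY_KEY = b"constructed-demo-key"       # secret shared by CMS and proxy


def sign(url):
    return hmac.new(PROXY_KEY, url.encode(), hashlib.sha1).hexdigest()


def proxy_url(url):  # layout assumed here: /<HMAC of URL>/<hex-encoded URL>
    return f"{PROXY_BASE}/{sign(url)}/{url.encode().hex()}"


def verify(digest, hex_url):  # proxy side: fetch only URLs the CMS signed
    try:
        url = bytes.fromhex(hex_url).decode()
    except ValueError:  # bad hex or invalid UTF-8
        return None
    return url if hmac.compare_digest(sign(url).encode(), digest.encode()) else None


class ImgRewriter(HTMLParser):
    """Re-emit a sanitized HTML fragment with http:// <img src> proxied."""

    def __init__(self, fragment):
        super().__init__()
        self.out, self.insecure = [], []
        self.feed(fragment)
        self.close()

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if (tag, name) == ("img", "src") and (value or "").lower().startswith("http://"):
                self.insecure.append(value)  # could drive an editor-time warning
                value = proxy_url(value)
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append(f"<{' '.join(parts)}>")

    handle_startendtag = handle_starttag  # <img .../> is re-emitted as <img ...>

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))
```

`"".join(ImgRewriter(fragment).out)` is the rewritten HTML, and `.insecure` lists the original plain-HTTP image URLs that were found.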


Depending a bit on which browser we are talking about, passive mixed content (such as images) will typically be allowed through on default settings, while only active mixed content is blocked.


> but I'm sure WordPress just broke a lot of links on their users' sites.

Growing pains. I think that will at least make people on the web more aware of the HTTPS "revolution".


I'm not that clear as to the severity of the issue, but are you saying that "yes, it is severe, but there's nothing you can do about it"? Because that's the price we pay in getting a more secure browsing experience?

Just wondering about the metaphor of "growing pains". In humans it's something that happens, and for some it's painful but has to happen; for others it isn't painful, but the process that makes the pain happen goes on regardless. Is this an accurate metaphor in this example?



