Not a happy WordPress Premium customer
Since I’m using my blog more actively to publish information about Nōtifs lately, I thought it would be a good time to upgrade my blog to WordPress Premium. For $99/year, I get a number of benefits including removal of ads from my blog. One of those benefits is the use of a custom domain name, and since I registered altmode.org several years ago, I thought it might be good to go from altmode.wordpress.com to altmode.org.
Everything went quite smoothly. Then a friend called. “Jim, since you’re a security guy, I’m surprised that I get a warning when using HTTPS to read your blog.” Sure enough, accessing https://altmode.org/ resulted in a warning, because the site presented a certificate that is valid for *.wordpress.com, not for altmode.org. I hadn’t seen this error because I generally browse my own blog through the administrative interface via altmode.wordpress.com. I should have anticipated this because I never got a request to provide or approve a certificate for altmode.org.
I contacted WordPress support about this. Their response:
WordPress.com currently doesn’t support SSL for custom domains, so you can avoid that error message by giving out the http:// version of your site’s address:
Modern browsers will usually give a warning if you try to visit a site starting with https:// when SSL isn’t supported there, so the best way to avoid that is to make sure that links to your domain begin with http:// instead. We also have a page about HTTPS with more details and other options for turning off those browser warnings.
So the answer is, basically, don’t use TLS (SSL). It did before my upgrade to premium, but doesn’t now. Not something you want to tell a “security guy”.
There are a number of reasons this is a problem:
- More and more people default to using TLS if they can.
- Presenting a certificate for the wrong site just trains users to ignore these warnings, making them less secure.
- A premium feature should be an upgrade.
How would I like it to work? WordPress should tell me they’re going to obtain a certificate for my domain, and to approve the request for it that their Certificate Authority will send me. Or even send me a Key Signing Request and let me buy the certificate.
What are some alternatives? One is to operate an HTTPS reverse proxy, and map https://altmode.org/ into https://altmode.wordpress.com/ myself. Another is to move my blog to a self-hosted WordPress site, but I’m not sure I want to deal with the frequent security issues I have been hearing of. A third is just to turn off the domain mapping, and decide whether the cost of WordPress Premium is still worth it (mostly for ad removal).
I’ll decide which way to go soon, and apologize for the warning messages in the meanwhile. Please don’t just click “accept” when you see one of these, OK?