15 comments

[ 2043 ms ] story [ 1250 ms ] thread
Techcrunch is usually accessed via unencrypted HTTP as a quick search for Techcrunch will show: Google offers the HTTP URL. Techcrunch is hosted on Wordpress VIP[1] which explains the SSL cert you get. In other words, nothing to see here.

[1] http://techcrunch.com/2012/12/13/automattic-launches-wordpre...

In that case, would they not spent 10 bucks on an SSL cert and redirect to plain?
(comment deleted)
Here are two contemporaries and WP.com VIP customers that do have their own certs:

https://recode.net/

https://gigaom.com/

Here are two that don't:

https://qz.com

https://pando.com/

And one that redirects you from https

https://time.com

Is that last one the best experience if you don't have a cert?

> https://time.com

> Is that last one the best experience if you don't have a cert?

Ironically, in order to serve an HTTPS to HTTP redirection, you need a valid cert. Indeed, time.com has a valid cert.

Many ad networks don't work over https. As these news sites are ad-based businesses, unfortunately this forces some bad decisions.
Not the best endorsement for Wordpress VIP as a service, though. For what they're paying (and for a service which is specifically targeted at hosting on a non-wordpress.com domain), I'd expect at least that they support SNI to get the correct cert for browsers that support it, if not dedicated IPs so that SSL works everywhere.

Sending a *.wordpress.com cert along with an "enterprise" service is sloppy and doesn't really inspire confidence in their product.

(Although it does seem to be possible for at least some Wordpress VIP customers-- time.com has a valid cert (but redirects to HTTP), and fivethirtyeight.com has fully working HTTPS. So maybe it's actually techcrunch's issue?)

Well, they sort of have to be accessed by unencrypted HTTP, their HTTPS certificate gives a huge warning. Any site doing journalism needs to have their SSL setup correctly if they care about the privacy of their readers.
I'm pretty sure Techcrunch is a wordpress VIP customer.
Yeah, says that at the bottom of the page.
expected when hosted with wordpress:

   $ dig techcrunch.com NS

   ...

   ;; ANSWER SECTION:
   techcrunch.com.		14400	IN	NS	ns1.wordpress.com.
   techcrunch.com.		14400	IN	NS	ns3.wordpress.com.
   techcrunch.com.		14400	IN	NS	ns2.wordpress.com.
wtf are you talking about?

The nameservers for a domain don't indicate what the DN of a cert is.

This is the problem with using that HTTPS everywhere extension - there's lots of domains that are listening on 443 but don't support https. visiting sites using broken https doesn't really make you any more secure.
HTTPS Everywhere has a whitelist of sites and only forces HTTPS on those sites. It doesn't force HTTPS on every server that merely listens on port 443.