[liberationtech] HTTPS links on wordpress blog post have S removed automatically, odd

Erik Sundelof erik at sundelof.com
Thu May 5 13:44:47 PDT 2011 

All,

In general Wordpress is not very secure platform and is natively very 
vulnerable for attacks. Wordpress.com is ok but is very often blocked. I 
would strongly suggest against using Wordpress for anything you need a 
lot of security.

Best,

Erik

> ------------------------------------------------------------------------
>
> 	Frank Corrigan <mailto:email at franciscorrigan.com>
> May 5, 2011 12:58 PM
>
>
> Thanks for the feedback. I am not using a selfhosted WP blog and might
> not have explained myself well enough, for a better explanation with
> images anyone can download more info via:
> https://franciscorrigan.files.wordpress.com/2011/05/https-removal-of-s-by-wordpress.pdf
>
> I will be contacting wordpress direct, not happy with any blog system
> than changes a url I add to a post from a HTTPS url to a plain HTTP one,
> this is not about redirecting, this is about changing a link I add to a
> post. I think this has broad implication users of blogs, as they like me
> could be adding many urls with HTTPS links, only to discover the S is
> removed from the blog post BEFORE it is clicked on...
>
> Frank
>
>
> ----- Original message -----
> From: "SiNA" <sina at anarchy.cx>
> To: "Frank Corrigan" <email at franciscorrigan.com>
> Cc: "Liberation Technologies" <liberationtech at lists.stanford.edu>
> Date: Thu, 05 May 2011 11:44:50 -0700
> Subject: Re: [liberationtech] HTTPS links on wordpress blog post have S
> removed automatically, odd
>
> Try adding this to wp-config.php, it should make all the core parts of
> wordpress, use https for urls that are loading from an HTTPS site:
>
> if(strlen(strstr( $_SERVER['SERVER_PROTOCOL'],"HTTPS"))>0) {
> define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST'] . '');
> define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST'] . '');
> }
> else {
> define('WP_HOME', 'http://' . $_SERVER['HTTP_HOST'] . '');
> define('WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] . '');
> }
>
>
> Hope it helps!
>
> --
> SiNA
> pgp 0x0B47D56D
>
>
>
>
>
>
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you 
> click above) next to "would you like to receive list mail batched in a 
> daily digest?"
>
> You will need the user name and password you receive from the list 
> moderator in monthly reminders.
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
> ------------------------------------------------------------------------
>
> 	Frank Corrigan <mailto:email at franciscorrigan.com>
> May 5, 2011 5:25 AM
>
>
> PS:
>
> Below is the html code snippet for the page, (from within the
> worpress.com Dashboard) that confirms HTTPS is rewritten to HTTP
>
> <strong>Note:</strong> When visiting <a
> href="http://www.franciscorrigan.com">www.franciscorrigan.com</a> it
> automatically redirects to this page<a
> href="https://franciscorrigan.files.wordpress.com/2000/01/contact.pdf"
> target="_blank">: </a><a title="Secure contact form over https
> encryption"
> href="https://franciscorrigan.wordpress.com/2000/01/01/contactme/"
> target="_blank">https://franciscorrigan.wordpress.com/2000/01/01/contactme/</a>
> ? (libtech note..)
>
> Thanks
> Frank
>
> ----- Original message -----
> From: "Frank Corrigan" <email at franciscorrigan.com>
> To: "Liberation Technologies" <liberationtech at lists.stanford.edu>
> Date: Thu, 05 May 2011 13:11:23 +0100
> Subject: HTTPS links on wordpress blog post have S removed
> automatically, odd
>
> I was setting up a 'secure' https contact page at:
> https://franciscorrigan.wordpress.com/2000/01/01/contactme/
>
> But when I post a link on the above blog page, it is overwritten by
> wordpress.com to remove the S in HTTPS, this is odd.
>
> In summary when I add this link to the blog:
>
> httpS://franciscorrigan.wordpress.com/2000/01/01/contactme/
>
> it becomes:
>
> http://franciscorrigan.wordpress.com/2000/01/01/contactme/
>
> Clearly this action seems to be hard coded into wordpress.com - I have
> replicated this problem a nuber of times, ensured I do not have a chache
> of the old page and added a ? after the link to ensure it is the latest
> version of the blog post.
>
> I cannot expect visitors to this page to have the HTTPS Everywhere
> add-on enabled, at least when I auto redirect to this page from
> http://www.franciscorrigan.com it does at least stay on the HTTPS
> version.
>
> Thanks
> Frank
>
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you 
> click above) next to "would you like to receive list mail batched in a 
> daily digest?"
>
> You will need the user name and password you receive from the list 
> moderator in monthly reminders.
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
> ------------------------------------------------------------------------
>
> 	Frank Corrigan <mailto:email at franciscorrigan.com>
> May 5, 2011 5:11 AM
>
>
> I was setting up a 'secure' https contact page at:
> https://franciscorrigan.wordpress.com/2000/01/01/contactme/
>
> But when I post a link on the above blog page, it is overwritten by
> wordpress.com to remove the S in HTTPS, this is odd.
>
> In summary when I add this link to the blog:
>
> httpS://franciscorrigan.wordpress.com/2000/01/01/contactme/
>
> it becomes:
>
> http://franciscorrigan.wordpress.com/2000/01/01/contactme/
>
> Clearly this action seems to be hard coded into wordpress.com - I have
> replicated this problem a nuber of times, ensured I do not have a chache
> of the old page and added a ? after the link to ensure it is the latest
> version of the blog post.
>
> I cannot expect visitors to this page to have the HTTPS Everywhere
> add-on enabled, at least when I auto redirect to this page from
> http://www.franciscorrigan.com it does at least stay on the HTTPS
> version.
>
> Thanks
> Frank
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you 
> click above) next to "would you like to receive list mail batched in a 
> daily digest?"
>
> You will need the user name and password you receive from the list 
> moderator in monthly reminders.
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20110505/8f01c02a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compose-unknown-contact.jpg
Type: image/jpeg
Size: 1421 bytes
Desc: not available
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20110505/8f01c02a/attachment.jpg>

More information about the liberationtech mailing list