John Blackbourn 5:52 pm on June 11, 2014

SSL taskforce

We’re hoping to make many improvements relating to SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions./HTTPSHTTPS HTTPS is an acronym for Hyper Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. This is especially helpful for protecting sensitive data like banking information. support in 4.0. Several fixes have already gone in over the last couple of weeks, and several are in progress.

Below is an ad-hoc list of SSL related bugs and potential enhancements that I’ve experienced in one way or another. Please leave a comment with details of other SSL related issues you are aware of (whether they’re already in TracTrac An open source project by Edgewall Software that serves as a bug tracker and project management tool for WordPress. or not). I’m going to be tackling as many issues as possible for this release. We may or may not find some time to discuss some of this during tonight’s dev meeting.

Issues with HTTPHTTP HTTP is an acronym for Hyper Text Transfer Protocol. HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. front end and an HTTPS backend

Customiser previews break, site is requested over http
‘url’ and ‘return’ links in customiser have incorrect scheme
Media inserted into posts gets the incorrect scheme – #32479
GUIDs use the adminadmin (and super admin) scheme
Networknetwork (versus site, blog) admin, some mixed http/https issues – #14867, #27499
Idea: filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output. to enable plugins to specify URLs / post IDs / paths which should be forced to https?
Idea: filter to enforce front end over http? (excluding urls from above filter)
Arguments in favour of a front-end ajax handler: x-domain and x-protocol issues with domain mapping – #12400

General issues with HTTPS on front end

Should we force https scheme on local content in post content, post excerptExcerpt An excerpt is the description of the blog post or page that will by default show on the blog archive page, in search results (SERPs), and on social media. With an SEO plugin, the excerpt may also be in that plugin’s metabox., comment text, etc?… – #28521
Should we force https scheme using canonical? – fixed – #27954
Should we force https scheme for enqueued local scripts/styles? – #28521

General issues with HTTPS backend

Mixed content in the editor – can we force https scheme for local content? What about CDNs etc? – #28521
XML-RPC does not enforce https – #28424
~~Theme thumbnails aren’t loaded over https~~ – fixed

General HTTPS issues

No support for secure oEmbeds – #28507
wp_get_attachment_url() doesn’t respect scheme – #15928
HSTS – not something coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. should do – could be enabled with a filter but not enabled by default – #28520
~~“Update siteurl and home as well” on network admin loses https scheme~~ – fixed by #32503
SSL terminating proxies aren’t supported by default – #31288, #29708, #6778, [28610], [30090]

Issues specifically with HTTPS everywhere

Not all cookies have secure flag set – #28427

Andrew Nacin 6:14 pm on June 11, 2014

I think HSTS could be enabled by a constant; this would handle XML-RPC forcing in the process (#28424).
Andrew Nacin 6:16 pm on June 11, 2014

I don’t think canonical is enough for forcing SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions.. We probably need a new FORCE_SSL constant that handles everything over SSL and prevents any requests over HTTPHTTP HTTP is an acronym for Hyper Text Transfer Protocol. HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. (basically, weak application-side HSTS). The next logical extension to that would be having FORCE_SSL_HSTS that does both SSL + HSTS. Or, as said, a filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output..
Zack Tollman 6:21 pm on June 11, 2014

I think keeping FORCE_SSL separate from the HSTS control is important as undoing HSTS is more complicated than toggling a constant. You need to set a new headerHeader The header of your site is typically the first thing people will experience. The masthead or header art located across the top of your page is part of the look and feel of your website. It can influence a visitor’s opinion about your content and you/ your organization’s brand. It may also look different on different screen sizes..

I never thought of setting HSTS via PHPPHP The web scripting language in which WordPress is primarily architected. WordPress requires PHP 5.6.20 or higher, but I think this is a fantastic idea. We just need to consider undoing it by setting a header to cancel HSTS if necessary. I could see this being a confusing and frustrating problem for devs.
- John Blackbourn 10:51 pm on June 12, 2014
  
  #28520 has been opened for HSTS
Dean Taylor 7:52 pm on June 11, 2014

Consider “blacklisting” and notification to admins of non-HTTPSHTTPS HTTPS is an acronym for Hyper Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. This is especially helpful for protecting sensitive data like banking information. embedded content. For example http://prezi.com/ embeds do not support HTTPS. Even if you change the embed URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org to HTTPS ultimately it loads some content over HTTPHTTP HTTP is an acronym for Hyper Text Transfer Protocol. HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. causing mixed content warnings to users.

The idea is to help existing WordPress sites with their transition to HTTPS.
- Zack Tollman 6:12 pm on June 13, 2014
  
  This is a good idea, but perhaps not ideal for coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress.. I think that while this SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions. efforts are underway, a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party that provides this feature should be developed.
webaware 11:04 pm on June 11, 2014
I think you need to make any moves to force SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions. an option. In the case of HTTPSHTTPS HTTPS is an acronym for Hyper Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. This is especially helpful for protecting sensitive data like banking information. backend, forcing SSL on content in the editor can break the frontend if the site certificate is self-signed, for example; visitors would see patches of missing content because the certificate is untrusted. If the frontend is set to HTTPS, however, then it is appropriate to force content to HTTPS too.

I reckon the idea to handle HTTPS for enqueued scripts and stylesheets in coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. is terrific. If you’re doing that, you also want to handle media added to content dynamically, which you can do via the wp_get_attachment_url and upload_dir filters.

You might as well enforce HTTPS for scripts and stylesheets whether local or non-local, since they are malware vectors and should either work or not — no “works if visitor allows it” nonsense. A failed non-local script load means some script doesn’t run, but an insecure content warning means the site looks unsafe to a visitor and can scare people away (and the script load fails anyway on any decent browser).

Forcing HTTPS for non-local content must be an option, if done at all. Non-local content, including CDNs, may not have SSL hosting or may have self-signed certificates. Visitors can be warned (by their browser) that the site includes mixed content and then accept to view the “unsafe” content. It’s a bad smell, but it happens on some sites. Forcing HTTPS would effectively remove that content from the site.

Before setting enforcement, it might be a good idea to check that WordPress can actually detect SSL:
- reverse proxies often don’t pass through the HTTPS environment variable for SSL connections
- some reverse proxies pass HTTP_X_FORWARDED_PROTO or another environment variable instead (but that can be spoofed)
- some reverse proxies don’t pass ANYTHING identifying the connection as originating on SSL
I have a dodgy fix for that last scenario, but it’s a stab in the dark thing and must be installed with intention by someone who has identified their problem: https://gist.github.com/webaware/4688802
- John Blackbourn 10:53 pm on June 12, 2014
  
  Thanks for your notes Ross. #28521 has been opened for explicitly forcing SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions. everywhere.
Terence 4:57 pm on June 12, 2014

The problem is that for plain text Apache2 figures out which vhost you meant via the request. Plain text is easy.

But for SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions. based requests, Apache2 doesn’t even get the request to process until after the SSL encryption is established and by then you got the wrong VHOST and wrong cert.

The old method just says send it to the first VHOST with SSL. That’s why *.qloudpress.com will work: the wildcard cert is fine for subdomains. When you want to use someotherdomain.com, Apache2 will still send you to the wrong VHOST and SSL cert. Previously, you bound SSL VHOSTS to separate IPs to get around that.

That’s where SNI (Server Name Indication) Independent of IP comes in. It figures out the requested web site and VHOST before Apache2 starts processing the request. You ask for someotherdomain.com, you get sent to the correct VHOST and SSL certs. Apache2 serves the request using the correct certs and all is right in the world.

SNI is definitely the way to go.
Jan Thiel 4:58 pm on June 16, 2014

If not covered by the other changes already, please finally approach https://core.trac.wordpress.org/ticket/20534 😉

Nice to hear WP CoreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. finally learns HTTPSHTTPS HTTPS is an acronym for Hyper Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. This is especially helpful for protecting sensitive data like banking information.!

One more thing: I belive forcing HTTPS might not be the right way. The default way should be WP delivers its content with the protocol it was requestet. Quite simple for starters and enough to solve many problems right now.
An option (just a simple one) to make the whole Blogblog (versus network, site) or only WP-Adminadmin (and super admin) HTTPS-Only would be a very nice addon. But after all, it might be much more itelligent to consider “Force HTTPS for Logged In users” instead of “Force HTTPS for WP-Admin”. Because WP-Admin at all is not that important to secure. It is the User and their credentials that has to be secured via transport! Combining that switch with the Secure- and HTTPHTTP HTTP is an acronym for Hyper Text Transfer Protocol. HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.-Only Cookie Flags should make kind of a dream team.

Good hunting, brgds

Jan
John Blackbourn 5:01 pm on June 16, 2014

Thanks Jan, I’ll add #20534 to the list!

Of course WP won’t be forcing any particular protocol on anybody. What we’re aiming to do is ensure that if someone does use SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions. on their site, then everything that should be is served over SSL (and vice versa).
Just a guy 5:24 pm on July 10, 2014

Sorry, I’m late to the party, just saw this Also, I apologize if this has already been mentioned, but I haven’t seen it explicitly, so I’ll mention it just in case.

On multisitemultisite Used to describe a WordPress installation with a network of multiple blogs, grouped by sites. This installation type has shared users tables, and creates separate database tables for each blog (wp_posts becomes wp_0_posts). See also network, blog, site networks where a wildcard certificate is used and SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions. is forced in login/adminadmin (and super admin) areas networknetwork (versus site, blog)-wide I’ve seen issues getting cookies to carry over from the httpsHTTPS HTTPS is an acronym for Hyper Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. This is especially helpful for protecting sensitive data like banking information. backend to the httpHTTP HTTP is an acronym for Hyper Text Transfer Protocol. HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. frontend which results in the admin bar being unavailable on the front-end

For hosting I use WP Engine, which is fairly widely used, so I assume it’s not just an issue with the host. As a work around I’m using WPMU DEV’s domain mapping pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party (based on Donncha’s original domain mapping plugin) and it’s a reasonable temp fix, but not ideal.