encrypt all the things: blogs
So, with ssl certificates pretty easily available these days from letsencrypt.org it’s more and more worth looking at making sure you are using https instead of http for everything you can.
There are however some corner cases that are… difficult. One of those is blog aggregators. A while back we moved our planet.fedoraproject.org to fedoraplanet.org. This was to get it out of the fedoraproject.org domain because we send HSTS headers for fedoraproject.org telling browsers they should always contact that domain with https. Blog aggregators are in a tough spot, because they simply pull content from a bunch of different sites and put it in one place and link to it. Unless 100% of the blogs that the site is aggregating are also https, if the site itself uses https most browsers will show you a nasty warning about mixed encrypted/non encrypted content. So, for now, since most of the blogs on fedoraplanet.org are http, we are leaving fedoraplanet.org itself as http.
However, we would love to get to the point where all the blogs we aggregate are https. I don’t think it’s an impossible journey. Here’s what you can do if your blog is listed in fedoraplanet.org:
- Check to see if your blog site already supports https and has a valid cert. If so, you simply need to login to fedorapeople.org and edit your .planet file to use the https link instead of http. Done.
- If your blog site doesn’t support https (yet), ask your blog provider about adding it. They should be able to add a letsencrypt.org cert pretty easily.
- If your blog site doesn’t support https(yet) and you run your own blog, why not add https support?
If we can get a critical mass of blogs using https, we can look at switching the site over too. Help us out. 🙂