[HTTPS-E Rulesets] Disable wordpress.com

Andreas Jonsson andreas at romab.com
Thu Mar 3 03:23:21 PST 2011


On 2011-03-03 07.50, Osama Khalid wrote:
> On Thu, Mar 03, 2011 at 01:37:32AM -0500, katmagic wrote:
>> I agree. That this rule be enabled is especially important since
>> WordPress handles private information.
> 
> It can be limited by default to "/wp-admin/" and "/wp-login.php" to
> solve the private information issue.
> 
> Relying on it for regular reading can be tough for users.
> 
> --Osama Khalid

I disagree. What you do on a site reveals much about you, especially
what topics you follow, if you read comments, if you write comments, etc.
Limiting HTTPS to wp-admin/wp-login is not sufficient imo.

Considering the huge amount of content on WordPress, the rule will
affect most people, even if they are not active followers and just get
there by Google.

Is all of WordPress slow for you over HTTPS or just some of it? I don't
know anything about their infrastructure, so it is hard to tell if I'm
more tolerant of load times or if we gain access through different load
balancers/reverse proxies that give us different user experiences.

/andreas


