Well, it took a while, but all pages and content on this blog is now forced over https. This was one of the motivations for getting bavatuesdays in its own WordPress install, and this weekend I finally pulled the trigger. it was pretty easy, I installed Let’s Encrypt, added the force https code to the htaccess file, and ran the Insecure Content Fixer plugin. The last one did not seem to get everything, so from command line I ran the following in the bavatuesdays.com directory via terminal to make sure all images load over https:
wp --allow-root search-replace 'http://bavatuesdays.com/wp-content/uploads/' 'https://bavatuesdays.com/wp-content/uploads/'
That cleaned up over 12,000 links, and gave me a shiny green “Secure” lock icon:
I’m not entirely sure bavatuesdays needed to be https given no one logs in or out except me (although I guess that’s one big reason), and it’s not highly sensitive material in my mind. At the same time, the idea of encrypting one’s website is reasonable and getting into that habit with all our web properties seems sensible. But Dave Winer’s recent rationale for not going to https makes a strong case for resisting being forced by Google to play their game:
So now Google points a gun at the web and says “Do as we say or we’ll tell users your site is not secure.” What they’re saying doesn’t stand up to a basic bullshit-test. There’s nothing insecure about my site. Okay I suppose it’s possible you could get hurt using it, I’ll grant you that. But I could get hurt getting up out of my chair and going into the kitchen to refill my coffee cup. Life is insecure. When Google says my old site is insecure what they really mean is “This is our platform now, and you do as we say or your site won’t work.”
This, in turn, made me think perhaps securing the bava may be my kowtowing to the peer pressure/stigma to get the green icon in Chrome. I’m not sure this is my revolution when all is said and done-there are points to be made on both sides. Choosing to run an https site versus being forced reminds me a bit of helmet and seatbelt laws for your website. 25 years later we take putting on a seatbelt for granted, there is no fight in me on that front anymore cause it just makes sense. Wonder if that will prove the case for https? Not sure, but for the meantime all content is being served over https, and if not necessary, there is something righteous about feeling secure on the web in this day and age 🙂