A few years ago, Google Blogger made the move to HTTPS. Most of what used to be my thriving blogosphere is no longer active, but a random discovery raised a concern - one of my blogs was delivered by plain HTTP.
As these are text-only blogs and users are not requested to provide content, it might not be the sky is falling/end of the world security bug but in this age of HTTPS norm it is not what one wishes to see when one surfs to any website. Yes, whatever the website's nature and if only for users privacy preferences all internet websites should adopt HTTPS as default, as EFF has been promoting for ages.
But why did a blog I remembered being delivered as HTTPS suddenly change its behavior? A quick check raised an interesting phenomena - it was not just that blog. In different blogs, with similar configuration regarding HTTPS redirection, there was a different behavior. In some the user was redirected to HTTPS, in some, the user received the contents via HTTP.
Well, it appears I've been unknowingly relying on some technical setting that was not promised. When google turned HTTPS on by default for all the blogs running on the blogger framework (blogs using custom domains were excepted from the move to HTTPS) I saw in testing for most of my blogs (who at that time were without a custom domain) that HTTPS was automatically turned on, and assumed that no further configuration was necessary.
But now, viewing different blogs with similar configuration regarding HTTPS, I saw a difference - different templates. It seems that Google Blogger changed something, either intentionally or by way of a new bug, and now, for some templates, HTTPS is provided only if HTTPS redirect is turned on. For others, it was still HTTPS regardless of the HTTPS redirection setting, as in the past.
Why this has changed? I don't know. But I certainly do not accuse anyone. It was my mistake not to turn on HTTPS redirect back then. Having done that, now all the blogs provide HTTPS secured content on the go.
It is one of those examples where you unintentionally rely on a specific behavior of a technical tool, not realizing that this behavior appears to be what you wish, but is actually an outcome of some other default, that may change. This, again, is a reminder how important it is not to skip parts of the setup, even if the final outcome seems correct at the moment. Otherwise, the complexity of software shall return to haunt you in the future, exposing assumptions that were not completely accurate.
TLDR: Tools change, default behaviors change, and one needs to foresee that when setting up a tool. Now that HTTPS redirection in Google Blogger no longer takes place for some templates, and the setting of redirection is taken into account, a careful blogger needs to make sure to set HTTPS redirection to yes.
No comments:
Post a Comment