Why are encrypted httpS urls auto changed to plain http ones, by wordpress.com

  • Author
  • #608076

    I recently set up a page https://franciscorrigan.wordpress.com/2000/01/01/contactme/ it includes a contact form, for security I always send links to it that include a httpS prefix, to ensure it is visited over and encrypted connection.

    However, below the form I added a source url, as a note to visit the httpS version if visiting it over a plain http url, the problem is even though I include the S in httpS, when I view it online the S has been removed, very odd auto removal of the secure S, that has wide implications. This could mean that at wordpress behest if can remove the S from any url posted on it’s wordpress.com blogs, whihc raised many critical security issues, especially for those blogs accessed in hostile locations.

    To get a better idea of the issues please download this doc:


    The blog I need help with is franciscorrigan.wordpress.com.



    I have never expected these contact forms to have https URLs and I cannot see any indication that wordpress.com intended to provide https encryption or any indication that it was anticipated that we would use use https URLs. http://en.support.wordpress.com/contact-form/

    I’m flagging this thread so it gets Staff attention and we can receive a definitive answer.



    I’m actually not able to reproduce this on my own blog, so I’m a bit puzzled.

    To further complicate matters, if WordPress were arbitrarily striping the ‘s’ from https, then the “secure” link to the image file would be affected to, but that’s still linked via https.

    Please contact us via http://en.support.wordpress.com/contact/ so we can dig a bit deeper.

The topic ‘Why are encrypted httpS urls auto changed to plain http ones, by wordpress.com’ is closed to new replies.