Google turns on HTTPS for all Blogspot blogs
All blogs hosted on Google’s blogspot.com domain can now be accessed over an encrypted HTTPS connection. This puts more control into the hands of blog readers who value privacy.
Google started offering users of its Blogger service the option to switch their blogspot.com sites to HTTPS in September, but now that setting was removed and all blogs received an HTTPS version that users can access.
Instead of the “HTTPS Availability” option, blog owners can now use a setting called “HTTPS Redirect,” which will redirect all visitors to the HTTPS version of their blogs automatically. If the setting is not used, users will still be able to access the non-encrypted HTTP version.
Forcing HTTPS by default would have been better, but would have likely triggered mixed content alerts in users’ browsers for some blogs.Â These errors happen when a website served over HTTPS loads resources, such as images and code, from external servers that don’t use HTTPS.
“Mixed content is often caused by incompatible templates, gadgets, or post content,” Google software security engineer Milinda Perera said in a blog post Tuesday. “While we’re proactively fixing most of these errors, some of them can only be fixed by you, the blog authors.”
To help authors detect such errors early, Google has built a tool directly into the Blogger editor that warns authors about mixed content issues even before a blog post is saved and published.
In addition to using blogspot subdomains, Google’s Blogger service allows users to use their custom domains for their blogs; however, those blogs have not received HTTPS support yet.
This is in contrast to WordPress.com, the blogging platform run by Automattic, which recently enabled HTTPS by default for all custom domains. The company achieved that by partnering with Let’s Encrypt, a new certificate authority that provides free SSL/TLS certificates and automates their deployment, configuration and renewal.
Users who want to always access the HTTPS version of a blogspot.com domain can install the HTTPS Everywhere extension developed by the Electronic Frontier Foundation that’s available for Google Chrome, Mozilla Firefox and Opera.