Techcrunch is usually accessed via unencrypted HTTP as a quick search for Techcrunch will show: Google offers the HTTP URL. Techcrunch is hosted on Wordpress VIP[1] which explains the SSL cert you get. In other words, nothing to see here.
Not the best endorsement for Wordpress VIP as a service, though. For what they're paying (and for a service which is specifically targeted at hosting on a non-wordpress.com domain), I'd expect at least that they support SNI to get the correct cert for browsers that support it, if not dedicated IPs so that SSL works everywhere.
Sending a *.wordpress.com cert along with an "enterprise" service is sloppy and doesn't really inspire confidence in their product.
(Although it does seem to be possible for at least some Wordpress VIP customers-- time.com has a valid cert (but redirects to HTTP), and fivethirtyeight.com has fully working HTTPS. So maybe it's actually techcrunch's issue?)
Well, they sort of have to be accessed by unencrypted HTTP, their HTTPS certificate gives a huge warning. Any site doing journalism needs to have their SSL setup correctly if they care about the privacy of their readers.
Interestingly only says things about enablign HTTPS for the admin panel and how to get make "those annoying security warnings to go away". Nothing about HTTPS with custom domain name. Nor do they have any HTTPS info on the Custom Domains section at https://en.support.wordpress.com/category/domains/
This is the problem with using that HTTPS everywhere extension - there's lots of domains that are listening on 443 but don't support https. visiting sites using broken https doesn't really make you any more secure.
HTTPS Everywhere has a whitelist of sites and only forces HTTPS on those sites. It doesn't force HTTPS on every server that merely listens on port 443.
[+] [-] VieElm|11 years ago|reply
[1] http://techcrunch.com/2012/12/13/automattic-launches-wordpre...
[+] [-] lloydde|11 years ago|reply
https://recode.net/
https://gigaom.com/
Here are two that don't:
https://qz.com
https://pando.com/
And one that redirects you from https
https://time.com
Is that last one the best experience if you don't have a cert?
[+] [-] JonathonW|11 years ago|reply
Sending a *.wordpress.com cert along with an "enterprise" service is sloppy and doesn't really inspire confidence in their product.
(Although it does seem to be possible for at least some Wordpress VIP customers-- time.com has a valid cert (but redirects to HTTP), and fivethirtyeight.com has fully working HTTPS. So maybe it's actually techcrunch's issue?)
[+] [-] alexnking|11 years ago|reply
[+] [-] Kudos|11 years ago|reply
[+] [-] imrehg|11 years ago|reply
Interestingly only says things about enablign HTTPS for the admin panel and how to get make "those annoying security warnings to go away". Nothing about HTTPS with custom domain name. Nor do they have any HTTPS info on the Custom Domains section at https://en.support.wordpress.com/category/domains/
[+] [-] mikeryan|11 years ago|reply
[+] [-] peedy|11 years ago|reply
[+] [-] notatoad|11 years ago|reply
[+] [-] agwa|11 years ago|reply
[+] [-] noinput|11 years ago|reply
[+] [-] ossreality|11 years ago|reply
[deleted]