Anyway

Let’s Encrypt has made it much easi­er for web sites to use https instead of http, even those on shared host­ing. In my case, all I needed to do was ask my ISP, Cana­dian Web Host­ing, to move my accounts to a serv­er that sup­ports a cPan­el exten­sion (I assume this one). Installing the certs is trivial.

Chan­ging the basic Word­Press set­ting was easy — update the WordPress Address (URL) and Site Address (URL) set­tings in Gen­er­al. This did break a lot of image links, mostly because I’ve had my blog on Word­Press for so long that I still had all my images in a cus­tom image dir­ect­ory and the gal­lery could­n’t find them any more. That took a cer­tain amount of fid­dling, and I haven’t yet got all the images in the old posts back to the way they were.

Anoth­er thing that broke was my spam detec­tion. I used Spam Karma for many years, and even after it was no longer updated it was suit­able for my needs. But it does­n’t work with https for some reas­on. I’ve now switched to Anti­s­pam Bee and find it does what I need. I haven’t noticed any spam slip­ping through, nor real com­ments being marked as spam. Most of the com­pet­it­ors had some fea­ture I did­n’t like, such as by default delet­ing com­ments without my hav­ing a chance to check them. That would be use­ful on sites with lots of spam, but not neces­sary for mine. It has a well-deserved high rat­ing on the Word­Press plu­gin site.

Over­all, switch­ing my sites to https cost me a couple of hours work and the time wait­ing for the new serv­er DNS to propag­ate. Well worth it.

Two-factor authen­tic­a­tion is gen­er­ally seen as a good idea; there’s a cer­tain amount of hand-wringing over the fact that more people don’t turn it on. The prob­lem is, it’s one of those things where you sign up for dis­rup­tion over the next few days, for uncer­tain reward. The reward is uncer­tain because you can nev­er tell wheth­er turn­ing on two-factor authen­tic­a­tion stopped someone hack­ing your account or not, just like you can­’t tell wheth­er hav­ing an alarm com­pany sign out­side your house dis­suades someone from break­ing into it. My main email account has been on 2FA for ages, but I decided to add it to one of my sec­ond­ary accounts as well, giv­en that lots of people seem to mis­takenly use that email instead of their own.

Tim sug­ges­ted I used the authen­tic­at­or app for my Google account 2FA, instead of using the SMS sys­tem. Just a hint: set it up while you still have access to your text mes­sages since SMS is used for the boot­strap­ping authen­tic­a­tion. You need to sign up for Google 2FA in the first place ‘on a com­puter’ (not spe­cified wheth­er a tab­let is suf­fi­cient? I used the desktop). You are sent an SMS to authen­tic­ate your­self, and then you get anoth­er one when you want to authen­tic­ate the Authen­tic­at­or app. After that, you don’t need your SMS sys­tem, as long as you have the device with the Authen­tic­at­or app on it.

But then there are the oth­er apps, which now need applic­a­tion-spe­cif­ic gen­er­ated pass­words. Adi­um for Google Talk, for example, or email with Thun­der­bird. Set­ting each one up does­n’t take long, but I’m sure some time in the future I will have for­got­ten and be won­der­ing why I can­’t log in with a val­id password.

And I under­stand what’s going on, more or less, and think the short-term hassles are worth it. There are lots of people who don’t have a men­tal mod­el of pass­words or authen­tic­a­tion, who see only the pain and not the gain (since the gain is only in the absence of a poten­tial future pain). Busi­nesses are sup­posedly imple­ment­ing 2FA fairly rap­idly, but I’d be sur­prised if people in gen­er­al were out­fit­ting their per­son­al accounts with 2FA at any­thing like the same rate. Mind you, I also sus­pect those sur­veys apply mostly to big­ger com­pan­ies in par­tic­u­lar indus­tries; anec­dot­al evid­ence I’ve heard points to a lower real adop­tion rate.