[wp-trac] [WordPress Trac] #52783: Health Check mis-reports https functionality in certain situations
WordPress Trac
noreply at wordpress.org
Thu Mar 18 15:37:28 UTC 2021
#52783: Health Check mis-reports https functionality in certain situations
--------------------------+---------------------
Reporter: Ipstenu | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 5.7.1
Component: Site Health | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
--------------------------+---------------------
Comment (by Ipstenu):
Honestly, I think the SSL verification should be pulled at the moment
@peterwilsoncc, or modified to be a _warning_ instead of an error -- it's
a fantastic *idea* but this is just the most common way it kicks back an
incorrect response. We should look into not checking 'is WP returning
properly with SSL' but maybe consider mimicking whatever browsers are
doing to give us that happy lock in our address bars. If we leverage that,
and not "Is WP..." I feel we'll have a better idea of what is coming back.
With the exception of a headless WP that pulls from an API on another
server, it's unlikely a user would actually be able to get into their
WP-admin anyway if SSL is borked. Most modern browsers warn you, some
outright block you, and if you're intentionally pushing past that to log
in, the odds are you already know and just need a warning. Basically, this
is pretty rare, and in the majority of valid reports, they're being told
already by the browser, so we shouldn't be hard error-ing; it gives the
wrong impression when it's a false-flag.
And I have to stress... SSL is not an easy concept to grasp for a lot of
new admins. I came 'round to this issue from customers at my host company
who were freaking out because they could see the lock on their browser,
they did SSL verify, but here's WP (who has a great track record for
correct reports) telling them they were wrong. We have to consider WHO is
being given this information and how we present it to them.
"WordPress is unable to verify that SSL is fully functional on your site.
This can happen due to interference with plugins or proxy services. Here's
how you can verify this for yourself." with a link to a doc on what could
happen. We need to educate on this one a little more :)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52783#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform