
Tumblr activates SSL, but with a catch

Tumblr blog owners can encrypt all visits to their sites, as long as they opt in. Why didn't Yahoo just make SSL the default setting?

Seth Rosenblatt Former Senior Writer / News
Tumblr comes close to universal SSL, but chooses instead to go for opt-in encryption. Screenshot by Seth Rosenblatt/CNET

Tumblr has begun to catch up with modern security standards by activating SSL on Monday. There's a catch, though: the blog owner has to turn SSL on manually, and visitors to a blog whose owner hasn't opted in are still served over plain, unencrypted HTTP.

If you're not familiar, Secure Sockets Layer, or SSL (in current deployments its successor, TLS), encrypts the traffic between Tumblr's servers and your browser in both directions, and lets your browser check that it is really talking to Tumblr rather than to someone in the middle. That makes it much harder for anyone on the network path, such as another user on the same public Wi-Fi, to casually read or tamper with what visitors to an SSL-enabled site send and receive.

Tumblr owners can go into their Tumblr account settings dashboard and manually turn on SSL. Conrad Rushing, Tumblr's director of security engineering who wrote the blog post announcing the new feature, even said that there's no reason that Tumblr owners shouldn't enable SSL.

"It doesn't change anything about the dashboard, it just encrypts your connection to it," he wrote. "We've been using it for weeks and haven't even noticed."

While Tumblr is to be applauded for giving its blog owners the option to increase the privacy of both themselves and their visitors, a question remains: Why didn't Tumblr just turn on the feature by default for all connections to Tumblr? By enabling SSL for all site traffic, Tumblr would be doing its users and their visitors a small but privacy-forward favor.
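What "SSL for all site traffic" looks like on the wire goes a bit beyond serving pages over HTTPS: the plain-HTTP address has to redirect to HTTPS, the HTTPS response should carry a Strict-Transport-Security header so returning browsers never try HTTP again, and session cookies need the Secure flag so they are not leaked over a plain-HTTP request. The following audit is an added example written for this page; it is not code from CNET, Tumblr or Yahoo, and the two pairs of captured responses and the hostname blog.example.com are constructed for the demo rather than real Tumblr traffic.

```python
# Added example: audit a site's captured HTTP and HTTPS responses for
# "SSL on by default" behaviour. Not from the article; sample data is constructed.
from urllib.parse import urlparse

HOST = "blog.example.com"  # constructed hostname

# Opt-in style: plain HTTP serves the page as-is, HTTPS works but sets no HSTS
# and hands out a cookie that a browser will happily send back over HTTP.
OPT_IN_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "\r\n<html>...</html>"
)
OPT_IN_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "\r\n<html>...</html>"
)

# Default-on style: HTTP redirects to HTTPS, HTTPS pins the browser to HTTPS
# via HSTS and marks the cookie Secure.
DEFAULT_ON_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://blog.example.com/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
DEFAULT_ON_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n<html>...</html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, {lower-name: [values]})."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    _version, code, *_reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _sep, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(code), headers


def hsts_max_age(headers):
    """Return the max-age directive of Strict-Transport-Security, or None if absent."""
    for value in headers.get("strict-transport-security", []):
        for directive in value.split(";"):
            key, _sep, num = directive.strip().partition("=")
            if key.lower() == "max-age" and num.strip().isdigit():
                return int(num)
    return None


def cookies_without_secure(headers):
    """Names of Set-Cookie values lacking the Secure attribute."""
    names = []
    for cookie in headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            names.append(cookie.split("=", 1)[0].strip())
    return names


def audit(http_raw, https_raw, host):
    """Check the three properties that make HTTPS the default rather than an option."""
    http_code, http_headers = parse_response(http_raw)
    _https_code, https_headers = parse_response(https_raw)

    # 1. Plain HTTP must redirect to https:// on the same host.
    location = http_headers.get("location", [""])[0]
    target = urlparse(location) if location else None
    redirects = (http_code in (301, 302, 307, 308) and target is not None
                 and target.scheme == "https" and target.hostname == host)

    # 2. HSTS is only honoured by browsers when received over HTTPS, so it is
    #    read from the HTTPS response, not the HTTP one.
    max_age = hsts_max_age(https_headers)

    # 3. Cookies issued over HTTPS still ride along on HTTP requests unless Secure is set.
    insecure = cookies_without_secure(https_headers)

    return {
        "redirects_to_https": redirects,
        "hsts_max_age": max_age,
        "insecure_cookies": insecure,
        "ssl_by_default": redirects and bool(max_age) and not insecure,
    }


if __name__ == "__main__":
    print("opt-in    :", audit(OPT_IN_HTTP, OPT_IN_HTTPS, HOST))
    print("default-on:", audit(DEFAULT_ON_HTTP, DEFAULT_ON_HTTPS, HOST))
```

Note that the audit deliberately ignores a Strict-Transport-Security header on the plain-HTTP response: browsers discard it there, so a site that only sets HSTS over HTTP gets no protection. Against live hosts the two raw strings would come from a plain `http://` request and an `https://` request to the same name.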

Chris Wysopal, an information security expert and the chief technology officer at application security testing firm Veracode, applauded Tumblr for the move but said that it didn't go far enough.

"The only reason to make it opt-in is to save on computing resources at Yahoo. Can you imagine selling a car today and saying seatbelts or airbags are opt in? It might have been that way in the '70s but it isn't today," he said.

Troy Hunt, a software architect and security expert, was even less optimistic. He said that the SSL implementation won't make much difference until Tumblr turns SSL on for all users.

"Giving people the option to enable something they probably don't understand properly to begin with might help them test things with a limited number of users in the early days, but it's pretty clear that SSL should be the default state," he said.

Tumblr told CNET that at some point it will turn on SSL by default for everybody, but not yet. "We will eventually turn on this feature by default for all of our users, but to best handle the immense traffic produced by such an effort, we are beginning first by giving our users the ability to opt in," said a Tumblr spokesperson.

Update at 7:42 p.m. PT with comment from Troy Hunt.

Update at 7:13 p.m. PT with comment from Chris Wysopal.

Update at 5:47 p.m. PT with comment from Tumblr.