Embracing HTTPS

In light of a growing number of cyber security and data privacy concerns, replacing HTTP with its secure alternative, HTTPS, is becoming increasingly important.

Although HTTPS has been around for 20 years, many websites have traditionally served traffic over an insecure HTTP channel. In the early days of the web, server and network performance were often limiting factors as to whether a site used HTTPS. The server had to have enough horsepower to handle the encryption and decryption of the data, and the network had to be able to handle the extra activity.

Many of these performance concerns have become obsolete — the cost of adoption is now low enough that we should start looking into using HTTPS everywhere.

Benefits of HTTPS

1. Authenticity of News Delivery

  • When you are reading a news Web site using HTTP, the content of the articles could have been altered by third parties using man-in-the-middle (MITM) vectors. Newstweek shows how easily this can be done.

2. Privacy

  • When sites use HTTP, their users’ search and browsing history are transmitted for anyone to see. The Freedom of the Press Foundation recently urged news media sites to switch to HTTPS.
  • When sites use HTTPS, proxies and Internet backbone infrastructure can’t as easily inspect traffic and throttle it based on content. Some entities can potentially break or get around Transport Layer Security (TLS), or steal TLS certificates. However, implementing HTTPS raises the barrier of privacy protection significantly.

3. Security

  • When sites use HTTP, their users’ session cookies can be intercepted by others and used to replicate a user’s active session. This has been demonstrated using the Firesheep browser plugin.
  • The use of HTTPS disables most MITM vectors, reducing the vulnerability profile.

4. Improved Ranking in Search Engines

5. Better Analytics

  • Website referrers are dropped when a user goes to an HTTP page from an HTTPS page. This means referrals from secure sites, including Google on HTTPS, are lost for sites using HTTP.

6. Better User Experience

  • When using HTTPS, login, registration and other e-commerce integrations can happen anywhere on the site, without having to go to a separate HTTPS site.

7. Third-Party Integrations

  • An increasing number of third parties require HTTPS to use some of their services.

8. Using Emerging Technologies

  • The SPDY and HTTP2 protocols, ServiceWorker and other new technologies are designed to work better with HTTPS sites. While these are not mainstream yet, adopting HTTPS now eases future adoption.

9. Related Improvements

  • Successfully replacing HTTP with HTTPS for an entire website is likely to uncover a significant amount of existing technical debt (for example, hard-coded URLs).

The Challenges

To successfully move to HTTPS, all requests to page assets need to be made over a secure channel. It’s a daunting challenge, and there are a lot of moving parts. We have to consider resources that are currently being loaded from insecure domains — everything from JavaScript to advertisement assets.

If the assets for an advertisement aren’t able to serve over an HTTPS channel, the advertisement will probably not display on the page, directly affecting revenue. It can be difficult to determine if each advertisement will load over HTTPS. Considering the importance of advertisements, this is very likely to be a significant hurdle to many media organizations’ implementation of HTTPS. While some advertising platforms, including Google’s DoubleClick for Publishers (DFP), do support HTTPS loading, there are still a number of ad networks that may not be HTTPS-compatible.
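
One way to find the insecure asset references described above before switching a page to HTTPS is to audit its HTML for subresources hard-coded to http://. The sketch below is an added example, not code from the authors; the sample page, the host names, and the active/passive labels (scripts, frames, plugins and stylesheets versus images and media) are assumptions made for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
# "active" content can script or restyle the page; "passive" content
# (images, media) can only alter what is displayed.
KIND = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("object", "data"): "active", ("embed", "src"): "active",
    ("link", "href"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}

# Constructed sample page; every host name is a placeholder.
SAMPLE = """<html><head>
<link rel="canonical" href="http://news.example/story">
<link rel="stylesheet" href="http://static.example/site.css">
<script src="//cdn.example/lib.js"></script>
<script src="HTTP://ads.example/tag.js"></script>
</head><body>
<a href="http://other.example/">link</a>
<img src="/img/logo.png" srcset="http://img.example/a.png 1x, https://img.example/b.png 2x">
<iframe src="https://video.example/embed"></iframe>
</body></html>"""


def is_insecure(url):
    # Relative and protocol-relative ("//host/x") URLs inherit the page scheme.
    return url.strip().lower().startswith("http://")


class MixedContentAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
            return  # rel="canonical" and similar name a URL without loading it
        line = self.getpos()[0]
        for (t, attr), kind in KIND.items():
            if t == tag and is_insecure(attrs.get(attr, "")):
                self.findings.append((line, tag, kind, attrs[attr].strip()))
        if tag in ("img", "source"):  # srcset: "url descriptor, url descriptor"
            for candidate in attrs.get("srcset", "").split(","):
                url = candidate.strip().split(" ")[0]
                if is_insecure(url):
                    self.findings.append((line, tag, "passive", url))


def audit(html):
    auditor = MixedContentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

Ordinary links (<a href>) are navigations rather than page assets, so the audit ignores them; assets injected at runtime by scripts, as many advertisements are, do not appear in static HTML and need a check in the browser instead.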

Aside from advertising, organizations may face other hurdles while implementing HTTPS. Support for modern solutions, such as HSTS, is worth considering.

A Call to Action

If you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of 2015 and pledge your support with the hashtag #https2015.

Eitan Konigsburg is a software engineering architect and Rajiv Pant is the chief technology officer at The New York Times. Elena Kvochko is a cyber security and technology strategist.