A simple step to make news sites more secure


While media organizations have spent the post-election period highlighting the perils of fake news on social media, few seem to recognize the risk of fake news appearing where they might least be looking for it: their own websites. 

The vast majority of mainstream news organizations still publish to HTTP domains, making it impossible to guarantee either their readers’ privacy or the authenticity and accuracy of what those readers are seeing. News sites that publish on HTTPS domains, however, can guarantee all of this–without additional effort from users. 

Publishing their stories via HTTPS, says Betsy Reed, editor in chief of The Intercept, “protects against attackers making fake Intercept articles that are impossible to tell apart from real ones.” In fact, Reed continues, “The FBI did this to the Associated Press in 2007, but if [the] AP used HTTPS this attack wouldn’t have worked.”

HTTPS has been around as long as the Web, but in the early days of slow connections and computers, the faster and simpler HTTP protocol dominated as the way to publish content online. HTTPS was typically reserved for login and e-commerce pages, where better security was more valuable than any potential time-lag it caused. In the last few years, however, an exponential increase in cybersecurity threats and revelations of mass surveillance have offset these tradeoffs entirely. Today, web browsers and search engines actually give preference to HTTPS websites, and key technologies for improving page speed are only available to those on HTTPS. 

With the American media also now facing one of the most hostile and unpredictable executive leaders in recent history, the imperative for reputable news sites to move to HTTPS is now greater than ever.

The ability to guarantee readers are seeing authentic, reliable information should make switching to HTTPS an obvious choice for journalists. But for readers, the stakes are even higher. HTTPS affords increased privacy: When readers visit sites served over HTTP, anyone from their service provider to someone sitting next to them in a coffee shop (especially if the WiFi is also unsecured, as it is in many public places) can see exactly what they’re reading–even if their web browser is in “private” or “incognito” mode. If profiling individuals based on their reading habits seems far-fetched, recall that the early days of the Patriot Act found librarians shredding borrowing records and computer sign-in sheets to avoid sharing reader data with the FBI.


While the Snowden revelations showed intercepting and manipulating HTTP content is well within the capacities of the NSA and GCHQ, such interventions aren’t solely the purview of sophisticated agencies. As projects like Newstweek and Firesheep illustrate, interfering with HTTP-delivered content (especially over unsecured WiFi) can be as simple as plugging in a device that looks like a power adapter.

Fortunately for news organizations, going HTTPS-only has never been easier, especially for small or startup media organizations.

“If somebody is launching a new business, there’s no reason they shouldn’t be on HTTPS,” says Rajiv Pant, chief technical and product officer of Thrive Global, Arianna Huffington’s new media and lifestyle brand, which launched on HTTPS at the end of November. For smaller organizations, content delivery networks (CDNs) like CloudFlare and hosting providers like WPEngine have integrated support for HTTPS, making it possible to switch with little to no technical assistance.

For larger organizations, going HTTPS is a bit more complex. “When you’re doing a site redesign, that’s a good time to make the change to HTTPS,” says Pant, since “you’re likely to impact other things on the site anyway, like SEO.” Indeed, the decision to go HTTPS may be the hardest part for large organizations, because of perceived difficulty or overhead.

HTTPS is also an all-or-nothing proposition: A website serving any HTTP content won’t show the crucial green lock in the browser bar confirming all the information is both authentic and private. This means news organizations have to examine dozens if not hundreds of apps and vendors as well as seemingly countless lines of code–all the while potentially breaking links and threatening SEO.
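
An added example, not part of the original article: a minimal version of the audit described above, which parses a page's HTML and reports every subresource that would still load over HTTP from an HTTPS page. The hostnames and sample markup are constructed, and the active/passive split is a simplification of how browsers classify mixed content.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Simplified classification (an assumption of this example): "active" content
# can rewrite the page; "passive" content only fills a box on it.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"),
          ("object", "data"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
KINDS = {**dict.fromkeys(ACTIVE, "active"), **dict.fromkeys(PASSIVE, "passive")}


class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        if tag == "link" and "stylesheet" not in rel:
            return  # canonical/alternate links are not fetched as subresources
        for attr, value in attrs:
            kind = KINDS.get((tag, attr))
            if kind and value:
                # Resolve relative and protocol-relative URLs against the page.
                absolute = urljoin(self.page_url, value.strip())
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((kind, tag, absolute))


def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, as it would be served from https://news.example/story
SAMPLE = """<head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://news.example/story">
<script src="http://ads.example/tag.js"></script>
<script src="//cdn.example/lib.js"></script>
</head><body>
<a href="http://other.example/source">source</a>
<img src="http://charts.example/graph.png">
<iframe src="https://video.example/embed/1"></iframe>
</body>"""

if __name__ == "__main__":
    for finding in audit("https://news.example/story", SAMPLE):
        print(*finding)
```

Only the ad script and the embedded chart are reported: ordinary links to HTTP pages, the canonical link, and relative or protocol-relative URLs do not count as mixed content.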

“The business decision to do it is the harder part,” says Will Van Wazer, a lead engineer at The Washington Post who oversaw its five-person, seven-month transition to HTTPS in 2015. From a technical perspective, Van Wazer says, “It’s not like anything is particularly hard. It’s just that there’s a huge scope of things that you need to do.”

While news sites like The Washington Post, Wired, The Intercept, ProPublica, The Marshall Project, and most recently, The Guardian, have either launched as HTTPS-only or successfully made the switch, many major news outlets, including The New York Times, The Wall Street Journal, Bloomberg, LA Times, Reuters, and The Associated Press remain at least partially HTTP. (Editor’s Note: CJR doesn’t currently use HTTPS, though the publication is studying shifting to the technology as part of an upcoming upgrade of its site.)

When I asked Pant (who left The New York Times in 2015) why this change had yet to be realized more than two years after he and his colleagues wrote a post on the “Open Blog” titled “Embracing HTTPS,” he said simply: “Many of the people who had started the project ended up leaving the company”–highlighting the commitment needed to see such a project through.

At The Washington Post, Van Wazer was initially concerned about persuading the advertising and editorial departments to make the switch to HTTPS, but “It was much more collaborative than I was expecting,” he says. “Especially from the editorial side–they were really great partners.” The trade-offs were relatively minor, Van Wazer says. For example: “Our website is going to be more secure, but we won’t be able to embed a graph from this random website.”

Indeed, the kind of business objections that would have been raised to an HTTPS conversion just two years ago are now largely a thing of the past. For example, HTTPS connections require more bandwidth, potentially slowing down secure sites for users. According to Pant, however, “as computers have gotten faster, the speed difference is negligible. It’s like saying that certain safety features in a car may make it heavier–but it still goes quite fast.”

For The Washington Post, in fact, HTTPS has been the key to faster loading pages, rather than the reverse. Their progressive web app, which reduces page load times by at least a third and in some cases renders them instantly, relies on Web “service worker” technologies that are “only possible because of HTTPS,” says Van Wazer. Not only does this technology play nicely with services like Google AMP, Google’s service for instantly loading articles, “now it appears that search engines give you somewhat better ratings” when your site is HTTPS, says Pant.

Speed and search results are important, of course, but in the end, many news organizations still rely on advertising to make their money online. “The biggest thing has been working with advertising agencies,” says Pant. “But in the last few years these services are working with HTTPS more and more, so even that excuse is dwindling.”

“Even the ad networks have been paving the way,” says Van Wazer. In a 2015 blog post, the vice presidents of the display, video and AdWords programs at Google pledged to make their online ad inventory available via HTTPS. “Ad networks are following that lead,” says Van Wazer.

One final barrier to HTTPS has often been the cost of “security certificates” (also called “SSL certificates”). These digital documents are issued by “certificate authorities,” to assure users a website is really owned and operated by the organization it appears to be. With the 2015 launch of projects like Let’s Encrypt, which provides SSL certificates for free, “the cost of getting a certificate has gone down to zero,” says Van Wazer. 

While I believe in the integrity and privacy of HTTPS connections, it was in my role as the assistant director of the Tow Center for Digital Journalism (and its primary website administrator) that I recently had my own practical encounter with setting it up. One day last month, I logged into our WPEngine hosting provider to find a message announcing free Let’s Encrypt SSL certificates were now available to all clients. After toggling a setting on the website and requesting a small change to our domain configuration, towcenter.org went HTTPS a few days later. 

“I think that’s the story that’s going to be playing out a lot more,” said Van Wazer, when I relayed this experience. Converting to HTTPS is “going to be as easy, soon, as flipping a switch.”


Susan McGregor is Assistant Director of the Tow Center for Digital Journalism and Assistant Professor at Columbia School of Journalism.