Visit the Washington Post homepage, and you’ll now see a lock icon and “https,” rather than just “http,” at the beginning of the URL:
It’s a thing of beauty: pic.twitter.com/RkJKjKI99l
— Will Van Wazer (@willvanwazer) June 30, 2015
The added “s,” which stands for secure, indicates that a site’s content is delivered through an encrypted connection that makes it more difficult for a third party to track or hijack information transmitted between the site and a visitor. (Here’s a helpful, no-tech-knowledge-required explanation of HTTPS from Eric Mill, a technologist for the federal government’s digital services agency 18F.)
The Post’s announcement last month that it is encrypting swaths of its site was celebrated throughout the tech community:
— Eric Mill (@konklone) June 30, 2015
This, alone, is worth the cost of my subscription. The excellent investigative journalism is a bonus. pic.twitter.com/h4smXKA86e
— Christopher Soghoian (@csoghoian) June 30, 2015
The arguments for moving websites to a secured connection are strong. Not only are visitors’ identity information and browsing habits better protected from eavesdroppers, the content they see is also safer from tampering. Referral data is more complete (referral information for visitors moving from a secured site to a non-secured site is dropped, showing up only as direct traffic). Let’s Encrypt, available this September, offers free services.
If all that isn’t reason enough to make the switch, Google announced last summer that websites using HTTPS would start getting a boost in search rankings (though only a small one).
18F’s Mill, who has been vocal about finding easier ways for websites to transition to HTTPS, believes that changing web standards will force news organizations to HTTPS “one way or another,” as browsers like Chrome and Mozilla “apply deliberate pressure.”
The push for HTTPS isn’t just a pet project for a few dedicated cybersecurity advocates. Many email, banking, and social media services encrypt their traffic already. Wikipedia is now encrypted by default. Netflix is secure. The White House has ordered all publicly accessible federal sites and services to use HTTPS by the end of next year, and there are similar requirements across the pond.
Still, only a sliver of news organizations currently use HTTPS technology. Some newer outlets launched with it on their entire sites (The Marshall Project, The Intercept, The Information) and others appear to have made significant progress toward being fully HTTPS (ProPublica, FiveThirtyEight). At least for now, though, the Post is the only large news organization to offer the security feature. Last fall, The New York Times issued a challenge for news sites to go fully HTTPS by the end of 2015; the Times’ own efforts at conversion are still under way, according to Times spokeswoman Danielle Rhoades-Ha, who said there’s currently no timeline for implementation. (Rajiv Pant, the CTO who coauthored that original blog post, also left the organization in May.)
“We didn’t really have any help or model for this move,” Will Van Wazer, the Washington Post senior platform engineer who led the Post’s migration to HTTPS, told me. “The only other organizations who have moved have been ones that don’t have anywhere close to the archive content that we have, or did it as part of a brand new redesign of their site.”
The Post’s effort began in full in January, he said, and was a substantial amount of labor involving two engineers from the site team, one from the platform team, one from the graphics department, and several other project managers.
Why is becoming fully HTTPS so hard? The main challenge for an organization that’s been around for a few years is the time it takes to comb through years and years of archive material to make sure everything loads properly in HTTPS — especially if there’s a lot of third-party embedded content (images, video, links, audio) to check.
Van Wazer explained the Post’s methods:
The process for actually moving the code that powers our site over to HTTPS was fairly straightforward, as it would be for anyone — it’s basically just a find and replace from “http://” to “https://.” Our biggest concern turned out to be third-party content, both from advertisers and from our own newsroom…
So a developer on our App Support team developed a tool to send out an hourly report that took our top 1,000 most popular articles, visited them in an environment that we had set up that redirected everyone to HTTPS, and sent back any mixed content warnings, where they appeared, and the URLs they complained about. This was an invaluable tool for us, and basically what we spent the last two months working [on].
The issue with basing the report on the top 1,000 most popular articles is that it is constantly changing day to day and even hour to hour — articles and blog posts are published literally 24/7, and with such a wide swath of the site, someone popular tweeting out a link to an archive story could make it into the report. So we had situations where we would have perfect reports for a few hours or even a few days, and then it would switch to having a large number fail.
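The kind of per-article mixed-content report described above can be approximated with a static scan; this is an added example, not the Post's tool, and it parses HTML for `http://` subresources instead of collecting a browser's warnings. The page URLs, markup and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attribute that triggers a subresource fetch. Plain <a href> links are
# navigations, not subresources, so they never count as mixed content.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for severity, table in (("active", ACTIVE), ("passive", PASSIVE)):
            attr = table.get(tag)
            if attr is None:
                continue
            rel = (attrs.get("rel") or "").lower()
            if tag == "link" and "stylesheet" not in rel:
                continue  # only stylesheet links load active content
            url = (attrs.get(attr) or "").strip()
            # Protocol-relative and https:// URLs inherit or use TLS: fine.
            if url.lower().startswith("http://"):
                self.findings.append((severity, tag, url))


def scan(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def report(pages):
    """Map each page URL to its findings, omitting clean pages."""
    return {url: hits for url, html in pages.items() if (hits := scan(html))}


# Constructed sample pages (hypothetical URLs) standing in for popular articles.
PAGES = {
    "https://news.example/2015/new-story":
        '<img src="https://img.example/a.jpg">'
        '<script src="//cdn.example/app.js"></script>',
    "https://news.example/2009/archive-story":
        '<a href="http://other.example/">link</a>'
        '<img src="http://img.example/old.jpg">'
        '<script src="http://ads.example/tag.js"></script>'
        '<link rel="stylesheet" href="HTTP://cdn.example/old.css">',
}
```

Active findings (scripts, frames, stylesheets) are the ones browsers block outright on an HTTPS page, so they are the ones to fix first; passive ones (images, media) typically load with a warning.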
Potential loss of advertising revenue was another big concern, as advertisers need to take an extra step to ensure their ads are also secure (ad networks were, for instance, The Boston Globe’s major concern).
“Every third party we use on the site needs to be HTTPS-compliant, or it either stops working or the browser will warn about it being insecure,” the Post website’s chief digital architect Greg Franczyk said in the Post’s original announcement.
FiveThirtyEight senior web developer Paul Schreiber argues that the move to HTTPS could eventually prove to be a good thing for advertisers, though, as their ads are safer from some rogue Internet provider’s tampering.
The technical benefits of reducing page loading time, and pressure from browsers like Mozilla that are phasing out browser features for sites that aren’t secured, tipped the scales for the Post in favor of going for HTTPS, despite concerns about ad revenue.
“It’s clear that HTTPS is where everybody in the media industry is going to go eventually, and so that’s where we need to be,” Van Wazer said. “We’ve made some really significant investments in our technology since our acquisition [by Amazon’s Jeff Bezos in 2013], and this is just another sign of that.”
Mike Tigas, the news applications developer for ProPublica who ran an HTTPS session at this year’s SRCCON, said he was pleasantly surprised by how many organizations were interested in deploying HTTPS, and many may be far along in the process already even if they haven’t publicly announced it. (NPR, for one, is making some moves toward HTTPS this summer.)
ProPublica seriously broached the subject of migrating to HTTPS last summer, Tigas said, and like the Post, began efforts in earnest in January. It’s now mostly switched over — all that’s left is for eagle-eyed readers to point out a few stray pages here and there that aren’t HTTPS-compliant.
“Organizations know how much work is involved to weed through content,” Tigas said. “We don’t publish in large volume — if it’s taken ProPublica this long to do it…”
“In a perfect world, every website would have HTTPS,” said Ivar Vong, director of technology at The Marshall Project. Vong emphasized that because The Marshall Project launched with HTTPS and at the moment doesn’t rely on any ad revenue, their deployment was simpler.
In addition to the improved security and better analytics data that come with using HTTPS, Vong noted that it can often subvert censorship: someone tracking an HTTPS website visitor wouldn’t be able to see the specific page she or he was visiting, and certain censors may only be blocking HTTP versions of sites, such that a secured version of the site is still accessible.
The developers I spoke to agreed that, for sites that don’t run ads or have little to no archival content to deal with, there’s little reason not to switch to HTTPS. Websites may be slow to realize they’re making personal details about their visitors vulnerable to monitoring: Until last fall, the unsecured AIDS.gov had been transmitting location information of the site’s visitors. Even for sites dealing with less sensitive subject matter, there are all sorts of ways in which content can be compromised. It’s all too easy to manipulate websites, and people on public wifi are notoriously vulnerable.
“We have a responsibility to readers to protect their privacy, and to writers to ensure the integrity of their work,” Schreiber said.