The New York Times Moves Its Website To HTTPS
Secure News For Everyone!
Yesterday, social media was abuzz with the announcement that The New York Times, one of the world’s largest media companies, had adopted HTTPS.
Runa Sandvik, Director of Information Security at The New York Times, made the announcement on Tuesday afternoon. This comes on the heels of The New York Times adding the ability to submit confidential tips via SecureDrop last month.
NYTimes.com’s software and security teams worked for two years to get everything in place. They shared a blog post about their migration and why it was important to them.
For enterprise-level sites, migrating to HTTPS involves much more than just installing a certificate. These sites often have a huge backlog of content, much of it with hard-coded HTTP URLs, on top of extremely complex technology stacks. Advertising networks have also been notoriously difficult to work with, as some still do not work over HTTPS.
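The hard-coded HTTP URLs described above become mixed content once the page that embeds them is served over HTTPS. As an added example (not code from The New York Times or from the original post), this Python script audits archived HTML for subresources still loaded over `http://`; the sample markup and the example.com hosts are constructed, and the attribute list is an assumption covering common cases only.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# Assumed list of common cases; srcset and CSS url() are not covered.
SUBRESOURCE_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("audio", "src"),
    ("video", "src"), ("source", "src"), ("embed", "src"), ("object", "data"),
}
# <link href> only triggers a fetch for some rel values (canonical does not).
LOADING_RELS = {"stylesheet", "icon", "preload"}

class MixedContentAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attr_map = {name: (value or "").strip() for name, value in attrs}
        for name, value in attr_map.items():
            if tag == "link" and name == "href":
                rels = set(attr_map.get("rel", "").lower().split())
                if not rels & LOADING_RELS:
                    continue
            elif (tag, name) not in SUBRESOURCE_ATTRS:
                continue  # e.g. <a href>: a navigation link, not a subresource
            # Protocol-relative and https:// URLs are fine; only http:// is flagged.
            if urlsplit(value).scheme == "http":
                self.findings.append((self.getpos()[0], tag, name, value))

def audit(html):
    auditor = MixedContentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample of a legacy article page.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<link rel="canonical" href="http://www.example.com/2009/story.html">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<a href="http://www.example.com/archive">Archive</a>
<img src="http://graphics.example.com/photo.jpg">
<iframe src="https://ads.example.net/slot"></iframe>
<script src="HTTP://ads.example.net/tag.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in audit(SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

The canonical link and the anchor are left alone because neither causes the browser to fetch anything while rendering the page.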
Unfortunately, not all of NYTimes.com was ready to migrate. “Legacy” sections and articles, as well as localized versions of the site, were among the content not yet moved to HTTPS.
For sites like The New York Times that cover political issues and other sensitive topics, HTTPS helps hide which articles you are reading. When you visit a site over a secure connection, the exact URL you are visiting is encrypted and unavailable to anyone watching the network. All they can know is the domain you are visiting. This prevents anyone surveilling the network or recording your traffic from knowing whether you are reading the sports section or world politics.
In addition to the privacy and security benefits, HTTPS is becoming a necessity for all sites. Google, Mozilla, and other internet companies have embarked on a mission to make insecure HTTP a thing of the past, and new web technologies like HTTP/2 are only available when using HTTPS.
SecureThe.News, an initiative of the Freedom of the Press Foundation, tracks and rates HTTPS deployment at major media websites across the world. It has given The New York Times a B rating for its HTTPS support so far. The Times was docked a letter grade for not supporting HSTS (HTTP Strict Transport Security), an optimal mechanism that prevents HTTP connections altogether. HSTS support will be coming later, when the entirety of NYTimes.com can be migrated.
Previously, NYT had a D rating because they only supported HTTPS in very limited situations (logging in, payment).
Sometime soon the team behind the migration will be sharing a behind-the-scenes technical post, which will give valuable insight into exactly how a complex site gets it done.