The New York Times Moves Its Website To HTTPS
1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

The New York Times Moves Its Website To HTTPS

Secure News For Everyone!

Yesterday, social media was abuzz with the announcement that The New York Times, one of the world’s largest media companies, had adopted HTTPS.

Runa Sandvik, Director of Information Security at The New York Times, made the announcement on Tuesday afternoon. This comes on the heels of The New York Times adding the ability to submit confidential tips via Secure Drop last month.

NYTimes.com’s software and security teams worked for two years to get everything in place. They shared a blog post about their migration and why it was important to them.

For enterprise-level sites, migrating to HTTPS involves much more than just installing a certificate. These sites are often working with a huge backlog of content, which often have hard-coded HTTP URLs, in addition to extremely complex technology stacks. Advertising networks have also been notoriously difficult to work with, as some still do not work over HTTPS.

Unfortunately, not all of NYTimes.com was ready to migrate. “Legacy” sections and articles, as well as localized versions of the site, were among content not yet moved to HTTPS.

For sites like NY Times which cover political issues and other sensitive topics, HTTPS helps hide what articles you are reading. When you visit a site over a secure connection, the exact URL you are visiting is encrypted and unavailable to anyone watching the network. All they can know is the domain you are visiting. This would prevent anyone surveilling the network or recording your traffic from knowing if you are reading the sports section or world politics.

In addition to the privacy and security benefits, HTTPS is becoming a necessity for all sites. Google, Mozilla, and other internet companies are embarked on a mission to make unsecure HTTP a thing of the past; and new web technologies like HTTP/2 are only available when using HTTPS.

SecureThe.News, an initiative of the Freedom of the Press Foundation, tracks and rates HTTPS deployment at major media websites across the world. They have given The New York Times a B rating for their HTTPS support so far. They were docked a letter grade for not supporting HSTS (HTTP Strict Transport Security), an optimal mechanism that prevents HTTP connections altogether. HSTS support will be coming later when the entirety of NYTimes.com can be migrated.

Previously, NYT had a D rating because they only supported HTTPS in very limited situations (logging in, payment).

Sometime soon the team behind the migration will be sharing a behind-the-scenes technical post, which will give valuable insight into exactly how a complex site gets it done.

1 comment
  • This whole thing is BS. I mean the certificate layer. Now I can’t get the times. My browser is old. I can’t update it unless I get a new operating system, which I can’t get unless I get a new machine. This is even worse on my phone. There is no new OS for that, unless I hack it. All because of stupid certificate.

    Now if it were possible to get the certificate and install it, that would be one thing. Just try.

    All because what I read might be tracked? Silly. Give me the choice. I really don’t care if someone is watching and knows what I read on the times or the AP.

Leave a Reply

Your email address will not be published. We will only use your email address to respond to your comment and/or notify you of responses. Required fields are marked *

Captcha *