Secure News For Everyone!
Yesterday, social media was abuzz with the announcement that The New York Times, one of the world’s largest media companies, had adopted HTTPS.
Runa Sandvik, Director of Information Security at The New York Times, made the announcement on Tuesday afternoon. This comes on the heels of The New York Times adding the ability to submit confidential tips via SecureDrop last month.
For enterprise-level sites, migrating to HTTPS involves much more than just installing a certificate. These sites often have extremely complex technology stacks and a huge backlog of content, much of which contains hard-coded HTTP URLs. Advertising networks have also been notoriously difficult to work with, as some still do not work over HTTPS.
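The hard-coded HTTP URLs mentioned above are what a migration team has to inventory before switching a page to HTTPS. The following audit sketch is an added example, not code from The New York Times or from this article. The hostnames and sample page are constructed, and the active/passive split follows how browsers treat mixed content.

```python
from html.parser import HTMLParser

# Active mixed content (blocked by browsers on an HTTPS page) vs. passive
# (images/media, historically loaded with a warning). (tag, attribute) pairs.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentAudit(HTMLParser):
    """Collect hard-coded http:// subresource URLs from one HTML document."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, severity, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr, value in attrs.items():
            url = (value or "").strip()
            if not url.lower().startswith("http://"):
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue  # canonical/alternate links are not fetched
            if (tag, attr) in ACTIVE:
                severity = "active"
            elif (tag, attr) in PASSIVE:
                severity = "passive"
            else:
                continue  # e.g. <a href>: a navigation, not a subresource
            self.findings.append((self.getpos()[0], severity, tag, url))


def audit(html):
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample standing in for an archived article page.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<link rel="canonical" href="http://www.example.com/2009/story.html">
</head><body><a href="http://www.example.com/archive/">Archive</a>
<img src="http://graphics.example.com/2009/photo.jpg">
<script src="https://static.example.com/app.js"></script>
<iframe src="HTTP://ads.example.net/slot?id=1"></iframe></body></html>"""

print(*audit(SAMPLE), sep="\n")
```

Active findings break the page once it is served over HTTPS, so they are the ones to fix first. Ordinary links and canonical tags are skipped because they are navigations or metadata, not subresource loads.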
For sites like NY Times which cover political issues and other sensitive topics, HTTPS helps hide what articles you are reading. When you visit a site over a secure connection, the exact URL you are visiting is encrypted and unavailable to anyone watching the network. All they can know is the domain you are visiting. This would prevent anyone surveilling the network or recording your traffic from knowing if you are reading the sports section or world politics.
In addition to the privacy and security benefits, HTTPS is becoming a necessity for all sites. Google, Mozilla, and other internet companies have embarked on a mission to make unsecured HTTP a thing of the past, and new web technologies like HTTP/2 are only available when using HTTPS.
SecureThe.News, an initiative of the Freedom of the Press Foundation, tracks and rates HTTPS deployment at major media websites across the world. It has given The New York Times a B rating for its HTTPS support so far. The site was docked a letter grade for not supporting HSTS (HTTP Strict Transport Security), an optimal mechanism that prevents HTTP connections altogether. HSTS support will be coming later when the entirety of NYTimes.com can be migrated.
Previously, NYT had a D rating because they only supported HTTPS in very limited situations (logging in, payment).
Sometime soon the team behind the migration will be sharing a behind-the-scenes technical post, which will give valuable insight into exactly how a complex site gets it done.