The transition to HTTPS is a lot more complicated than it sounds.
Wired.com is in the process of switching its entire site from HTTP to HTTPS. For a site of its scale – with thousands of pages, and loads of existing infrastructure – making an engineering change is always a challenge.
From the beginning, Wired pledged to be transparent about the switch, giving insight about what it’s like for a major website to implement HTTPS for the first time. In its most recent update, Wired’s application architect Zack Tollman discussed obstacles in implementing the secure protocol.
The HTTPS protocol brings a variety of benefits to end users, including encryption, authentication, and integrity. Combined, those features ensure that you are connecting to website’s true server and seeing the content exactly as intended. Without HTTPS, it is trivially easy for the content of a website to be modified by others, including malicious actors.
Google released an HTTPS Transparency Report earlier this year, which included some great statistics on HTTPS usage amongst the world’s most-visited websites. A troubling trend is that many popular news sites have yet to adopt the secure protocol. As Neiman Lab wrote, “when it comes to security best practices, most publishers are better at writing about them than actually implementing them.”
The New York Times and DailyMail.co.uk are amongst worldwide leaders in news that do not have any support for HTTPS on their sites. The Guardian (which originally published Edward Snowden’s evidence of the NSA’s global spying programs) added HTTPS only a few months ago.
Many news organizations have acknowledged this and are working on rectifying this lack of secure access. To have a properly secure connection all the resources on your webpage need to be available over HTTPS. For large sites that use third-party services and ad networks this can be challenging, as those providers may not have HTTPS support themselves.
Ensuring every asset on a page is available over HTTPS is no small feat. It’s common for larger sites like Wired to have more than a dozen third-party services providing tools like metrics, video players, advertising, etc. On top of that you have to consider every individual page that may have embedded content that was relevant to a particular article. If just one asset is not available over HTTPS, then that specific page is not secure. That is a big challenge when you have 23 years of content.
Wired isn’t moving to HTTPS purely for the security benefits. The site is also hoping that moving to HTTPS can help it combat ad-blocking, which is growing 50% year-over-year. Reuters estimates that more than 20% of U.S. internet users use ad-blocking software, and Wired’s own estimates show that proportion is even higher with their tech-savvy audience.
Privacy concerns are frequently cited as a reason for blocking ads. Wired believes that if they can eliminate those concerns by supporting HTTPS, they can slow their audience’s adoption of ad-blocking. In a May interview, Wired’s VP publisher Ken Kelleher told Digiday, “the ultimate goal is to alleviate one of the big three concerns people have expressed to us outright.”
Wired’s HTTPS pilot began in April, when they moved their Security vertical over. They intended to move the entire site to HTTPS by the end of May. But now, five months later, less than half of Wired’s verticals are using HTTPS.
There are two persistent issues that have been holding Wired back from a full-site switch: SEO rankings and mixed content.
A temporary drop in SEO is normal and expected, because Google treats HTTP and HTTPS as separate addresses and the associated rankings need to be migrated. But once that happens, everything should return to normal. Wired has had some lingering issues with SEO and they are “still trying to figure out why.”
The other issue is mixed content problems, which occur when some of the assets on a page are loaded over HTTP (the challenge we were describing above). Tollman said “many of these issues are from ad assets.” Ad networks have typically been one of the biggest components preventing a transition to HTTPS.
Wired’s progress has further cemented the importance of piloting changes before flipping your entire site over to HTTPS. It is so easy to turn HTTPS on with most servers, that it belies what a major change it is. We always recommend having a detailed plan to ensure that you do not suffer any negative consequences as a result of switching to HTTPS. Google has an excellent set of documentation about best-practices for moving from HTTP to HTTPS, including tips on how to avoid SEO problems.
Alexa.com ranks Wired as the 887th most-visited site in the world. This week, they moved their Design vertical to HTTPS, and they hope to have the entire site on HTTPS “by the end of the summer.”