How secure are news sites? A report from the first year of Secure The News
Parker Higgins · March 7, 2018
For over a year now, Secure The News has automatically monitored the HTTPS encryption practices at more than 100 major news sites around the world. Secure The News is a Freedom of the Press Foundation project built to regularly update a scorecard of some 131 news sites. We encourage sites to climb up those rankings because well-configured HTTPS encryption can protect reader privacy, enhance site security, and make important reporting harder to censor or manipulate.
We're pleased to report that since we began monitoring in late 2016, HTTPS encryption has seen a pronounced increase in the quality and reach of its deployment among news sites, and we continue to improve the tools we use to monitor that rise.
Let's start with the stats. We can see the overall rise in HTTPS deployment and quality by monitoring the "grades" we give sites based on their use of HTTPS. Each dot on this graph represents a the grade from a sampled scan, while the line shows the average grade over time. That grade, out of 100, has risen from about 31 points at the end of 2016 to over 53 points now. A major improvement, to be sure, but with plenty of room to get better.
In several key categories, we've compared our very first evaluation of the 131 news sites we monitor with the most recent.
HTTPS encryption is available on two-thirds of sites we're monitoring—89 of 131. That's up from just over one-third, or 48 sites, when we first ran tests starting in late November 2016.
Nearly 60% now offer HTTPS encryption by default. That's up from just 22% on our first scans—a massive leap in under 18 months.
Another exciting development for the nerds: the use of HSTS (HTTP strict transport security), which aims to keep browsers from ever using an insecure connection, is way up: From just 9% of sites in our first scans to up over 25% now.
In our first year of running Secure The News, we've made a few key improvements to the site as well.
In early 2017 we created a Twitter bot that would post changes to the scorecard each weekday. Now whenever a site turns on HTTPS—or improves their HTTPS security, which readers might not otherwise spot—we post a tweet detailing the change.
We also released the code powering Secure The News as a free software project in February 2017. It is licensed under the GNU AGPL software license, which means improvements made by other people using the software can be folded back into our code.
Finally, we added an API for accessing current and historical scan data. That API was used to collect the statistics in this post and currently powers the Twitter bot. We’ll provide more information about the API, and about other new developments to Secure the News, in the near future.
Strong, well-configured HTTPS encryption is a must-have for news sites operating on the modern Web, and it’s heartening that the first year of Secure The News has recorded so many improvements on that front. Press freedom must include the ability to read free from surveillance, censorship, or manipulation, and we’ll continue to push news sites to take the important technical steps necessary to achieve that goal.