HTTPS (the S stands for "secure") is the industry standard for providing encryption, authentication, and integrity for content on the web. If you're unfamiliar with HTTPS, we recommend starting with this handy explainer.
HTTPS encryption is increasingly widely used on the Internet, and for good reason - it provides a whole host of benefits to organizations who deploy it, as well as their users. What follows are some of the reasons why news organizations in particular should consider deploying HTTPS.
"We want LGBT readers in Uganda to be able to learn about troubling developments in their country without exposing themselves to authorities who are likely sniffing their web traffic." (Buzzfeed)
The news articles you read can provide intimate details about your interests, your work, and your personal life that you may want to keep private from prying eyes. Without HTTPS, an eavesdropper—whether it’s a snooper on public wifi, or a government collecting information about websites you visit—can trivially see exactly what news articles you read when you go to sites like the USA Today or the Wall Street Journal. Eavesdropping on people reading the news is a real threat, as demonstrated by the NSA and GCHQ spying on visitors to WikiLeaks.org.
HTTPS prevents this type of spying, and while an eavesdropper might be able to determine you visited the USA Today's website, they wouldn’t be able to see which specific stories you read.
HTTPS is most commonly seen on sites that ask users for sensitive information, such as passwords or credit card details. You may have been told to look for "https://" or a green lock icon before entering sensitive information into a website. Without the encryption provided by HTTPS, this information is sent over the network "in the clear", and can be intercepted by anybody on the network - from another person sharing the same free wireless network with you in a coffee shop or airport, to your Internet Service Provider (ISP), to an intelligence agency conducting surveillance.
Unencrypted websites can be used to do more than just steal sensitive information that a user might submit through their browser. An attacker can take advantage of the lack of encryption to inject malware into a website, which can lead to the complete compromise of a user’s computer and all of their data. A version of this technique, codenamed "Quantum Insert," was revealed to have been used by GCHQ to attack sysadmins who read Slashdot, a popular news website in the IT community (Slashdot has since deployed HTTPS site-wide).
More recently, a report from Citizen Lab revealed private companies selling network appliances that could perform this attack on users of popular unencrypted websites, including YouTube.
"These products allow for the easy deployment of targeted surveillance implants and are being sold by commercial vendors to countries around the world. Compromising a target becomes as simple as waiting for the user to view unencrypted content on the Internet." (Citizen Lab)
YouTube has since stepped up their efforts to deploy HTTPS across their entire site. They recently announced that 97% of their traffic now uses HTTPS, and they plan to eventually phase out insecure connections entirely.
"The source warned that his or her ‘life is in danger,’ was only willing to communicate via encrypted channels, and refused to meet in person." (Wired on the Panama Papers leaker)
When potential sources or whistleblowers go to a news website to contact journalists about a potential story - whether through a normal contact page or a more secure system like SecureDrop - any eavesdroppers could potentially detect all users who went to particular pages and at what time. Authorities can use this information to identify the whistleblower. By keeping news sites unencrypted, news organizations may be unwittingly putting their sources at risk.
HTTPS helps mitigate the risk of surveillance for sources. It means eavesdroppers would only be able to determine anyone who went to the main domain (like nytimes.com), therefore allowing whistleblowers to disguise themselves in a much larger pool of traffic. It also prevents the malicious modification of critical information for sources who wish to communicate with journalists securely, such as PGP key fingerprints or links to a secure submission system.
Unencrypted traffic over HTTP, also known as plaintext, is easier for authoritarian governments to filter, allowing for selective censorship of articles, subjects, specific reporters or outlets -- this is a common tactic when a newspaper reports on something a government does not like.
Forcing your entire website over HTTPS means that governments can no longer block specific articles, and if they want to engage in censorship, they would be forced to block an entire website. Recent examples suggest they are much less likely to do this: as EFF has noted, "On numerous occasions, we've seen [...] governments back away from wholesale censorship where granular censorship was not an option—in China, it was GitHub; in Iran, it was Google Reader (serving as a proxy for general news sites); and last summer in Russia, it was Wikipedia."
Editors: did you know that without HTTPS, the words you approve for publication might not be the words your readers see? In addition to encryption, HTTPS provides integrity for the content of your site. Without it, your site’s content is malleable and can be manipulated without you or your readers realizing it.
If your site’s revenue model includes advertising, HTTP’s lack of integrity has implications for your bottom line as well. Recent studies have shown that both ISPs and core Internet network operators regularly inject content into users’ traffic, primarily to increase their own revenues by injecting advertisements or identifiers that are used to track users’ behavior online. Unscrupulous network operators may replace your advertisements with their own, effectively stealing your revenue. They may also inject sleazy advertisements, which could negatively influence perceptions of your brand, or even be used to deliver malware (malvertising).
Several major web browsers have recently announced their intentions to gradually intensify the warnings shown to users who are browsing unencrypted sites. For example, Google recently announced that its Chrome browser will soon start indicating in a very obvious way that a website that does not default to HTTPS is insecure. If your website does not enable HTTPS soon, readers might see this scary warning when they visit your site:
Google has been encouraging websites of all kinds to switch over to HTTPS, and in 2014 they announced that they would give a bump in SEO to websites that switched over to provide HTTPS by default. While the first change was subtle, they said that they would gradually increase the amount of weight they gave HTTPS websites in their search rankings.
As with any major site move (an HTTPS migration can be considered a type of site move), there are certain steps that webmasters must follow in order to mitigate potential ranking issues. Google has a variety of online resources (such as this one) that list these steps.
Deploying HTTPS can provide or enable a variety of improvements to users’ experience on your site.
For example, because HTTPS makes every page of a website safe, activities that require personal or sensitive information—like logging in, registering, or making a payment—can happen anywhere, on any page. This means users don’t have to be redirected to a separate secure page, which makes for a more seamless user experience.
If your site's content includes streaming audio or video, the integrity provided by HTTPS can help eliminate many types of common streaming errors, which usually lead to a frustrating experience for users. This benefit was noted by YouTube during their recent transition to HTTPS: "We found that HTTPS improved quality of experience on most clients: by ensuring content integrity, we virtually eliminated many types of streaming errors."
The future of the web’s core protocol, HTTP, is a new protocol called HTTP/2. Much like the powerful features we mentioned above, HTTP/2 enables a variety of possible performance enhancements. In order to take advantage of them, however, you need to deploy HTTPS, because all browsers require HTTPS to use HTTP/2. What this means is that HTTPS isn’t just going to be necessary for the security of your content—it’s going to be necessary for faster delivery of, and great functionality around, your content for your readers.
Certain web features come with powerful functionality and must be restricted to prevent abuses such as violating a user’s privacy, accessing personal credentials, or gaining unauthorized access to a user’s computer outside of the browser. Because of this, browsers make these features available only to secure origins -- which require HTTPS.
One great example of such a powerful feature is the Geolocation API, which allows sites to collect geographic location information about a host device (e.g., the smart phone a user might be using to access a news site). Because leaking location information about users is an obvious privacy risk, modern browsers only allow it over HTTPS. If you want to use geolocation to provide a rich location-aware experience to users, you are now required to deploy HTTPS.
Another powerful feature that requires HTTPS is service workers. These background scripts run outside of the browser and can provide fine-grained control over network requests and browser caching; this not only makes the page load faster, but also makes it possible for the page to work completely offline. Naturally, this type of feature demands a lot of access and control, so serving it over HTTPS is necessary.
What you’ll find is that the more powerful features become, the more locked-down they’ll need to be, which is why HTTPS is a logical progression towards a more secure Web.
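How a page can check the secure-origin requirement described above before it uses geolocation or a service worker, as an added example that is not part of the original article. The `/sw.js` path, the `news.example` origins and the `fakeEnv` stand-in for `window` are assumptions made for illustration.

```javascript
// `env` is a window-like object; in a browser, pass `window`.
function powerfulFeatureReport(env) {
  const secure = env.isSecureContext === true;
  const nav = env.navigator || {};
  return {
    origin: env.location.origin,
    secureContext: secure,
    // Usable only when the origin is secure AND the API is exposed.
    geolocation: secure && 'geolocation' in nav,
    serviceWorker: secure && 'serviceWorker' in nav,
  };
}

// Start only the features this origin may use; do nothing on plain HTTP.
function enableFeatures(env, onPosition, swUrl = '/sw.js') {
  const report = powerfulFeatureReport(env);
  const started = [];
  if (report.serviceWorker) {
    env.navigator.serviceWorker.register(swUrl).catch(() => {});
    started.push('serviceWorker');
  }
  if (report.geolocation) {
    env.navigator.geolocation.getCurrentPosition(
      (pos) => onPosition({ lat: pos.coords.latitude, lon: pos.coords.longitude }),
      () => onPosition(null) // permission denied or lookup failed
    );
    started.push('geolocation');
  }
  return { ...report, started };
}

// Constructed stand-ins for `window` so the example also runs under Node.
function fakeEnv(origin, secure) {
  const nav = {
    // Some browsers still expose the object on HTTP but refuse the request.
    geolocation: {
      getCurrentPosition: (ok, fail) =>
        secure ? ok({ coords: { latitude: 52.1, longitude: 5.1 } }) : fail(),
    },
  };
  if (secure) nav.serviceWorker = { register: () => Promise.resolve({}) };
  return { isSecureContext: secure, location: { origin }, navigator: nav };
}

const httpsPage = fakeEnv('https://news.example', true);
const httpPage = fakeEnv('http://news.example', false);
const target = typeof window !== 'undefined' ? window : httpsPage;
console.log(enableFeatures(target, (p) => console.log('position:', p)));
```

On the constructed HTTP page nothing is started and the position callback never fires, so the page can fall back to a version of the experience that does not depend on location or offline support.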