“Just Do It.” Publishers Tackle the Painful Transition to HTTPS
As the movement toward an encrypted web grows ever stronger, why haven't more sites heeded the call?
We’ve all seen it. You open your web browser, head to your favorite site, and instead are met with an ominous message: “Your connection to this site is not secure,” followed by a warning that any information you enter could be stolen by unnamed attackers.
How could your favorite site betray you like this?
Despite rising awareness around the importance of HTTPS, an extension of the traditional HTTP protocol that adds a layer of security by encrypting the communications between a client and a server, as much as half of all web traffic — including several of the internet’s 100 most popular sites — remains unencrypted, according to most estimates.
Heeding the call last year, Zack Tollman, who at the time was engineering lead at Wired, led the charge to move that site to HTTPS.
“HTTPS is a basic security feature that our visitors deserve,” Tollman, who now serves as application architect for parent company Condé Nast’s Co/Lab innovation team, tells Folio:. “HTTPS protects visitors from eavesdroppers and helps preserve the integrity of Wired’s content.”
As added motivation, Tollman points to a September 2016 announcement from Google that Chrome would begin marking non-HTTPS pages that contain password input fields as “Not Secure” in the URL bar.
“It was clear that browsers were eventually going to require websites to use HTTPS to gain access to features, and we are starting to see this come to fruition. We wanted to be ahead of the curve.”
Gene Bishop, VP of Technology at B2B media firm ALM, cited similar reasons for adding HTTPS as one of the elements of the newly rolled out Law.com, which went live in October.
“There’s pressure from the big tech companies, and I don’t think anybody wants their users to get one of those gnarly messages,” Bishop says. “When you see that message, it’s scary. It’s one of those freak-out things that we certainly wanted to avoid.”
Bishop notes that ALM’s readership is mostly lawyers, which likely means heightened sensitivity to issues like web security; and since ALM was already centralizing numerous brand sites under one domain, the time was right to think about adding HTTPS.
Jason Snively, a developer at AppleInsider — a site that provides news and discussion forums for Mac users — is in the midst of converting the 20-year-old site to HTTPS, beginning with the discussion forums and aiming to complete the full rollout by early 2018.
Snively cites numerous reasons for making the switch, including requests from users on the discussion forums, Google favoring HTTPS-compliant sites in search rankings, browsers pushing HTTPS, and simple security — “we don’t want one of our editors getting their password swiped just because they logged into the publisher from a coffee shop.”
“Moreover and personally, it’s just something that everyone should do,” he says. “The more quickly we can get to an all-encrypted web, the better, especially with the proliferation of wireless communications. People shouldn’t be able to just pull what you’re doing out of the air.”
A Painstaking Process
“Ultimately, we wore out our ‘S’ keys updating ‘http’ to ‘https’ in countless places.”
Tollman says the entire process took about five months.
“We decided to roll out small amounts of content at a time in order to evaluate the success of the change before implementing it site-wide,” he says. “This necessarily slowed down the process and we wanted to be extra careful that this change didn’t cause any unforeseen consequences.”
Internal trepidation about a potential SEO hit turned out to be well-founded, and Tollman says it was a bigger challenge than was anticipated. Ultimately, the strategy of implementing HTTPS in stages allowed the team to correct the SEO issues and avoid them when rolling out other sections.
ALM’s approach involved grouping content based on how old it was and evaluating the best course of action from there.
“Realistically, you don’t have to do something with every piece of content,” Bishop says. “There’s value propositions against all of it. So we looked back at it and evaluated which content we thought was most likely to be called. If it’s a fifteen-year-old article, and you get the text up, it’s a good job. You don’t necessarily have to worry about things like images on those pieces of content. So there are a few different ways you can look at it.”
Just as Wired did, ALM rolled things out in stages: first making HTTPS optional, then redirecting non-HTTPS pages to their HTTPS equivalents, and eventually, once enough content had been converted, turning HTTPS on site-wide.
“It’s still ongoing. Lawyers are research-intensive. And there will be inevitably portions of our content that maybe we didn’t capture, but I don’t think it’s going to be a lot of it. We’ll look at it and go back and see if there’s anything on the original list that we need to move or re-code or re-templatize somehow in order to make sure that we’re delivering it properly.”
For Snively, the process was more labor-intensive than anticipated, in part because AppleInsider is 20 years old, filled with legacy tech, and also because the site is run by a small team — the entire transition was handled by just two staffers.
“Our plan was simple: get certs, update any gaps in the site’s codebase that didn’t support HTTPS, and then slowly roll it out. We’re not a monolithic entity, so there really wasn’t any need for an overly detailed plan.”
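The “gaps in the site’s codebase that didn’t support HTTPS” and the “countless places” where http had to become https are mostly mixed content: assets a page still loads over plain http://, which a browser will block or warn about once the page itself is served over HTTPS. As an added example, not code from Wired, ALM or AppleInsider, this Python script audits a page for such references, separates the active ones browsers block from the passive ones they only warn on, and upgrades references to hosts you have already confirmed serve the same content over HTTPS; the sample page and its example.com hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Browsers block "active" mixed content (scripts, styles, frames) on an HTTPS
# page and only warn on "passive" content such as images.
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentAuditor(HTMLParser):
    """Collects (tag, attribute, url, severity) for each plain-http subresource."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only <link> elements that load a resource matter; rel="canonical" is metadata.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or ""):
            return
        for attr, value in attrs.items():
            key = (tag, attr)
            severity = "active" if key in ACTIVE else "passive" if key in PASSIVE else None
            if severity and value and urlsplit(value).scheme == "http":
                self.findings.append((tag, attr, value, severity))

def audit(html):
    parser = MixedContentAuditor()
    parser.feed(html)
    return parser.findings

def rewrite(html, findings, https_hosts):
    """Upgrade references whose host is in https_hosts (hosts verified to serve
    the same content over TLS); the rest are returned for a manual decision."""
    fixed, remaining = html, []
    for finding in findings:
        url = finding[2]
        if urlsplit(url).hostname in https_hosts:
            fixed = fixed.replace(url, "https://" + url[len("http://"):])
        else:
            remaining.append(finding)
    return fixed, remaining

# Constructed sample page; the example.com hosts are placeholders.
SAMPLE = """<html><head><link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/article/1">
<script src="http://cdn.example.com/app.js"></script>
<script src="https://cdn.example.com/ok.js"></script></head>
<body><img src="http://images.example.com/photo.jpg"><img src="//images.example.com/b.jpg">
<iframe src="http://widgets.partner.example/embed"></iframe></body></html>"""
```

Running `audit(SAMPLE)` reports four insecure references (the canonical link, the https script and the protocol-relative image are correctly ignored), and `rewrite` with the two example.com hosts fixes three of them and hands the third-party iframe back for a manual decision.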
An immediate obstacle presented itself early in the process: because certificate authorities consider “apple” a red flag in a site’s name, it took months simply to receive a valid certificate. Given the speed at which things change, there’s also little guarantee that a certificate will still be valid after the next policy change is implemented — even one from a seemingly reputable and well-established provider like Symantec, which has issued millions of certificates over the past several years.
“For some icing on the cake, major browser vendors have added our current cert to their future blacklist,” Snively says. “It is set to be completely distrusted in September 2018. The certificate authority has made assurances to us that we should have no problems generating a new certificate when the time comes, but time will tell. It is a concern going forward.”
The Safest Course of Action
For all of the pain involved in the process, Tollman, Bishop, and Snively are unified in that they have no regrets about making the switch, and would advise other publishers to do the same.
“Because we took our time and we had somebody who was focused on it, the cost was really the investment of our time on what we had to do to our content and our templates, and not really a third-party charge, outside of the certificates,” says Bishop.
To help more sites make the switch to HTTPS, Josh Aas founded the Internet Security Research Group, the non-profit behind free certificate provider Let’s Encrypt, which launched last year.
“The web is complex and even loading pages that seem relatively simple usually involves sending a large amount of personal information or meta-data,” Aas tells Folio:. “Large amounts of seemingly inconsequential information can be put together to create accurate profiles about people. Just knowing which news articles a person reads on a site can tell you a lot about them. The only safe course of action on today’s complex web is to encrypt everything.”
While Aas acknowledges that the process, especially for large sites with a lot of historical content, can be long and difficult, he says there are enough resources and strategies available to organizations that anyone can switch to HTTPS if they make it a priority.
“Every single website needs HTTPS,” he says. “No exceptions.”
So why haven’t more publishers made the move?
“I don’t think anybody likes to be told what to do,” says Bishop. “When you have a company like Google or Microsoft or Mozilla who are putting out these browsers and are adding tools like ad blockers, it seems like the world around publishers is getting more constricted. In the reality of it, we can’t dismiss the user experience. If the genuine good nature of all of this is that it is making the user experience safer, then you have to climb on board with it.”
Aas speculates that security may have a branding problem, lacking as clear a business case as the other site features that execs could direct their developers to work on.
“They see it as a ‘nice to have’ feature instead of something critical for protecting themselves and their users,” he says. “There are a couple of ways to combat this. On the one hand we can educate and warn about the dangers of plain HTTP. Browsers are doing a great job of this by showing stronger warnings, and sites don’t want their visitors to see those warnings. On the other hand we can make deploying HTTPS easier so that it’s less costly in terms of fees and staff time.”
Recognizing that not many publishers were on HTTPS at the time that Wired decided to encrypt itself, Tollman took the added step of documenting the process in detail.
“Without many previous experiences to guide our migration, we saw it as our duty to tell others about our successes and failures,” he says. “The whole internet benefits from more sites being on HTTPS and we believed that being transparent about our process would help other publishers as they began their work on migrating to HTTPS.”
Asked their advice for publishers considering making the switch, Tollman, Snively, and Aas agree: “Just do it.”
“Don’t waffle on the question of whether it needs to be done — it does,” says Aas. “Get advice from people who’ve already done it, make a plan and execute.”