Today, Freedom of the Press Foundation is excited to launch Secure The News, a new website that automatically tracks and grades the adoption of HTTPS encryption across dozens of the world’s largest news websites. You can view the results of all the news organizations we're currently tracking here.
HTTPS is a vital feature for any modern news site that protects the privacy and security of both its readers and journalists from a variety of malicious actors. HTTPS can also act an important anti-censorship tool against authoritarian regimes. Unfortunately, news organizations have been slow to implement HTTPS by default on their websites, so we hope Secure The News can help speed its adoption.
An HTTPS connection is easily recognized by the most novice of Internet users for the lock icon it displays in your web browser’s address bar (the "S" in HTTS means "secure"). It signifies that the connection between you and the website you are reading is encrypted, so someone spying on your internet connection—whether a criminal trying to eavesdrop on you through public WiFi or a government that has access to raw Internet traffic—cannot see the information that you are transmitting or the articles you are reading on a particular website.
A regular HTTP connection means that such attackers can potentially see the search terms or articles you are reading, spy on your username and password, or spoof a website to steal your personal information. Unencrypted HTTP traffic is also easier to filter and block, allowing for selective censorship of articles, subjects, specific reporters or outlets by authoritarian governments.
While most of the tech giants and e-commerce sites long ago switched HTTPS on to protect its users, news organizations have lagged far behind in its adoption. Recently a handful of major outlets—including the Washington Post, the Guardian, Wired, Buzzfeed, and ProPublica—have commendably implemented HTTPS-by-default on their websites, but there are dozens more than still put their readers and reporters at unnecessary risk.
Secure The News automatically analyzes each news site every 24 hours and grades it on an F to A scale based on several factors: whether the site allows HTTPS connections, whether it enforces HTTPS by default, whether it deploys a security feature known as HSTS ("HTTP Strict Transport Security"), whether HSTS is preloaded, and several other smaller factors. For a more detailed description of these factors and our methodology, see here. On the Secure The News Leaderboard, you can see which news sites have made progress and which ones still have work to do.
If your news organization has a low grade and you are working towards adopting HTTPS by default, we are happy to indicate on Secure The News's Leaderboard if you commit to making the switch in the next six months. All you need to do is post a commitment on your website and alert us by contacting us here.
We understand large news websites have many obstacles in switching over a large news site to HTTPS and it’s not as simple as flipping a switch. These roadblocks may include advertising networks, Content Delivery Networks (CDNs), embedding mixed content, and re-coding large portion of legacy content. That’s why we also provided a comprehensive batch of resources detailing common problems and how other news organizations have fixed them in the past.
Secure The News also provides simple explanation for editors and executives on why it’s important for news sites to switch over to HTTPS and the many benefits—like better analytics, a potential bump in SEO traffic, and access to new technology—your site will receive once the switch is complete.
A note on our grading system
Admittedly, there are other security factors we could potentially test news websites on to get a better sense of their website security beyond the four factors that we are currently using.
The most popular tool for testing individual sites is called SSL Labs, which is owned by Qualys. SSL Labs is a great tool: it tests for over fifty different security features and has a robust grading system for how secure your site is. Initially, we wanted to use SSL Labs’ API and plug it into Secure The News, but SSL Labs’ terms of service requires their permission to hook up to their API, and a representative from Qualys denied us the ability to use it.
Even though their tool pulls in publicly available information, their terms of service says you are required to get a site’s permission before using their tool for its score. This may be out of undue legal concern for violating the Computer Fraud and Abuse Act (CFAA) —another reason why the law is overbroad and stifles First Amendment protected research and speech.
Future Work
We plan on further improving Secure The News in the days and months ahead, and as more news organizations adopt HTTPS by default, adding different security metrics by which they can further protect their journalists and readers (see some ideas here).
We plan to open source Secure the News in the near future—stay tuned to this blog for the announcement! Once the project is open source, we'll welcome contributors and encourage other organizations to fork the project and create a HTTPS deployment dashboard for their own area of interest on the web.
Thanks
Secure the News was inspired by Pulse, a dashboard for tracking the adoption of best practices—including HTTPS deployment—by U.S. Federal Government websites.
Secure the News was a collaboration between Freedom of the Press Foundation staff and numerous outside contributors. We'd like to thank the following individuals for their contributions to the project:
- Eric Mill - for creating Pulse, the inspiration for Secure the News, and providing helpful guidance and feedback throughout the design and development process.
- Sina Khanifar - graphic design and logo. Thanks to Taskforce for connecting us!
- Gabe Isman - front-end engineering.
- Tom Lowenthal
- Geoffrey King
- Cameron Dixon
Finally, we'd like to thank the people who have worked hard to blaze a trail for securing the news, and who helped us understand the landscape by letting us interview them:
- Greg Franczyk and Will Van Wazer, from the Washington Post
- Mike Tigas, from ProPublica
- Zack Tollman, from Wired
- Clement Huyghebaert, from Buzzfeed