More than fifteen months after the NSA revelations laid bare the overwhelming scope of online surveillance and fueled the demand for privacy, virtually none of the top news websites—including all those who have reported on the Snowden documents—have adopted the most basic of security measures to protect the integrity of their content and the privacy of their readers: deploying HTTPS.
An HTTPS connection is easily recognized by the most novice of Internet users for the lock icon it displays in your web browser’s address bar. It signifies that the connection between you and the website you are reading is encrypted, so a malicious actor—whether a criminal trying to eavesdrop on you through public WiFi or a government that has access to raw Internet traffic—cannot see the information that you are transmitting or requesting from a particular website.
A regular HTTP connection means that such attackers can potentially spy on your username and password, and search terms or articles you are reading. Unencrypted traffic, or plaintext, is also easy to filter, allowing for selective censorship of articles, subjects, specific reporters or outlets by authoritarian governments. You also can’t be sure if you’re visiting the right website, rather than an impostor (which could happen if you’re a victim of simple DNS hijacking).
For a sense of how risky an unencrypted connection might be for users, consider the following scenario: a private company sells a device that takes advantage of unencrypted YouTube streams. It will target a user, wait for them to watch some cat videos, intercept that traffic and replace it with malicious code that gives the operator total control over the target’s computer without his or her knowledge. This is exactly what was discovered by Morgan Marquis-Boire, a researcher at Citizen Lab, First Look Media’s director of security and a member of our technical advisory board.
Websites that don’t encrypt traffic by default can potentially be used to compromise users in the same manner. Eavesdropping on people reading the news is a real danger that has already happened, as demonstrated by the NSA and GCHQ spying on visitors to WikiLeaks.org. And last year we learned how GCHQ employees used a “QUANTUM insert” technique against readers of Slashdot.org, a popular technology news website.
As The Washington Post reported in April, news organizations are struggling to encrypt their online products. The barriers to doing so are often blamed on third-party advertisers and content delivery networks (CDNs), as well as a misplaced concern over performance and page load times. But this is not an insurmountable problem. Earlier this week Reddit announced HTTPS support, and it’s crucial to highlight what made this possible: they had to abandon reliance on Akamai, a company that seems to be stubbornly blocking the move to HTTPS, and switch to a new one, CloudFlare.
We’ve found that several major news organizations are not doing enough — in many cases not doing anything at all — to keep readers safe, and we’re presenting the data below. Even all of those groups that were partners in the Snowden reporting have not encrypted their websites by default: The New York Times, The Guardian, The Washington Post, ProPublica and Der Spiegel. Nevertheless there are some good examples out there, which others in the industry should look to as a model of how to do things right: The Intercept, Techdirt, and MuckRock are all accessible only via HTTPS.
We feel it is vital that news organizations protect their readers by enabling basic encryption by default, which means that SSL/TLS should be the preferred and enforced transport, with plain HTTP URLs redirecting visitors to their HTTPS equivalents. In addition they should turn on HTTP Strict Transport Security (HSTS) to ensure that browsers only ever use secure connections, plus Perfect Forward Secrecy (PFS) so that past user sessions can’t be decrypted if the server’s private key is later compromised. We encourage news organizations to talk to partners (such as Akamai) and advertisers about offering HTTPS for content delivery and advertising as well.
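The three properties above (HTTP-to-HTTPS redirect, HSTS, forward-secret ciphers) are exactly what a reader-safety audit of a news site checks. The following is an added example, not code from the original post: it evaluates captured responses for a constructed host `news.example` and reports which properties are missing; the 180-day HSTS floor and the OpenSSL-style cipher names are assumptions of the example.

```python
"""Audit a site's transport-security posture from captured HTTP(S) responses."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MIN_HSTS_AGE = 15552000  # 180 days; assumed floor, not a value from the post


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # header names lower-cased
    cipher: str = ""  # negotiated TLS cipher suite in OpenSSL naming


def redirects_to_https(http_resp: Response) -> bool:
    """True if the plain-HTTP response sends the visitor to an https:// URL."""
    if http_resp.status not in (301, 302, 307, 308):
        return False
    return urlsplit(http_resp.headers.get("location", "")).scheme == "https"


def hsts_max_age(https_resp: Response):
    """Return the HSTS max-age in seconds, or None if the header is absent."""
    value = https_resp.headers.get("strict-transport-security", "")
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def has_forward_secrecy(cipher: str) -> bool:
    """Ephemeral (EC)DHE suites and all TLS 1.3 suites provide PFS."""
    return cipher.upper().startswith(("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_"))


def audit(http_resp: Response, https_resp: Response) -> list:
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    if not redirects_to_https(http_resp):
        findings.append("plain HTTP is served without redirecting to HTTPS")
    age = hsts_max_age(https_resp)
    if age is None:
        findings.append("no Strict-Transport-Security header")
    elif age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {age}s is shorter than {MIN_HSTS_AGE}s")
    if not has_forward_secrecy(https_resp.cipher):
        findings.append(f"cipher {https_resp.cipher!r} lacks forward secrecy")
    return findings


# Constructed sample responses for the hypothetical host news.example.
GOOD_HTTP = Response(301, {"location": "https://news.example/"})
GOOD_HTTPS = Response(200, {"strict-transport-security": "max-age=31536000; includeSubDomains"},
                      cipher="ECDHE-RSA-AES128-GCM-SHA256")
BAD_HTTP = Response(200, {"content-type": "text/html"})  # article served in plaintext
BAD_HTTPS = Response(200, {"content-type": "text/html"}, cipher="AES128-SHA")
```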
In the coming weeks we are going to be asking many of these major sites if they have plans to switch over to HTTPS, and if not, what their obstacles are. Our hope is that we can both encourage them to switch, and find help for them if they need it.
In the meantime, please tell the news websites that you visit your feelings about HTTPS. Tweet to them, e-mail them, and demand that they do more to protect readers. There’s even a Twitter account and Tumblr, HTTP Shaming, that’s helping. In 2014 there’s no reason not to encrypt.