Fifteen Months After the NSA Revelations, Why Aren’t More News Organizations Using HTTPS?

Kevin Gallagher

More than fifteen months after the NSA revelations laid bare the overwhelming scope of online surveillance and fueled the demand for privacy, virtually none of the top news websites—including all those who have reported on the Snowden documents—have adopted the most basic of security measures to protect the integrity of their content and the privacy of their readers: deploying HTTPS.

An HTTPS connection is easily recognized by the most novice of Internet users for the lock icon it displays in your web browser’s address bar. It signifies that the connection between you and the website you are reading is encrypted, so a malicious actor—whether a criminal trying to eavesdrop on you through public WiFi or a government that has access to raw Internet traffic—cannot see the information that you are transmitting or requesting from a particular website.

A regular HTTP connection means that such attackers can potentially see your username and password, your search terms, and the articles you are reading. Unencrypted traffic, or plaintext, is also easy to filter, allowing authoritarian governments to selectively censor articles, subjects, specific reporters or outlets. You also can't be sure that you're visiting the right website rather than an impostor (which could happen if you're a victim of simple DNS hijacking).

For a sense of how risky an unencrypted connection might be for users, consider the following scenario: a private company sells a device that takes advantage of unencrypted YouTube streams. It will target a user, wait for them to watch some cat videos, intercept that traffic and replace it with malicious code that gives the operator total control over the target’s computer without his or her knowledge. This is exactly what was discovered by Morgan Marquis-Boire, a researcher at Citizen Lab, First Look Media’s director of security and a member of our technical advisory board.

Websites that don’t encrypt traffic by default can potentially be used to compromise users in the same manner. Eavesdropping on people reading the news is a real danger that has already happened, as demonstrated by the NSA and GCHQ spying on visitors to WikiLeaks.org. And last year we learned how GCHQ employees used a “QUANTUM insert” technique against readers of Slashdot.org, a popular technology news website.


As The Washington Post reported in April, news organizations are struggling to encrypt their online products. The barriers to doing so are often blamed on third-party advertisers and content delivery networks (CDNs), as well as a misplaced concern over performance and page load times. But this is not an insurmountable problem. Earlier this week Reddit announced HTTPS support, and it’s crucial to highlight what made this possible: they had to abandon reliance on Akamai, a company that seems to be stubbornly blocking the move to HTTPS, and switch to a new one, CloudFlare.

We've found that several major news organizations are not doing enough, and in many cases are not doing anything at all, to keep readers safe, and we're presenting the data below. Even the organizations that were partners in the Snowden reporting have not encrypted their websites by default: The New York Times, The Guardian, The Washington Post, ProPublica and Der Spiegel. Nevertheless there are some good examples out there, which others in the industry should look to as a model of how to do things right: The Intercept, Techdirt, and MuckRock are all accessible only via HTTPS.

[Figure: survey of HTTPS support across major news websites (https_survey.png)]

We feel it is vital that news organizations protect their readers by enabling basic encryption by default, which means that SSL/TLS should be preferred and enforced, with every plain HTTP request redirected to HTTPS. In addition they should turn on HTTP Strict Transport Security (HSTS) so that browsers only ever use secure connections to the site, plus Perfect Forward Secrecy (PFS) so that past user sessions can't be decrypted if the server's private key is later compromised. We encourage news organizations to talk to partners (such as Akamai) and advertisers about offering HTTPS for content delivery and advertising as well.
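The three recommendations above, as an added nginx configuration example that is not part of the original post: the hostname, certificate paths and document root are placeholders, and it assumes an nginx build with OpenSSL 1.1.1 or later so that TLS 1.3 can be enabled.

```nginx
# Added example (not from the original post): the three recommendations
# in one nginx config. Hostname, key paths and root are placeholders.

# 1. Redirect every plaintext HTTP request to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name news.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name news.example.com;

    ssl_certificate     /etc/ssl/certs/news.example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/news.example.com.key;

    # 2. Perfect Forward Secrecy: allow only ephemeral (ECDHE) key exchange.
    #    A suite such as AES128-SHA uses static RSA key exchange, so a later
    #    theft of the private key would decrypt every recorded session; the
    #    list below excludes all such suites. TLS 1.3 suites are always
    #    ephemeral and are not governed by ssl_ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_ecdh_curve X25519:prime256v1;

    # 3. HSTS: browsers that have seen this header refuse plaintext HTTP to
    #    this host (and subdomains) for one year. Use a short max-age while
    #    testing, because a mistake here is cached by visitors' browsers.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        root /var/www/news;
    }
}
```

After reloading, `curl -sI http://news.example.com/` should return a 301 to the https:// URL, and `curl -sI https://news.example.com/` should include the Strict-Transport-Security header.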

In the coming weeks we are going to be asking many of these major sites if they have plans to switch over to HTTPS, and if not, what their obstacles are. Our hope is that we can both encourage them to switch, and find help for them if they need it.

In the meantime, please tell the news websites that you visit your feelings about HTTPS. Tweet to them, e-mail them, and demand that they do more to protect readers. There’s even a Twitter account and Tumblr, HTTP Shaming, that’s helping. In 2014 there’s no reason not to encrypt.
