Local HTTPS

After installing HTTPS Everywhere, I realized a local newspaper wasn't using HTTPS, so I decided to look into other popular local papers. Nothing surprising, but the use of HTTPS locally is depressing nonetheless.

Checking in on my Twitter feed this morning, I saw a local journalist shared a new story about a Mississippi politician doing something I didn’t like. Shocking, I know. However, when the paper’s site loaded in my browser, I was alerted that the connection was not private after HTTPS Everywhere forced an HTTPS URL. Womp womp. This made me wonder about the other popular local papers, too. Here’s what I learned, and why I think it’s important to call this out.

Mississippi Today

Mississippit Today’s site can be served over HTTPS in its entirety. This is great, but it would be better if the site redirected HTTP traffic to HTTPS, forcing the use of encryption.

A screenshot of a portion of the Mississippi Today website, showing the green browser icon indicating that the connection is secure via HTTPS.

The Clarion-Ledger

The Clarion-Ledger’s website cannot be served over HTTPS.

A screenshot of a Chrome browser tab showing that the Clarion-Ledger website produces a privacy error message when loaded over HTTPS.

Additionally, if you elect to continue to the site despite the privacy warning, you’ll see that the Ledger’s site breaks entirely.

A screenshot of an error message on the Clarion-Ledger's website that reads 'An error occurred while processing your request' with an accompanying reference ID number.

Jackson Free Press

The Jackson Free Press website doesn’t load at all over HTTPS. No warnings, no site.

A portion screenshot of a Chrome browser tab showing that jacksonfreepress.com will not load via HTTPS.

In the interest of full disclosure, for what it’s worth, I used to work at the Jackson Free Press years ago as their in-house web developer.

Jackson Advocate

The Jackson Advocate’s website, similar to the JFP’s, does not load at all over HTTPS.

A portion screenshot of a Chrome browser tab showing that jacksonadvocate.com will not load via HTTPS.

Why does this matter?

These local news orgs are not alone in their incomplete use of encryption. Secure the News, a project of the Freedom of the Press Foundation, monitors news sites for their implementation of encryption, and reports that “45% of news sites offer HTTPS, 28% default to HTTPS, [and] 0 sites [are] committed to change.”

Providing a secure connection via HTTPS is a signal to a visitor that what they’re seeing on your site is what you intend them to see. If you fact-check your sources, you cannot ignore the integrity of the distribution of your content.

Internet privacy has been in the news a lot lately with the US government giving ISPs a thumbs-up to sell users’ browser histories, along with security concerns while the US and UK attempt to weaken encryption in a backwards attempt to boost security. So, now more than ever, organizations—large and small—ought to take steps to demonstrate to their audiences that both privacy and security are values they uphold.

Now, if security is a big concern, why isn’t everything encrypted already? Mostly because it’s seen as overkill, expensive, and difficult to implement. I could not disagree with these reasons more.

First, HTTPS is necessary for every site on the web and not just the sites that collect sensitive information.

Here’s what Kayce Basques, Technical Writer at Google, has to say about the importance of HTTPS for protecting the integrity of your website.

HTTPS helps prevent intruders from tampering with the communications between your websites and your users’ browsers. Intruders include intentionally malicious attackers, and legitimate but intrusive companies, such as ISPs or hotels that inject ads into pages. Intruders exploit unprotected communications to trick your users into giving up sensitive information or installing malware, or to insert their own advertisements into your resources. For example, some third parties inject advertisements into websites that potentially break user experiences and create security vulnerabilities.
Kayce Basques, Why HTTPS Matters

Additionally, sites that don’t think they need HTTPS are the very sites that need HTTPS the most, as they’ll become the easiest targets. Blogs and other sources of information garner high traffic and, if compromised, can spread malware and leak sensitive data.

For many years, web site owners chose to only implement HTTPS for a small number of pages, like those that accepted passwords or credit card numbers. However, in recent years, the Internet security community has come to realize that all web pages need protection. Pages served over HTTP are vulnerable to eavesdropping, content injection, and cookie stealing, which can be used to take over your online accounts.
Electronic Frontier Foundation, Encrypting the Web

Another reason to provide HTTPS is that it protects your visitors privacy. Say an ISP looks at your web traffic, when browsing a site over HTTPS, you would only be shown as visiting a particular site, your activity on the site would not be easily observed*. Browsing a site without HTTPS, and everything you see and do can be seen by your ISP. Adrienne Porter Felt’s infographic illustrates this nicely:

The question 'What can your ISP see in your browsing history?' is listed above two example answers. The first answer, 'HTTP website: your ISP knows that you think might be pregnant but haven't visited a doctor yet' is superimposed over a screenshot of webmd.com. The second answer, 'HTTPS website: your ISP knows that you visit Wikipedia a lot, but not about your embarrassing obsession with White House pets.'

Coming back to the topic of local newspapers specifically, I’m sure that a big concern over encryption (and security in general) is cost, both financial and time.

Sites can now obtain an SSL or TLS certificate from LetsEncrypt for zero cost. In addition, many web hosts have built in deployment tools for these certificates, making it easy to sign up for and renew your certificates, thereby minimizing the time spent on maintaining your new site encryption.

What now?

I won’t offer some prescriptive plan for these newspapers. There’s a lot of moving parts to consider when implementing HTTPS, and you can’t come up with some blanket way to do it. You have to consider tracking and analytics and advertising and other things.

But it bears repeating: if you fact-check your sources, you cannot ignore the integrity of the distribution of your content.

More information

HTTPS is one step toward securing your site. Here’s information on what more can be done: