It’s Time to Move to HTTPS

Written by Joseph Lorenzo Hall, Greg Norcie

2016-10-04-https-4-blog

You’ve heard us talk extensively about the importance of moving the web to HTTPS – the encrypted version of the web’s HTTP protocol.

Today, CDT is releasing a one-pager aimed toward website system administrators (and their bosses!) that describes the importance of HTTPS.

The very short version of our argument is as follows:

  • Without HTTPS, ISPs and governments can spy on what your users are doing;
  • Using HTTPS prevents malicious actors from injecting malware into the traffic you serve;
  • You already need HTTPS to do payments if you accept money;
  • Without HTTPS, ISPs can strip out your ads/referrals and add their own;
  • Without HTTPS, your website cannot utilize HTTP/2 for optimal performance;
  • Without HTTPS, you can’t use the latest web features that require HTTPS (e.g., geolocation); and
  • Without HTTPS, you can’t know if your users received important resources like your terms of service and privacy policy without modification.

At CDT we’ve been looking into ways to motivate increased HTTPS adoption, which is now at well over half of all web requests. However, the amount of unencrypted HTTP is still massive, and there are a lot of large websites that do not use HTTPS. Enter Google’s transparency report, which recently added a section that tracks HTTPS adoption on the top 100 websites. It assesses sites in terms of three factors: do they support HTTPS, do they do so by default, and do they use modern cryptography. Many major sites like Facebook, Google, and Wikimedia have made the switch. One wrinkle emerges from Google’s report quite clearly: the two big industry sectors not doing so hot in terms of HTTPS are news sites and the adult entertainment industry.

If you are a sysadmin at a top-100 adult site, allow us to help you navigate the switch to a more secure web for your users.

To that end, we are excited to announce a partnership to increase HTTPS adoption for online adult entertainment. Over the coming months, CDT will work with the Free Speech Coalition (FSC) – the trade association for the adult entertainment industry – and other HTTPS evangelists to engage with adult website operators and make the case that we make here: HTTPS is the best of all worlds in terms of protecting traffic online and delivering the best experience for users. We plan to conduct a series of webinars and outreach events in partnership with FSC to reach their large network of members. If you are an adult website operator who has questions we can answer, please don’t hesitate to reach out to us or the folks at FSC. If you are a sysadmin at a top-100 adult site, allow us to help you navigate the switch to a more secure web for your users.

As Google’s transparency report exposed, adult websites are moving slowly; large adult websites seem to overwhelmingly use plain HTTP, or serve ads over plain HTTP. The few adult websites in the top-100 that scored well in Google’s metrics were “cam” sites – websites that facilitate remote adult interactions via real-time video chat between two individuals. That seemed intuitive; all the other top-100 adult sites were focused on one-way broadcast of adult videos, images, etc., rather than two-way real-time communication, which could be exceedingly more sensitive than passive consumption of adult content.

There is some good news for adult entertainment sites in terms of how difficult it might be to switch to HTTPS. Princeton researchers Steven Englehardt and Arvind Narayanan published research earlier this year that, in part, showed adult websites have many fewer trackers than news sites. Similarly, in research submitted to the FTC’s PrivacyCon conference, Altaweel, Hils, and Hoofnagle find similar results – top adult sites track less (these researchers go on to raise the lack of HTTPS as a serious issue of which visitors are likely unaware). One of the biggest factors in slow adoption by news sites of HTTPS was the complexity of their ad infrastructure and website analytics; they had to track down every single instance of an insecure page element being sent and work with their partners to correct that behavior. So, perhaps the adult industry won’t face the same barriers to HTTPS adoption that journalism has faced?

A more secure Web is in all of our interests

Even with the challenges, there has been some good movement from news sites recently: The Washington Post, Wired, ProPublica, TechCrunch, and Buzzfeed are great examples of news properties that have all moved to HTTPS (Zack Tollman at Wired has gone so far as to document the process and various snags they’ve run into during their move to HTTPS).

A more secure Web is in all of our interests – and that includes every corner, from news sites to the more private parts. We look forward to working with diverse organizations, including the Free Speech Coalition, to increase HTTPS adoption and improve all of our security as we interact online.

Share Post