When it comes to security best practices, most publishers are better at writing about them than actually implementing them.
For years, researchers have made the call for news sites to adopt HTTPS, a more secure, encrypted alternative to HTTP that both prevents digital eavesdropping and assures readers that the site they’re reading hasn’t been altered by governments or criminals. And while a handful of sites such as The Washington Post, Vice News, TechDirt, and The Intercept have made the switch, the vast majority of the biggest news sites have not. (Web users can spot sites with HTTPS by the small lock that appears in their browser’s address bar.)
Joining that small, secure group is Wired, which says it’s making the switch to HTTPS starting with its security vertical and for users who pay for the ad-free version of the site. It plans to bring the feature to the rest of Wired.com over the next few weeks.
Wired made the move in order to help lead the news industry’s push to HTTPS and to give Wired.com readers a little bit more assurance that their reading experience is secure, according to Zack Tollman, Wired’s application architect. “We want to give readers that encryption guarantee. It’s important for them to know that they’re actually visiting Wired.com and that no one is tampering with content while it’s in flight to their browser,” he said.
While that’s a noble cause, actually making it happen is another matter. Switching a site over from HTTP to HTTPS can take hundreds of hours from start to finish, a job that most publishers aren’t willing, or don’t have the engineering resources, to pull off. Technically, the biggest part of making the switch is as simple as swapping every mention of http to https in a site’s code, but that process means auditing the entire codebase that makes up publishers’ sites. Even The Washington Post, which started last year, hasn’t completely finished the process yet.
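An added example, not Wired's code or anything from the article: one audit pass of the kind the codebase review above calls for. It parses a page and lists the subresources that would still be fetched over http:// once the page itself is served over HTTPS, separating active content (scripts, stylesheets, iframes) from passive content (images, media). The sample page and every hostname in it are constructed.

```python
from html.parser import HTMLParser

# Insecure loads of these are active mixed content, which browsers block on HTTPS pages.
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
# Insecure loads of these are passive mixed content (images and media).
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentAuditor(HTMLParser):
    """Collect subresource references that would still load over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (kind, tag, url, line number)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            attr = table.get(tag)
            url = (attrs.get(attr) or "").strip() if attr else ""
            if not url.lower().startswith("http://"):
                continue  # https://, protocol-relative and relative URLs are fine
            # <link> fetches a subresource only for stylesheets; rel=canonical does not.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            self.findings.append((kind, tag, url, self.getpos()[0]))


def audit(html):
    """Return the insecure subresource references found in one HTML document."""
    auditor = MixedContentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; <a href> links are navigation, not mixed content.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<link rel="canonical" href="http://www.example.com/story">
<script src="http://ads.example.net/tag.js"></script>
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<a href="http://www.example.org/">outbound link</a>
<img src="http://images.example.com/1995/archive.gif">
<img src="//images.example.com/logo.png">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url, line in audit(SAMPLE):
        print(f"line {line}: {kind} <{tag}> {url}")
```
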
“This is not a small job. It takes time and a big lift from a lot of people to organize it, but you have to make that decision that it’s important to you and push for it,” Tollman said.
While some smaller publishers have switched over to HTTPS in recent years, the job is far more difficult for a bigger site like Wired, which has content going back for over 20 years, most of which was initially published on different content management systems. Big news sites are also extremely complex. In the switch over to HTTPS, Wired had to rope in people from its product, engineering, editorial, analytics, and advertising teams. It’s a process that took roughly 160 hours over the course of three months, said Tollman.
The biggest challenge, however, was advertising. While some ad networks and exchanges support HTTPS, adoption is spotty. This means that publishers that rush to switch to HTTPS risk not being able to work with certain ad partners, which in turn means potentially losing out on revenue. That’s a tough sell for most media organizations already fighting to make ends meet.
Wired’s strategy to mitigate the risk of HTTPS hurting its ad delivery is to roll out slowly, starting with one section and gradually expanding to others. “We’re only risking ad impressions on that one vertical,” Tollman said. Wired also hopes readers will tell them if they spot anything wonky with the HTTPS version of the site, which it’s initially offering to its paid users, who it says are its most engaged readers and the ones most likely to be willing to help. (The Washington Post, which started the process of switching to HTTPS last summer, used a similar tactic. It first implemented the feature for its internal users, before adding it to its national security and tech policy coverage.)
Ultimately, the goal of the move is to help other publishers make the switch as well. Wired plans to be transparent about its switching process and will share both its insights and even some code. “We know there are a lot of challenges here that people are not aware of when they’re first starting out. With HTTPS, we want Wired to be there, but also want the whole web to be there as well,” Tollman said.