OTB Goes Secure
Overnight, we moved to content encryption. Here's what that means for you.
Overnight, Jason Lefkowitz, our IT guy, moved us from HTTP to HTTPS. The move should be seamless:
You shouldn’t have to do anything different anywhere to make use of this; all HTTP pages have been upgraded to HTTPS, and requests for the old HTTP URLs should automatically get redirected to their HTTPS equivalents. This redirect announces itself as permanent, so crawlers like Google should pick up on it and update their indexes so that they will link to the HTTPS versions directly.
As to the why:
Moving to HTTPS has advantages for both content editors and readers. For content editors, all your activity (including login) in the WP backend will now be encrypted, so when accessing the backend through public networks (coffee shop Wi-Fi, airport, etc.) you can be confident that nobody will be able to eavesdrop on your activity. For readers, HTTPS is a guarantee that the page the user receives is exactly the same as the page the server sent, so there’s no possibility of some man in the middle like their ISP injecting ads or doing any other monkeying with the page.
The web has slowly been moving in this direction. A Wired article from four years ago notes,
Most major websites use either the SSL or TLS protocol to protect your password or credit card information as it travels between your browser and their servers. Whenever you see that a site is using HTTPS, as opposed to HTTP, you know that SSL/TLS is being used. But only a few sites – like Facebook and Gmail – actually use HTTPS to protect all of their traffic as opposed to just passwords and payment details.
Many security experts — including Google’s in-house search guru, Matt Cutts — think it’s time to bring this style of encryption to the entire web. That means secure connections to everything from your bank site to Wired.com to the online menu at your local pizza parlor.
To get way more technical than most of us need:
White hat hacker Moxie Marlinspike knows as well as anyone how insecure SSL/TLS can be. A former Twitter engineer, he’s uncovered multiple critical bugs in the protocols over the course of his career and has proposed an alternative way of handling trust and verification in the protocol. But he still thinks that using HTTPS in as many places as possible would be a good thing. “I think there’s value to making network traffic as opaque as possible, even for static content,” he says. “Ideally we would replace plain text on the internet entirely.”
When you use HTTPS, the data is coded so that, in theory, only you and the server you’re communicating with can read the contents of the messages passing back and forth between your computer and the server.
Most major websites only use HTTPS to protect your password when you log in, or your credit card information when you make a purchase. But that started to change in 2010 when software developer Eric Butler released a free tool called FireSheep to show just how easy it was to temporarily take control of someone else’s account over a shared network — such as a public Wi-Fi connection.
Butler agrees that more use of HTTPS would be a good thing, pointing out that using HTTP makes it easier for governments or criminals to spy on what internet users are doing online. And Micah Lee, a technologist for The Intercept, points out that there are many situations in which it makes sense to use HTTPS besides just protecting passwords or other sensitive information.
For example, HTTPS doesn’t just encrypt the information passing between a server and your computer: It also verifies that the content you’re downloading is coming from the people you expect it to be coming from — again, in theory. That’s something that a regular HTTP connection can’t do.
“Any sort of attacks that involve tricking the victim into connecting to the attacker’s server instead of the real server gets halted by HTTPS,” Lee said via email. “And this is really important, even for non-secret content, because of integrity: you really don’t want attackers modifying the content of websites you’re visiting without your knowledge.”
For example, a country that doesn’t want its citizens getting certain information from Wikipedia can set up a system that feeds users fake Wikipedia pages. “Without HTTPS, censorship isn’t just possible,” Lee says. “It’s simple for powerful attackers like governments, and it’s impossible for ordinary users to detect.”
There are other ways that a rogue government or criminal hacker could cause problems by replacing insecure content with their own fake pages. Lee points out that many journalists post their PGP encryption keys on their websites using only HTTP. An attack could show a potential whistleblower a fake page with a fake encryption key, causing them to turn incriminating evidence over to, for example, the government or their employer.
One of the most dangerous possibilities, however, is that hackers could replace software downloads with malware. “Websites that publish software have no business ever using HTTP,” Lee says. “They should always use HTTPS. If they don’t, they’re putting software users at risk.”
Jason warns that,
The one thing you should be aware of regarding this move is the need to avoid so-called “mixed content.” HTTPS pages need to load _all_ their resources over secure connections—images, stylesheets, third-party scripts, everything. If any resources are loaded via plain old unencrypted HTTP, the browser will display a warning to let the user know that the page is not 100% secure. I’ve checked all the common places where mixed content might creep in and upgraded them where necessary, but it’s always possible I missed something, so if your browser starts squawking at you about a page not being completely secure send me the URL of the page and I’ll take care of it.
Likewise, if you notice something, let me know and I’ll pass it along.
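For editors who want to check a post before the browser complains, here is a small mixed-content scanner. It is an added example, not part of the original post or the site's own tooling. It flags subresources (images, stylesheets, scripts and the like) requested over plain HTTP while ignoring ordinary links; the sample page and the example.test host names are constructed, and the tag table is an assumption that does not cover CSS url() references or URLs built by scripts.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource, per tag.
# <a href> is deliberately absent: following a link is navigation, not a fetch.
FETCHING_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "object": ("data",),
}
# <link> only fetches for some rel values; rel="canonical" is just metadata.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload"}


class MixedContentFinder(HTMLParser):
    """Collects (line, tag, url) for subresources requested over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            names = ("href",) if rels & FETCHING_LINK_RELS else ()
        else:
            names = FETCHING_ATTRS.get(tag, ())
        for name in names:
            value = attrs.get(name, "")
            # srcset holds comma-separated "url descriptor" candidates.
            candidates = value.split(",") if name == "srcset" else [value]
            for cand in candidates:
                parts = cand.split()
                # Protocol-relative (//host/x) and https:// URLs are fine.
                if parts and parts[0].lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, parts[0]))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: two real problems, three look-alikes that are fine.
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.test/post">
<link rel="stylesheet" href="http://example.test/style.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<a href="http://example.test/old-post">older post</a>
<img src="//example.test/ok.png">
<img src="https://example.test/a.png" srcset="http://example.test/a-2x.png 2x">
</body></html>"""
```

Calling `find_mixed_content(SAMPLE)` reports the stylesheet on line 3 and the `srcset` candidate on line 8; the canonical link, the ordinary hyperlink and the protocol-relative image are not flagged.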