OTB Goes Secure

Overnight, we moved to content encryption. Here's what that means for you.

Overnight, Jason Lefkowitz, our IT guy, moved us from HTTP to HTTPS. The move should be seamless:

You shouldn’t have to do anything different anywhere to make use of this; all HTTP pages have been upgraded to HTTPS, and requests for the old HTTP URLs should automatically get redirected to their HTTPS equivalents. This redirect announces itself as permanent, so crawlers like Google should pick up on it and update their indexes so that they will link to the HTTPS versions directly.

As to the why:

Moving to HTTPS has advantages for both content editors and readers. For content editors, all your activity (including login) in the WP backend will now be encrypted, so when accessing the backend through public networks (coffee shop Wi-Fi, airport, etc.) you can be confident that nobody will be able to eavesdrop on your activity. For readers, HTTPS is a guarantee that the page the user receives is exactly the same as the page the server sent, so there’s no possibility of some man in the middle like their ISP injecting ads or doing any other monkeying with the page.

The web has slowly been moving in this direction. A Wired article from four years ago notes,

Most major websites use either the SSL or TLS protocol to protect your password or credit card information as it travels between your browser and their servers. Whenever you see that a site is using HTTPS, as opposed to HTTP, you know that SSL/TLS is being used. But only a few sites – like Facebook and Gmail – actually use HTTPS to protect all of their traffic as opposed to just passwords and payment details.

Many security experts — including Google’s in-house search guru, Matt Cutts — think it’s time to bring this style of encryption to the entire web. That means secure connections to everything from your bank site to Wired.com to the online menu at your local pizza parlor.

To get way more technical than most of us need:

White hat hacker Moxie Marlinspike knows as well as anyone how insecure SSL/TLS can be. A former Twitter engineer, he’s uncovered multiple critical bugs in the protocols over the course of his career and has proposed an alternative way of handling trust and verification in the protocol. But he still thinks that using HTTPS in as many places as possible would be a good thing. “I think there’s value to making network traffic as opaque as possible, even for static content,” he says. “Ideally we would replace plain text on the internet entirely.”

When you use HTTPS, the data is coded so that, in theory, only you and the server you’re communicating with can read the contents of the messages passing back and forth between your computer and the server.

Most major websites only use HTTPS to protect your password when you log in, or your credit card information when you make a purchase. But that started to change in 2010 when software developer Eric Butler released a free tool called FireSheep to show just how easy it was to temporarily take control of someone else’s account over a shared network — such as a public Wi-Fi connection.

Butler agrees that more use of HTTPS would be a good thing, pointing out that using HTTP makes it easier for governments or criminals to spy on what internet users are doing online. And Micah Lee, a technologist for The Intercept, points out that there are many situations in which it makes sense to use HTTPS besides just protecting passwords or other sensitive information.

For example, HTTPS doesn’t just encrypt the information passing between a server and your computer: It also verifies that the content you’re downloading is coming from the people you expect it to be coming from — again, in theory. That’s something that a regular HTTP connection can’t do.

“Any sort of attacks that involve tricking the victim into connecting to the attacker’s server instead of the real server gets halted by HTTPS,” Lee said via email. “And this is really important, even for non-secret content, because of integrity: you really don’t want attackers modifying the content of websites you’re visiting without your knowledge.”

For example, a country that doesn’t want its citizens getting certain information from Wikipedia can set up a system that feeds users fake Wikipedia pages. “Without HTTPS, censorship isn’t just possible,” Lee says. “It’s simple for powerful attackers like governments, and it’s impossible for ordinary users to detect.”

There are other ways that a rogue government or criminal hacker could cause problems by replacing insecure content with their own fake pages. Lee points out that many journalists post their PGP encryption keys on their websites using only HTTP. An attack could show a potential whistleblower a fake page with a fake encryption key, causing them to turn incriminating evidence over to, for example, the government or their employer.

One of the most dangerous possibilities, however, is that hackers could replace software downloads with malware. “Websites that publish software have no business ever using HTTP,” Lee says. “They should always use HTTPS. If they don’t, they’re putting software users at risk.”

Jason warns that,

The one thing you should be aware of regarding this move is the need to avoid so-called “mixed content.” HTTPS pages need to load _all_ their resources over secure connections—images, stylesheets, third-party scripts, everything. If any resources are loaded via plain old unencrypted HTTP, the browser will display a warning to let the user know that the page is not 100% secure. I’ve checked all the common places where mixed content might creep in and upgraded them where necessary, but it’s always possible I missed something, so if your browser starts squawking at you about a page not being completely secure send me the URL of the page and I’ll take care of it.

Likewise, if you notice something, let me know and I’ll pass it along.
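
A small check for the "mixed content" problem described above, as an added example (not code from OTB or its IT support): it parses a page's HTML and lists subresources that an HTTPS page would still fetch over plain HTTP. The sample page and hostnames are constructed, and the active/passive labels reflect the usual browser distinction between scripts, stylesheets and frames on one hand and images and media on the other.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load a subresource. <a href> is deliberately
# absent: a link to an HTTP page is navigation, not mixed content.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample page; every hostname here is a placeholder.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/example/style.css">
<link rel="stylesheet" href="http://cdn.example.net/widget.css">
<script src="//cdn.example.net/app.js"></script>
<script src="http://plugin.example.org/signup.js"></script>
</head><body>
<img src="http://images.example.org/avatar.png">
<a href="http://example.com/old-post/">an ordinary link</a>
</body></html>"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr, value in attrs.items():
            key = (tag, attr)
            if not value or key not in ACTIVE | PASSIVE:
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue  # this example only checks stylesheet links
            # Relative and protocol-relative (//host/...) URLs inherit https.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme == "http":
                self.findings.append(("active" if key in ACTIVE else "passive", tag, url))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://blog.example/post/", SAMPLE_PAGE):
        print(f"{kind:8} <{tag}> {url}")
```

Resources that scripts or plugins inject after the page loads do not appear in the static HTML, so a clean result here does not rule out a browser warning.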

FILED UNDER: OTB History
James Joyner

Comments

  1. Franklin says:

    No problems yet, thanks.

  2. CSK says:

    I’m getting a message now, on this page, that says that “this page is not secure.”

  3. James Joyner says:

    @CSK: Interesting. I’ve tried it on my home and work computer and am not seeing it. Windows 10 Chrome, Firefox, and Edge.

  4. CSK says:

    @James Joyner:
    I’m using Windows 10 and Firefox as well. The home page is secure. But when I click on an article, the yellow triangle with the exclamation point shows up over the padlock icon.

    Edited to add: I just tried it with Edge. I get a colorless padlock icon. Not green. No yellow triangle over it.

  5. James Joyner says:

    @CSK: Ah. I see what you’re saying now. I wasn’t getting any sort of pop-up but, yes, different than home page.

  6. CSK says:

    Okay, now I’m getting the green padlock on this page, anyway.

  7. CSK says:

    Sigh. Now it’s gone back to the yellow triangle.

  8. James Joyner says:

    @CSK: Playing around a bit, I’ve determined that older posts with closed comments (it happens automatically if no comment has been posted in 21 days) are fully secure whereas newer ones with open commenting are in the in-between category. (None seem to be “insecure.”) My guess is that it has to do with the Engage feed that shows under comments of recent posts. I’ve got Jason looking into it.

    UPDATE: I briefly turned off the Engage feed and, while the page flashed “Secure” briefly, it quickly turned back to the intermediate setting.

  9. Mister Bluster says:

    Safari 11.1 (12605.1.33.1.3)…whatever that means.
    The address window shows a grey/colorless locked padlock icon followed by: outsidethebeltway.com

    when I click on that I see: the OTB Interstate Shield in grey followed by https://outsidethsebeltway.com/otb-goes-secure/

    and I go to the page

    no triangles, Bermuda or otherwise

    How secure am I?

  10. Stormy Dragon says:

    I’m surprised it took you this long to switch. Starting during last year, Google added a search ranking penalty for non-https sites, so staying unsecured was actually costing you traffic since then.

  11. James Joyner says:

    @CSK: Should be fixed now. It was an old plugin that was supposed to suggest that you sign up for a Gravatar if you didn’t have one.

    @Stormy Dragon: We were running on autopilot for the last couple of years in terms of IT support.

  12. de stijl says:

    It may be unrelated, but I see no HTML buttons (italics, blockquote, bold, etc.)

  13. CSK says:

    @de stijl:

    Nor do I–though the green padlock is in place.

  14. James Joyner says:

    @de stijl: Fixed now. Some sort of “theme bug.”