Techdirt Is Now 100% SSL

from the it's-about-time dept

Back in December, the Washington Post had an article about how news sites could go full SSL, encrypting all connections, but probably wouldn’t, because most of the major ad networks simply aren’t set up to handle it — meaning that doing so, while it would protect their users, would likely harm revenue. Chris Soghoian, famed security researcher and technologist at the ACLU even claimed he was offering up two bottles of whiskey to any news site that would turn on SSL.

This actually hit home for us, because we had actually started exploring the very possibility of going full on SSL about a month earlier, and realized that we’d be giving up ad revenue to do it — but, after thinking about it, we decided to do so anyway. Over the last few months, we’ve actually ended partnerships with a few ad providers who were unprepared and unwilling to support full SSL, and set ourselves up to make the full switch. In fact, we’ve quietly made sure that most of the site was fully SSL-capable for quite some time now. And, today, in conjunction with the Reset the Net campaign in honor of the first anniversary of the very first Ed Snowden revelation, we’ve officially flipped the switch to make the site fully SSL. While we’ve been quietly testing it for a while now, and it’s been working fine, it’s possible that some of you will come across errors or issues along the way — so please let us know if you come across any problems.

I also believe that a number of other sites, including, potentially, some media sites, are making the leap as well, so we’re not alone in this — and I hope that Soghoian is busy sending out whiskey bottles (though, no need to send any here, thanks!). Either way, we believe that this is important in protecting your privacy and security, even if it means less ad revenue for us, and it’s great to see websites across the internet doing a variety of things to make users more secure, whether it’s better encrypting email, or adding more protection for their own users. It’s a huge testament to how much Snowden has made the world aware of the importance of greater encryption.

While we still have some ads on the site — from providers who were actually willing to support SSL — we are still taking a cut in revenue in doing this. As such, if you’d like to help keep this site going strong, we’d like to remind you of the other ways you can support us via the Insider Shop, where you can become an Insider, and get access to our Insider Chat or the Crystal Ball to get access to stories before anyone else. Or you can go all in with the Behind the Curtain offering, giving you access not just to the Insider Chat and the Crystal Ball, but the special “Crystal Ball Plus” that shows you many more stories before everyone else. See stories we’re working on days or even months ahead of time — and talk about them with us as well. We also have opportunities to get lunch with me or, even, spend a whole day with us (this has been a lot of fun for the folks who have done it). We also have a bunch of merchandise, including our popular “seized” t-shirt. If you don’t want to do any of that, then just keep on doing what you’ve already been doing, coming here every day, reading, sharing, commenting and discussing. Just know that you’re doing it in a way that protects your privacy.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Techdirt Is Now 100% SSL”

Subscribe: RSS Leave a comment
58 Comments
Lurker Keith says:

Re: Re: Not 100% yet

My AV suggests hackers could manipulate the page. Also, an unsecure ad could be hacked to include a virus or other malware. Or the ad company could be hacked. Or, if of poor quality (probably doesn’t affect the ones TD uses, but you never know), the ad company could regularly ascribe to shady ads.

On top of that, the NSA could probably peek at the page through an unsecure ad, revealing what you’re reading (which, lately, has been a lot of pro-Snowden/ anti-NSA/ pro-Constitution stuff).

David says:

One detriment:

One detriment to making large sites https is network congestion as the internet provider loses all means to do compression or caching.

Granted: with the current proliferation of “customized” content and cookies, it’s a minority of web sites anyway that does not have to get generated and delivered individually.

Lurker Keith says:

Re: One detriment:

I adjusted my settings long ago to seek the page every visit & routinely delete the cookies (both automated by the browser & manually, since that doesn’t catch everything), at least after I close the browser, if not while it’s still open (depending on length of session, what sites I visited, etc.). I prefer getting the most up-to-date page available on every load or refresh. My connection is so fast, allowing caching is actually detrimental (been on systems where a normal refresh didn’t load important details newly added), as well as a security issue (especially now that we know the NSA is sniffing around EVERYONE).

Even before I started reading Techdirt (during the SOPA Blackout), I didn’t care for customized pages. I cold tell that they would be grabbing way more info than I would like to generate them.

Also, all those cookies can bog down a system (seen systems slowed to a crawl due to multiple THOUSANDS of cookies in the permanently hidden Content.ie5 folder (why does a folder have a file extension!?!), when friends asked me to find out why their used-to-be-fast computers were running so slow). Many, if not most, sites don’t properly maintain their cookies, or outright misprogram some parameters so they never expire (seen a few sites where a new cookie’s expiration date was days or the year before, if it even has one).

Anonymous Coward says:

Please Allow Anonymous BTC Contributions

Your “Friend of Techdirt” variable-amount item in the Insider Shop should be a great way to offer a “tip jar” for somebody who wants to contribute towards Techdirt but is not looking for anything in return.

However, all forms of contribution require an email address and physical address. BTC, in particular, should require none of those.

As a site that prides itself on allowing anonymous contributions in the form of prose, one would think that you would be interested in anonymous BTC contributions as well.

You don’t need a Web shopping cart for such a BTC tip jar — just publish a BTC address.

Anonymous Coward says:

Now kill the Javascript

This page attempts to load Javascript from 17 sources, including some horribly anti-privacy, anti-security ones like Facebook. It’s time to excise as much of that as possible in order to avoid subjecting TD readers to the risks those impose. (And yes, I have NoScript running, which is how I counted those.)

Anonymous Coward says:

I can’t believe you would delay something like enabling SSL for a full year because you place personal, monetary gain above the privacy and security of your site’s readers.

All kidding aside, you’ve spent the past year posting so many link to stories about companies that have still not implemented SSL?as recently as the story yesterday about how outbound emails from Google’s servers to Comcast’s servers are rarely ever encrypted using TLS?yet you have taken a full year implement SSL on your site (keep in mind, SSL 3.0 was released in 1996).

You’ve lambasted NIST and various telecoms for accepting millions of dollars from the NSA for access to their networks and data, yet you were reluctant to enable encryption on your own site for fear of losing ad revenue, and advertisers are certainly known for tracking people’s website visits and building profiles about their browsing habbits, i.e., engaging in surveillance.

Regardless, you did the right thing by enabling it, because as sarcastic as you might think this sounds, I genuinely believe that it is better to be late than never. Decisions are rarely, if ever, black or white.

But you’re not off the hook. I’m going to send this article to the folks over at TechDirt and see what they have to say about it!

Mike Masnick (profile) says:

Re: Re:

All kidding aside, you’ve spent the past year posting so many link to stories about companies that have still not implemented SSL?as recently as the story yesterday about how outbound emails from Google’s servers to Comcast’s servers are rarely ever encrypted using TLS?yet you have taken a full year implement SSL on your site (keep in mind, SSL 3.0 was released in 1996).

No, we’ve had SSL on the site for many, many years — including on login, meaning that all logged in users were mostly seeing SSL anyway. The switch here was to go full SSL even for non-logged in users. Generally speaking, it’s less important to do SSL for non-logged in users, because they’re usually not sharing information. However, to be that much more secure, we’ve now made that step as well.

You’ve lambasted NIST and various telecoms for accepting millions of dollars from the NSA for access to their networks and data, yet you were reluctant to enable encryption on your own site for fear of losing ad revenue

I may not have been entirely clear. We weren’t reluctant to enable it because of ad revenue. We decided to enable it across the board (rather than just for logged in users) — and then realized it wasn’t quite that easy because of partners who weren’t enabled to do that. So we had to figure out ways to deal with it.

Also, there is a MASSIVE difference between compromising a key encryption technique and/or not doing TLS on communications and leaving non logged in readers non-encrypted.

Anonymous Coward says:

Re: Re: Re: Re:

Just like in computers…

Everything is black and white… its just that the big picture contains loads of Zeros and Ones to form what is a big ole gray looking picture… but when you get right down do it… its all just yes/no, on/off, black/white.

This is why humans suck so much. Everyone says… look at the bigger picture… guess what… we all spend so damn much time looking at the forest that we didn’t see the first tree that started rotting and infecting the rest.

Mike Masnick (profile) says:

Re: Re:

The Imgur link in a certain news story released today, about the lack of foresight of some high school pranksters, is also not HTTPS, triggering a mixed content warning there as well. Everything has to be HTTPS, including frivolities like that, before the mixed content warning goes away.

Yup. We’re trying to catch those, and our internal system now alerts us… but that story was actually written a few days ago before we turned that on. I’d thought we’d gone back and caught most of those, but looks like we missed that one… Will go fix now

The Wanderer (profile) says:

I’ve been using HTTPS Everywhere (which I highly recommend, by the way), combined with a local ruleset for Techdirt, to force SSL here for a while now. I’d excluded the Insider Shop (rtb.techdirt.com) because it had produced a certificate mismatch error, but checking now, it appears that that has been fixed.

I’ve now turned that ruleset off, in the hopes that it will indeed be unnecessary for the future. If I encounter any issues, what would be the appropriate way to report them?

Anonymous Coward says:

Thanks for the switch; I appreciate it. Hopefully having relatively high traffic sites like TD forcing SSL will begin to make a difference.

For debugging purposes: it doesn’t appear to have entirely taken yet. According to HTTPS Everywhere, Quantcast and Vimeo are not over ssl and Floor64 is partial. In case it matters for your debugging, I’m running Firefox in private mode, ABP and HTTPS Everywhere.

Anonymous Coward says:

Re: If only SSL was secure

It is more secure than plaintext, that’s for sure. And decrypting traffic uses processing power and if more and more traffic gets encrypted the less it becomes feasible to decrypt all of it.

It is not not to completely prevent surveilance, that is likely impossible, but to make it as hard as possible.

Michael Donnelly (profile) says:

It's not just about encryption and user privacy.

It’s also about making the NSA work a little harder when they man-in-the-middle techdirt.com as part of some enormous sweep of malcontents and ne’er-do-gooders. It’s always fun to make their guys go and hack pieces of Chrome to kill the cert-pinning trick Google came up with.

You gotta get that DMCA shirt back in stock, though. πŸ˜‰

Anonymous Coward says:

Thanks!

Thank you Mr. Masnick! Any decision to forego/delay income to “do the right thing” is call for praise. …and thanks for supporting Reset the Net.

Please consider accepting gift cards from other businesses as an alternative (or in addition to bitcoin). Many gift cards can be purchased with cash and there’s no learning curve disincentive as there is with bitcoin (for some).

Anonymous Coward says:

RSS feed still not secure

The RSS feed is still not available over SSL, so “100%” seems like an overstatement.

The link in the page header points to https://www.techdirt.com/techdirt_rss.xml , which gives a 302 redirect to the unencrypted http://feeds.feedburner.com/techdirt/feed . Each article link in the RSS feed then points to pages under (the unencrypted) http://feedproxy.google.com/ , which redirect to pages under (the still unencrypted) http://techdirt.feedsportal.com/ , which finally redirect to the actual articles (which, to be fair, are served over HTTPS).

Kalvan (profile) says:

Should I? Does it matter?

This is almost certainly off-topic, and for that I apologize. If someone can refer me to a good resource in lieu of answering my question, I’d appreciate that.

Here’s my quandry – the sites I run do not collect information on site visitors, and all financial transactions are passed off to PayPal. PayPal handles record keeping as well. No credit card numbers on my site, no personal info.

The question is, would it help my site visitors if I started running SSL, HSTS & PFS and all the other stuff the reset the net folks suggest? I’m willing to dive down the rabbit hole, just not all that damn eager.

All the sources I’ve seen say that in my position, there’s no real need. Thoughts?

John Fenderson (profile) says:

Re: Should I? Does it matter?

“would it help my site visitors if I started running SSL, HSTS & PFS and all the other stuff the reset the net folks suggest?”

Yes, it would, for a whole host of reasons. It helps to prevent spoofing, it helps to make the practice standard behavior for all websites, and most importantly: in this age of Big Data, even stuff that used to be innocuous, such as which specific pages are being viewed, the text of comments (even if they don’t contain obvious identifiers), etc., is sensitive information that deserves protection.

Anonymous Coward says:

Re: Should I? Does it matter?

One mistake many people seem to make is to think SSL is just encryption. It’s not. It’s also authentication.

Look up “watering hole attacks”. Even if your site is innocuous, it might be the target of an exploit injection attack. Making it HTTPS-only makes it harder to pull that kind of attack (they’d have to hack your server, which risks leaving traces, instead of doing a simpler MITM somewhere).

So yeah, it’s worth it. Start small – leave more complex things like HSTS for last.

ltlw0lf (profile) says:

Re: As someone who posts from work...

I have always dreaded commenting here because my work could see it if they wanted to.

Chances are, they still know. Mine certainly does, but then again, they know everything anyway (and I really don’t go out of my way to hide it from them.) It isn’t like I can hide my Techdirt window whenever my boss comes in when he can just go to Techdirt himself and look up my profile and see everything. Little less of an issue for ACs.

HTTPS doesn’t hide the end-points, only the traffic. Piping it though a VPN or Proxy or via SSH-forwarding through an AWS/Hosting Service host might help as well, though it may raise questions and may be more trouble than it is worth. Depends on why you are hiding your comments from work.

Anonymous Coward says:

Good job, but...

…but FYI, something about the new setup is absolutely destroying page load times for Chrome on iPad (with the Google magic compression setting on, that routes http through their cache/compression). We’re talking worse than 20 seconds sometimes…

No problems with Safari on the same device, so this should be a “it’s a slow day, maybe I should look at that old problem” kind of thing… It’s probably something for Google to fix…

TwelveBaud (profile) says:

SHA-1

It’s time to ask CloudFlare to rekey your SSL certificate. Your private key uses the SHA-1 algorithm which, though not insecure yet, is on a steep deprecation path. Last October Chrome started marking such sites with a yellow alert symbol (similar to that used when loading JS from an insecure site), and in February Firefox followed suit. The cert is set to expire on Oct 15, which — even if it wasn’t expiring — is the last day Firefox, Chrome, Safari, or Opera would connect at all, with IE blocking access the following year.

New certificates use SHA-2, which is based on a similar algorithm but uses much longer key fingerprints, and is therefore much harder to break.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop Β»

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...