Techdirt Is Now 100% SSL
from the it's-about-time dept
Back in December, the Washington Post had an article about how news sites could go full SSL, encrypting all connections, but probably wouldn’t, because most of the major ad networks simply aren’t set up to handle it — meaning that doing so, while it would protect their users, would likely harm revenue. Chris Soghoian, famed security researcher and technologist at the ACLU even claimed he was offering up two bottles of whiskey to any news site that would turn on SSL.
This actually hit home for us, because we had actually started exploring the very possibility of going full on SSL about a month earlier, and realized that we’d be giving up ad revenue to do it — but, after thinking about it, we decided to do so anyway. Over the last few months, we’ve actually ended partnerships with a few ad providers who were unprepared and unwilling to support full SSL, and set ourselves up to make the full switch. In fact, we’ve quietly made sure that most of the site was fully SSL-capable for quite some time now. And, today, in conjunction with the Reset the Net campaign in honor of the first anniversary of the very first Ed Snowden revelation, we’ve officially flipped the switch to make the site fully SSL. While we’ve been quietly testing it for a while now, and it’s been working fine, it’s possible that some of you will come across errors or issues along the way — so please let us know if you come across any problems.
I also believe that a number of other sites, including, potentially, some media sites, are making the leap as well, so we’re not alone in this — and I hope that Soghoian is busy sending out whiskey bottles (though, no need to send any here, thanks!). Either way, we believe that this is important in protecting your privacy and security, even if it means less ad revenue for us, and it’s great to see websites across the internet doing a variety of things to make users more secure, whether it’s better encrypting email, or adding more protection for their own users. It’s a huge testament to how much Snowden has made the world aware of the importance of greater encryption.
While we still have some ads on the site — from providers who were actually willing to support SSL — we are still taking a cut in revenue in doing this. As such, if you’d like to help keep this site going strong, we’d like to remind you of the other ways you can support us via the Insider Shop, where you can become an Insider, and get access to our Insider Chat or the Crystal Ball to get access to stories before anyone else. Or you can go all in with the Behind the Curtain offering, giving you access not just to the Insider Chat and the Crystal Ball, but the special “Crystal Ball Plus” that shows you many more stories before everyone else. See stories we’re working on days or even months ahead of time — and talk about them with us as well. We also have opportunities to get lunch with me or, even, spend a whole day with us (this has been a lot of fun for the folks who have done it). We also have a bunch of merchandise, including our popular “seized” t-shirt. If you don’t want to do any of that, then just keep on doing what you’ve already been doing, coming here every day, reading, sharing, commenting and discussing. Just know that you’re doing it in a way that protects your privacy.
Filed Under: privacy, reset the net, security, ssl
Comments on “Techdirt Is Now 100% SSL”
Whisky
Ask for Talisker – the whisky of Tech Journo’s.
Failing that Tobermory do a very nice 19 yo single cask bottling.
Yup, I’m connecting with AES-128bit encryption. Cheers!
Not 100% yet
The ads are still being served with non-protocol-relative URLs, giving a mixed-content warning. And Firefox doesn’t like your certificate, though not enough to give me a red page.
Re: Not 100% yet
I’m only kinda technical; what’s the risk with unsecure ads in this context? What information does that expose? (I’m not terribly worried about someone knowing what ads the ad vendors serve me; what information they have on me already is more important.)
Re: Re: Not 100% yet
My AV suggests hackers could manipulate the page. Also, an unsecure ad could be hacked to include a virus or other malware. Or the ad company could be hacked. Or, if of poor quality (probably doesn’t affect the ones TD uses, but you never know), the ad company could regularly ascribe to shady ads.
On top of that, the NSA could probably peek at the page through an unsecure ad, revealing what you’re reading (which, lately, has been a lot of pro-Snowden/ anti-NSA/ pro-Constitution stuff).
Re: Re: Not 100% yet
There’s no significant harm or risk in this case, but referer headers and the like can leak information, and so browsers warn about mixed page loads, and they generally won’t accept JavaScript for a secure page over an unsecure connection.
Re: Not 100% yet
The ads are still being served with non-protocol-relative URLs, giving a mixed-content warning. And Firefox doesn’t like your certificate, though not enough to give me a red page.
That’s not supposed to be happening… Looking into it…
Re: Re: Not 100% yet
Firefox shows a grey warning sign. Means that some content that is classed as passive, that is no scripts, is not sent over SSL.
So some object containing an image. video or audio.
Also despite white listing your site in Ghostery there are 2 advertisement slots that do not show adds.
Re: Re: Re: Not 100% yet
Firefox shows a grey warning sign.
With ABP (AdBlock+) turned on, everything is working fine. With ABP off, I am also getting errors on passive ads. Thought I turned ABP off for Techdirt, but apparently it was still running.
Non-encrypted address appears to be http://www.assoc-amazon.com/%5B..].
Re: Re: Re:2 Not 100% yet
Confirmed here too, Firefox showing partially encrypted, only thing I can find that is causing that is a 1×1 image from http://www.assoc-amazon.com/e/ir?o=1&t=techdirtcom-20&l=wey
Re: Re: Re: Not 100% yet
Chrome is showing a warning as well. Shows a yellow triangle over the padlock icon in the address bar. When you click it, the dropdown syas that “Your connection to http://www.techdirt.com is encrypte with 128-bit encryption. However, this page includes other resources which are not secure. blah blah blah”.
One detriment:
One detriment to making large sites https is network congestion as the internet provider loses all means to do compression or caching.
Granted: with the current proliferation of “customized” content and cookies, it’s a minority of web sites anyway that does not have to get generated and delivered individually.
Re: One detriment:
I adjusted my settings long ago to seek the page every visit & routinely delete the cookies (both automated by the browser & manually, since that doesn’t catch everything), at least after I close the browser, if not while it’s still open (depending on length of session, what sites I visited, etc.). I prefer getting the most up-to-date page available on every load or refresh. My connection is so fast, allowing caching is actually detrimental (been on systems where a normal refresh didn’t load important details newly added), as well as a security issue (especially now that we know the NSA is sniffing around EVERYONE).
Even before I started reading Techdirt (during the SOPA Blackout), I didn’t care for customized pages. I cold tell that they would be grabbing way more info than I would like to generate them.
Also, all those cookies can bog down a system (seen systems slowed to a crawl due to multiple THOUSANDS of cookies in the permanently hidden Content.ie5 folder (why does a folder have a file extension!?!), when friends asked me to find out why their used-to-be-fast computers were running so slow). Many, if not most, sites don’t properly maintain their cookies, or outright misprogram some parameters so they never expire (seen a few sites where a new cookie’s expiration date was days or the year before, if it even has one).
Re: Re: One detriment:
could*
I use adblock so no loss revenue from me. But I am sending you a couple of bucks right now as you definitely deserve it.
Hostname mismatch warning
I’ve been getting hostname mismatch warning for edge.quantserv.com on every page for the last few days on Techdirt (seems to have an akamai certificate).
Re: Hostname mismatch warning
I’m seeing the same for postrelease.com content getting served up with an akamai cert. Would be nice if this could be fixed.
Please Allow Anonymous BTC Contributions
Your “Friend of Techdirt” variable-amount item in the Insider Shop should be a great way to offer a “tip jar” for somebody who wants to contribute towards Techdirt but is not looking for anything in return.
However, all forms of contribution require an email address and physical address. BTC, in particular, should require none of those.
As a site that prides itself on allowing anonymous contributions in the form of prose, one would think that you would be interested in anonymous BTC contributions as well.
You don’t need a Web shopping cart for such a BTC tip jar — just publish a BTC address.
“Techdirt Is Now 100% SSL”
I don’t really care either way.
Re: Re:
And i dont really care that you dont really care
Now kill the Javascript
This page attempts to load Javascript from 17 sources, including some horribly anti-privacy, anti-security ones like Facebook. It’s time to excise as much of that as possible in order to avoid subjecting TD readers to the risks those impose. (And yes, I have NoScript running, which is how I counted those.)
I can’t believe you would delay something like enabling SSL for a full year because you place personal, monetary gain above the privacy and security of your site’s readers.
All kidding aside, you’ve spent the past year posting so many link to stories about companies that have still not implemented SSL?as recently as the story yesterday about how outbound emails from Google’s servers to Comcast’s servers are rarely ever encrypted using TLS?yet you have taken a full year implement SSL on your site (keep in mind, SSL 3.0 was released in 1996).
You’ve lambasted NIST and various telecoms for accepting millions of dollars from the NSA for access to their networks and data, yet you were reluctant to enable encryption on your own site for fear of losing ad revenue, and advertisers are certainly known for tracking people’s website visits and building profiles about their browsing habbits, i.e., engaging in surveillance.
Regardless, you did the right thing by enabling it, because as sarcastic as you might think this sounds, I genuinely believe that it is better to be late than never. Decisions are rarely, if ever, black or white.
But you’re not off the hook. I’m going to send this article to the folks over at TechDirt and see what they have to say about it!
Re: Re:
All kidding aside, you’ve spent the past year posting so many link to stories about companies that have still not implemented SSL?as recently as the story yesterday about how outbound emails from Google’s servers to Comcast’s servers are rarely ever encrypted using TLS?yet you have taken a full year implement SSL on your site (keep in mind, SSL 3.0 was released in 1996).
No, we’ve had SSL on the site for many, many years — including on login, meaning that all logged in users were mostly seeing SSL anyway. The switch here was to go full SSL even for non-logged in users. Generally speaking, it’s less important to do SSL for non-logged in users, because they’re usually not sharing information. However, to be that much more secure, we’ve now made that step as well.
You’ve lambasted NIST and various telecoms for accepting millions of dollars from the NSA for access to their networks and data, yet you were reluctant to enable encryption on your own site for fear of losing ad revenue
I may not have been entirely clear. We weren’t reluctant to enable it because of ad revenue. We decided to enable it across the board (rather than just for logged in users) — and then realized it wasn’t quite that easy because of partners who weren’t enabled to do that. So we had to figure out ways to deal with it.
Also, there is a MASSIVE difference between compromising a key encryption technique and/or not doing TLS on communications and leaving non logged in readers non-encrypted.
Re: Re: Re:
(I’m the original commenter)
Thanks for the clarification. I guess I can learn too that things are never black and white. 🙂
Re: Re: Re: Re:
Just like in computers…
Everything is black and white… its just that the big picture contains loads of Zeros and Ones to form what is a big ole gray looking picture… but when you get right down do it… its all just yes/no, on/off, black/white.
This is why humans suck so much. Everyone says… look at the bigger picture… guess what… we all spend so damn much time looking at the forest that we didn’t see the first tree that started rotting and infecting the rest.
The Imgur link in a certain news story released today, about the lack of foresight of some high school pranksters, is also not HTTPS, triggering a mixed content warning there as well. Everything has to be HTTPS, including frivolities like that, before the mixed content warning goes away.
Re: Re:
The Imgur link in a certain news story released today, about the lack of foresight of some high school pranksters, is also not HTTPS, triggering a mixed content warning there as well. Everything has to be HTTPS, including frivolities like that, before the mixed content warning goes away.
Yup. We’re trying to catch those, and our internal system now alerts us… but that story was actually written a few days ago before we turned that on. I’d thought we’d gone back and caught most of those, but looks like we missed that one… Will go fix now
I’ve been using HTTPS Everywhere (which I highly recommend, by the way), combined with a local ruleset for Techdirt, to force SSL here for a while now. I’d excluded the Insider Shop (rtb.techdirt.com) because it had produced a certificate mismatch error, but checking now, it appears that that has been fixed.
I’ve now turned that ruleset off, in the hopes that it will indeed be unnecessary for the future. If I encounter any issues, what would be the appropriate way to report them?
Thanks for the switch; I appreciate it. Hopefully having relatively high traffic sites like TD forcing SSL will begin to make a difference.
For debugging purposes: it doesn’t appear to have entirely taken yet. According to HTTPS Everywhere, Quantcast and Vimeo are not over ssl and Floor64 is partial. In case it matters for your debugging, I’m running Firefox in private mode, ABP and HTTPS Everywhere.
You son of a bitch....
“and I hope that Soghoian is busy sending out whiskey bottles (though, no need to send any here, thanks!).”
This is how you know your boss hates you: he refuses for free the thing you value most in this world….
Re: You son of a bitch....
Mike is blocking your porn?
Re: Re: You son of a bitch....
damnit michael you beat me to it…
Thanks
Just wanted to say, “Thank you” for doing this. I just signed up for “Techdirt Crystal Ball” ($15/year subscription) as a direct result of this choice.
If only SSL was secure
We’d like to think it is, but it isn’t. Not at all.
Re: If only SSL was secure
It is more secure than plaintext, that’s for sure. And decrypting traffic uses processing power and if more and more traffic gets encrypted the less it becomes feasible to decrypt all of it.
It is not not to completely prevent surveilance, that is likely impossible, but to make it as hard as possible.
Re: If only SSL was secure
Nothing is “secure” as an absolute. But some things are more secure than others. Using SSL is more secure than not.
It's not just about encryption and user privacy.
It’s also about making the NSA work a little harder when they man-in-the-middle techdirt.com as part of some enormous sweep of malcontents and ne’er-do-gooders. It’s always fun to make their guys go and hack pieces of Chrome to kill the cert-pinning trick Google came up with.
You gotta get that DMCA shirt back in stock, though. 😉
Whiskey vs Whisky
Matching-Prize:
I’d like to send you guys two bottles of Whisky. Please advise flavor and address where an over-21-year-old can sign.
Congratulations on being 100% unencrypted free!
Ehud
Tucson AZ
Thanks!
Thank you Mr. Masnick! Any decision to forego/delay income to “do the right thing” is call for praise. …and thanks for supporting Reset the Net.
Please consider accepting gift cards from other businesses as an alternative (or in addition to bitcoin). Many gift cards can be purchased with cash and there’s no learning curve disincentive as there is with bitcoin (for some).
Thanks for your efforts. Lately techdirt lite no longer working on iPhones instead full desktop version is displayed. Any connection to the SSL implemention?
If anyone’s interested in a convenient way to evaluate the quality of each site’s SSL, check out the FF extension SSleuth. It adds a small 1.0 – 10 rating icon in front of the browser’s URL and a left-click brings a drop down with a bunch of other relevant cipher-info. I highly recommend this for anyone interested in such things.
RSS feed still not secure
The RSS feed is still not available over SSL, so “100%” seems like an overstatement.
The link in the page header points to https://www.techdirt.com/techdirt_rss.xml , which gives a 302 redirect to the unencrypted http://feeds.feedburner.com/techdirt/feed . Each article link in the RSS feed then points to pages under (the unencrypted) http://feedproxy.google.com/ , which redirect to pages under (the still unencrypted) http://techdirt.feedsportal.com/ , which finally redirect to the actual articles (which, to be fair, are served over HTTPS).
Stuart
Well done Mike. I am sure you will be working out the kinks with this for a while. Because of this decision I did the $15/mo sign up. Keep up the good work.
Can you give us some numbers on the increase in direct support you end up receiving today and in the next few days directly through the store?
I would be curious to see how much this offsets the ad revenue you end up losing.
Should I? Does it matter?
This is almost certainly off-topic, and for that I apologize. If someone can refer me to a good resource in lieu of answering my question, I’d appreciate that.
Here’s my quandry – the sites I run do not collect information on site visitors, and all financial transactions are passed off to PayPal. PayPal handles record keeping as well. No credit card numbers on my site, no personal info.
The question is, would it help my site visitors if I started running SSL, HSTS & PFS and all the other stuff the reset the net folks suggest? I’m willing to dive down the rabbit hole, just not all that damn eager.
All the sources I’ve seen say that in my position, there’s no real need. Thoughts?
Re: Should I? Does it matter?
“would it help my site visitors if I started running SSL, HSTS & PFS and all the other stuff the reset the net folks suggest?”
Yes, it would, for a whole host of reasons. It helps to prevent spoofing, it helps to make the practice standard behavior for all websites, and most importantly: in this age of Big Data, even stuff that used to be innocuous, such as which specific pages are being viewed, the text of comments (even if they don’t contain obvious identifiers), etc., is sensitive information that deserves protection.
Re: Re: Should I? Does it matter?
Thanks John. I think I was trying to avoid that conclusion. “OH NO – A LEARNING EXPERIENCE!”
Re: Re: Re: Should I? Does it matter?
Well, if it helps any, your site doesn’t sound like the sort that requires some kind of emergency action. You could take your time to do it…
Re: Should I? Does it matter?
One mistake many people seem to make is to think SSL is just encryption. It’s not. It’s also authentication.
Look up “watering hole attacks”. Even if your site is innocuous, it might be the target of an exploit injection attack. Making it HTTPS-only makes it harder to pull that kind of attack (they’d have to hack your server, which risks leaving traces, instead of doing a simpler MITM somewhere).
So yeah, it’s worth it. Start small – leave more complex things like HSTS for last.
Uh... hate to rain on the parade, but...
http://www.wired.com/2014/06/heartbleed-redux-another-gaping-wound-in-ssl-uncovered/
Yeah.
Huh, glad to see it. Bold move.
As someone who posts from work...
…I appreciate the change. I have always dreaded commenting here because my work could see it if they wanted to.
Re: As someone who posts from work...
I have always dreaded commenting here because my work could see it if they wanted to.
Chances are, they still know. Mine certainly does, but then again, they know everything anyway (and I really don’t go out of my way to hide it from them.) It isn’t like I can hide my Techdirt window whenever my boss comes in when he can just go to Techdirt himself and look up my profile and see everything. Little less of an issue for ACs.
HTTPS doesn’t hide the end-points, only the traffic. Piping it though a VPN or Proxy or via SSH-forwarding through an AWS/Hosting Service host might help as well, though it may raise questions and may be more trouble than it is worth. Depends on why you are hiding your comments from work.
Re: As someone who posts from work...
This interactive from EFF shows who can see what when you use https (and/or Tor).
Re: As someone who posts from work...
Just make sure your work isn’t doing MITM on the SSL connections (some places do it by installing a special trusted certificate on all of their machines).
Great! 🙂
Good job, but...
…but FYI, something about the new setup is absolutely destroying page load times for Chrome on iPad (with the Google magic compression setting on, that routes http through their cache/compression). We’re talking worse than 20 seconds sometimes…
No problems with Safari on the same device, so this should be a “it’s a slow day, maybe I should look at that old problem” kind of thing… It’s probably something for Google to fix…
SHA-1
It’s time to ask CloudFlare to rekey your SSL certificate. Your private key uses the SHA-1 algorithm which, though not insecure yet, is on a steep deprecation path. Last October Chrome started marking such sites with a yellow alert symbol (similar to that used when loading JS from an insecure site), and in February Firefox followed suit. The cert is set to expire on Oct 15, which — even if it wasn’t expiring — is the last day Firefox, Chrome, Safari, or Opera would connect at all, with IE blocking access the following year.
New certificates use SHA-2, which is based on a similar algorithm but uses much longer key fingerprints, and is therefore much harder to break.