Techdirt Is Now 100% SSL
from the it's-about-time dept
Back in December, the Washington Post had an article about how news sites could go full SSL, encrypting all connections, but probably wouldn't, because most of the major ad networks simply aren't set up to handle it -- meaning that doing so, while it would protect their users, would likely harm revenue. Chris Soghoian, famed security researcher and technologist at the ACLU, even claimed he was offering up two bottles of whiskey to any news site that would turn on SSL.

This hit home for us, because we had started exploring that very possibility about a month earlier, and realized that we'd be giving up ad revenue to do it -- but, after thinking about it, we decided to do so anyway. Over the last few months, we've ended partnerships with a few ad providers who were unprepared or unwilling to support full SSL, and set ourselves up to make the full switch. In fact, we've quietly made sure that most of the site was fully SSL-capable for quite some time now. And, today, in conjunction with the Reset the Net campaign in honor of the first anniversary of the very first Ed Snowden revelation, we've officially flipped the switch to make the site fully SSL. While we've been quietly testing it for a while now, and it's been working fine, it's possible that some of you will come across errors or issues along the way -- so please let us know if you come across any problems.
I also believe that a number of other sites, including, potentially, some media sites, are making the leap as well, so we're not alone in this -- and I hope that Soghoian is busy sending out whiskey bottles (though, no need to send any here, thanks!). Either way, we believe that this is important in protecting your privacy and security, even if it means less ad revenue for us, and it's great to see websites across the internet doing a variety of things to make users more secure, whether it's better encrypting email, or adding more protection for their own users. It's a huge testament to how much Snowden has made the world aware of the importance of greater encryption.
While we still have some ads on the site -- from providers who were actually willing to support SSL -- we are still taking a cut in revenue in doing this. As such, if you'd like to help keep this site going strong, we'd like to remind you of the other ways you can support us via the Insider Shop, where you can become an Insider, and get access to our Insider Chat or the Crystal Ball to get access to stories before anyone else. Or you can go all in with the Behind the Curtain offering, giving you access not just to the Insider Chat and the Crystal Ball, but the special "Crystal Ball Plus" that shows you many more stories before everyone else. See stories we're working on days or even months ahead of time -- and talk about them with us as well. We also have opportunities to get lunch with me or, even, spend a whole day with us (this has been a lot of fun for the folks who have done it). We also have a bunch of merchandise, including our popular "seized" t-shirt. If you don't want to do any of that, then just keep on doing what you've already been doing, coming here every day, reading, sharing, commenting and discussing. Just know that you're doing it in a way that protects your privacy.
Filed Under: privacy, reset the net, security, ssl
Reader Comments
Whisky
Failing that, Tobermory do a very nice 19 yo single cask bottling.
Not 100% yet
Re: Not 100% yet
Re: Re: Not 100% yet
On top of that, the NSA could probably peek at the page through an insecure ad, revealing what you're reading (which, lately, has been a lot of pro-Snowden/anti-NSA/pro-Constitution stuff).
Re: Re: Not 100% yet
Re: Not 100% yet
That's not supposed to be happening... Looking into it...
Re: Re: Not 100% yet
So some object containing an image, video or audio.
Also, despite whitelisting your site in Ghostery, there are 2 advertisement slots that do not show ads.
Re: Re: Re: Not 100% yet
With ABP (AdBlock+) turned on, everything is working fine. With ABP off, I am also getting errors on passive ads. Thought I turned ABP off for Techdirt, but apparently it was still running.
Non-encrypted address appears to be http://www.assoc-amazon.com/[..].
Re: Re: Re: Re: Not 100% yet
Re: Re: Re: Not 100% yet
One detriment:
Granted: with the current proliferation of "customized" content and cookies, it's a minority of web sites anyway that does not have to get generated and delivered individually.
Re: One detriment:
Even before I started reading Techdirt (during the SOPA Blackout), I didn't care for customized pages. I could tell that they would be grabbing way more info than I would like to generate them.
Also, all those cookies can bog down a system (seen systems slowed to a crawl due to multiple THOUSANDS of cookies in the permanently hidden Content.ie5 folder (why does a folder have a file extension!?!), when friends asked me to find out why their used-to-be-fast computers were running so slow). Many, if not most, sites don't properly maintain their cookies, or outright misprogram some parameters so they never expire (seen a few sites where a new cookie's expiration date was days or the year before, if it even has one).
Re: Re: One detriment:
Hostname mismatch warning
Re: Hostname mismatch warning
Please Allow Anonymous BTC Contributions
However, all forms of contribution require an email address and physical address. BTC, in particular, should require none of those.
As a site that prides itself on allowing anonymous contributions in the form of prose, one would think that you would be interested in anonymous BTC contributions as well.
You don't need a Web shopping cart for such a BTC tip jar -- just publish a BTC address.
I don't really care either way.
Re:
Now kill the Javascript
All kidding aside, you've spent the past year posting so many links to stories about companies that have still not implemented SSL—as recently as the story yesterday about how outbound emails from Google's servers to Comcast's servers are rarely ever encrypted using TLS—yet you have taken a full year to implement SSL on your site (keep in mind, SSL 3.0 was released in 1996).
You've lambasted NIST and various telecoms for accepting millions of dollars from the NSA for access to their networks and data, yet you were reluctant to enable encryption on your own site for fear of losing ad revenue, and advertisers are certainly known for tracking people's website visits and building profiles about their browsing habits, i.e., engaging in surveillance.
Regardless, you did the right thing by enabling it, because as sarcastic as you might think this sounds, I genuinely believe that it is better to be late than never. Decisions are rarely, if ever, black or white.
But you're not off the hook. I'm going to send this article to the folks over at TechDirt and see what they have to say about it!
Re:
No, we've had SSL on the site for many, many years -- including on login, meaning that all logged in users were mostly seeing SSL anyway. The switch here was to go full SSL even for non-logged in users. Generally speaking, it's less important to do SSL for non-logged in users, because they're usually not sharing information. However, to be that much more secure, we've now made that step as well.
You've lambasted NIST and various telecoms for accepting millions of dollars from the NSA for access to their networks and data, yet you were reluctant to enable encryption on your own site for fear of losing ad revenue
I may not have been entirely clear. We weren't reluctant to enable it because of ad revenue. We decided to enable it across the board (rather than just for logged in users) -- and then realized it wasn't quite that easy because of partners who weren't enabled to do that. So we had to figure out ways to deal with it.
Also, there is a MASSIVE difference between compromising a key encryption technique and/or not doing TLS on communications and leaving *non* logged in readers non-encrypted.
Re: Re:
Thanks for the clarification. I guess I can learn too that things are never black and white. :)
Re: Re: Re:
Everything is black and white... it's just that the big picture contains loads of Zeros and Ones to form what is a big ole gray looking picture... but when you get right down to it... it's all just yes/no, on/off, black/white.
This is why humans suck so much. Everyone says... look at the bigger picture... guess what... we all spend so damn much time looking at the forest that we didn't see the first tree that started rotting and infecting the rest.
Re:
Yup. We're trying to catch those, and our internal system now alerts us... but that story was actually written a few days ago before we turned that on. I'd thought we'd gone back and caught most of those, but looks like we missed that one... Will go fix now
I've now turned that ruleset off, in the hopes that it will indeed be unnecessary for the future. If I encounter any issues, what would be the appropriate way to report them?
For debugging purposes: it doesn't appear to have entirely taken yet. According to HTTPS Everywhere, Quantcast and Vimeo are not over ssl and Floor64 is partial. In case it matters for your debugging, I'm running Firefox in private mode, ABP and HTTPS Everywhere.
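The two reports above (an ad image loading from a plain http:// URL, and HTTPS Everywhere flagging third parties that are not over SSL) are the classic mixed-content problem of an HTTPS migration. The scanner below is an added example, not Techdirt's code: it parses a page the way a browser would look at it and separates "active" mixed content (scripts, stylesheets, frames, plugins, which browsers block) from "passive" mixed content (images, audio, video, which still load in the clear and expose what you are reading). The sample page and the hostnames in it are constructed placeholders, not real ad networks.

```python
"""Mixed-content scan for a page served over HTTPS (added example).

Browsers split http:// subresources on an https:// page into two classes:
"active" content (scripts, stylesheets, iframes, plugins) is blocked,
while "passive" content (images, audio, video) is still fetched in the
clear, so an on-path observer learns which page was read and the padlock
is downgraded.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that pull in a subresource, by browser classification.
# <link> counts only when rel="stylesheet"; an RSS <link rel="alternate">
# is a discovery hint, not a fetch.
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"),
           ("source", "src"), ("track", "src")}


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, absolute_url) for every plain-http subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: value for name, value in attrs if value}
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return
        for name, value in attrs.items():
            if (tag, name) in ACTIVE:
                severity = "active"
            elif (tag, name) in PASSIVE:
                severity = "passive"
            else:
                continue
            # Resolve relative and protocol-relative ("//host/x") references
            # against the page URL; only an explicit http:// scheme is mixed.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((severity, tag, absolute))


def scan_mixed_content(html, page_url):
    """Return the list of mixed-content findings for one HTML document."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; hostnames are placeholders, not real ad networks.
SAMPLE_HTML = """
<html><head>
<link rel="alternate" type="application/rss+xml" href="http://feeds.example.net/rss">
<link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example.org/jquery.js"></script>
<script src="http://ads.example.net/tag.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://ads.example.net/pixel.gif" width="1" height="1">
<iframe src="https://video.example.org/embed/1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in scan_mixed_content(SAMPLE_HTML, "https://www.example.com/"):
        print(f"{severity:7} <{tag}> {url}")
```

Run it over the HTML your server actually emits (after any ad tags are injected), not the template: the passive findings are the ones ad blockers hide from you, which is exactly why the thread's reporter only saw the errors once ABP was off.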
You son of a bitch....
This is how you know your boss hates you: he refuses for free the thing you value most in this world....
Re: You son of a bitch....
Re: Re: You son of a bitch....
Thanks
If only SSL was secure
Re: If only SSL was secure
It is not to completely prevent surveillance, that is likely impossible, but to make it as hard as possible.
Re: If only SSL was secure
It's not just about encryption and user privacy.
You gotta get that DMCA shirt back in stock, though. ;)
Whiskey vs Whisky
I'd like to send you guys two bottles of Whisky. Please advise flavor and address where an over-21-year-old can sign.
Congratulations on being 100% unencrypted free!
Ehud
Tucson AZ
Thanks!
Please consider accepting gift cards from other businesses as an alternative (or in addition to bitcoin). Many gift cards can be purchased with cash and there's no learning curve disincentive as there is with bitcoin (for some).
RSS feed still not secure
The link in the page header points to https://www.techdirt.com/techdirt_rss.xml , which gives a 302 redirect to the unencrypted http://feeds.feedburner.com/techdirt/feed . Each article link in the RSS feed then points to pages under (the unencrypted) http://feedproxy.google.com/ , which redirect to pages under (the still unencrypted) http://techdirt.feedsportal.com/ , which finally redirect to the actual articles (which, to be fair, are served over HTTPS).
Stuart
I would be curious to see how much this offsets the ad revenue you end up losing.
Should I? Does it matter?
Here's my quandary - the sites I run do not collect information on site visitors, and all financial transactions are passed off to PayPal. PayPal handles record keeping as well. No credit card numbers on my site, no personal info.
The question is, would it help my site visitors if I started running SSL, HSTS & PFS and all the other stuff the reset the net folks suggest? I'm willing to dive down the rabbit hole, just not all that damn eager.
All the sources I've seen say that in my position, there's no real need. Thoughts?
Re: Should I? Does it matter?
Yes, it would, for a whole host of reasons. It helps to prevent spoofing, it helps to make the practice standard behavior for all websites, and most importantly: in this age of Big Data, even stuff that used to be innocuous, such as which specific pages are being viewed, the text of comments (even if they don't contain obvious identifiers), etc., is sensitive information that deserves protection.
Re: Re: Should I? Does it matter?
Re: Re: Re: Should I? Does it matter?
Re: Should I? Does it matter?
Look up "watering hole attacks". Even if your site is innocuous, it might be the target of an exploit injection attack. Making it HTTPS-only makes it harder to pull that kind of attack (they'd have to hack your server, which risks leaving traces, instead of doing a simpler MITM somewhere).
So yeah, it's worth it. Start small - leave more complex things like HSTS for last.
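Two things in this thread are worth checking mechanically once a site is HTTPS-only: the RSS report above (an https:// link that 302s to an http:// feed host, so the redirect target and everything after it travel in the clear), and the "should I add HSTS" question. The audit below is an added example, not Techdirt's code or the Reset the Net tooling. It follows a redirect chain hop by hop, flags any hop that drops back to plain http after the chain has been on https, and grades the Strict-Transport-Security header on the final response. The fetch function is injected, so the constructed response tables (placeholder hostnames, not real feed services) run offline; to use it for real, plug in a client that does not auto-follow redirects, otherwise the intermediate hops are invisible.

```python
"""Redirect-chain downgrade audit plus HSTS check (added example).

fetch(url) -> (status, headers) is supplied by the caller. The tables at
the bottom are constructed stand-ins for real responses.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def follow_redirects(start_url, fetch, max_hops=10):
    """Return [(url, status, headers), ...] for every hop until a non-redirect."""
    hops, url, seen = [], start_url, set()
    while len(hops) < max_hops:
        if url in seen:
            raise RuntimeError(f"redirect loop at {url}")
        seen.add(url)
        status, headers = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}  # case-insensitive names
        hops.append((url, status, headers))
        if status not in REDIRECT_CODES or "location" not in headers:
            return hops
        # Location may be relative; resolve it against the current hop.
        url = urljoin(url, headers["location"])
    raise RuntimeError(f"more than {max_hops} redirects from {start_url}")


def downgrade_hops(hops):
    """URLs fetched over plain http *after* the chain has already been on https.

    An initial http hop (user typed http://, site redirects to https) is
    expected; a later drop back to http is the problem, because that hop
    and everything after it can be read or rewritten on path.
    """
    seen_https, downgrades = False, []
    for url, _, _ in hops:
        if urlsplit(url).scheme == "https":
            seen_https = True
        elif seen_https:
            downgrades.append(url)
    return downgrades


def parse_hsts(value):
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': True}"""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def hsts_issues(headers, min_age=31536000):
    """Problems with the Strict-Transport-Security header; [] means acceptable."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["missing Strict-Transport-Security header"]
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return ["malformed or absent max-age"]
    issues = []
    if max_age < min_age:
        issues.append(f"max-age {max_age} is below {min_age}")
    if "includesubdomains" not in d:
        issues.append("no includeSubDomains: subdomains can still be reached over http")
    return issues


def audit(start_url, fetch):
    """Chain, downgrade hops and HSTS verdict for one starting URL."""
    hops = follow_redirects(start_url, fetch)
    final_url, _, final_headers = hops[-1]
    # Browsers ignore an HSTS header that arrives over plain http (RFC 6797).
    if urlsplit(final_url).scheme == "https":
        hsts = hsts_issues(final_headers)
    else:
        hsts = ["final hop is plain http; HSTS is ignored on non-https responses"]
    return {
        "chain": [url for url, _, _ in hops],
        "downgrades": downgrade_hops(hops),
        "hsts_issues": hsts,
    }


def fetch_from(table):
    """Build an offline fetch() from a {url: (status, headers)} table."""
    return lambda url: table[url]


# Constructed chains with placeholder hosts. FEED_CHAIN mirrors the feed
# report from the thread: an https link that 302s to an http feed host.
FEED_CHAIN = {
    "https://www.example.com/feed.xml": (302, {"Location": "http://feeds.example.net/feed"}),
    "http://feeds.example.net/feed": (200, {"Content-Type": "application/rss+xml"}),
}
GOOD_CHAIN = {
    "http://www.example.com/": (301, {"Location": "https://www.example.com/"}),
    "https://www.example.com/": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
}

if __name__ == "__main__":
    for name, table in (("feed", FEED_CHAIN), ("good", GOOD_CHAIN)):
        print(name, audit(next(iter(table)), fetch_from(table)))
```

The "start small, HSTS last" advice in the reply above is sound because HSTS is sticky: once a browser has cached a long max-age, any remaining http-only subdomain or third-party redirect becomes unreachable for that user until the policy expires, so run the downgrade check across every entry point (feed URLs included) before turning the header on with a large max-age.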
Uh... hate to rain on the parade, but...
Yeah.
As someone who posts from work...
Re: As someone who posts from work...
Chances are, they still know. Mine certainly does, but then again, they know everything anyway (and I really don't go out of my way to hide it from them.) It isn't like I can hide my Techdirt window whenever my boss comes in when he can just go to Techdirt himself and look up my profile and see everything. Little less of an issue for ACs.
HTTPS doesn't hide the end-points, only the traffic. Piping it through a VPN or Proxy or via SSH-forwarding through an AWS/Hosting Service host might help as well, though it may raise questions and may be more trouble than it is worth. Depends on why you are hiding your comments from work.
Re: As someone who posts from work...
Re: As someone who posts from work...
Good job, but...
No problems with Safari on the same device, so this should be a "it's a slow day, maybe I should look at that old problem" kind of thing... It's probably something for Google to fix...
SHA-1
New certificates use SHA-2, which is based on a similar algorithm but uses much longer key fingerprints, and is therefore much harder to break.