NY Times Urges News Sites To Embrace HTTPS/SSL... In An Article That Can't Be Read Via HTTPS

from the fail dept

Fri, Nov 14th 2014 1:25pm — Mike Masnick

Earlier this year, Techdirt announced that it had gone over to HTTPS as a default to better protect everyone's privacy on this site. As the Freedom of the Press Foundation recently pointed out, it appears that we're one of only three media properties that do so, along with Muckrock and the Intercept. A few others have SSL, but not by default. But most don't even have HTTPS at all.

That's why it was really interesting to see the NY Times publish a piece encouraging news organization to "embrace HTTPS," detailing why it's a good idea, and knocking down many of the excuses that some have used not to move forward. The piece is co-authored by Rajiv Pant, the CTO of the NY Times. Thus, you'd expect that the NY Times has SSL, right? Wrong. Hell, just try to visit that very article with the HTTPS version and you get:

So, kudos to the NYT for pushing HTTPS for news organizations, but it seems like the kind of thing worth doing after you've done it yourself.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: https, media sites, ny times, privacy, rajiv pant, security, ssl
Companies: ny times

22 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 14 Nov 2014 @ 1:38pm

Americans Say They Want Privacy, but Act as if They Don’t
An interesting article in the New York Times: “Americans Say They Want Privacy, but Act as if They Don’t”, by Claire Cain Miller, Nov 12, 2014
Americans say they are deeply concerned about privacy on the web and their cellphones. They say they do not trust Internet companies or the government to protect it. Yet they keep using the services and handing over their personal information. . . .

Wow. Who knew?
[ link to this | view in chronology ]
- Anonymous Coward, 14 Nov 2014 @ 2:16pm
  
  Re: Americans Say They Want Privacy, but Act as if They Don’t
  Obama really is like other Americans after all: Say one thing, do another.
  [ link to this | view in chronology ]
- McCrea (profile), 14 Nov 2014 @ 5:49pm
  
  Re: Americans Say They Want Privacy, but Act as if They Don’t
  Most of the fellow Americans I know say we'll never have privacy.
  [ link to this | view in chronology ]
- Anonymous Coward, 17 Nov 2014 @ 8:54am
  
  Re: Americans Say They Want Privacy, but Act as if They Don’t
  And people continue to use Windows and Mac instead of Linux which is free software... And use Google Chrome... and Gmail... and then cry for privacy.
  [ link to this | view in chronology ]
alanbleiweiss (profile), 14 Nov 2014 @ 1:40pm

Implementation fails
As someone who audits sites for a living, I can't tell you how sad it is out there. Most site managers / devs who roll out HTTPS make big mistakes.

I've seen it do so much harm it's pathetic. And the bigger the site, the more likely there's a lack of proper QA testing overall long before a site tries to go "all" HTTPS.

So this is a perfect example of that.
[ link to this | view in chronology ]
- Mike Masnick (profile), 14 Nov 2014 @ 2:45pm
  
  Re: Implementation fails
  So this is a perfect example of that.
  
  I don't think so. I think this is them not doing it at all, and just saying everyone should. I assume the NYT will be doing it soon, but still odd...
  [ link to this | view in chronology ]
  - alanbleiweiss (profile), 14 Nov 2014 @ 3:13pm
    
    Re: Re: Implementation fails
    I disagree. If you're not going to allow proper https functionality, the correct best practices functionality should have the https version automatically redirect via 301 server redirect to the non https version.
    
    This ensures that anyone getting to the page will actually get a page.
    [ link to this | view in chronology ]
  - The Wanderer (profile), 20 Jun 2016 @ 6:42am
    
    Re: Re: Implementation fails
    More than a year and a half later, I just checked; the article is still accessible at the HTTP link, but the HTTPS link still returns a "could not connect to server" error.
    
    Looks like this was more a "non-binding opinion piece" than anything else...
    [ link to this | view in chronology ]
Anonymous Coward, 14 Nov 2014 @ 1:46pm

This might have been rushed out. In the headline Urgers should be Urges and in the body encrouaging should be encouraging.
[ link to this | view in chronology ]
Anonymous Coward, 14 Nov 2014 @ 2:11pm

Do as I say not as I do, down on the farm we call that a hypocrite. Good to see techdirt on board. Hopefully there will be something more secure, open source, and readily available in the near future.
[ link to this | view in chronology ]
Anonymous Coward, 14 Nov 2014 @ 2:12pm

Is there an opposite for the phrase "preaching to the choir," something like, "preaching by the heathens?"

Well, I guess it would just be "politician speaks," if we're just going for a phrase that covers the utterance of hypocritical statements.
[ link to this | view in chronology ]
Anonymous Anonymous Coward, 14 Nov 2014 @ 2:21pm

Confusion
I am trying to figure out who lives in the glass house and should not be throwing stones; is it the NYT, the article author, every media organization that is not supporting https, or everybody else?
[ link to this | view in chronology ]
Anonymous Coward, 14 Nov 2014 @ 2:28pm

Urgers?
[ link to this | view in chronology ]
Anonymous Coward, 14 Nov 2014 @ 3:04pm

https://plus.google.com/+PierreFar/posts/7hu6HDob2jn & http://newstweek.com/overview refer.
[ link to this | view in chronology ]
markzip (profile), 14 Nov 2014 @ 4:30pm

Tracking and advertising
I suspect that the very biggest reason that the Times has not gotten there yet is revealed in this section:

The Challenges

To successfully move to HTTPS, all requests to page assets need to be made over a secure channel. It’s a daunting challenge, and there are a lot of moving parts. We have to consider resources that are currently being loaded from insecure domains — everything from JavaScript to advertisement assets.

If the assets for an advertisement aren’t able to serve over an HTTPS channel, the advertisement will probably not display on the page, directly affecting revenue. It can be difficult to determine if each advertisement will load over HTTPS. Considering the importance of advertisements, this is very likely to be a significant hurdle to many media organizations’ implementation of HTTPS. While some advertising platforms, including Google’s DoubleClick for Publishers (DFP), do support HTTPS loading, there are still a number of ad networks that may not be HTTPS-compatible.

That particular NY Times article has references to (at minimum) the following third-party resources:
Dynamic Yield, Google Analytics, New Relic, Web Trends, Adobe Typekit, Scorecard Research, Revsci, Chartbeat.

Mike, can you tell us how difficult it was for you guys to go HTTPS? This very TechDirt article is pulling even more third party resources: Bizo, ChartBeat, DoubleClick, Facebook Connect, Flattr, Google Analytics, Google+ Platform, Gravatar, Quantcast, Reddit, Scorecard Research, Twitter Button, Akamai (not sure that counts), Google APIs, Google Tag Services. And possibly others I cannot see.

Just how much of a challenge is it?
[ link to this | view in chronology ]
- Anonymous Coward, 15 Nov 2014 @ 1:50am
  
  Re: Tracking and advertising
  Just how much of a challenge is it?
  A very large one, apparently, since they still aren't finished. The RSS feed, published through Google FeedBurner, still uses plaintext HTTP.
  [ link to this | view in chronology ]
- Anonymous Coward, 16 Nov 2014 @ 3:41am
  
  Re: Tracking and advertising
  https://www.techdirt.com/articles/20140604/16164727464/techdirt-is-now-100-ssl.shtml
  [ link to this | view in chronology ]
Calvin, 14 Nov 2014 @ 4:58pm

HTTPS sucks
I have an older browser and had been reading this site daily for more than three years. When it started using https, my computer started running hot, so I didn't read as much. And something happened in the past month so that I can't read this site at all unless I switch to a browser I hate.

What's the point of https on a site like this? All I want to do is read the posts. What's the point of encryption if I'm not sending credit-card information or other personal stuff? Encryption just for the sake of encryption just seems dumb.
[ link to this | view in chronology ]
- Anonymous Coward, 14 Nov 2014 @ 5:21pm
  
  Re: HTTPS sucks
  What's the point of https on a site like this?
  
  The articles that I choose to read here at Techdirt, that is, the urls of the pages I visit at this site, ought not to be any business or concern of my ISP. Absent a secure connection, anyone in position to eavesdrop on the communication between my browser and Techdirt's server would be in position to determine which articles I read here.
  
  The liberty to read in freedom ought to be cherished. See, generally, Tattered Cover v City of Thorton (Colo. 2002).
  [ link to this | view in chronology ]
Anonymous Coward, 14 Nov 2014 @ 11:43pm

Are we sure this is an actual NYT article or is it some Law enforcement data grab.
[ link to this | view in chronology ]
toyotabedzrock (profile), 16 Nov 2014 @ 1:39am

I'm a bit fuzzy on what use a news site needs ssl for.
[ link to this | view in chronology ]
- Anonymous Coward, 16 Nov 2014 @ 8:30am
  
  Re:
  I'm a bit fuzzy on what use a news site needs ssl for.
  Well, suppose the news site was delivering “communist political propaganda”, as was the case in Lamont v Postmaster General (1965).
  
  Would you want your neighbors, or your employer, or the government to find out you were reading “communist political propaganda”?
  [ link to this | view in chronology ]