In February, Emily Schechter, the Chrome Security Product Manager at Google, announced in a blog post that beginning with the release of Chrome version 68, “Chrome will mark all HTTP sites as ‘not secure’.” This means that Chrome users will see a visible warning next to the Web address for sites using unencrypted HTTP to serve up pages—a warning that Google has been rolling out slowly over the past few months, starting with pages that have forms requesting information.
Chrome 68 ships this month, so the deadline to avoid its “badge of shame” is looming. Some major sites are pressing to beat the deadline—the BBC recently made the move to HTTPS by default for its websites, as BBC News principal software engineer James Donohue recounted in a Medium post on July 6. But other major news sites—including Fox News, Time, and Newsweek—still leave their traffic unencrypted. As a result, they leave their Web content vulnerable to code insertion by Internet service providers or by malicious third parties that manage to place themselves between sites and their readers.
Admittedly, it’s not easy for major sites to switch to secure HTTP. Ars Technica went to HTTPS by default in January 2017, after a major engineering effort. Accommodating our own static and dynamic content systems, as well as third-party content (including advertisements and content from other Condé Nast sites), complicated the task. For sites with the amount of content and traffic that Fox News, Time, and Newsweek handle, it’s a big task.
Yet it’s one that the majority of major news sites have already tackled. The New York Times turned on HTTPS about the same time Ars did, while The Guardian had moved to HTTPS a few months earlier. In fact, Fox News is the only site among the top 25 news sites worldwide to have not adopted HTTPS.
Sites like Fox, Time, and Newsweek do encrypt some pages, such as those that accept payments for subscriptions. But there are compelling reasons to encrypt news sites that go beyond payment security or getting Google to raise a search score. With ISPs increasingly free to inject content into network traffic, and with attacks based on malicious Border Gateway Protocol advertisements that allow someone to “man in the middle” webpages (as the NSA was shown to have done in some of its operations), unencrypted news sites could have malicious advertisements or fake news content injected into them. And even without malicious action, the content viewed by users of these sites could easily be collected by ISPs to gather data about users.
The persistence of HTTP traffic isn’t a huge surprise, sadly. While Google’s Schechter said that 68 percent of webpages rendered by Chrome on Windows and Android are now encrypted—and over 78 percent in Chrome on MacOS and ChromeOS—a significant percentage of the content on the Internet remains on HTTP. In a February analysis of the top one million websites (based on data from Amazon’s Alexa), security researcher Scott Helme found that 60 percent of sites still don’t use HTTPS by default.