The last year has seen enormous progress in encrypting the web. Two categories in particular have made extraordinary strides: news sites and US government sites. The progress in those fields is due to months of hard work from many technologists; it can also be attributed in part to advocacy and sound policy.
Freedom of the Press Foundation has been leading the call for news organizations to implement HTTPS. In December 2016, it launched Secure the News, which tracks HTTPS deployment across the industry, grading sites on the thoroughness of their implementation.
News sites are particularly hard to move to HTTPS because they often host archives stretching back years or decades, and those archives can contain embedded images, JavaScript, and videos from many different domains. That embedded content additionally has to be upgraded to HTTPS, which can mean upgrading many different subdomains, wrangling third-party hosting providers, and renegotiating CDN contracts. However, in the last year, many news sites have overcome the difficulties and deployed HTTPS in one form or another:
- Wired, April 2016
- BuzzFeed, May 2016
- TechCrunch, June 2016
- The Guardian, November 2016
- Quartz, January 2017
- New York Times, January 2017
- Ars Technica, January 2017
- The Next Web, January 2017
- FiveThirtyEight, January 2017
We applaud Wired in particular for documenting its process of achieving full HTTPS in a series of posts discussing its progress and providing useful advice for other sites switching to HTTPS.
The US government has also made great progress in securing its own websites. This is due in large part to the smart HTTPS-Only Standard issued in 2015 by the Office of Management and Budget. The standard mandates secure connections for federal websites. The General Services Administration tracks adoption of the standard with its website Pulse.
According to 18F, “HTTPS/HSTS use in the U.S. government looks to have outpaced the broader internet.” This is based on comparing research by Mozilla’s April King showing that about 33% of Alexa Top 1M sites support HTTPS, compared to 70% of federal government domains according to Pulse.
The common thread between the news industry’s huge progress and the federal government’s huge progress in deploying HTTPS? Metrics. Like EFF’s 2013 Encrypt the Web Report, Pulse and Secure the News provide important insight into how much progress is being made, and an incentive for individual sites to improve. It turns out that Pulse and Secure the News share a common ancestry: they are based on a tool called “pshtt,” released under a CC0 public domain dedication by the Department of Homeland Security and 18F. Pshtt makes it easy to scan sites for basic HTTPS implementation best practices and assemble a dashboard.
Under the Federal Source Code Policy, agencies are required to release at least 20 percent of custom-developed code as open source software and are “strongly encouraged” to release as much as possible. EFF applauds open source government software; as we wrote last August, code written by government employees is, by law, in the public domain and should be available to the public. We recommend that the next revision of the Federal Source Code Policy reflect that, by creating an “open-by-default” rule in place of the current 20 percent rule, regardless of whether the code was written by government employees or contractors.
The federal government is taking another bold step in securing its web presence: all newly-issued executive-branch domains under .gov will soon strongly enforce HTTPS. All newly registered domains will automatically be added to browsers’ HSTS preloading lists, ensuring that people visiting those domains will only connect over HTTPS. This change is particularly valuable and important because the easiest time to make a website use HTTPS is when it is first launched.
January also saw two other important steps in encrypting the web:
- Chrome and Firefox began to mark as non-secure any page that uses HTTP and has a password field.
- Crossref announced new guidelines asking academic publishers to use HTTPS
Congratulations to all the hard-working folks that are part of the movement to encrypt the web. If your web site does not yet use HTTPS, visit our Encrypt the Web page for more information about why and how to encrypt your site.