Before you enter your credit card into an unknown website, you probably (hopefully) check your browser for the padlock icon that means your connection to that site uses HTTPS encryption, which helps prevent hackers and eavesdroppers. But you probably don’t apply that same perfunctory padlock check to news sites, despite the fact that a media outlet’s lack of encryption can endanger journalists’ sources, expose your reading habits, and even allow censorship and tampering with stories. Now a new, constantly updated encryption ranking site performs that check for you—and may just help push more news organizations to better lock themselves down.
On Thursday, the Freedom of the Press Foundation launched Secure the News, a project that automatically scans more than a hundred media websites and grades their use of encryption. The tool doesn’t merely check if news sites are encrypted; it also analyzes the finer tuning of their HTTPS, highlighting factors like whether they implement encryption by default, and their vulnerability to so-called HTTPS downgrade attacks that can strip away their protections. For now, it’s a grim report card: 75 of the 104 sites received a D or F, and only 4 received an A for their encryption efforts.
The goal of that harsh grading, says FPF engineer Garrett Robinson, is to pressure the majority of news sites that haven’t considered implementing encryption to add it, and to incentivize those who do use it to make security tweaks that won’t ever be visible to most visitors. “We’re trying to promote the adoption of best practices for digital security by news organizations with the intention of protecting the security and privacy of their readers, their sources, and their employees,” says Robinson. “This ought to be the standard for the web and for the news industry.”
All the News That’s Fit to Encrypt
HTTPS encryption has become the standard for any site where visitors enter credit card details or passwords. Without it, anyone from the hacker on your Starbucks Wi-Fi network to your internet provider to any government agency can see your private data. But it remains a tougher and less obvious upgrade for media outfits. Rather than the relatively static pages of banks and retailers, news sites often assemble pages on the fly from a mix of sources, including advertising networks over which they have little or no control.
For your browser to consider a site HTTPS, all of those distinct pieces have to be encrypted. That presents a significant hurdle that keeps sites from flipping the encryption switch even when they actively want to. When WIRED decided to implement HTTPS in April of this year, for example, the full rollout took five months, with plenty of snags along the way. It currently rates a B+. The New York Times called for news sites to move to HTTPS in 2014, but still hasn’t made the switch. (It currently rates a D on the Secure the News ranking, escaping an F only because putting HTTPS in front of its address redirects to the non-encrypted site.)
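The "all of those distinct pieces" requirement is what a mixed-content check looks for: any script, stylesheet, image, or frame a page pulls in over plain http:// keeps the browser from treating the page as HTTPS. The scanner below is an added example, not code from WIRED, Secure the News, or any news site; it assumes the page’s HTML has already been fetched, and SAMPLE_HTML and the hostnames in it are constructed.

```python
"""Finds subresources a page pulls in over plain http://, the "mixed
content" that stops a browser from treating the page as HTTPS.

Added example, not code from WIRED, Secure the News, or any news site. It
assumes the page's HTML has already been fetched; SAMPLE_HTML and the
hostnames in it are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that make the browser fetch something.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "link": ("href",),
}
# <link> only fetches for these rel values; rel=canonical and friends do not.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload", "prefetch"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []   # (tag, absolute URL) pairs loaded over http://
        self.checked = 0     # subresource references examined

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = (attrs.get("rel") or "").lower().split()
            if not FETCHING_LINK_RELS.intersection(rels):
                return
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # urljoin resolves relative and protocol-relative ("//cdn/x.js")
            # references the way the browser does, against the page's scheme.
            absolute = urljoin(self.page_url, value.strip())
            self.checked += 1
            if urlsplit(absolute).scheme == "http":
                self.insecure.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Return [(tag, url), ...] for every subresource loaded over http://."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.insecure


# Constructed page: an HTTPS story page with two insecure pieces.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="canonical" href="http://news.example.test/story">
<script src="https://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/analytics.js"></script>
</head><body>
<img src="/images/lede.jpg">
<img src="http://ads.example-adnet.test/banner.gif">
<iframe src="https://video.example.test/embed/1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://news.example.test/story", SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
```

Run against the constructed page it reports the stylesheet and the ad banner, and nothing for the protocol-relative analytics script, which inherits the page’s https scheme. It only inspects HTML markup; requests made from CSS (@import, url()) or from scripts at runtime need a browser-driven check, which is one reason an ad network the site does not control can still break its padlock after the markup looks clean.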
But Robinson argues encrypting the news is worth the effort. It prevents eavesdroppers from knowing who reads news stories on specific, sensitive topics, like classified leaks or medical issues. It protects potential sources or whistleblowers who visit the contact pages of reporters, or click through to explanations of how to use a site’s anonymous leaking tools like SecureDrop or GlobaLeaks. And it prevents interlopers from tampering with connections to insert fake content, malware-laced ads, or to censor specific news stories, as countries like Iran and China have done. “They have to choose between blocking the entire site or not censoring at all,” says Robinson. “When oppressive regimes are faced with that choice, they tend to back off.”
A Regular Check-Up
Aside from merely whether they offer an encrypted version of their site, Secure the News’s automated scanner crawls through sites and grades them based on factors like whether that encrypted version is the default seen by visitors or merely an option, as in the case of the tech news site Gizmodo or Bostonglobe.com. It gives extra kudos to sites that protect users from techniques that strip away HTTPS encryption through a downgrade attack that surreptitiously tricks their browser into loading the unencrypted version of the site. That hack can be prevented through the use of a security feature called HTTP Strict Transport Security (HSTS), and in the best case through a feature known as preloaded HSTS, which ensures only the HTTPS version of a site loads through a locked-in agreement with the user’s web browser. On Secure the News’s ranking, only the surveillance-focused news site The Intercept offered that HSTS feature, earning it the only A+ grade. (Two of the site’s creators, perhaps more than coincidentally, also sit on the Freedom of the Press Foundation’s board.)
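The factors this paragraph lists (HTTPS offered, HTTPS by default, an HSTS policy, and a preload-ready policy) can be turned into a small grader. The code below is an added example, not Secure the News’s own crawler or scoring: it grades a constructed Observation of what a crawler would have recorded for a site, parses the Strict-Transport-Security header as RFC 6797 defines it, and applies the max-age, includeSubDomains and preload criteria that hstspreload.org lists for submission. The letter-grade mapping and the example domains are assumptions made for illustration.

```python
"""HTTPS posture grader modelled on the factors the article describes.

Added example, not Secure the News' own crawler or scoring. It grades a
constructed Observation of a site: does https:// load, where does http://
end up after redirects, and what Strict-Transport-Security (HSTS) header
the https response carries. The letter-grade mapping is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Criteria hstspreload.org lists for submission: max-age of at least one
# year, includeSubDomains, and the preload directive.
PRELOAD_MIN_MAX_AGE = 31_536_000


@dataclass
class HSTSPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

    def preload_ready(self) -> bool:
        return (self.max_age >= PRELOAD_MIN_MAX_AGE
                and self.include_subdomains and self.preload)


def parse_hsts(header: Optional[str]) -> Optional[HSTSPolicy]:
    """Parse an RFC 6797 Strict-Transport-Security value.
    Returns None when the header is absent or max-age is missing/invalid,
    which is how a browser treats it: no policy at all."""
    if not header:
        return None
    max_age = None
    include_sub = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HSTSPolicy(max_age, include_sub, preload)


@dataclass
class Observation:
    domain: str
    https_loads: bool            # https://domain/ served a page with a valid cert
    http_final_url: str          # where http://domain/ lands after redirects
    hsts_header: Optional[str]   # STS header seen on the https response


def grade(obs: Observation) -> Tuple[str, List[str]]:
    """Return (letter grade, findings). Each step closes one gap: no HTTPS ->
    everything is readable; HTTPS optional -> readers get http by default;
    no HSTS -> the first http request of every visit can be downgraded;
    not preload-ready -> the very first visit is still unprotected."""
    if not obs.https_loads:
        return "F", ["https:// does not load"]
    if urlsplit(obs.http_final_url).scheme != "https":
        return "D", ["HTTPS available but http:// is not redirected to it"]
    policy = parse_hsts(obs.hsts_header)
    if policy is None:
        return "C", ["HTTPS by default, but no valid HSTS header"]
    if not policy.preload_ready():
        return "B", [f"HSTS max-age={policy.max_age}s but not preload-ready"]
    return "A", ["HSTS preload-ready (confirm inclusion against the browser preload list)"]


# Constructed observations, not real measurements of any site.
SAMPLES = {
    "plain.example.test": Observation("plain.example.test", False, "http://plain.example.test/", None),
    "optional.example.test": Observation("optional.example.test", True, "http://optional.example.test/", None),
    "default.example.test": Observation("default.example.test", True, "https://default.example.test/", None),
    "hsts.example.test": Observation("hsts.example.test", True, "https://hsts.example.test/", "max-age=3600"),
    "preload.example.test": Observation("preload.example.test", True, "https://preload.example.test/",
                                        "max-age=31536000; includeSubDomains; preload"),
}

if __name__ == "__main__":
    for domain, obs in SAMPLES.items():
        letter, notes = grade(obs)
        print(f"{domain:24} {letter}  {'; '.join(notes)}")
```

A header that a browser would ignore (no max-age, or a non-numeric one) is graded as if absent, because that is what the browser does. Serving a preload-ready header is also only half of preloading: a site is protected on its first-ever visit only once it actually appears in the list shipped with browsers, which the grader flags rather than assumes.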
The media industry isn’t being uniquely singled out. 2016 has been, in many ways, the year of HTTPS: Google announced that it will soon punish any non-HTTPS site that accepts passwords or credit cards with a “not secure” warning in Chrome. The Center for Democracy and Technology and the adult industry trade group the Free Speech Coalition launched an initiative to encourage adoption of HTTPS on porn sites. And the non-profit Let’s Encrypt helped millions of sites make the transition to HTTPS by offering free “certificates,” the encryption keys that allow sites to initiate secure connections with browsers.
And while the vast majority of popular media sites ranging from CNN to NPR to the Wall Street Journal utterly fail the site’s tests today, Robinson says he’s still optimistic about major news organizations adopting encryption. After all, sites like the WashingtonPost.com and the Guardian.co.uk have made the switch to HTTPS in just the last year, and Robinson hopes more will follow. “Now seems like a good time to launch this thing,” Robinson says. “I think the industry is beginning to pick up steam.” And if his tool can create some healthy competition among news sites to out-encrypt one another, so much the better for every reader, source, and reporter on the web.