Checking in on my Twitter feed this morning, I saw a local journalist shared a new story about a Mississippi politician doing something I didn't like. Shocking, I know. However, when the paper's site loaded in my browser, I was alerted that the connection was not private after HTTPS Everywhere forced an HTTPS URL. Womp womp. This made me wonder about the other popular local papers, too. Here's what I learned, and why I think it's important to call this out.
Mississippit Today's site can be served over HTTPS in its entirety. This is great, but it would be better if the site redirected HTTP traffic to HTTPS, forcing the use of encryption.
The Clarion-Ledger's website cannot be served over HTTPS.
Additionally, if you elect to continue to the site despite the privacy warning, you'll see that the Ledger's site breaks entirely.
Jackson Free Press
The Jackson Free Press website doesn't load at all over HTTPS. No warnings, no site.
In the interest of full disclosure, for what it's worth, I used to work at the Jackson Free Press years ago as their in-house web developer.
The Jackson Advocate's website, similar to the JFP's, does not load at all over HTTPS.
Why does this matter?
These local news orgs are not alone in their incomplete use of encryption. Secure the News, a project of the Freedom of the Press Foundation, monitors news sites for their implementation of encryption, and reports that "45% of news sites offer HTTPS, 28% default to HTTPS, [and] 0 sites [are] committed to change."
Providing a secure connection via HTTPS is a signal to a visitor that what they're seeing on your site is what you intend them to see. If you fact-check your sources, you cannot ignore the integrity of the distribution of your content.
Internet privacy has been in the news a lot lately with the US government giving ISPs a thumbs-up to sell users' browser histories, along with security concerns while the US and UK attempt to weaken encryption in a backwards attempt to boost security. So, now more than ever, organizations—large and small—ought to take steps to demonstrate to their audiences that both privacy and security are values they uphold.
Now, if security is a big concern, why isn't everything encrypted already? Mostly because it's seen as overkill, expensive, and difficult to implement. I could not disagree with these reasons more.
First, HTTPS is necessary for every site on the web and not just the sites that collect sensitive information.
Here's what Kayce Basques, Technical Writer at Google, has to say about the importance of HTTPS for protecting the integrity of your website.
Additionally, sites that don't think they need HTTPS are the very sites that need HTTPS the most, as they'll become the easiest targets. Blogs and other sources of information garner high traffic and, if compromised, can spread malware and leak sensitive data.
Another reason to provide HTTPS is that it protects your visitors privacy. Say an ISP looks at your web traffic, when browsing a site over HTTPS, you would only be shown as visiting a particular site, your activity on the site would not be easily observed*. Browsing a site without HTTPS, and everything you see and do can be seen by your ISP. Adrienne Porter Felt's infographic illustrates this nicely:
Coming back to the topic of local newspapers specifically, I'm sure that a big concern over encryption (and security in general) is cost, both financial and time.
Sites can now obtain an SSL or TLS certificate from LetsEncrypt for zero cost. In addition, many web hosts have built in deployment tools for these certificates, making it easy to sign up for and renew your certificates, thereby minimizing the time spent on maintaining your new site encryption.
I won't offer some prescriptive plan for these newspapers. There's a lot of moving parts to consider when implementing HTTPS, and you can't come up with some blanket way to do it. You have to consider tracking and analytics and advertising and other things.
But it bears repeating: if you fact-check your sources, you cannot ignore the integrity of the distribution of your content.
HTTPS is one step toward securing your site. Here's information on what more can be done: