The Verge now serves 100 percent of its pages on HTTPS by default, which was a significant undertaking. We asked Ian Carrico, a performance engineer on the Vox Media Product team, to explain what that means, and dive into some of the details.
On March 21st, 2017 we enabled The Verge to be accessible via HTTPS, and today we’re happy to say 100 percent of Verge traffic is being sent through HTTPS by default. With recent actions by Congress, it has become more important than ever to protect our users’ privacy in every way we can. We have been working for over a year to ensure all of our content is ready for an HTTPS-only world, and we’re happy to reach this milestone.
Privacy is hard to protect
Every day there seems to be more stories on privacy being under attack on the web. There are so many attack vectors on the web, it is getting harder and harder to protect a single user’s privacy on a daily basis. HTTPS does not protect against all possible attacks, but it has been important for us to work where we can to ensure users’ privacy.
What does HTTPS protect against?
HTTPS encrypts the traffic between your device and the website you are accessing. It ensures all data, from the pages you read to the form data you input, is encrypted. It protects against snoopers on insecure Wi-Fi, ISPs, or other man-in-the-middle attacks from seeing the content of the websites.
Does this make sure that no ISP can track and sell what you are doing on the internet? No, not completely — there are several requests that are made when you access any website that will not be fully protected. First, the DNS requests are made insecurely by default. These requests can show ISPs the websites that you are visiting— but not the exact pages.
For example, say you’re surfing YouTube. With HTTPS, your ISP will not be able to see that you’re mainly watching cat videos, but they will be able to see that you are visiting YouTube.
Extra steps we’ve taken
Just allowing our sites to be served on HTTPS is not enough — we also wanted to ensure that we could protect our users’ privacy as best as we can at this juncture. So we’ve disabled browsers from showing any insecure content (including images) while visiting our sites. This means any third-party content that is not loaded securely will not be downloaded at all. This also extends to comments, and we will be adding in notifications to remind people to embed only secure images.
We have also enabled HTTP Strict Transport Security headers on our site, preventing a user from being sent back to HTTP once they have visited the site using HTTPS. As of writing, these headers expire quickly (after five minutes), but we will be extending these to ensure that users do not accidentally head back to the insecure version of the site.
What else you can do
First, enable HTTPS Everywhere right now. This project between the Electronic Frontier Foundation and The TOR Project ensures that any site that can be accessed with HTTPS keeps you on the secure version of their site.
If you’re on insecure Wi-Fi or other public networks, always browse the internet on a VPN. There are many products out there that do not log any traffic, and correctly anonymize your traffic as you surf the internet. I’ve been using NordVPN for the past few weeks on my phone and laptop. There are a host of other services you can compare their offerings as well.
A year of work from our engineers
This change was more than just buying a certificate and turning on HTTPS. It has been a year-long effort at Vox Media involving everybody from our server administrators to editors. We did massive alterations to old content to ensure that all of it was completely secure. For us, a lot of work was needed to ensure that not just the websites, but all of our local development machines, staging servers, and internal services were ready.
While we’ve wanted to make this change since 2015, and many folks had made small steps toward this goal, nobody had taken up the full project. In early 2016, I wrote up a project plan to move us over to HTTPS and began work. At first, most of the work was communicating with the many teams at Vox what needed to change. There were several audits done for the third-party services we used, as well as internal services (such as video) that needed to be updated. I could write an entire post thanking the dozens of engineers who made the hundreds of small changes throughout various code bases, the hours that our advertising teams put in communicating with partners or updating the thousands of slots that needed a URL change, or how helpful our editorial teams have been to push for better video embeds and ensuring we still have the best content on the web.
Some of the larger changes that were made to ensure we had complete support were:
- Utilizing Let’s Encrypt on all of our staging servers to ensure developers could test all of our sites.
- Rewriting all of our advertising code to remove vendors who were insecure, and writing custom code to ensure we had full HTTPS support.
- Changing many staging URLs to ensure we had the right certificates (e.g., instead of using staging.service.voxmedia.com, we used staging-service.voxmedia.com)
- Mass-edited all of our previous feature content to ensure that we used only secure URLs.
- Built new systems within our editor to check for secure content, and alert our writers that insecure content was going to be blocked
None of this was done in a vacuum. We’ve been working with other media companies to learn from their experience moving to HTTPS, from The Washington Post to Wired. We were able to gain valuable insight and more thoughtfully make our own transition. In fact, I copied some of our security headers from Zack Tollman’s work at Condé Nast, and he was a valuable resource in this entire transition.
What’s coming next
This announcement is not to say that we are done! We have a lot more planned with HTTPS in the future. We are planning on starting the move for SB Nation and all of the related blogs over to HTTPS in the next couple weeks. We will also be enabling longer HSTS headers as soon as our initial testing of HTTPS is complete, which we expect to be later this month.
The move to HTTPS also gives us exciting new technology to work with. We have already enabled HTTP/2, enabling faster load times on our site. We are working on tests to utilize this new protocol even more and further decrease our own load times. We also are making plans to design an experience with new browser APIs, such as service workers, that require full HTTPS support. All of this will enable a richer, faster user experience across The Verge and all other Vox Media networks.
Edit 5/1: Removed sentence concerning the first URL being sent unencrypted. The TLS handshake does not include the full URL.