BuzzFeed And HTTPS

    Some of our eagle-eyed readers may have noticed a small padlock icon in their browser’s address bar when visiting BuzzFeed.com. That padlock means that BuzzFeed is being served to you over HTTPS: ordinary HTTP, the protocol that carries most of the web’s traffic, wrapped in an encrypted and authenticated connection. It is a much more secure version of traditional HTTP.

    What does it do?

    In simple terms, HTTPS provides two primary security benefits: encryption and verification. Encryption scrambles the data that passes between your web browser and BuzzFeed’s servers, making it extremely difficult for “bad guys” (a hostile state, a criminal enterprise, or just a nosy neighbor stealing your wifi) to see which articles you read, what you search for, or what you type into a form. (An eavesdropper can still see that your browser connected to BuzzFeed, but not what you did once you got there.) Encryption has been getting a lot of press lately, but the principles behind it have been around for thousands of years.

    Verification is a lesser known but equally important benefit of HTTPS. It helps prevent what is called a Man-in-the-Middle attack, or MITM attack. Anyone who sits on the network path between you and a website (the operator of a wifi hotspot, your ISP, a government) can silently rewrite the content of any non-HTTPS page before it reaches your browser, and you would have no way of knowing. This means an attacker can modify news stories to change or remove information, or change the contact details on a BuzzFeed contributor’s author page so you see a fake account the attacker controls.

    If you click on the lock icon in your browser, you can examine BuzzFeed’s “certificate”, which is how your browser confirms that the server it is talking to really is BuzzFeed and not an impostor. Because the connection is also protected against tampering, the page you see is the one our servers sent, not one modified along the way.

    Why we did it

    BuzzFeed switched to HTTPS primarily because we want to protect our readers and staff while they use our site. We want LGBT readers in Uganda to be able to learn about troubling developments in their country without exposing themselves to authorities who are likely sniffing their web traffic. We want sources to be able to contact our investigations team discreetly by verifying our reporters’ PGP fingerprints on our site (a fingerprint displayed over plain HTTP could be swapped for an attacker’s in transit). And we need our readers to trust that what they read on the BuzzFeed site is exactly what we’ve intended for them to see, and not tampered with by some nefarious actor. HTTPS is the foundation for all of that.

    Candidly, it’s easier for us to do this than most traditional media outlets. What prevents many sites from switching to HTTPS is that every resource a page embeds, including third-party ad content, has to be served over HTTPS as well as the site’s native content: an HTTPS page that loads scripts or frames over plain HTTP (“mixed content”) is blocked or flagged as insecure by browsers, and many ad networks have been slow to support HTTPS. Our native advertising model lets us avoid that issue. On the other hand, it was still a significant challenge for our engineering team to ensure that all of our embedded content (tweets, instagrams, youtube videos, etc.) is served over HTTPS. Fortunately most of the major platforms we embed are already doing it.
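    The embedded-content audit described above is the kind of thing an engineering team scripts before flipping the switch. The following is an added example, not BuzzFeed’s own tooling: it walks an HTML page, finds every embedded resource loaded from a plain http:// URL, and separates the ones a browser will block outright (active content such as scripts, stylesheets and iframes) from the ones it will merely warn about (passive content such as images and video). The sample page and the example.test hostnames in it are constructed for the demo.

```python
"""Mixed-content audit for a page about to move to HTTPS.

Added example (not BuzzFeed's code). Finds subresources fetched over plain
http:// in an HTML document and classifies them as "active" (scripts,
stylesheets, iframes, objects, form targets) or "passive" (images, media).
Relative and protocol-relative (//host/...) URLs inherit the page's scheme
and are therefore not reported.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that carry a fetchable URL, per tag.
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "audio": ("src",),
    "video": ("src", "poster"),
    "form": ("action",),
}
# Active mixed content can run code, restyle the page, or (for forms)
# carry user input in the clear; browsers block the script/style/frame cases.
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed", "form"}


def is_plain_http(url):
    """True only for absolute http:// URLs (scheme compared case-insensitively)."""
    return urlsplit(url.strip()).scheme.lower() == "http"


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url, severity)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return  # rel=canonical/alternate links are not fetched as subresources
        for attr in URL_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset holds "url descriptor, url descriptor, ..." pairs
            if attr == "srcset":
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for url in candidates:
                if is_plain_http(url):
                    severity = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((tag, attr, url, severity))


def scan(html):
    """Return the list of (tag, attribute, url, severity) mixed-content findings."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def report(html):
    """Group findings by severity for quick triage: {'active': [...], 'passive': [...]}."""
    out = {"active": [], "passive": []}
    for tag, attr, url, severity in scan(html):
        out[severity].append(f"<{tag} {attr}> {url}")
    return out


# Constructed sample page: a mix of already-HTTPS embeds and legacy http:// ones.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://www.example.test/post/123">
<script src="https://platform.twitter.com/widgets.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
</head><body>
<img src="//img.example.test/hero.jpg" srcset="http://img.example.test/hero@2x.jpg 2x, /hero.jpg 1x">
<iframe src="https://www.youtube.com/embed/abc"></iframe>
<iframe src="http://embed.example.test/widget"></iframe>
<video poster="http://img.example.test/poster.png"><source src="https://media.example.test/clip.mp4"></video>
<form action="http://forms.example.test/submit"></form>
</body></html>
"""

if __name__ == "__main__":
    for severity, items in report(SAMPLE_PAGE).items():
        print(f"{severity} ({len(items)}):")
        for item in items:
            print("   ", item)
```

    Run against the sample page it reports four active findings (the stylesheet, the legacy script, the http iframe and the form target) and two passive ones (the 2x image in srcset and the video poster); the canonical link, the protocol-relative image and the HTTPS embeds are correctly ignored. Pointing the scanner at real rendered pages (rather than templates) matters, because embeds are often injected by scripts at render time.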

    We also owe a lot to the early movers in this space, particularly the Washington Post whose engineering team provided us with tips from their own experience switching to HTTPS.

    Moving to HTTPS is clearly the way forward for the industry overall. Over a year ago, Google encouraged website owners to embrace HTTPS, and in doing so, promote web security and secure browsing. The company has since announced that it will provide slight ranking boosts for HTTPS URLs and that its indexing system will look for HTTPS versions of pages and index those by default. What does that mean in plain English? Where two pages from the same domain have the same content, Google will typically prefer the HTTPS page over the regular HTTP one.

    Google isn’t the only major player pushing for HTTPS: The White House is requiring all publicly accessible federal government websites to use HTTPS by default by the end of 2016. The White House’s Office of Management and Budget explained that the new federal standard better protects private information from malicious actors, recognizing that plain HTTP can’t be relied upon to protect the confidentiality and integrity of data.

    For companies that care about the privacy and security of their users, HTTPS is the only way to go.

    So HTTPS will save the internet?

    Not exactly. HTTPS isn’t a silver bullet for internet security. It’s just one part of a long process towards helping protect users’ data and information from those who want to exploit it. HTTPS protects the connection, not the endpoints: it does nothing against a phishing site that has a perfectly valid certificate of its own, malware on your computer, or a break-in at the server. Criminal organizations and lone-wolf hackers are constantly searching for new ways to access such data, while many governments (including the US) are trying to bypass encryption with a regulatory approach. This means you still need to practice safe browsing habits.