We’ve made a huge change here at WIRED. We’re now encrypting everything that moves between our servers and your browser. Stories. Videos. Ads. Everything. That means no one can tinker with our content before it reaches you.
Take a look at the address bar of your browser. You should see a little green padlock icon. You may also see that our URL has the letters “https” in front of it, instead of the usual “http.” This means that your connection to our site is encrypted. If you’ve been playing close attention, you may have seen this on certain parts of our site before. We started protecting connections to our Security section last April, but now every single page on Wired.com should be delivered to your browser over an encrypted connection now.
That’s bigger than it sounds. Encryption makes it harder for someone to “impersonate” our site by forwarding you to a fake version of Wired.com, whether the attacker is a cybercriminal or a repressive government. With HTTPS enabled, you can be sure that you’re visiting the real Wired.com, and you’re seeing our articles exactly as we intended them. Many big sites now offer HTTPS, including Google Search and Facebook.
But if HTTPS is so great, why didn’t we do this sooner? Because, frankly, it’s pretty hard for a site like ours, which has been around for 23 years, to implement. We hope to make it easier for other media organizations to make the change, so we’ve published a technical article outlining what we did and the challenges we faced. But if you want a less technical explanation of what we did and why, then read on.
Website encryption isn’t new. HTTPS depends on an encryption protocol called Transport Layer Security, or TLS, which has been around since 1999 and essentially replaced an earlier standard called Secure Socket Layer, or SSL, which was first released in 1995. SSL made it possible for websites to collect credit card information over the web by encrypting the data as it traveled over the web so someone snooping on your connection couldn’t intercept your details, and by using cryptographic certificates to ensure that you were handing over your info to the right website. But in the early days, these standards were primarily used only to protect credit card transactions online, not entire websites. After all, blogs and wikis and band and restaurant websites were available to the public, so why encrypt them?
Then, in 2010, a software developer named Eric Butler released a free tool called FireSheep that showed just how easy it was to hijack someone’s credentials over a shared Internet connection, such as a public WiFi hotspot. That helped boost awareness of all the ways hackers could take advantage of unencrypted Internet traffic. More sites started adding HTTPS to protect, at minimum, their login pages. But people started realizing that even public-facing websites needed more protection.
One of the biggest dangers is that a government that controls an Internet service provider can redirect users to fake versions of sites, such as Wikipedia, to spread propaganda and the end-user would never know the difference. It’s also possible for an attack to use malware to hijack your browser, sending you to fake sites in order to collect your passwords—or even trick you into downloading even more malware by sending you to the wrong place to download, say, a different web browser or an instant message client.
Over the years, sites like Google, Facebook and Wikipedia made the switch to all-HTTPS connections. After Edward Snowden revealed the extent of the US government’s online surveillance, the call for widespread encryption grew stronger. In 2014, Internet advocacy group Encrypt All the Things to promote widespread use of HTTPS, and earlier this year, a group called Let’s Encrypt began giving away free TLS certificates to anyone. The barrier to entry is now lower than ever.
WIRED has been advocating HTTPS for years, but actually implementing it was a big technical and organizational challenge. As we explained at the time, making HTTPS work site-wide meant making sure every single piece of content–every image, ad, or embedded video we’ve posted over the past 23 years–was served over HTTPS. And we had to work with our advertisers to make sure that all the images, pieces of JavaScript code and other files they provide us are also delivered over HTTPS.
We started our transition last year by working with our advertising partners to ensure that they provided us their content over secure connections, and we rolled out our first encrypted section in April of this year. We originally planned to expand this trial to the rest of the site in May, but we ran into a few problems. After the switch, for instance, we noticed a big drop in the number of people visiting our security section via Google and other search engines. Some visitors saw esoteric error messages when visiting pages that still had some traces of HTTP content. And some pages simply failed to load.
Most of those errors were quick fixes, but dealing with our search engine traffic—and making sure every single piece of content is delivered over a secure connection—took time. We changed the way we redirect our old, unencrypted HTTP pages, updated our sitemaps to reflect the new URLs and have fixed countless examples of mixed HTTP and HTTPS content on our site. And, ultimately, we made things work (for a full run-down of our trials and tribulations, check out this post from our very own Zack Tollman).
It may have taken longer than we hoped, but we’re still among the first major publications to make the change. We hope our work will inspire and guide other publications and websites to encrypt all of their traffic. We all owe it to our readers to keep you safe.
