
HTTPS on NYTimes.com - el_duderino
https://open.blogs.nytimes.com/2017/01/10/https-on-nytimes-com/
======
toomanybeersies
It's nice to see more news media moving towards using HTTPS.

NYTimes now joins a small club, alongside the Guardian and the Washington
Post.

Here's a dev blog post on the WaPo moving to https:
[https://developer.washingtonpost.com/pb/blog/post/2015/12/10...](https://developer.washingtonpost.com/pb/blog/post/2015/12/10/moving-the-washington-post-to-https/)

And one on the Guardian moving to https:
[https://www.theguardian.com/info/developer-blog/2016/nov/29/...](https://www.theguardian.com/info/developer-blog/2016/nov/29/the-guardian-has-moved-to-https)

~~~
redcastle
Google Chrome is supposed to soon start flashing a "not secure" warning on
HTTP sites that have password forms [0]. That's probably at least one
motivation for these publisher moves to HTTPS.

[0] [https://security.googleblog.com/2016/09/moving-towards-more-...](https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html)

~~~
mparlane
What happens with local LAN machines, like the admin webpage for your wireless
access point? It's not like they can go HTTPS?

~~~
hirsin
This is an issue we're encountering. One solution is trust on first use of a
self signed cert, which makes the scary untrusted page a one time cost. This
isn't terribly easy in the browser though. With more IOT devices entering the
market, this could become a more common issue.

Using https for a local network connection will also be more common, in the
case you decide you don't trust the network.

~~~
kelnos
I think for the case of the home router admin page (or really any admin page
on your local network), the browser can easily detect that it's being served a
page on the local net, and could provide a less scary warning that has some
text that acknowledges that you're on your local net and that either ignoring
the password form security warning (for http) or accepting the self-signed
cert (for https) is probably ok. Whether they'll do this is another
question...

~~~
Whitestrake
It absolutely makes sense not to display warnings that HTTPS isn't in use in
circumstances where HTTPS is not feasible - i.e. local addresses. It's simple
enough for a browser to determine. I don't think conditionally accepting a
self-signed cert is necessary.

------
mtkd
They mention it has been a complex undertaking and not complete yet - does
anyone know why they can't just sit a traffic manager in front of everything
with SSL offloading?

Also does anyone know what the new personalisation features are that they
mention being able to offer now HTTPS in place?

~~~
justinph
At any large media organization, there are tremendous amounts of content no
longer connected to any CMS that may have hard-coded insecure links/resources
in them. Some of them may live on obscure servers or domains. Or the
developers/journalists who worked on them and have knowledge of their
construction are long gone. These pages are very laborious to find and update.

If you don't mind 404ing or breaking a ton of your old content, it's probably
not too difficult. But if you're the newspaper of record, it's a big deal that
URLs live on and continue to work as expected.

~~~
kelnos
You also mention "insecure resources", which I think is a big deal too. I'd
imagine there'd be the odd hard-coded http link to an image that serves an
important purpose to an article... that suddenly going missing because a
browser refuses to load it would be bad.

But I think you hit the nail on the head -- being the "newspaper of record"
means you want to ensure that all your content displays like it did the day it
was published.
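The "hard-coded insecure resources" the two comments above describe are exactly what browsers flag as mixed content. As an added example (not code from the thread or from the NYT), here is a small scanner that walks archived article HTML and reports subresources still loaded over plain http; the sample page and its hosts are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that fetch a subresource; browsers block or warn on these
# once the page is HTTPS. Plain <a href> links are navigation, not mixed content.
RESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("video", "src"),
    ("audio", "src"), ("source", "src"), ("object", "data"), ("embed", "src"),
}

class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, url) for every hard-coded http:// resource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        candidates = [a for t, a in RESOURCE_ATTRS if t == tag]
        # <link> fetches a resource only for rel="stylesheet" (canonical is metadata)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            candidates.append("href")
        for attr in candidates:
            url = attrs.get(attr)
            if url and urlsplit(url.strip()).scheme == "http":
                self.findings.append((tag, attr, url.strip()))

def find_insecure_resources(html):
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings

def https_rewrite(url):
    """Candidate fix: same path over https; only valid if that host serves it."""
    return "https://" + url[len("http://"):]

# Constructed sample of an archived article page; hosts are placeholders.
SAMPLE_ARTICLE = """<html><head>
<link rel="canonical" href="http://www.example-paper.test/2012/story.html">
<link rel="stylesheet" href="http://static.example-paper.test/legacy.css">
<script src="https://static.example-paper.test/app.js"></script>
</head><body>
<a href="http://www.example-paper.test/2012/related.html">related</a>
<img src="HTTP://graphics.example-paper.test/chart.jpg" alt="chart">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_resources(SAMPLE_ARTICLE):
        print(f"<{tag} {attr}> {url} -> {https_rewrite(url)}")
```

The rewrite is only a candidate: an old image host that was never given a certificate still 404s or fails TLS, which is the "laborious to find and update" part.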

~~~
fjdlwlv
HTTP URLs redirect to HTTPS

------
caconym_
The thing the NYT needs to fix (as of earlier last year) is the fact that you
can't cancel your subscription without calling them (which is not the case for
signing up). I spent 20 minutes[1] on the phone telling them that yes, I
really did want to cancel. It was a worse experience than dealing with
Comcast, not least because I felt bad for the poor woman who obviously had
some financial incentive to get me to stay on with them.

[1] This number is approximate. Could have been less, could have been more; it
was a while ago.

edit: I feel kinda bad now that this is the top comment in a thread about
something positive the NYT did; if anyone tells me that they've since added
online unsubscribe, I will change this comment accordingly.

~~~
GCA10
Echoes of Comcast ... the NYT is constantly promoting 50% off the posted rates
for new subscribers, without ever offering such terms to existing customers.
But if you're a "frustrated" long-time customer who's on the verge of
canceling, then suddenly the 50% discount is rolled out.

In most other industries, loyal customers get better treatment. Or it's the
same deal for everyone. These sorts of inverted pricing structures may squeeze
more revenue out of a few long-term, inattentive customers, but the hidden
cost in churn, irritation and haggling is considerable.

~~~
caf
Insurance is another industry with the same inverted pricing structure.

~~~
fjdlwlv
What? Your prices go up every year? I've never seen that.

~~~
caf
Yes (although I should clarify that I'm referring to car / house / contents
insurance here). Typically the premium offered at renewal time will increase
every year, but if you come in as a new customer you can get a substantially
lower premium.

------
bonyt
"I'm all in favor of news sites using HTTPS, but I assume they're also going
to pad all their articles to a uniform length?"

Source:
[https://twitter.com/matthew_d_green/status/53504312624809574...](https://twitter.com/matthew_d_green/status/535043126248095744)

~~~
Klathmon
This isn't an "all or nothing" situation.

Enabling HTTPS is a benefit even if it's not perfect. The integrity and
authentication it provides are alone a MASSIVE benefit (especially for a news
site).

Now you'll know that your news is coming from their servers, and nobody else
is tampering with it.

Then taking into account that it does provide confidentiality, you get rid of
"dragnet" style data gathering and inspection.

You'd need to be targeted by someone who not only has a lot of time, but also
is very up to date on the pages of NYT and their sizes to be able to track
your article by its size.

No matter what, it's still harder than it was before to snoop on what you are
doing.

It's a net gain in just about every single way.

~~~
jczhang
"Now you'll know that your news is coming from their servers, and nobody else
is tampering with it."

I'm an HTTPS noob, can you explain how or why someone would tamper with it on
normal HTTP? Who would care to target me and what are the chances that NYT has
been tampered with ever before?

~~~
EvilTerran
To take an example that's already happened...

How? By being the user's ISP.

Why? To inject adverts.

What are the chances it affected nytimes.com? Almost certain.

Behold: [http://arstechnica.com/tech-policy/2014/09/why-comcasts-java...](http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/) - and that's not the only
case of it.

~~~
Klathmon
And as that last link points out, this isn't a theoretical thing.

Not only do ISPs do it, but wifi hotspots, dodgy wifi routers, malware on
anything in-between, and in some (admittedly rare cases) your government.

And the why isn't just ads. But passive tracking (ISPs have been known to
analyze your traffic passively and sell that information), active tracking
(the famous Verizon super cookie), "page optimization" which frequently breaks
sites, and in some cases malware injection into images, executables, or
anything else the bad actor could do automatically.

------
fanpuns
Oh no, this was my go-to site whenever I had to login to public wifi and https
wouldn't redirect :(

~~~
tblyler
[http://neverssl.com/](http://neverssl.com/) my friend.

~~~
tux3
I use [http://plop.org](http://plop.org), a whole four characters shorter!

~~~
akoster
I like that one. My domains for this purpose are:
[http://i.net/](http://i.net/) and [http://ip4.me/](http://ip4.me/) (or
[http://ip6.me](http://ip6.me), if you know you have IPv6 connectivity)

------
schoen
A nice farewell gift for Chris Soghoian's time at ACLU (during which he
constantly tried to get news organizations, law firms, and government agencies
to use HTTPS and STARTTLS).

------
cesarb
Interestingly, Certificate Patrol warned me that the certificate at that site
changed from a "Domain Validation" to an "Organization Validation" certificate
from the same CA.

Why did they do that change, and what would be the advantage for them of an OV
instead of a DV certificate?

~~~
Someone1234
OV are considered more secure than DV due to the higher registration
requirements[0]. Additionally a DV certificate is good for a single domain, OV
certificates are good for all of that organisation's domains. For example the
NYT's certificate is valid for:

    DNS Name=nytimes.com
    DNS Name=*.blogs.nytimes.com
    DNS Name=*.blogs.stg.nytimes.com
    DNS Name=*.dev.nytimes.com
    DNS Name=*.nyt.com
    DNS Name=*.nytimes.com
    DNS Name=*.stg.nytimes.com

This simplifies deployment significantly.

[0] [https://www.ssl.com/article/dv-ov-and-ev-certificates/](https://www.ssl.com/article/dv-ov-and-ev-certificates/)

~~~
vertex-four
DV certs can certainly have wildcards and multiple domains, and no, OV certs
are not "more secure" - they simply contain additional fields which suggest
that a CA has taken some amount of effort to verify that the domains belong to
a given organisation, which the end user can read. This is generally more-or-
less useless, as I'm pretty sure we all know that nytimes.com is owned by the
New York Times.
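Both comments above turn on what the SAN list quoted earlier actually covers. As an added example (not code from either commenter), this checks a hostname against that list the way a client does: a leading `*.` stands for exactly one DNS label, so `*.nytimes.com` covers `www.nytimes.com` but not `open.blogs.nytimes.com`, which is why the separate `*.blogs.nytimes.com` entry is needed. The SAN entries are the ones from the thread; the hostnames tried are constructed.

```python
SAN_LIST = [  # the SAN entries quoted in the thread
    "nytimes.com", "*.blogs.nytimes.com", "*.blogs.stg.nytimes.com",
    "*.dev.nytimes.com", "*.nyt.com", "*.nytimes.com", "*.stg.nytimes.com",
]

def san_matches(pattern, hostname):
    """RFC 6125 style match: a leading '*.' stands for exactly one DNS label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    head, sep, rest = hostname.partition(".")
    # The wildcard consumes one non-empty label and nothing more, so
    # *.nytimes.com does not cover open.blogs.nytimes.com or nytimes.com itself.
    return sep == "." and head != "" and rest == pattern[2:]

def covering_entry(san_list, hostname):
    """Return the SAN entry that covers hostname, or None if validation fails."""
    for entry in san_list:
        if san_matches(entry, hostname):
            return entry
    return None

if __name__ == "__main__":
    for host in ["nytimes.com", "www.nytimes.com", "open.blogs.nytimes.com",
                 "blogs.nytimes.com", "a.b.nyt.com", "nytimes.com.example"]:
        print(f"{host:24} -> {covering_entry(SAN_LIST, host)}")
```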

~~~
dx034
And who reads the certificate anyway? I've never heard that an end user
actually reads the content of the certificate. They just look for the green
lock.

It would often be confusing anyway, as the legal entities the certificate is
issued to can be named very different from the brand.

------
hackuser
A good step forward. Does the NY Times itself track what its users read? Does
it provide that information to others?

If so, this change amounts to not protecting user privacy as much as insisting
that only the NYT can monetize their users' privacy.

~~~
TurningCanadian
Random coffee shop / hotel / etc wifi owners and other users on the network
will only know that you're reading nytimes.com, and not which particular
section/article.

~~~
TurningCanadian
And your session cookie...

~~~
semiquaver
Session cookies are transmitted as headers which are protected by HTTPS.

~~~
TurningCanadian
Sorry, I meant that as an additional reply to

"If so, this change amounts to not protecting user privacy as much as
insisting that only the NYT can monetize their users' privacy."

The cookie is now hidden from the MITM. Before, not only could they see what
pages you see, but they could login as you.

------
snug
I wonder what the reason is for HTTPS only for "Articles published in 2014 and
later".

~~~
r3bl
Yeah, one would think that it's an easy job, but media organizations tend to
have different projects, CMSs, designs, sometimes even (sub)domains for
different things.

Media websites are constantly-evolving beasts, with a small tech team trying
to hack shit up to make them work, and killing older content is never even an
option.

At the end, with a limited amount of (mostly human) resources, you kind of
have to draw the line somewhere and introduce the change, otherwise you will
end up postponing it for possibly months.

------
CptJamesCook
If only we could get adult websites to do the same.

~~~
angry-hacker
Eporner.com did it recently. I'm not sure if they are the first or how big
they are compared to pornhub etc., but I happened to notice the other day
because they asked for feedback on their frontpage about https.

------
paradite
I'm curious what the technologies are that are only available with https, as
mentioned in the post. Service workers?

~~~
tompic823
HTTP/2 only supports HTTPS, which means HTTP connections don't benefit from
HTTP/2's speed improvements. In addition, recent versions of Chrome only allow
use of the location API by sites served over HTTPS. These are just two
immediate examples that come to mind, but more exist.

------
TheOneTrueKyle
Went through a frustrating process when switching to https on my baking blog
so I imagine that frustration scales with size.

------
artursapek
Judging by the certificate issue date, they've been working on this since
September. Congrats on shipping!

------
BuuQu9hu
Finally. Redirecting from https to http is quite annoying.

------
hamhamed
About time

------
steambap
Good to see they are using HTTPS.

------
thampiman
How is this news worth upvoting though?

~~~
bsdetector
Context is the key.

They say HTTPS is complex to enable and imply they've been working on it for
up to two years. And they finally get it done nine days before Trump.

Some people and organizations are panicking, either about his behavior or that
net neutrality is out the window or about some boogeyman. That's why this
story is relevant, now, because it's an indication that NYT may feel the
internet will soon be a much more hostile environment.

------
peterwwillis
They were hacked in 1998 by "H4ck1ng F0r G1rl13z", by Adrian Lamo in 2012, by
the Syrian Electronic Army in 2013, and claimed Russia attempted to hack them
5 months ago (and in the same breath said they have no evidence of this). Glad
their security team is on the ball with this new-fangled encryption thingy.

