
Moving the Washington Post to HTTPS - joosters
https://developer.washingtonpost.com/pb/blog/post/2015/12/10/moving-the-washington-post-to-https/
======
n0us
The Washington Post and the New York Times both seem to have excellent
engineering teams and both of their websites are in my opinion some of the
best news sites that I've seen on the web. (Vox is also very nice in my
opinion though they do not have SSL support apparently)

I would gladly pay a Netflix-like subscription that gives me a "pass" to top
news sites with no advertising. I just don't want to manage a dozen
subscriptions to sites and it's difficult to choose between the different
options that they offer like "tablet, web, paper" "web, paper" "tablet only"
etc. Just take the difficulty away and give me access to the content in
whatever format I want, with an add-on fee for print delivery.

~~~
benten10
I said this on HN yesterday, but I'll repeat again since it's VERY relevant.

I'd like the subscription, as you mention too!

What I'd like even more (for voluntary payment) is a subscription that divvies
up my monthly 'budget' according to the % of the time I spent on different
sites. Say I spend 50% of my browsing time on Nytimes, 30% on HN and 20% on
New Yorker, and my monthly allocated budget is $20. Then NYT gets $10, HN gets
$6, NYer $4, etc.

Or perhaps, a monthly budget where the money is deducted for subscription
sites, per article/time whatever. Once my budget is finished, I see 'normal'
web like everyone else does.

I don't really care about ads, but maybe people who don't want to see ads
could pay like, 2x as much, etc.

There doesn't seem to be a lot of innovation in this field. Perhaps it's the
difficulty of integrating everything in one place?

Edit after reading the comments: Google Contributor just removes ads instead
of getting you a 'special pass' right? Do the site owners get paid for the
'eyeballs' from the subscribers?

~~~
npongratz
Sounds nice in theory, but I'd be concerned about having my reading habits
tracked by yet another Central Scrutinizer. I already block ads mainly to
avoid creepy and invasive behavior by the ad networks, as well as the malware
that seeps through said networks. I am not going to opt-in to mass
surveillance.

~~~
thetmkay
It doesn't have to be.

Assume registration includes specifying a list of "preferred publishers" (like
what aggregated news apps ask on sign up in order to curate your feed)

Add a client side tracker (i.e. browser plugin) with the ability to track the
page views on each site.

One of three options:

1) no tracking - split the distribution evenly among your preferred sites

2) offline/batch tracking - at the end of the month, submit an aggregated
percentage breakdown of your sites

3) online tracking - sent to the server in real time (i.e. Central
scrutiniser)

And if you're really particular about tracking, it could just be an API, and
you can write to it whatever data you want to share.

------
jakobdabo
Let's hope WP becomes a trend-setter among news websites in this direction.
The only other one (that I know of) is RT.

SSLLabs grades WP's HTTPS support "A" [1].

I can see that they don't set HSTS headers and there's no OCSP stapling.

Also, their cookies are not set as "secure".

[1] -
[https://www.ssllabs.com/ssltest/analyze.html?d=www.washingto...](https://www.ssllabs.com/ssltest/analyze.html?d=www.washingtonpost.com&s=192.33.31.56&hideResults=on)
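
The two header-level gaps named in the comment above (no HSTS, cookies without `Secure`) can be checked mechanically. This is an added example, not part of the original thread or the Washington Post's code; the sample headers are constructed and the 180-day `MIN_MAX_AGE` threshold is an assumption. OCSP stapling is a property of the TLS handshake, so it is not visible in response headers and is not covered here.

```python
import re

# Constructed response headers as (name, value) pairs; not captured from any real site.
WEAK = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]

MIN_MAX_AGE = 15552000  # 180 days; threshold assumed for this example


def hsts_max_age(value):
    """Return max-age in seconds from an HSTS header value, or None if absent."""
    for directive in value.split(";"):
        m = re.fullmatch(r'\s*max-age\s*=\s*"?(\d+)"?\s*', directive, re.IGNORECASE)
        if m:
            return int(m.group(1))
    return None


def cookie_has_secure(set_cookie):
    """True if a Set-Cookie value carries the Secure attribute."""
    attributes = set_cookie.split(";")[1:]  # skip the leading name=value pair
    return any(a.strip().lower() == "secure" for a in attributes)


def audit(headers):
    """Return a list of findings for one HTTPS response's headers."""
    findings = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        age = hsts_max_age(hsts[0])  # RFC 6797: only the first HSTS field counts
        if age is None:
            findings.append("HSTS header without a valid max-age")
        elif age < MIN_MAX_AGE:
            findings.append(f"HSTS max-age={age} is below {MIN_MAX_AGE}")
    for name, value in headers:
        if name.lower() == "set-cookie" and not cookie_has_secure(value):
            cookie = value.split("=", 1)[0].strip()
            findings.append(f"cookie '{cookie}' is missing the Secure attribute")
    return findings
```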

------
joosters
Why aren't big online publishers more concerned about the junk that the ad
networks are attaching onto their sites?

If an expert like Google can't even ensure that ads don't auto play or include
sound effects, what hope is there that they can protect against malware and
other dangerous content leaking in?

~~~
untog
_Why aren't big online publishers more concerned about the junk that the ad
networks_

_If an expert like Google can't even ensure that ads don't auto play_

The latter answers the former. They are concerned, but there is basically
nothing they can do about it if they want to continue to earn money.

~~~
rwallace
What changed?

Many years ago, ads were very bad. Then Google got into the business and
enforced clean, tasteful ads and things were good for quite some time. But
then they started deteriorating again, worse every year until I finally
installed adblock early this year.

Did something cause the power balance to swing back away from Google or
something? If so, what?

------
esaym
I am not sure how I feel about the general HTTPS-ization of the web. I've used
squid ([http://www.squid-cache.org/](http://www.squid-cache.org/)) and
dansguardian ([http://dansguardian.org/](http://dansguardian.org/)) for nearly
15 years now. It greatly speeds up my web and keeps smut away from my family.

Yet it is becoming more and more useless every day because of HTTPS. I used to
be able to quickly fly through Google Maps because most of the images were in
cache, even with only 1mbs internet. Then it went HTTPS only. So I started
using MapQuest, then it too did the same. Bing Maps still allows some non
HTTPS images, so I now use that sometimes.

I can see how some sites might want to be more private in nature. But news and
maps websites I am not seeing the point.

~~~
mattmanser
I listened to an interesting opinion on the BBC the other day that the
internet wasn't fit for purpose and that no sane parent should _ever_ allow
their child on it at all[1].

Her argument is that we don't expect parents to police their children all the
time in real life, shop owners have legal responsibilities to stop children
accessing inappropriate products, children are stopped from purchasing alcohol
in bars, etc. and yet on the internet somehow it's the parent's responsibility
all the time all of a sudden. And if your child is with other people, those
restrictions may be totally waived.

The problem is, it is trivial for a child to access incredibly disturbing and
PTSD inducing material that is accessible to any child with ease, beheadings,
murders, the most vile and disturbing porn you couldn't even imagine, all two
clicks of a button away from your 11 year old.

She definitely has a point. I'm not sure what the solution is as I love the
internet being open, but a huge proportion of the planet is made up of
children and they can go watch ISIS behead someone or a woman shit in the
mouth of a man whenever their classmate dares them.

[1]
[http://www.bbc.co.uk/programmes/p039wy7f](http://www.bbc.co.uk/programmes/p039wy7f)

~~~
xxpor
> The problem is, it is trivial for a child to access incredibly disturbing and
> PTSD inducing material that is accessible to any child with ease, beheadings,
> murders, the most vile and disturbing porn you couldn't even imagine, all two
> clicks of a button away from your 11 year old. She definitely has a point. I'm
> not sure what the solution is as I love the internet being open, but a huge
> proportion of the planet is made up of children and they can go watch ISIS
> behead someone or a woman shit in the mouth of a man whenever their classmate
> dares them.

I'd much rather have my children see that and talk to me about it because they
trust me rather than not mentioning it because they worked around a web filter
(which is inevitable [check out my ubuntu live usb stick, or my ssh tunnel])
and are afraid of getting in trouble.

------
cpeterso
Are there any ad networks that are 100% HTTPS? HTTPS ads would work in both
HTTP and HTTPS content pages, but HTTP ads may cause mixed content problems.
Are the ad networks worried about HTTPS latency? Or are they just lazy? :)
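
The mixed content problem raised above, as an added example that is not part of the original thread: a scanner that lists the `http://` subresources an HTTPS page would pull in, split into active content (scripts, frames, stylesheets) and passive content (images, media). The sample page and the `news.example` / `ads.example` hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, category)
RULES = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link": ("href", "active"),   # only when rel includes "stylesheet"
    "img": ("src", "passive"),
    "video": ("src", "passive"),
    "audio": ("src", "passive"),
}

# Constructed sample page with a mix of relative, protocol-relative and absolute URLs.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://ads.example/tag.js"></script>
<script src="//cdn.example/lib.js"></script>
</head><body>
<img src="http://ads.example/pixel.gif">
<iframe src="https://ads.example/frame.html"></iframe>
</body></html>
"""


class _Scanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in RULES:
            return
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return
        attr, kind = RULES[tag]
        raw = a.get(attr)
        if not raw:
            return
        # Relative and protocol-relative URLs inherit the page's scheme.
        resolved = urljoin(self.page_url, raw.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, resolved, kind))


def find_mixed_content(page_url, html):
    """Return (tag, url, category) for each http:// subresource of an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # an HTTP page has no mixed content by definition
    scanner = _Scanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```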

~~~
ceocoder
AFAIK DoubleClick AdX moved to 100% SSL in June[1].

[1]
[https://support.google.com/adxbuyer/answer/3016708?hl=en](https://support.google.com/adxbuyer/answer/3016708?hl=en)

------
nandhp
> not only enable HTTPS on our site but also use our own custom EV
> certificate¹

Their certificate doesn't look EV to me. (I checked both developer. and www.)

~~~
ejcx
Their cert used to be an EV cert. I remember this because the address bar
looked absurd as an EV cert "The Washington Post" plus the extra iconography
associated with an EV cert. It took up a quarter of my URL bar on a
small-screen MacBook.

It looks like they are using Instart Logic, and are on the same cert as a
bunch of their other enterprise customers now.

~~~
thetmkay
FYI they had that because EV Certs are tied to the official company name, so
if you want a more 'colloquial' name, there's a special field called something
like 'doing business as'. Then the displayed green bar says:

> Official Business Name (Colloquial Business Name)

Which in the case of two very long names...

------
frik
Could you reduce the 114 requests and the 7.77s page load? Do you really need
6 analytics and 15 3rd party services?

Chrome DevTools timing said: 2.71s Scripting; 636ms Rendering; 210ms Painting

WashingtonPost.com crashes my iPad Safari, see:
[https://news.ycombinator.com/item?id=10697235](https://news.ycombinator.com/item?id=10697235)

~~~
popcornarsonist
This is almost certainly the ads that they're talking about in this post. They
don't really have any control over what kind of trackers are included in 3rd
party ads. I would wager that if you reload the site at different times of the
day, you'll get different numbers.

It's a sad reality of the advertising world—the people building the ads simply
don't care, and the ad networks can't (or won't) do good QA.

~~~
manigandham
It's a lot more complicated than that. Yes there are lots of ad networks that
are crappy and don't have good QA but lots of this is down to the buyers
themselves.

The big clients and agencies who do ad buys have thousands of requirements
including 3rd party verification, tracking, conversion pixels, etc.

We run one of the fastest ad networks available with everything optimized to
the fewest network requests, yet a single campaign from someone like ATT will
mean a dozen other tags that need to be loaded if we run their ads.

It's a lack of trust, standards and actual technical understanding that's
hurting this industry the most.

------
darksoul
What's fascinating is how fast the Washington Post is, and how you get
different image types depending on the browser you use. Off to check out that
CDN provider they use.

------
MaxScheiber
Does anyone else have the following issue with the footnote hotlinking on this
blog post? When I click the "return" icon on a footnote to jump to the point
in the text where the footnote is, I end up several lines below where I
should. The sentence with the footnote is concealed by the black WaPo header
bar.

I can replicate this behavior in Chrome on Ubuntu, Chrome on El Capitan, and
Safari on El Capitan.

------
autotune
> Today, more than 99% of our traffic is redirected to HTTPS.

So what are the .9% of traffic that aren't? Web crawler bots?

~~~
Buge
I was thinking it was requests to certain pages that weren't redirected, not
requests from certain users.

Maybe some pages don't work on https due to mixed content and stuff like that.

------
fiatjaf
I thought they used WordPress.

------
swagv
Sadly, like too much engineering writing, no attention is given to the "why".

~~~
untog
Isn't that pretty well established by now?

~~~
Someone1234
Yes, but there will always be die-hards who hate change.

I've just given up giving a full explanation and now just point to this:

[http://arstechnica.com/tech-policy/2013/04/how-a-banner-ad-f...](http://arstechnica.com/tech-policy/2013/04/how-a-banner-ad-for-hs-ok/)

And this:

[https://www.eff.org/deeplinks/2014/11/verizon-x-uidh](https://www.eff.org/deeplinks/2014/11/verizon-x-uidh)

If they still aren't convinced then they weren't convincible to begin with.
There are other arguments too, but if the above doesn't sway them then none of
the other arguments would either.

------
foldor
As an aside, did the font on this page bother anyone else? The lowercase "w"
in particular just kept confusing me into thinking it was a word in italics
and my mind kept stressing it. I looked it up, and the font-family is
"Ubuntu".

------
kremmer21
Is this supposed to be an impressive project? Because if it is, I feel sorry
for the developers working there.

~~~
pfg
Deploying HTTPS on a site with tons of legacy components, third-party
dependencies and a lot of ad networks is definitely no small feat. There's a
reason why most news sites are still HTTP-only.

~~~
benten10
Agreed! Fun/difficult projects aren't always the 'latest and cutting edge'
ones. You can have impressive/difficult challenges ESPECIALLY while getting
legacy components to work with more recent technology, even though the task
itself may seem 'simple' for more uhh, inexperienced, developers.

