
Enabling Secure HTTP for BBC Online - edward
http://www.bbc.co.uk/blogs/internet/entries/f6f50d1f-a879-4999-bc6d-6634a71e2e60
======
reedloden
> There are always practical limitations to site-wide technical changes, and
> HTTPS Everywhere is no different. Sites and content we consider ‘archival’
> that involve no signing in or personalisation, such as the News Online
> archive on news.bbc.co.uk, will remain HTTP-only. This is due to the cost
> we’d incur processing tens of millions of old files to rewrite internal
> links to HTTPS when balanced against the benefit.

Not to be snarky, but haven't people written tools to help with this? This
seems like a common issue. I mean, there's `sed` and similar tools, obviously,
but something that could go, validate that the link works over https://, and
update it. I don't see why that would need to be some monumental amount of
work.

HTTPS is more than just privacy. See
[https://certsimple.com/blog/ssl-why-do-i-need-it](https://certsimple.com/blog/ssl-why-do-i-need-it)
and
[https://www.troyhunt.com/ssl-is-not-about-encryption/](https://www.troyhunt.com/ssl-is-not-about-encryption/)
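The validate-then-rewrite tool sketched in this comment, written out as an added example (not code from the BBC post or from any commenter). It scans `href`/`src` attributes for `http://` links, probes the `https://` counterpart through an injectable `probe` callable, memoises each verdict so a large archive probes every distinct URL once, and leaves links that fail the probe untouched; the sample HTML and hostnames are constructed.

```python
import re
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Matches http:// URLs inside href/src attributes (constructed; HTML only).
LINK_RE = re.compile(r'(?P<attr>\b(?:href|src)=["\'])http://(?P<rest>[^"\']+)')

# Constructed sample page: two links that should upgrade, one whose host
# does not serve HTTPS and must therefore stay as it is.
SAMPLE_HTML = (
    '<a href="http://news.bbc.co.uk/1/hi/x.stm">x</a> '
    '<img src="http://cdn.example.net/i.png"> '
    '<a href="http://legacy.example.org/old">y</a>'
)


def https_works(url: str, timeout: float = 5.0) -> bool:
    """Network probe: HEAD the https:// URL. A TLS or connection error, a
    non-2xx/3xx status, or a redirect chain that lands back on http://
    (a real failure mode seen in this thread) all count as 'not upgradable'."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 400 and resp.url.startswith("https://")
    except Exception:
        return False


def rewrite_links(html: str, probe: Callable[[str], bool],
                  cache: Optional[Dict[str, bool]] = None) -> Tuple[str, Dict[str, bool]]:
    """Return (rewritten_html, cache). Only links whose https:// version the
    probe accepts are rewritten; the cache maps probed https URL -> verdict and
    can be passed back in across files so each URL is probed once."""
    cache = {} if cache is None else cache

    def upgrade(m: "re.Match[str]") -> str:
        https_url = "https://" + m.group("rest")
        if https_url not in cache:
            cache[https_url] = probe(https_url)
        return m.group("attr") + https_url if cache[https_url] else m.group(0)

    return LINK_RE.sub(upgrade, html), cache


def demo() -> Tuple[str, Dict[str, bool]]:
    """Offline run with a stub probe standing in for https_works."""
    return rewrite_links(SAMPLE_HTML, lambda u: "legacy.example.org" not in u)
```

On a real archive, pass `https_works` as the probe and persist the returned cache between files.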

~~~
Karunamon
_Sites and content we consider ‘archival’ that involve no signing in or
personalisation,_

_AUGH_! Seeing this "SSL is just for private things" mindset in 2016 is
really disheartening. It's to keep people from screwing with your connection,
not just snooping on it.

I really hope the browser vendors start treating HTTP the same way they treat
broken certs sometime soon. This will change once users start asking, en
masse, "Why am I getting all these warnings", not before.

~~~
wanda
Pretty sure a diluted form of the broken cert treatment for HTTP is available
behind a flag in Chrome, so it might be in the pipeline.

Source: [http://peter.sh/experiments/chromium-command-line-switches/](http://peter.sh/experiments/chromium-command-line-switches/)

See:

    --mark-insecure-as

------
reedloden
> Earlier in 2016, the Chromium development team decided to implement a change
> to Google Chrome, preventing access to certain in-browser features on
> ‘insecure’ (non-HTTPS) web pages. In practice, this meant that key features
> of certain products, such as the location-finding feature within the
> Homepage, Travel News and Weather sites, would stop working if we didn’t
> enable HTTPS for those services.

I think this shows how valuable it is to use incentives to get people to Do
The Right Thing(tm). Perhaps more things should be changed to require HTTPS.

------
dajohnson89
It was gutsy (and insightful) of them to publish to the world their upgrade
experience. I wish people would be a little more positive about that instead
of pointing out how much they suck.

~~~
jamespo
A lot of people think they know better and think it's just a case of a few
webserver directives, but have no idea of the scope of the BBC content.

------
jpetrucc
> The CPU overhead of TLS encryption has historically been significant. We’ve
> done a lot of work behind the scenes to improve both the software and
> hardware layers to minimise the load impact of TLS whilst also improving
> security.

I thought that it hasn't been significant overhead for a while now?

related: [https://www.maxcdn.com/blog/ssl-performance-myth/](https://www.maxcdn.com/blog/ssl-performance-myth/)
and [https://istlsfastyet.com/](https://istlsfastyet.com/)

~~~
blowski
> Even a 2012 MacBook Air can sign an SSL key in only 6.1 milliseconds.

The BBC has to deal with machines much older and much less powerful than that.

~~~
Buge
Every TLS speed concern I've heard has been about the server speed, not the
client speed.

The servers shouldn't be running on old MacBook Airs.

~~~
multjoy
It _is_ the BBC

------
sixhobbits
And just yesterday I told someone to visit BBC when trying to connect to
public wifi that requires a redirect to a login page first. Guess I'm going to
have to find a new go-to http site now

~~~
goodplay
Space-bar heater :)

On a more serious note, I always use [http://example.com](http://example.com).
Being reserved and maintained by the IANA for documentation and testing, it's
the most stable site I can think of.

~~~
boulos
Be aware that plenty of ISPs sadly MITM example.com. I ran into this when our
test suite that curl'ed example.com and checked its output failed when we ran
our binary on a new provider.

------
ungzd
Despite such a late upgrade to HTTPS, the site looks good, uses HTML5, works
without Flash and doesn't even accuse me of piracy for using an adblocker.

------
jsingleton
Although this is good news, it will stop me from injecting a hidden breaking
news banner to stop it popping up. Should still be able to block the domain,
but that won't cache for as long when off WiFi. [^1]

At least this will stop ISPs like BT from doing deep packet inspection and
serving stale pages from their cache. Once it's been rolled out to the news
site over the next year, of course.

If they use ChaCha-Poly then the load on low power devices shouldn't be much.
I did a lot of reading on this for my recent book and it's pretty good for
devices lacking hardware AES acceleration.

[^1]: [https://unop.uk/block-bbc-breaking-news-on-all-devices](https://unop.uk/block-bbc-breaking-news-on-all-devices)

------
rocky1138
Good on BBC for coming right out and talking about their plans in public. Love
reading this stuff!

------
spurgu
Haha, here's what I got on the first page load:

    string(240) "https://ssl.bbc.co.uk/dna/api/comments/CommentsService.svc/V1/site/blog101/commentsforums/blogs_internet_f6f50d1f_a879_4999_bc6d_6634a71e2e60/?sortBy=Created&sortDirection=Descending&filterBy=none&itemsPerPage=10&startIndex=0&includepostid="
    string(40) "Error in cURL request: SSL connect error"

------
chriswwweb
I don't get it ... for me their entire website is still http only, even if I
add https myself I always get redirected back to http

~~~
chriswwweb
Ah ok I see [https://www.bbc.co.uk/travel](https://www.bbc.co.uk/travel) is
now https, but [https://www.bbc.com](https://www.bbc.com) still redirects me
to the http version, I thought when they mentioned their "domestic" website
they were talking about www.bbc.com or www.bbc.co.uk ... funny even their blog
post that informs us about their https support can only be accessed through
http ;)

------
nayuki
Did anyone else notice the irony that this proud announcement is served over
insecure HTTP?

------
cantagi
Apologies if I'm being naive, but how does it take 3 architects a whole year
to upgrade a family of websites to HTTPS? The BBC are way behind the times
here, although the article alludes to issues with suppliers.

~~~
vertex-four
The BBC's web infrastructure is a patchwork of disparate systems, run by
separate product teams, on lots of different technology dating back
potentially a couple of decades in some cases, with lots of third-party
dependencies. Additionally, many of the original teams developing their
websites are no longer with them, and as with most systems, documentation has
no doubt suffered over the years.

For each individual product, they need to figure out what modifications it
needs to become HTTPS-enabled (lots of links and identifiers are hard-coded to
HTTP, and third-party CDNs might not support HTTPS by default), and update
their testing procedures to ensure that it remains HTTPS-compatible, before
they can enable HTTPS. Given that this is the BBC (a publicly-funded entity),
they also have to ensure that everything continues to be fully supported on
browsers going back to IE6, Firefox 3, and Safari 3 - with partial support for
some browsers older than them.

In my opinion, a year is doing pretty well.

------
gilgongo
They enabled Secure HTTP don't forget. Not the insecure kind a lot of people
might be thinking about here.

------
johansch
BBC used to be the organization that other broadcasters followed when it came
to technology. Now it's the follower.

------
coltonv
> HTTPS has been around since 1996

A blog post about spending several years updating to a protocol that's been
around for 2 decades and has been standard for full sites for years. This
makes me feel like anyone who has an account on BBC should be afraid of their
security practices. Calling a plaintext password leak from BBC right now.

EDIT: People are taking this comment more seriously than I intended. I don't
actually think you should distrust BBC's security practices because of this,
but I do feel that major websites should have site-wide SSL by now. It is
clear that a lot of people below me disagree with that, that's okay, I'm glad
I spawned a debate here.

~~~
blowski
Calling FUD on your comment.

It hasn't been "standard on full sites for years", and still isn't now. Only
recently with the 'HTTPS everywhere' move has the idea that public sites with
no authentication should support HTTPS. And even now, that's not a universally
supported opinion, because of its effect on caching.

The BBC has used HTTPS on pages with forms that submit secure data, as has
been the historic standard.

Moving a site as massive as the BBC, which spans multiple domains and
subdomains and has millions of pages is a big task. Note how you can still see
news articles from the late 90s at the same URL. So, yeah, I can understand
why writing a blog post about it is worthwhile.

~~~
coltonv
Can you point out some other major sites used by the general public which have
spent the last few years without site-wide SSL to back up your claim?

~~~
blowski
I can do better than that - I can give you a report published by Google in
March 2016 which listed lots of them.

[https://www.google.com/transparencyreport/https/grid/](https://www.google.com/transparencyreport/https/grid/)

For example, the following are all in the world's top 100 websites and none of
them support any form of HTTPS. The link includes quite a few more.

* alibaba.com
* ask.com
* ask.fm
* baidu.com
* cnet.com
* cnn.com
* dailymail.co.uk
* ebay.com
* globo.com
* go.com
* goal.com
* goo.ne.jp
* imdb.com
* live.com
* mirror.co.uk
* naver.jp
* nytimes.com
* onet.pl
* pornhub.com
* telegraph.co.uk
* uol.com.br
* weibo.com
* wikia.com
* wikihow.com
* wp.pl
* yahoo.co.jp
* yelp.com
* youporn.com

~~~
coltonv
That's scary honestly. Thanks for sharing at least.

