
The Guardian has moved to HTTPS - robin_reala
https://www.theguardian.com/info/developer-blog/2016/nov/29/the-guardian-has-moved-to-https
======
simmons
It's always good to see more web sites switching to HTTPS. I can't help
thinking about something I read on Twitter a couple of years ago, and I wonder
if they are mitigating the risk:

"I'm all in favor of news sites using HTTPS, but I assume they're also going
to pad all their articles to a uniform length?" --
[https://twitter.com/matthew_d_green/status/53504312624809574...](https://twitter.com/matthew_d_green/status/535043126248095744)

~~~
sihil
An interesting attack and something that we'll consider. HTTP/2 should add a
significant amount of noise to this, but ultimately adding random padding to
every response or padding that compresses to a consistent length would be the
best solution.
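
The "pad to a consistent length after compression" idea in the comment above, as an added example rather than anything from the Guardian's own stack: padding that is added before gzip is simply squeezed back out, so this pads the already-compressed stream with a second gzip member whose stored (level 0) block holds random hex inside an HTML comment, and rounds every response up to a multiple of an assumed 4096-byte bucket (the bucket size is a placeholder, not a figure from the thread).

```python
import gzip
import secrets

# Assumed bucket size, not a figure from the thread: choose it from the site's
# own page-size distribution so most articles collapse onto a few wire sizes.
BUCKET = 4096


def bucket_length(n: int, bucket: int = BUCKET) -> int:
    """Smallest positive multiple of `bucket` that is >= n."""
    return max(1, -(-n // bucket)) * bucket


def padding_member(hex_chars: int) -> bytes:
    """A separate gzip member that decompresses to an HTML comment of random hex.

    Level 0 stores the bytes instead of compressing them, so the member grows by
    exactly one byte per character and an exact target size can be hit.  Random
    content means an observer cannot compress the padding away; hex digits never
    form '--', so the comment cannot close early.
    """
    hex_text = secrets.token_hex((hex_chars + 1) // 2)[:hex_chars]
    return gzip.compress(b"<!--" + hex_text.encode("ascii") + b"-->", compresslevel=0)


def pad_response(compressed_body: bytes, bucket: int = BUCKET) -> bytes:
    """Append a padding member so the gzip stream on the wire is a multiple of `bucket`."""
    overhead = len(padding_member(0))  # size of an empty padding member
    target = bucket_length(len(compressed_body) + overhead, bucket)
    need = target - len(compressed_body)
    hex_chars = need - overhead
    member = padding_member(hex_chars)
    # Stored blocks grow linearly, so one correction step converges; the bound
    # only guards against a zlib build that splits blocks unexpectedly.
    for _ in range(8):
        if len(member) == need:
            break
        hex_chars += need - len(member)
        member = padding_member(hex_chars)
    else:
        raise RuntimeError("could not hit the target length")
    return compressed_body + member


def pad_body(body: bytes, bucket: int = BUCKET) -> bytes:
    """Compress a response body and pad the compressed stream."""
    return pad_response(gzip.compress(body), bucket)


def unpad(padded: bytes) -> bytes:
    """Clients need no special handling: gzip decoders concatenate all members."""
    return gzip.decompress(padded)


def distinct_sizes(bodies, bucket: int = BUCKET) -> int:
    """How many distinct wire sizes remain once every body has been padded."""
    return len({len(pad_body(b, bucket)) for b in bodies})


if __name__ == "__main__":
    # Constructed article bodies of three different sizes (not real pages).
    articles = [b"<html>" + secrets.token_hex(n).encode() + b"</html>" for n in (500, 900, 1500)]
    print("compressed sizes:", sorted(len(gzip.compress(a)) for a in articles))
    print("distinct sizes after padding:", distinct_sizes(articles))
```

The trade-off is bandwidth: every response costs up to one bucket of extra bytes, and responses that straddle a bucket boundary still reveal which side they fall on, so the bucket size has to be chosen against the site's real page-size distribution rather than picked arbitrarily.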

------
andy_ppp
I am slightly worried that a lot of public Wifi seems to be unable to redirect
you to the login page (think Starbucks) if you visit https:// sites. The
Guardian was my go-to for such situations so that I could login and get
online.

I'm not sure how these redirects work (DNS? Inserting JS into the page?) but
it seems to be a common problem.

~~~
marcoperaza
There seems to be some protocol by which operating systems automatically
launch the login page upon connecting to the WiFi network. Unfortunately, it
seems to fail pretty often and probably doesn't work for bridged connections.

~~~
JimDabell
There's no standard protocol in widespread use. Typically operating systems
attempt to fetch a known resource when connecting to a new Wi-Fi network, and
if it redirects, then they treat the destination as the captive portal sign-in
page and display it with special chrome / modally. The URL each platform
attempts to load varies by vendor and version.
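
The detection logic described above, as an added example (not code from any operating system or from the article): a probe of a known plain-HTTP URL is classified by whether it came back unmodified, was redirected, or answered with RFC 6585's 511 status. The probe URL and expected body are constructed placeholders; each platform ships its own.

```python
from dataclasses import dataclass, field

# Constructed probe configuration.  Real platforms each use their own probe URL
# and expected reply (the thread mentions Debian's); these are placeholders.
PROBE_URL = "http://connectivity-check.example.invalid/probe"
EXPECTED_BODY = b"probe ok"


@dataclass
class ProbeResponse:
    """Minimal model of the HTTP reply to the probe request (constructed)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header(self, name: str):
        """Case-insensitive header lookup."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def classify_probe(resp):
    """Map a probe reply to (state, portal_url).

    state is 'online', 'captive-portal' or 'offline'.  The probe has to be
    plain HTTP: an HTTPS request that a portal tampers with fails with a
    certificate error instead of a redirect, which is why a first visit to an
    HTTPS-only site on public Wi-Fi never reaches the login page.
    """
    if resp is None:
        return ("offline", None)
    location = resp.header("Location")
    if 300 <= resp.status < 400 and location:
        # The classic portal: the probe is bounced to the sign-in page.
        return ("captive-portal", location)
    if resp.status == 511:
        # RFC 6585 "Network Authentication Required": an explicit portal signal.
        return ("captive-portal", location)
    if resp.status == 200 and resp.body.strip() == EXPECTED_BODY:
        return ("online", None)
    # Anything else (e.g. 200 carrying the portal's own HTML) is interception.
    return ("captive-portal", None)


if __name__ == "__main__":
    # Constructed replies covering the cases a client has to distinguish.
    samples = {
        "no answer": None,
        "clean": ProbeResponse(200, {"Content-Type": "text/plain"}, b"probe ok\n"),
        "redirected": ProbeResponse(302, {"location": "http://portal.example/login"}),
        "rewritten": ProbeResponse(200, {}, b"<html>Welcome, please log in</html>"),
        "rfc6585": ProbeResponse(511, {}, b""),
    }
    for label, resp in samples.items():
        print(f"{label:>10}: {classify_probe(resp)}")
```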

~~~
ethagnawl
Do you have any links to resources or know what name(s) people use when
talking about this strategy? I'd be interested to know which URL Debian
attempts to fetch, but I'm not sure how I'd even begin to search for the
answer.

~~~
kalleboo
"Captive portal detection"

And here's your answer: [http://network-test.debian.org/nm](http://network-test.debian.org/nm)

~~~
ethagnawl
Thanks!

------
moreira
The more websites on HTTPS the merrier. It's interesting that they mention
being able to use new HTML/JS features that are now only available over HTTPS.
That's one way to push more people toward HTTPS even if they don't care about
the privacy/security reasons.

------
LeoPanthera
So what's involved in compromising a site using HTTPS? Off the top of my head,
you would have to have control over a trusted CA, and the ability to MITM a
connection to the site. Probably not plausible for bedroom hackers, but seems
trivial for state actors.

Do browsers offer any kind of certificate pinning for arbitrary sites? It
seems strange that this is a default feature in ssh but not https.

~~~
dogma1138
HTTPS doesn't provide any protection to the website, it can hinder MITM
attacks against modern browsers and aware users, but it doesn't reduce the
attack surface on the website (in fact it actually increases it).

As for certificate pinning, some browsers do, e.g. I'm pretty sure that Chrome
has certificate pinning for at least some Google services.

Also HSTS with HPKP (HTTP Public Key Pinning) can be used to further increase
the resilience of HTTPS services against MITM attacks (both local and network
adjacent).

That said, if an adversary is capable of doing even basic network-adjacent
attacks they can still do a redirection via DNS, which is why it's important
to not have HTTP support only, or to have a fully enforced redirect, which will
likely get the target stuck in a redirect loop.

For DNS redirection attacks all they need to do is to be faster than the DNS
responder or poison the local DNS cache.
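
The two server-side controls the comment leans on, the HSTS header and a fully enforced HTTP-to-HTTPS redirect, as an added example rather than anything the Guardian published: a parser for the Strict-Transport-Security value plus a redirect-chain walker that flags a plaintext endpoint or the redirect loop mentioned above. The response tables are constructed stand-ins for real fetches, and the six-month max-age floor is an assumed policy value. HPKP, which the comment also mentions, has since been removed from the major browsers and is left out.

```python
MIN_MAX_AGE = 180 * 24 * 3600  # assumed policy floor (about six months), not from the thread
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed response tables: URL -> (status, Location header or None).
GOOD_SITE = {
    "http://news.example/": (301, "https://news.example/"),
    "https://news.example/": (200, None),
}
LOOPING_SITE = {
    "http://news.example/": (301, "https://news.example/"),
    "https://news.example/": (302, "http://news.example/"),
}


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                raise ValueError(f"bad max-age: {value!r}")
            policy["max-age"] = int(value)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max-age"] is None:
        raise ValueError("HSTS requires a max-age directive")
    return policy


def follow_chain(start: str, responses: dict, max_hops: int = 10):
    """Walk a redirect chain through a response table; returns (verdict, path)."""
    path = [start]
    url = start
    for _ in range(max_hops):
        status, location = responses.get(url, (None, None))
        if status is None:
            return ("unreachable", path)
        if status in REDIRECT_CODES and location:
            if location in path:  # the redirect loop the comment describes
                return ("loop", path + [location])
            path.append(location)
            url = location
            continue
        if status == 200:
            # Finishing on http:// means a plaintext copy is still being served.
            return ("ok" if url.startswith("https://") else "plaintext", path)
        return ("error", path)
    return ("too-many-hops", path)


def check_site(hsts_header: str, responses: dict, http_url: str) -> list:
    """Findings a deployment review would raise; an empty list means none."""
    findings = []
    try:
        policy = parse_hsts(hsts_header)
        if policy["max-age"] < MIN_MAX_AGE:
            findings.append(f"HSTS max-age {policy['max-age']} is below {MIN_MAX_AGE}")
        if not policy["includeSubDomains"]:
            findings.append("HSTS does not cover subdomains")
    except ValueError as exc:
        findings.append(f"invalid HSTS header: {exc}")
    verdict, path = follow_chain(http_url, responses)
    if verdict != "ok":
        findings.append(f"HTTP entry point ends in {verdict}: {' -> '.join(path)}")
    return findings


if __name__ == "__main__":
    print(check_site("max-age=31536000; includeSubDomains", GOOD_SITE, "http://news.example/"))
    print(check_site("max-age=60", LOOPING_SITE, "http://news.example/"))
```

HSTS only helps a client that has already seen the header over a clean HTTPS connection (or has the site on the preload list), which is why the redirect chain still has to be right: the very first plain-HTTP request is the one a DNS or packet-racing attacker gets to answer.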

~~~
witty_username
HTTPS stops MITM except for nation-state attackers.

How does it increase the attack surface?

~~~
dogma1138
On the website?

An additional library, e.g. OpenSSL (Heartbleed), HTTPS crypto attacks (e.g.
BEAST), additional business processes that can be compromised both from the
CA/issuer's standpoint and from the website admin's POV, and an additional
resource to protect and securely distribute (private keys).

All in all you now have a greater attack surface as an entity. It doesn't
mean that you shouldn't use HTTPS, but as far as risk management goes things
change.

You as a user aren't affected unless you erroneously implicitly trust
encrypted traffic considerably more than unencrypted one.

HTTPS also doesn't stop MITM attacks from non-state actors. People trust
untrusted certificates, the certificate supply chain can be easily poisoned
(time and time again we've seen that everyone and their mother managed to make
CAs issue certificates under false pretences or otherwise erroneously), and
DNS / packet racing attacks can still work unless the website implements
HTTPS strictly.

~~~
witty_username
> An additional library e.g. OpenSSL (heartbleed), HTTPS crypto attacks (e.g.
> beast), an additional business processes that can be compromised both from
> the CA/issuers standpoint and from the website admin POV, and an additional
> resource to protect and securely distribute(private keys).

If these things are attacked, your security is not worse than HTTP.

HPKP and HSTS fix the problems you've described.

~~~
dogma1138
Again, you are talking about 2 different attack vectors here. The GP was
talking about compromising the website; an attack against the traffic between
the website and the client does not compromise the website in any case.

And no, if these things are attacked, at least as far as the library goes,
things aren't "no worse than HTTP", because it's a completely different threat
scenario which can actually compromise the website/host rather than just
poison a single client session.

For example [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6309](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6309),
which potentially allows for RCE if you use a vulnerable version of OpenSSL,
exposes your website to completely different threats than if you would only
use HTTP: not worse, not better, just an additional and quite different
threat.

This is why when you implement HTTPS or any other additional service you need
to understand how it changes the attack surface of your service from both a
technical and operational perspective.

------
dbg31415
[https://observatory.mozilla.org/analyze.html?host=www.thegua...](https://observatory.mozilla.org/analyze.html?host=www.theguardian.com)

Still getting a 50/100... somehow that's a "C" on the Mozilla curve.

------
thinkMOAR
"The reasons for our move"

If they wrote this 5+ years ago, kudos. Now, today... it seems a bit like a
very bad (and very late) ad campaign or excuse. And in all fairness, it could
have been summarized as 'we cared more about money than serving https to our
readers'.

~~~
mgbmtl
As far as I know, they are one of the few big media outlets to support https.
So yes, this should have been done earlier, but kudos to them for pioneering
this in their field and for publishing a short instruction manual for whoever
else is planning this.

I'm not surprised that they are worried about the financial impact of https on
their (very modest) revenue. It's a big investment for an industry struggling
financially.

~~~
0xmohit
RT switched to HTTPS a while back. [https://www.rt.com/](https://www.rt.com/)

> I'm not surprised that they are worried about the financial impact of https
> on their (very modest) revenue.

I don't see anything to that effect in the article.

------
andrewfromx
time to review this superuser answer and ponder some deep questions about
public wifi's [http://superuser.com/questions/1132148/how-do-you-force-publ...](http://superuser.com/questions/1132148/how-do-you-force-public-wifi-connect-modal-to-open-on-macos)
and new vocab word of the day is "captive portal"

------
devy
The Guardian uses Fastly CDN as a result the TLS certificate is Fastly's SAN
certificate, which also has over 150+ DNS entries to cover. Just thought it's
interesting to point out.

    $ openssl s_client -connect theguardian.com:443 | openssl x509 -noout -text | grep 'DNS:' | tr ', ' '\n'
    depth=1 /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    DNS:i.ssl.fastly.net
    DNS:*.am-autoparts.com
    DNS:*.am-autopartsqa.com
    DNS:*.i.ssl.fastly.net
    DNS:*.s.tmol.io
    DNS:4ormat.com
    DNS:*.4ormat.com
    DNS:500px.net
    DNS:*.500px.net
    DNS:500px.org
    DNS:*.500px.org
    DNS:abtasty.com
    DNS:*.abtasty.com
    DNS:api.yerdle.com
    DNS:biomedcentral.com
    DNS:*.biomedcentral.com
    DNS:bliyoo.bruna.nl
    DNS:cdn.mmgcache.net
    DNS:cleverbot.io
    DNS:*.cleverbot.io
    DNS:collective-media.net
    DNS:*.collective-media.net
    DNS:decalgirl.com
    DNS:*.decalgirl.com
    DNS:engagesciences.com
    DNS:*.engagesciences.com
    DNS:famous.co
    DNS:*.famous.co
    DNS:fitbit.com
    DNS:*.fitbit.com
    DNS:format.com
    DNS:*.format.com
    DNS:github.app.secretcdn.net
    DNS:*.github.app.secretcdn.net
    DNS:global-pop.tumblr.com
    DNS:*.global-pop.tumblr.com
    DNS:goodeggs.com
    DNS:*.goodeggs.com
    DNS:grindr.com
    DNS:*.grindr.com
    DNS:guim.co.uk
    DNS:*.guim.co.uk
    DNS:hackster.io
    DNS:*.hackster.io
    DNS:harveynichols.com
    DNS:*.harveynichols.com
    DNS:help.optimizely.com
    DNS:huevosbuenos.com
    DNS:*.huevosbuenos.com
    DNS:img.society6.com
    DNS:*.img.society6.com
    DNS:inverse.com
    DNS:*.inverse.com
    DNS:kilmer.io
    DNS:*.kilmer.io
    DNS:kindsnacks.com
    DNS:*.kindsnacks.com
    DNS:learn.optimizely.com
    DNS:live.cf.public.springer.com
    DNS:*.live.cf.public.springer.com
    DNS:logoscdn.com
    DNS:*.logoscdn.com
    DNS:m.au.vjukebox.com
    DNS:m.ca.vjukebox.com
    DNS:m.uk.vjukebox.com
    DNS:m.us.vjukebox.com
    DNS:maps.tmol.co
    DNS:mapsapi.tmol.co
    DNS:mapsapi.tmol.io
    DNS:mapsint.tmol.co
    DNS:mapsintqa.tmol.co
    DNS:mapsqa.tmol.co
    DNS:meerkatapp.co
    DNS:*.meerkatapp.co
    DNS:modafinilcat.com
    DNS:my.ticketmaster.ca
    DNS:offerpop.com
    DNS:*.offerpop.com
    DNS:ogol.io
    DNS:*.ogol.io
    DNS:optimizely.com
    DNS:performance.service.gov.uk
    DNS:*.performance.service.gov.uk
    DNS:preview.performance.service.gov.uk
    DNS:*.preview.performance.service.gov.uk
    DNS:production.performance.service.gov.uk
    DNS:*.production.performance.service.gov.uk
    DNS:q-static.com
    DNS:*.q-static.com
    DNS:qa.cashstar.com
    DNS:*.qa.cashstar.com
    DNS:reissdev.com
    DNS:*.reissdev.com
    DNS:s.sellocdn.com
    DNS:*.s.sellocdn.com
    DNS:s2.tmol.co
    DNS:s2.tmol.io
    DNS:scanscout2.com
    DNS:*.scanscout2.com
    DNS:screenshot.click
    DNS:*.screenshot.click
    DNS:skedge.me
    DNS:*.skedge.me
    DNS:snapshot.raintank.io
    DNS:spotfront.mathtag.com
    DNS:springer.com
    DNS:*.springer.com
    DNS:squarecdn.com
    DNS:*.squarecdn.com
    DNS:staging.performance.service.gov.uk
    DNS:*.staging.performance.service.gov.uk
    DNS:static.awesomeom.com
    DNS:subscribe.theguardian.com
    DNS:teamtreehouse.com
    DNS:*.teamtreehouse.com
    DNS:theguardian.com
    DNS:*.theguardian.com
    DNS:timeout.cat
    DNS:*.timeout.cat
    DNS:timeout.com
    DNS:*.timeout.com
    DNS:timeout.es
    DNS:*.timeout.es
    DNS:timeout.fr
    DNS:*.timeout.fr
    DNS:timeoutkorea.kr
    DNS:*.timeoutkorea.kr
    DNS:timeoutmexico.mx
    DNS:*.timeoutmexico.mx
    DNS:u.sellocdn.com
    DNS:*.u.sellocdn.com
    DNS:venue.tmol.co
    DNS:venue.tmol.io
    DNS:venueint.tmol.co
    DNS:venueqa.tmol.co
    DNS:vjukebox.com
    DNS:*.vjukebox.com
    DNS:www.alarmgrid.com
    DNS:www.edgee.com
    DNS:www.freshbooks.com
    DNS:www.graspwise.com
    DNS:www.modafinilcat.com
    DNS:www.msdayofgiving.org
    DNS:www.neste.com
    DNS:www.optimizely.com
    DNS:www.optimizelystaging.com
    DNS:www.reiss.com
    DNS:www1.ticketmaster.ca
    DNS:www1.ticketmaster.com
    DNS:xkcd.com
    DNS:*.xkcd.com
    ^C
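
What a shared SAN certificate like the one above actually covers, as an added example (not from the thread or from Fastly): browser-style hostname matching against a constructed subset of those SAN entries, showing that `*.theguardian.com` matches `www.theguardian.com` but neither the bare domain nor a two-level subdomain, and a helper that lists the entries belonging to other organisations, i.e. the names whose reachability depends on the same private key. The public-suffix check that browsers also apply is omitted.

```python
# Constructed subset of the SAN list shown above (order preserved).
SAN_SUBSET = [
    "i.ssl.fastly.net", "*.i.ssl.fastly.net",
    "theguardian.com", "*.theguardian.com", "subscribe.theguardian.com",
    "guim.co.uk", "*.guim.co.uk",
    "fitbit.com", "*.fitbit.com",
    "xkcd.com", "*.xkcd.com",
    "performance.service.gov.uk", "*.performance.service.gov.uk",
]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching as browsers apply it to dNSName SAN entries.

    Comparison is case-insensitive; a wildcard must be the entire leftmost
    label, needs at least two labels after it, and stands for exactly one
    label, so '*.example.com' covers 'a.example.com' but not 'example.com'
    or 'a.b.example.com'.  (The public-suffix check is omitted here.)
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False  # partial or deeply placed wildcards are rejected
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False  # the wildcard covers exactly one non-empty label
    return p_labels[1:] == h_labels[1:]


def matching_sans(sans, hostname: str) -> list:
    """Every SAN entry under which `hostname` would be accepted."""
    return [san for san in sans if hostname_matches(san, hostname)]


def foreign_entries(sans, own_domains) -> list:
    """SAN entries not under any of the operator's own registrable domains."""
    def under(name: str, domain: str) -> bool:
        bare = name[2:] if name.startswith("*.") else name
        return bare == domain or bare.endswith("." + domain)

    return [san for san in sans if not any(under(san, d) for d in own_domains)]


if __name__ == "__main__":
    for host in ("www.theguardian.com", "theguardian.com", "a.b.theguardian.com"):
        print(f"{host:>22}: {matching_sans(SAN_SUBSET, host)}")
    others = foreign_entries(SAN_SUBSET, ["theguardian.com", "guim.co.uk"])
    print(f"{len(others)} of {len(SAN_SUBSET)} entries belong to other organisations")
```

The practical consequence for a site on such a certificate is that revocation, key rotation and any misissuance or key compromise are shared with every other name on the list, which is the concern the dedicated certificate mentioned in the reply addresses.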

~~~
sihil
We're working on it!

We're in the process of switching to a dedicated certificate that only
contains Guardian properties.

------
noir-york
Great! Now if only they would move back to the center...

~~~
padraic7a
Just out of curiosity, where would you place them currently?

~~~
noir-york
Left of center?

Their news coverage is good (SportsDirect being a case in point). It's the
opinion pages which make me wonder.

~~~
padraic7a
Yeah I would agree that they're left of centre. But I would say that they have
moved more to the right in the last few years.

I guess that probably says something about our politics too :-)

~~~
noir-york
Interesting that you believe that they've moved right. I sorta think they've
(particularly the opinion pages) moved left, especially with regards to social
issues.

> I guess that probably says something about our politics too

I was gonna agree with you and then I thought that in fact, it should be
possible to place someone's politics on a scale that is independent of the
observer. Keynesian is to the left of supply-side economics for instance.
Social issues are on their own scale.

