[Cryptography] HTTPS usage at major media sites
John Denker
jsd at av8n.com
Sun Nov 1 23:54:21 EST 2015
Here are some observations and remarks on the use of crypto at certain
high-volume media sites.
Sites that redirect HTTP to HTTPS:
https://www.washingtonpost.com/
https://www.theintercept.com/
Sites that offer both HTTPS and HTTP, without redirecting:
https://www.youtube.com/
Sites that redirect HTTPS to HTTP:
http://www.nytimes.com/ (note 3)
http://www.pbs.org/
http://www.theguardian.com/
http://www.thedailybeast.com/
http://www.buzzfeed.com/
http://www.bbc.co.uk/
Sites that present an invalid certificate (typically because the
CDN answers port 443, but the content originator never bothered
to obtain a certificate):
https://www.npr.org/
https://www.huffingtonpost.com/
https://www.mcclatchydc.com/
https://www.foxnews.com/
https://www.cnn.com/
https://www.latimes.com/
https://www.reuters.com/
Sites with a botched HTTPS implementation, e.g. mixed content:
https://www.thenation.com/
https://www.nhk.or.jp/
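The redirect and certificate categories above can be checked mechanically. The following is an added example, not code from the original post: it issues one HEAD request to the HTTP and HTTPS forms of a hostname without following redirects and sorts the site into "http-to-https", "https-to-http", "invalid-cert" or "both-no-redirect" (the mixed-content category needs page-body inspection and is not covered). The probe is injectable so the classification logic can be exercised offline against recorded responses; any hostnames in such recordings are placeholders.

```python
import http.client
import ssl
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


def probe_live(url, timeout=10):
    """Request one URL without following redirects.

    Returns (status, location, cert_ok). cert_ok is False only when the TLS
    handshake fails certificate verification; an unreachable host yields
    (None, None, True) so it is not confused with a bad certificate.
    """
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"
    try:
        if parts.scheme == "https":
            conn = http.client.HTTPSConnection(
                host, timeout=timeout, context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(host, timeout=timeout)
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), True
    except ssl.SSLCertVerificationError:   # subclass of OSError: catch first
        return None, None, False
    except OSError:                        # refused, timeout, DNS failure
        return None, None, True


def classify(hostname, probe=probe_live):
    """Sort a site into the categories used in the post. 'probe' is
    injectable so the logic can be tested with recorded responses."""
    h_status, h_loc, _ = probe("http://%s/" % hostname)
    s_status, s_loc, cert_ok = probe("https://%s/" % hostname)
    if not cert_ok:
        return "invalid-cert"
    if s_status is None:
        return "https-unavailable"
    if h_status in REDIRECTS and (h_loc or "").startswith("https://"):
        return "http-to-https"
    if s_status in REDIRECTS and (s_loc or "").startswith("http://"):
        return "https-to-http"
    return "both-no-redirect"


if __name__ == "__main__":
    import sys
    for site in sys.argv[1:]:
        print(site, classify(site))
```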
**** Remarks ****
1) Only a smallish minority of media sites offer any semblance of
useful HTTPS.
2) A year ago there were none, so this is progress.
3) A year ago, the New York Times CTO co-authored a blog post listing
all the reasons why a newspaper site should use HTTPS.
http://open.blogs.nytimes.com/2014/11/13/embracing-https/
I find it amusing that the Washington Post took his advice, but his
own paper did not.
4) Contrary to what it says in that blog post, applying HTTPS to a
newspaper site provides little if any privacy. That's because
traffic analysis is too easy. The article lengths and the pattern
of image fetches give the game away.
As I have said before:
Metadata is data.
A cryptosystem that leaks metadata is a cryptosystem that leaks.
We seriously need to raise our game. We need to come up with systems
that do a much better job of protecting privacy.