The Freedom of the Press Foundation ranks “The Intercept” the most secure news site
The American non-profit Freedom of the Press Foundation recently performed a study of some of the world’s most popular news sites, grading each one on its web security implementations.
The Intercept, an American news site created by eBay founder Pierre Omidyar, took first place.
The Freedom of the Press Foundation’s study took into account a number of factors, like whether the site was available over HTTPS, defaulted to HTTPS, had HTTP Strict Transport Security (HSTS) enabled and whether it was HSTS preloaded. The study graded on a scale of F to A+. Only four sites graded out in the A-range, with ProPublica, TechCrunch and The Guardian receiving an A- and The Intercept receiving the lone A+.
What set The Intercept apart was the fact that it’s the only news site to use HSTS preloading.
What is HSTS and HSTS Preloading?
HSTS, or HTTP Strict Transport Security, is a mechanism that ensures that users cannot be forced onto an insecure copy of a website. Forcing users onto an insecure copy is a common tactic for cybercriminals and hackers, and a form of “man-in-the-middle” attack. HSTS prevents this by notifying an internet user’s browser that connections to this site may only ever be made securely and that it should never accept any insecure version of the site.
HSTS Preloading takes this concept a step further. Rather than send the HSTS header to the browser, a site sends that information to organizations like Google and Mozilla so that they can load it into their web browsers, hence the term “preloading”. This ensures that even if a visitor has never accessed the site, there will be no chance of third-party interference with the connection—even on the very first visit.
Why is HTTPS So Important for a News Site?
You may be wondering why it would be so important for a news site to be served over HTTPS. After all, many do not require users to log in or provide any personal information.
The answer to this is multi-faceted. For starters, encryption is about to become a requirement in 2017 as browsers move from incentivizing HTTPS to penalizing insecure HTTP connections. So, beyond simple security, news sites need to encrypt just for the sake of avoiding negative visual indicators and browser warnings.
But from the standpoint of good security practices, HTTP allows third parties to potentially spy on a connection, sometimes injecting their own content or keeping tabs on what pages a user is viewing. And, in the event a site does require visitors to log in, as is the case with many news sites that have put up paywalls, HTTP connections provide third parties with an opportunity to steal sensitive information like usernames and passwords.
The Freedom of the Press Foundation’s study found, rather alarmingly, that just 28% of news sites even offer HTTPS connections, and far fewer, 14%, default to it.
The foundation called on all news sites to do more to protect readers’ privacy:
“With HTTPS enabled by default you can protect reader privacy, improve your website’s security, better protect your sources, prevent censorship, improve your search rankings, provide a better user experience, see your website loading speeds potentially increase and avoid Google shaming.”
That being said, migrating to HTTPS can be a challenge. For instance, the British news outlet, Marshall Project (ranked second on the list), only switched to HTTPS this past November. It took the site six months to test and troubleshoot issues before it could finally make the switch.
Other sites with large sitemaps and numerous digital assets will likely need the same – or even more – time in order to make such a sizable change.