BuzzFeed switches to HTTPS encryption default in new security upgrade
Encryption has certainly been pushed into the spotlight recently. Following the now infamous legal conflict between Apple and the FBI over unlocking an encrypted iPhone and WhatsApp’s decision to enable end-to-end encryption in their service, cybersecurity is quickly becoming a bigger priority for companies and organisations across the globe.
Now, BuzzFeed readers will notice a padlock icon and an extra “s” in the site’s web address as the media company shifts from using the basic HTTP web protocol to the more secure HTTPS encryption by default on all of its pages. HTTPS is an internet protocol that secures the connection between a website and a device application, such as a user’s browser, keeps data safe and protects readers from surveillance or malicious online attacks.
“Encryption scrambles the data that is passed between your web browser and BuzzFeed’s servers, making it extremely difficult for ‘bad guys’ (a hostile state, criminal enterprise, or just a nosy neighbor stealing your wifi) to see,” BuzzFeed said in a blog post on 17 May.
The company said the decision to switch to HTTPS is primarily to protect readers and staff who use the site.
“We want LGBT readers in Uganda to have been able to learn about troubling developments in their country without exposing themselves to authorities who are likely sniffing their web traffic,” wrote Buzzfeed’s director of global security Jason Reich, director of engineering Clement Huyghebaert and assistant general counsel Nabiha Syed.
“We want sources to be able to contact our investigations team discreetly by verifying their PGP fingerprints on our site. And we need our readers to trust that what they read on the BuzzFeed site is exactly what we’ve intended for them to see — and not tampered with by some nefarious actor. HTTPS ensures all of that.”
The shift also makes sense for the popular website given Google’s decision last year to givepreference to encrypted pages in its search results.
BuzzFeed says the migration was easier than it would be for most online media outlets due to its advertising model. HTTPS can only be enabled if all of the embedded components in a page uses it too, which can be challenging for websites that have unencrypted third-party ad content.
“It was still a significant challenge for our engineering team to ensure that all of our embedded content (tweets, Instagrams, Youtube videos, etc.) is served over HTTPS,” they wrote. “Fortunately most of the major platforms we embed are already doing it.”
In 2014, Google expanded its use of the encrypted HTTPs connection for users checking or sending email on Gmail’s servers.
In June 2015, the White House Office of Management and Budget announced a policy requiring all publicly accessible Federal websites and web services to adopt HTTPS by the end of 2016. The Washington Post started to transition its site to use HTTPS later that month. BuzzFeed also mentions that the Post’s engineering team did give them “tips from their own experience switching to HTTPS”.
More recently, Wired.com also began the transition to HTTPS but did note that they have hit a snag in the process. However, many notable media companies are yet to jump in on the encryption bandwagon.
Still, BuzzFeed does emphasise that while HTTPS “isn’t a silver bullet for internet security”, it is a step forward to help protect user data and privacy from actors looking to exploit it, both regulatory and malicious.
