Using https to secure the Web for journalism

From today, you have an alternative web address for visiting the CPJ website. As well as our usual http://cpj.org/ address, you can visit our site securely at https://cpj.org/. We’ve turned on this feature to help protect our readers who are at risk of surveillance and censorship, and as part of a wider advocacy mission to encourage social networking and media sites to do the same.

Traditionally, websites have only served a few pages securely. Your bank almost certainly uses a secure Web page to give your account details; your favorite websites almost certainly will send you to a secure page when they ask you to log in. You can tell when they do because the address of the page starts with “https” rather than “http,” and most browsers will show a padlock icon when this happens. 

But the vast majority of web pages use “http” and are sent unencrypted and insecurely. Even websites like The New York Times and Washington Post that do offer complete “https” versions of their sites often do not publicize this secure alternative to their main address. Sites like Facebook and Twitter have secure versions, too, but they have been prone to breakdowns.

What does this mean for at-risk journalists? Unsecured, unencrypted Web pages can be monitored by anyone who can tap Internet traffic as it passes over telecommunications infrastructure. The online journalists we document at CPJ are targeted by organizations or individuals with either the local regulatory power or the criminal influence to do exactly that. If these journalists are communicating using social networking sites or commenting on media stories via unencrypted sessions, the lax default security of the majority of websites leaves them vulnerable to surveillance and exposure.

Securely served websites have another advantage in the fight against state censorship of the press. Currently, the biggest pressure on governments who decide to block key websites from their populations is the clumsiness of those blocks. Citizens may be unaware of journalist intimidation and censorship in their own countries, but if a regime has to block all of YouTube or Facebook or a local social site to prevent damaging news from spreading, the wired part of their public quickly recognizes and frequently rebels against such a blatant trampling of their free speech.

But as we’ve noted before, Internet censorship is getting subtler. Without https, it’s possible for regimes to target and block individual Web addresses rather than whole sites. They can also block pages on an ad hoc basis, filtering on the basis of the presence of certain phrases on the page, such as the name of an opposition leader or a rebellious province.

Sending Web pages securely stops both of these techniques. If you can’t spy on Web traffic, you can’t scan for keywords. And if you can’t see which Web page a person is visiting on a site, you can’t selectively block. If more sites used https, censorship would remain clumsy–and visible.

Historically, using https came with a cost: in computer processing time, and in unavoidable delays encoding and decoding the data. These days, those costs are far smaller, and the risks far greater. Google, a company for which the smallest increases in processing demands and transmission delays can cost millions, has begun to switch to serving secure Web pages. After the attack on its servers by China, it turned on secure Web pages by default for all of its Gmail users. It now also offers an encrypted version of its search engine, at https://encrypted.google.com/. Its engineers have proposed new techniques and standards that would make wider use of https easier for other companies. And while journalists are on the front line for surveillance and censorship, the amount of private or valuable content revealed by everyone through unsecured Web traffic is growing.

Switching to https is not without its challenges (our Web developer John Emerson led us through the process), but the rewards are worth it. It’s time for more companies to turn on https for all their traffic, and it’s time for technologists to make it easier for them to do so. Doing so will make the Internet safer for at-risk journalists and a free press, but it’ll also make it more secure and private for us all.