Sites that don't offer HTTPS encryption are running out of excuses

Analysis: The barriers that once stood in the way of a fully secure web don't exist anymore.


Here's a thought.

You lock the doors to your house every night. You keep a passcode on your iPhone. You shield the ATM keypad when you type in your code. We all almost unconsciously do things that make us safer. And if we don't, or we forget, we become less secure and run the risk of someone invading our privacy or stealing our things.

Why is that any different online? Fun fact: it's not.

Your online banking, email account, and social networks are all locked down with site encryption, which doesn't just prevent snoopers and hackers from reading your username and password as they travel across the internet, but also offers a strong level of assurance that the page has not been modified in any way. (Which, by the way, happens more often than you'd think.) You'll see that lit-up green bar in your browser or a padlock and you'll feel assured and safe.


So, why don't you apply the same logic to the rest of the web? Here's another fun fact: you probably should.

The reality is that most sites you visit on a daily or weekly basis offer no encryption at all.

Check out any of the main US news websites and not one offers encryption by default. If you look at the top twenty news sites listed on Techmeme (by presence), not a single site offers encryption by default. (Disclosure alert: neither does ZDNet or sister-site CNET.)

For what it's worth, only Recode and The Verge provide an encrypted option, but you have to manually type it in at the address bar.

"When visiting your website over an unencrypted connection, readers are basically disclosing to anyone who is listening that they are interested in the article they are reading, and you are opening yourselves up to revenue stealing by third parties," said Daniel Roesler, UtilityAPI chief technology officer, who wrote in a personal capacity on his blog.

He also called it "embarrassing" and "hypocritical" that many of those sites (including this one) have written extensively about both private and state surveillance in recent years.

The good news is that major websites, which take up the bulk of the web's traffic, are starting to wake up. This week alone both Reddit and Wikipedia announced efforts to encrypt their site traffic.

Reddit, which had more than 172 million unique visitors as of mid-June, will begin serving up all pages over HTTPS from June 29. Wikipedia, with 439 million unique visitors in June so far, said it would begin encrypting traffic immediately.

It's undoubtedly a good move for both sites, which together have a user base comparable to Europe's population. They follow in the footsteps of Netflix, which announced the move earlier this year, and even the feds, who have begun to encrypt their sites (despite counter-rhetoric damning the move).

Encryption today isn't what it used to be. It's not as expensive and cumbersome to implement. Encryption isn't just for the online corporate elite, which used to shell out thousands of dollars for a security certificate.

Today, it's stronger, more advanced, and generally a lot easier to implement -- and crucially, it's cheaper than ever. In some cases, it costs nothing. Privacy groups like the Electronic Frontier Foundation are pushing for companies to adopt website encryption by offering it for free.

A mass move to the secure web won't happen overnight, but the longer companies put it off, the fewer excuses they'll have left for their privacy-conscious customers.
