Today’s a big day on WIRED.com. Take a look at your browser’s address bar. See that lock icon next to the URL? Starting today, we're making the switch to HTTPS. We’re starting on our Security vertical—where many of our loyal readers already know a thing or two about cybersecurity. And over the next month, we will roll it out across the site. A lock icon and an extra "s" in our web address may not look like a big deal, but they represent a huge upgrade, one that fundamentally transforms the security of our site.
What is HTTPS, you ask? It refers to HTTP requests transmitted over a secure encrypted channel. In simpler terms, visiting an HTTPS site rather than a regular old HTTP site protects you against an array of malicious activities, including site forgery and content alteration.
When visiting a correctly configured and maintained HTTPS site, you can expect three things: authenticity, integrity, and encryption.
The authenticity protection means that the site that loads is confirmed to be the site you intended to visit. When you go to the new and improved HTTPS version of WIRED.com, your browser will verify our site to ensure you’re seeing WIRED.com and not a forgery. (This might sound wild, but hackers can fairly easily replace real HTTP websites or pages with fake ones.)
The integrity protection means that the data transferred between WIRED’s server and your browser has not been altered. Now that we’re switching to HTTPS, if someone tries to tamper with WIRED content before your browser receives it, your browser will issue a warning. You can rest assured that what you're reading is exactly what our writers wrote.
The encryption protection means no one can spy on content as it travels from our server to your browser. If someone is trying to surveil that content, it will be unintelligible to them unless they manage to decrypt it—which is really difficult to do.
As a leader in tech journalism for more than 20 years, WIRED’s switch to HTTPS might sound long overdue. But implementing this vital security layer remains a big challenge for media sites like us.
When delivering a website over HTTPS, every single asset loaded from the site must be delivered via HTTPS. For instance, if we embed an asset like a Hulu video that uses HTTP, the overall security of the browsing session is downgraded because the Hulu assets are served insecurely. Even if most of a site’s assets use HTTPS, browsers may block individual assets, such as images or Javascript files, served over HTTP because they compromise security.
And that’s our big challenge: To successfully roll out HTTPS, we must first ensure that as much of our content---all 23 years of it---as possible does not contain references to HTTP assets. That's a lot of content, created by thousands of authors using several different content management systems, that's been through many migrations and transformations. Wrangling it all to ensure we deliver secure assets everywhere takes time and experimentation.
Beyond our original content, WIRED serves content and experiences from third parties that provide advertising, analytics, recirculation, and embedded media integrations. Ensuring it's all prepared for HTTPS requires coordination amongst internal teams and external vendors—and like most media outlets, we rely on advertising to pay the bills so we can keep telling you stories you want to read.
As you can imagine, preparing our site’s advertising for this change was one of the big hurdles to rolling this out. The sheer volume of entities involved in ad delivery makes it a significant challenge to reliably serve every ad on WIRED over HTTPS. Our internal ad teams must enforce strict standards around HTTPS compliance for ads with all creatives—something WIRED’s advertising teams started working toward 10 months ago, when the real work of moving the site to HTTPS began. But Robbie Sauerberg, our general manager of advertising, says the work is worth it "because we’re WIRED. It was important for the whole team that we are not only first or early movers on all things ad tech, but also that we treat our savvy readership with the experience they demand."
We need to get this right so we can offer an experience we can be proud of and, we hope, inspire other news organizations to embrace HTTPS. To do so, we are approaching this as a series of experiments, meaning that we will increase risk over time as we prepare our site for a full HTTPS transition. We did a limited test last week, when we brought HTTPS to our Business vertical for almost 24 hours. After evaluating the performance, we were happy to discover our content and ad deliverability worked as expected, allowing us to proceed with of our official rollout.
Today, we officially start the switch with the Security vertical. Think of this as our canary in the coal mine. We are using it to ensure other parts of the site are ready for HTTPS. We want to identify any issues before turning it on everywhere. The trial runs through May 12, when we plan to flip the switch on HTTPS across the site.
As we explained, enabling HTTPS on a media site isn't easy. Many have discussed the importance of HTTPS on news and media sites, and a few notable sites have already achieved it. We plan to discuss our implementation openly, sharing our successes and our failures. And we'll publish a detailed technical article when we finish the transition. We hope our transparency helps other media sites begin their own HTTPS transitions.
We’ll keep you updated as the process unfolds, so stay tuned as we transform WIRED.com into the HTTPS-secured site we’ve always wanted it to be.