Transport Layer Security (TLS), previously known as SSL or Secure Sockets Layer, encrypts and authenticates the connection between the browser and a website, protecting the site from attacks that could impersonate the server, manipulate content, or expose user activity. TLS prevents the monitoring of a site’s communications, which increases security while protecting a site’s users. It also provides a mechanism for site validation (i.e., verifying that the site you are connected to is the site you typed into your browser).
Building credibility and trust with TLS
Given the concerns outlined above, TLS is especially applicable to news sites. News organizations bear a public responsibility to accurately report the news, and need to take the steps necessary to ensure credibility. The security of online news content is one of the first steps in verifying its veracity while protecting readers. Offering a secure, verified, and encrypted connection protects the end users’ privacy and ensures the authenticity of the content they’re viewing. In this instance, TLS isn’t so much about protecting the content, but protecting those accessing it. Think of a library: the books themselves are accessible to the public, but an individual’s checkout history isn't.
Lack of adoption
A recent blog post points out that many news sites do not enable TLS. Included in the list are popular sites like The Wall Street Journal, The New York Times, USA Today, and The Washington Post, among others.
Why is TLS such an underused resource among news sites? One possibility is the historic perspective of TLS as something primarily used to protect passwords and credit card data. News sites that don't make much use of these features may not see the need for the heightened security associated with ecommerce or online banking.
Another possibility is that businesses lack the time and resources necessary to make the switch.
The performance myth
A widely held but increasingly untrue belief is that TLS encryption is performance-intensive and therefore incurs additional costs. But the overhead isn't as high as it used to be. Plus, “modern hardware has made great improvements to minimize costs” for implementing TLS, according to Ilya Grigorik in his book High Performance Browser Networking.
There's some truth to the myth that TLS can lead to decreased performance, especially if sites aren't using a content delivery network to help offload traffic. While implementing an additional layer of security can be done at relatively little expense, costs can multiply exponentially when a site grows rapidly. A CDN can significantly mitigate these costs by offloading traffic from the origin and allowing sites to terminate secure connections (completing the TCP and TLS handshakes) closer to the user.
Media companies are focusing on scaling effective technology to manage their growth — investing in technology for mobile apps, responsive websites, and more interactive content online. Security is a factor in that growth, and it's no longer a given that performance must be sacrificed as a result.
Fortunately, there's a way for sites to easily adopt TLS without straining infrastructure. At Fastly, we’re working with online media companies like Fast Company to do some of the heavy lifting by terminating secure connections at the edge.
Harry Guillermo, a senior developer at Fast Company, says, “At Fast Company, we want to offer a more personalized experience for our readers. This means protecting users’ secure information — that’s why we need to offer the additional layer of security TLS provides. That, paired with a CDN that lets us cache closer to the user, gives us the competitive edge we need to offer readers content in real time while protecting their personal information.”
A changing landscape
Google has started giving sites using secure HTTPS connections a ranking boost; it's only a matter of time before TLS becomes the norm rather than the exception. In fact, there is already a grassroots movement in place to encrypt the entire web in 2015. As more sites adopt TLS, readers will expect their news to be authentic and their activity on news sites to be private. Increasing the security and authenticity of news sites will empower readers while giving organizations the full authority and confidence to report the news.