Many website operators have wrestled with the decision to move all their web infrastructure to support HTTPS protocols. The upside is obvious: better protection and a more secure pathway between browser and server.

Having a secure connection also makes it harder for cybercriminals to insert man-in-the-middle (MitM) or man-in-the-browser (MitB) attacks, and it prevents users from getting malware through this channel. It also prevents fraudsters from injecting unwelcome ads into the browsing session.

There are other benefits as well. Internet providers can’t easily track what pages users are seeing when this traffic traverses their networks, since the traffic is encrypted. Plus, Google offers benefits to sites that make use of HTTPS in its search rankings.

Making the Switch

But it isn’t as easy as just swapping out one protocol for another. The Guardian released an interesting case study about the publication’s own experience in this matter, which should be required reading for any IT department that is considering a switch from HTTP to HTTPS.

One issue is that many of the publication’s partners, such as advertising agencies and networks, didn’t support HTTPS. This is, perhaps, the biggest limiting factor in making the move to encryption. Before these entities began supporting HTTPS, the publication was not able to adopt the more secure protocols.

Second, the editorial team had to migrate older content, particularly interactive content, over to HTTPS and ensure that nothing broke in the transfer. The team decided to tackle it piecemeal, with one audience and one project at a time, to gain experience and resolve problems for each project before moving on to the next one.

Completing the HTTPS Transition

The IT staff made use of three important techniques: monitoring, stack changes and using early adopters. Monitoring is key — did overall readership drop as a result of the implementation? What about page error rates or other warnings? Keeping a close eye on these metrics is a great early warning system.

Next, they made changes to their web stack and migrated their back-end systems first before making any changes to their front ends. This made problems easier to identify and fix. Part of the stack changes required them to work with their content network provider to add redirection rules, log all mixed mode warnings and employ various automated scripts to update their old URLs to take advantage of HTTPS. They also got rid of their URL-shortening service, since Twitter no longer counts characters in its message URL links.

Finally, the team asked for users’ help, partly to get additional early warnings of any errors in the migration. This included having The Guardian’s own journalists participate in the process so that they would view the secure version of the site early in the process.

All told, the publication’s editorial, sales and IT staffs collaborated over the three-year transition, and now it is completely running over HTTPS. The teamwork provides a great model for other organizations looking to make the switch.

more from Endpoint

IOCs vs. IOAs — How to Effectively Leverage Indicators

Cybersecurity teams are consistently tasked to identify cybersecurity attacks, adversarial behavior, advanced persistent threats and the dreaded zero-day vulnerability. Through this endeavor, there is a common struggle for cybersecurity practitioners and operational teams to appropriately leverage indicators of compromise (IOCs) and indicators of attack (IOAs) for an effective monitoring, detection and response strategy. Inexperienced security […]

TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware

Malware authors use various techniques to obfuscate their code and protect against reverse engineering. Techniques such as control flow obfuscation using Obfuscator-LLVM and encryption are often observed in malware samples. This post describes a specific technique that involves what is known as metaprogramming, or more specifically template-based metaprogramming, with a particular focus on its implementation […]