Many website operators have wrestled with the decision to move all their web infrastructure to HTTPS. The upside is obvious: better protection and a more secure pathway between browser and server.

Having a secure connection also makes it harder for cybercriminals to carry out man-in-the-middle (MitM) or man-in-the-browser (MitB) attacks, and it prevents users from getting malware through this channel. It also prevents fraudsters from injecting unwelcome ads into the browsing session.

There are other benefits as well. Because the traffic is encrypted, internet providers can’t easily track which pages users are viewing as it traverses their networks. Plus, Google offers benefits in its search rankings to sites that make use of HTTPS.

Making the Switch

But it isn’t as easy as just swapping out one protocol for another. The Guardian released an interesting case study about the publication’s own experience in this matter, which should be required reading for any IT department that is considering a switch from HTTP to HTTPS.

One issue is that many of the publication’s partners, such as advertising agencies and networks, didn’t support HTTPS. This is, perhaps, the biggest limiting factor in making the move to encryption. Before these entities began supporting HTTPS, the publication was not able to adopt the more secure protocols.

Second, the editorial team had to migrate older content, particularly interactive content, over to HTTPS and ensure that nothing broke in the transfer. The team decided to tackle it piecemeal, with one audience and one project at a time, to gain experience and resolve problems for each project before moving on to the next one.

Completing the HTTPS Transition

The IT staff made use of three important techniques: monitoring, stack changes and using early adopters. Monitoring is key — did overall readership drop as a result of the implementation? What about page error rates or other warnings? Keeping a close eye on these metrics is a great early warning system.

Next, they made changes to their web stack, migrating their back-end systems before making any changes to their front ends. This made problems easier to identify and fix. Part of the stack changes required them to work with their content delivery network (CDN) provider to add redirection rules, log all mixed-content warnings and employ various automated scripts to update their old URLs to take advantage of HTTPS. They also got rid of their URL-shortening service, since Twitter no longer counts characters in its message URL links.
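The URL updates and mixed-content logging described above could be automated along these lines. This is an added example, not The Guardian's own scripts; the hostnames, the sample page and the `https_ready_hosts` allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a subresource for the page.
SUBRESOURCE_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"),
                     ("video", "src"), ("audio", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    """Collects (tag, url) for every subresource still loaded over http://."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        is_css = tag == "link" and "stylesheet" in (attr.get("rel") or "").lower()
        for name, value in attrs:
            loads = (tag, name) in SUBRESOURCE_ATTRS or (is_css and name == "href")
            if loads and value and value.lower().startswith("http://"):
                self.found.append((tag, value))

def migrate(html, https_ready_hosts):
    """Return (rewritten_html, upgraded_urls, blockers).

    URLs on hosts known to serve HTTPS are rewritten; the rest are reported
    as blockers (for example, a partner that has not enabled HTTPS yet).
    """
    finder = MixedContentFinder()
    finder.feed(html)
    upgraded, blockers = [], []
    for tag, url in finder.found:
        if urlsplit(url).hostname in https_ready_hosts:
            secure = "https://" + url[len("http://"):]
            for quote in ('"', "'"):  # touch only whole quoted attribute values
                html = html.replace(quote + url + quote, quote + secure + quote)
            upgraded.append(secure)
        else:
            blockers.append((tag, url))
    return html, upgraded, blockers

# Constructed sample page: one first-party host that is HTTPS-ready, one ad partner that is not.
SAMPLE = '''<html><head>
<link rel="stylesheet" href="http://static.example.org/site.css">
<script src="http://ads.partner.example/tag.js"></script>
</head><body>
<img src="http://static.example.org/photo.jpg">
<a href="http://old.example.org/story">related story</a>
</body></html>'''

if __name__ == "__main__":
    _, upgraded, blockers = migrate(SAMPLE, {"static.example.org"})
    print("upgraded:", upgraded, "\nblockers:", blockers)
```

Plain links (`<a href>`) are left alone because navigation is not mixed content, and URLs containing HTML entities such as `&amp;` are not rewritten by this simple string replacement.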

Finally, the team asked for users’ help, partly to get additional early warnings of any errors in the migration. This included having The Guardian’s own journalists take part so that they would view the secure version of the site early in the process.

All told, the publication’s editorial, sales and IT staffs collaborated over the three-year transition, and the site now runs completely over HTTPS. The teamwork provides a great model for other organizations looking to make the switch.
