February 24, 2017 By David Strom 2 min read

Many website operators have wrestled with the decision to move all their web infrastructure to support HTTPS protocols. The upside is obvious: better protection and a more secure pathway between browser and server.

Having a secure connection also makes it harder for cybercriminals to mount man-in-the-middle (MitM) or man-in-the-browser (MitB) attacks, and it prevents users from getting malware through this channel. It also prevents fraudsters from injecting unwelcome ads into the browsing session.

There are other benefits as well. Because the traffic is encrypted, internet providers can't easily track which pages users are viewing as it traverses their networks. Plus, Google offers search-ranking benefits to sites that use HTTPS.

Making the Switch

But it isn’t as easy as just swapping out one protocol for another. The Guardian released an interesting case study about the publication’s own experience in this matter, which should be required reading for any IT department that is considering a switch from HTTP to HTTPS.

One issue is that many of the publication’s partners, such as advertising agencies and networks, didn’t support HTTPS. This is, perhaps, the biggest limiting factor in making the move to encryption. Before these entities began supporting HTTPS, the publication was not able to adopt the more secure protocols.

Second, the editorial team had to migrate older content, particularly interactive content, over to HTTPS and ensure that nothing broke in the transfer. The team decided to tackle it piecemeal, with one audience and one project at a time, to gain experience and resolve problems for each project before moving on to the next one.

Completing the HTTPS Transition

The IT staff made use of three important techniques: monitoring, stack changes and using early adopters. Monitoring is key — did overall readership drop as a result of the implementation? What about page error rates or other warnings? Keeping a close eye on these metrics is a great early warning system.

Next, they made changes to their web stack, migrating their back-end systems before making any changes to their front ends. This made problems easier to identify and fix. As part of the stack changes, they worked with their content network provider to add redirection rules, logged all mixed-content warnings and employed various automated scripts to update their old URLs to take advantage of HTTPS. They also got rid of their URL-shortening service, since Twitter no longer counts characters in its message URL links.
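
A sketch of the kind of automated script described above, as an added example (not The Guardian's code): it logs insecure subresource references in a page and upgrades old URLs only for hosts confirmed to serve HTTPS. The host allowlist, tag lists and sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: hosts assumed to have been verified as serving HTTPS.
HTTPS_READY = {"www.example.com", "static.example.com"}
# Scripts, frames and stylesheets are "active" mixed content; media is "passive".
ACTIVE_TAGS = {"script", "iframe", "link"}
PASSIVE_TAGS = {"img", "audio", "video", "source"}

# Constructed sample page: first-party assets plus one partner without HTTPS.
SAMPLE = """<html><head>
<script src="http://static.example.com/app.js"></script>
<link rel="stylesheet" href="http://ads.partner.test/ad.css">
</head><body>
<img src="http://www.example.com/logo.png">
<a href="http://www.example.com/2009/story">old story</a>
<img src="https://static.example.com/ok.png">
</body></html>"""


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) for each insecure subresource

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Only stylesheet links load a subresource; rel=canonical etc. do not.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        kind = "active" if tag in ACTIVE_TAGS else "passive" if tag in PASSIVE_TAGS else None
        url = a.get("href" if tag == "link" else "src") or ""
        if kind and url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))


def find_mixed_content(html):
    """Return the insecure subresource references a browser would warn about."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


def upgrade_urls(html):
    """Rewrite http:// to https:// only for hosts in HTTPS_READY."""
    def repl(match):
        url = match.group(0)
        return "https://" + url[7:] if urlsplit(url).hostname in HTTPS_READY else url
    return re.sub(r"http://[^\s\"'<>]+", repl, html)
```

Running the finder again on the upgraded page leaves only the partner stylesheet, which is the dependency that has to be resolved with the third party rather than by a rewrite.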

Finally, the team asked for users’ help, partly to get additional early warnings of any errors in the migration. This included having The Guardian’s own journalists participate in the process so that they would view the secure version of the site early in the process.

All told, the publication’s editorial, sales and IT staffs collaborated over the three-year transition, and now it is completely running over HTTPS. The teamwork provides a great model for other organizations looking to make the switch.
