
The Internet Archive Switches To HTTPS Connections By Default

timothy posted about 6 months ago | from the rewriting-history dept.

Security 40

An anonymous reader writes "The Internet Archive today announced it has enabled HTTPS connections by default on archive.org and openlibrary.org. The organization today also revealed it now sees over 3 million users per day. Both sites are still accessible over HTTP connections. Since the Wayback Machine is hosted on archive.org, it also follows the same rules: the secure version is used by default, but you can use the http version which will help load certain complicated webpages."


40 comments

Internet Archive leaves /. behind (4, Interesting)

tepples (727027) | about 6 months ago | (#45241481)

If Facebook [slashdot.org] and Twitter [slashdot.org] and Gmail [slashdot.org] as well as the not-for-profit Internet Archive and Wikipedia [wikimedia.org] can use HTTPS by default, why doesn't everyone [slashdot.org]? Why, for instance, does Slashdot require a paid subscription in order not to redirect HTTPS hits to HTTP, revealing the logged-in user's session ID to anyone with a Firesheep-like tool?

Advertisements (5, Informative)

pavon (30274) | about 6 months ago | (#45241611)

The main thing holding back HTTPS is advertisements. Browsers (especially IE) complain if your encrypted page includes unencrypted content (like iframes served from a third party ad server) and rightly so. Google can get away with it because they serve their own ads, and Wikipedia doesn't have any ads. Arstechnica ran an article [arstechnica.com] a few years back describing the reasons why they couldn't switch to HTTPS by default, but most of it boils down to the fact that they can't get rid of the third party content in their pages.

AdSense supports HTTPS (2)

tepples (727027) | about 6 months ago | (#45241681)

Browsers (especially IE) complain if your encrypted page includes unencrypted content (like iframes served from a third party ad server) and rightly so. Google can get away with it because they serve their own ads

Then use the ads that Google serves. A month ago, Google announced HTTPS support for AdSense [blogspot.com].

Re:AdSense supports HTTPS (3, Insightful)

tlhIngan (30335) | about 6 months ago | (#45242967)

Then use the ads that Google serves. A month ago, Google announced HTTPS support for AdSense.

And yet, Google doesn't roll out HTTPS support for the rest of the ad companies they own? You'd think if they can do AdSense, they can do AdMob and DoubleClick and their many other ad platforms they host...

Given Google serves like 98% of the ads on the internet (through AdSense, DoubleClick and other companies), it seems Google's the one holding HTTPS everywhere...

Re:Advertisements (3, Insightful)

claar (126368) | about 6 months ago | (#45241843)

So get the ad companies to serve the ads over HTTPS... I don't see the big deal.

Re:Advertisements (2)

davester666 (731373) | about 6 months ago | (#45242695)

It raises costs, while providing them with no value [at least until sites like ars switch to https and tell them to fuck off unless they do as well]. And with online ads decreasing in value [and decreasing even faster for mobile ads], they really don't want to increase costs.

And it's not just a one-time certificate purchase, it's a bunch more powerful servers to do this encryption and electricity to run the servers and more people to keep their cobbled together solution working with these new servers.

Re:Advertisements (1)

AHuxley (892839) | about 6 months ago | (#45242811)

Yes, even with all the new easy low cost (price and power usage) CPUs for https, cheap bandwidth and less time per encrypted page, it's still not totally 'free in cost' for a host.

Trust has a value (1)

tepples (727027) | about 6 months ago | (#45244145)

while providing them with no value

The value is more visits from viewers who trust a site more because their sessions won't get hijacked.

And it's not just a one-time certificate purchase, it's a bunch more powerful servers to do this encryption

You mean 1% more powerful [imperialviolet.org]? On a site that isn't just a bunch of static pages, the server power needed by the web application usually outweighs the server power needed by HTTPS on the front end servers. The question becomes whether trust from users is worth this 1%.

Re:Trust has a value (1)

davester666 (731373) | about 6 months ago | (#45247911)

Well, for ads, the percentages change. It is unlikely to be 1%, as the article refers to generating full, non-static web pages, which in general are NOT what ad services are pushing.

They are just a small portion of the whole page, and they are generally static, so again, the cost for pushing the ad becomes significantly more than the cost for pushing the ad without SSL.

And with ad rates going down, even for Google, adding to the cost of pushing each ad won't thrill the boss.

Re:Internet Archive leaves /. behind (1)

Mister Liberty (769145) | about 6 months ago | (#45241793)

When your government regards YOU as their biggest enemy,
and YOU should thus consider them in reverse, https is a false
sense of security.
Oh and btw, INTEL inside.

Re:Internet Archive leaves /. behind (3, Insightful)

cffrost (885375) | about 6 months ago | (#45242381)

When your government regards YOU as their biggest enemy,

Yes...

and YOU should thus consider them in reverse,

Uh huh...

https is a false sense of security.

No, it's partially broken, vulnerable-to-attack security, whereas HTTP is completely vulnerable, bare-naked plaintext — nothing to break, no certs to MITM, no bribing CAs for keys — zero security.

As bad as HTTPS may be, comparing it to HTTP in terms of security is idiotic.

Re:Internet Archive leaves /. behind (1)

Impy the Impiuos Imp (442658) | about 6 months ago | (#45244923)

It also does little to protect against NSA letters at the destination sites. Everybody except the government can't see what you're doing.

For the wayback machine, this could actually be an NSA goldmine to find terrorists...or people digging up dirt on other politicians...or businesses looking things up.

Re:Internet Archive leaves /. behind (0)

Anonymous Coward | about 6 months ago | (#45242833)

And now you know why there are so many of us who are AC.

Who Cares? (0, Troll)

sexconker (1179573) | about 6 months ago | (#45241545)

Why is this news?
All the sites I work on rewrite any http url request to https because there's absolutely no reason not to.

NSA concerns (0)

Anonymous Coward | about 6 months ago | (#45241673)

Wouldn't it be beneficial to various sites to switch to HTTPS-only as we know today that NSA might be doing MiTM wiretapping even though we supposedly are communicating over "trusted" big-telco networks?

Just a speed bump for the NSA (1)

Spamalope (91802) | about 6 months ago | (#45241711)

This is nice to, say, stop Comcast from spying on the details of what you view for resale to behavioral trackers and marketers. Given the compromise of the SSL cert authorities, governmental entities can transparently man-in-the-middle the SSL session anyway so we only get part of what we'd like to achieve.

hotspots (2)

manu0601 (2221348) | about 6 months ago | (#45241715)

HTTPS by default is nice, except for WiFi hotspots, where the authentication system intercepts your first HTTP request. This cannot be done with HTTPS, which means that people with an always HTTPS home page will never auto-connect. I wonder if there will ever be a solution to that.

Re:hotspots (1)

Anonymous Coward | about 6 months ago | (#45241859)

I just go to Slashdot first, which will never use HTTPS!

Re:hotspots (0)

Anonymous Coward | about 6 months ago | (#45241937)

Indeed, Come on Slashdot, this is 2013 not 1993!

Re:hotspots (3, Funny)

Elbereth (58257) | about 6 months ago | (#45242429)

It's always 1993 here. In fact, when I come to Slashdot, Heart-Shaped Box is always playing on the radio, everyone is playing that new game Doom, and I have a life. Ah, it's grand to come to Slashdot!

Re:hotspots (0)

Anonymous Coward | about 6 months ago | (#45251817)

If only, I wish I was stuck in (the very beginning of) 1993 rather than StuckIn2003&Expired

BTW and in case you don't get told often enough: your nick is the best!

Re:hotspots (0)

Anonymous Coward | about 6 months ago | (#45243407)

Getting rid of the authentication system would be a great way to do it. It doesn't accomplish anything useful - it just wastes a minute of my time, and messes up HTTPS.

always https & sftp (0)

Anonymous Coward | about 6 months ago | (#45241785)

This makes loads of sense. On a related note, my web host recently disabled https connections to the control panel & webmail. They also just last month removed support for SFTP (without notice). When I contacted support to ask why this had been done, their response was "for security reasons". It's pretty clear whose "security" they have in mind.

Can anyone recommend a secure, non-US web host?

Re:always https & sftp (0)

Anonymous Coward | about 6 months ago | (#45242313)

Just use a real internet hosting provider like OVH or Leaseweb.

SSL irrelevant. (1)

koan (80826) | about 6 months ago | (#45241975)

SSL strip (Moxie Marlinspike) or some souped-up variant is being used for sure, the NSA has the ultimate MITM so of course they strip.

Re:SSL irrelevant. (0)

Anonymous Coward | about 6 months ago | (#45242271)

You are dangerously clueless.

ie: client site

Re:SSL irrelevant. (1)

Anonymous Coward | about 6 months ago | (#45242471)

Maybe you're lucky, but some people have more than one enemy in the world, not just the NSA.

Re:SSL irrelevant. (1)

Anonymous Coward | about 6 months ago | (#45242585)

SSL strip (Moxie Marlinspike) or some souped-up variant is being used for sure, the NSA has the ultimate MITM so of course they strip.

Only if they have the CA. Can't strip if you can't generate new certs, and even then that is detectable.

SSLv3... (3)

gQuigs (913879) | about 6 months ago | (#45242149)

I browse with SSLv3 disabled... and https://archive.org/ [archive.org] only supports SSLv3... why? Most webservers have supported TLS 1.1/1.2 for ages now.. right?

Re:SSLv3... (4, Informative)

Anonymous Coward | about 6 months ago | (#45242361)

I refreshed the page like 5 times and got a different block cipher and key exchange protocol each time, from crappy rsa-rc4 to a mighty ecdhe-aes128-gcm. Also some dhe-Camellia256 and rsa-aes-cbc in the meantime.

There seems to be a whole farm of servers with heterogeneous configurations back there, someone should look into it.

While I could understand this is some "bright" new idea to mitigate the impact of one protocol being broken (not putting all eggs in the same basket), I say with confidence that AES-CBC prior to TLS1.1 and all variants of RC4 are irremediably broken. Broken like in "you can recover the plain-text in a handful of minutes using python on a 300$ netbook with only half a brain".

Re:SSLv3... (1)

Anonymous Coward | about 6 months ago | (#45244531)

all variants of RC4 are irremediably broken

[citation needed]

Just because RC4 _as used in WEP_ (or some other badly-designed protocol based on RC4) is insecure doesn't mean "all variants of RC4" are "irremediably broken" (whatever you mean by that).

In fact, if you bother to look up the latest academic attacks on RC4 (published in 2013), you'll notice that they are outside the range of "a 300$ netbook", even with a "handful of minutes", since it requires the attacker to obtain 2^24 (that's more than 16 million) connections. I don't know about you, but I don't use HTTPS _that_ much for this to be a trivial attack.

Sure, maybe (i.e. hypothetically) the NSA or some other state-level attacker can decrypt RC4, perhaps, BUT you have yet to produce any evidence of that (and I doubt you can, really), which makes your comment not that "informative", in fact.

Have a nice day and don't forget to wrap another layer of tinfoil around your head.

Here's hoping Yahoo Mail will catch up. (0)

Anonymous Coward | about 6 months ago | (#45242719)

n/t

The Internet (0)

Anonymous Coward | about 6 months ago | (#45243247)

I accidentally read the title of this article as "The Internet switches to HTTPS connections by default". That would have been nice.

Re:The Internet (1)

Geeky (90998) | about 6 months ago | (#45244649)

Devil's advocate:

Why?

Most of the sites I visit don't require logins and so I can't see a reason to use https. Why would I need it in Wikipedia unless I'm editing it? Why would I need it on the internet archive unless I log in? Why would, say, the BBC News website need it at all?

Yes, for anything where you actually log on and do anything under a user account, https is important. I can't see any real reason for static content served to users who aren't logged on to be encrypted if it's just a news website, personal blog or whatever.

Encryption brings its own headaches to shared servers - name based virtual hosts being the obvious one. It's an overhead that isn't really required in most cases.

Re:The Internet (0)

Anonymous Coward | about 6 months ago | (#45245785)

What I would be concerned about is whether older browsers are able to access the site still. It's not just requiring SSL or whatever. It's also about websites blocking older browsers.

Not every machine is powerful enough (or has the specs) to run the latest Firefox.

It's fine if they want to default to HTTPS. It's not fine to block people who won't/can't use HTTPS.

Re:The Internet (1)

Hentes (2461350) | about 6 months ago | (#45254117)

Why would I need it in Wikipedia unless I'm editing it?

Because you may not want others to know what exactly you have been looking for on Wikipedia.

Re:The Internet (0)

Anonymous Coward | about 6 months ago | (#45266391)

Name based virtual hosts over SSL work just fine and have for many years. Look up SNI on Wikipedia.

Caching Proxies (0)

Anonymous Coward | about 6 months ago | (#45247701)

HTTPS for everything is/would be a total pain for companies that currently use caching proxies. Of course it's needed for personal or financial data etc. but for truly public things (news websites, public text content e.g. Slashdot) proxy usage can save loads of bandwidth for companies. We save 10 - 20% of bandwidth using this. Not to mention faster load times for popular sites. HTTPS is just a waste for public content.
