0
Answered

Embracing HTTPS - NYTimes.com

Kevin M. Cox 5 years ago in BLOX CMS • updated by Christine Masters (Director of Product Management) 3 years ago 9
http://open.blogs.nytimes.com/2014/11/13/embracing-https/

Interesting article from the NYT. I'm curious to hear what everyone thinks.

We're already moving this direction with our non-Town News sites and wonder what challenges we'd encounter trying to go all HTTPS on Town News?

Answer

PINNED
Under review
Hi Kevin!

Thanks for the post.

This is definitely something that has been on our radar and is something we've been working towards for a long time. We've made many upgrades to make sure our sites are as HTTPS-friendly as possible, such as changes to our Content Delivery Network, our Ad Manager systems, our template front-end markup, etc. - to have better support for secure environments. These changes ensure than when a BLOX page is served in a secure environment, all links, scripts and images are also secure.

One of the last big steps is to move to the "Server Name Indication" (SNI) protocol.

http://en.wikipedia.org/wiki/Server_Name_Indication

This would allow customers to purchase and upload their own secure certificate for their domain, and serve all of their pages securely. There would be a cost involved to purchase the certificate, and likely a cost from TownNews.com to support it.

Unfortunately, SNI is not supported by older versions of Internet Explorer - specifically Internet Explorer 6 and Internet Explorer 7. But we hope that relatively soon the stats on those browsers will fall enough to where this becomes more viable.

I hope this helps!

Christine
PINNED
Under review
Hi Kevin!

Thanks for the post.

This is definitely something that has been on our radar and is something we've been working towards for a long time. We've made many upgrades to make sure our sites are as HTTPS-friendly as possible, such as changes to our Content Delivery Network, our Ad Manager systems, our template front-end markup, etc. - to have better support for secure environments. These changes ensure than when a BLOX page is served in a secure environment, all links, scripts and images are also secure.

One of the last big steps is to move to the "Server Name Indication" (SNI) protocol.

http://en.wikipedia.org/wiki/Server_Name_Indication

This would allow customers to purchase and upload their own secure certificate for their domain, and serve all of their pages securely. There would be a cost involved to purchase the certificate, and likely a cost from TownNews.com to support it.

Unfortunately, SNI is not supported by older versions of Internet Explorer - specifically Internet Explorer 6 and Internet Explorer 7. But we hope that relatively soon the stats on those browsers will fall enough to where this becomes more viable.

I hope this helps!

Christine
Thanks Christine.

Of course a cost for individual papers to purchase a certificate would be required, but I would honestly find it disappointing if TownNews charged very much for implementing it.

I've got no problem dropping support for IE 6 and 7. Only 0.3% of our traffic for the past month was on those two browsers and frankly anything we can do to make people upgrade to something more secure is fine by me!

Over a year later I want to bump this one back and ask about the status of SNI implementation at Town News.


This recent article made me realize we haven't seen an update.


Shoptalk: Why Journalists Need to Stand Up for Reader Privacy

Just saw this in the release notes email:


The secure URL for sites will now change to a domain-based URL (https://example.com), instead of the bloxcms.com-based URL (https://example-dot-com.bloxcms.com). For customers who have custom code, please review to ensure that there are no dependencies on the old bloxcms.com-based URL.

+1

Hi Kevin!


This is one of our first steps in order to move toward this capability (full https site). We still have more to do, but if this is something you're interested in, it may be good to review your third-party vendors for https-compliance. We've seen a lot of third-party vendors and ad networks are not https compatible.


But yes, we have a lot of work going on with this, and more to announce in the future. =)

Can you elaborate on what the change noted above means in the short term? For example what URL would our site have now for redirect HTTPS links like forms?

Nevermind, I see now. I really like that y'all are taking advantage of the Let's Encrypt service to give every site a free SSL certificate.

I don't personally know the service being used, but yes, each site has a cert for its own domain name now. :)