Google and others have called for all websites to encrypt traffic to and from browsers, but the task for publishers is a tricky one, largely because of online advertising.
Last year Google said it would use website encryption as a signal in its search rankings. The general idea was that it would give priority to web admins that implemented HTTP over Transport Layer Security, which is represented in a browser address bar as a URL with the “HTTPS” prefix — with S denoting “secure”. It was meant to provide an incentive for webmasters to go through the rigmarole of buying and managing digital certificates.
While Silicon Valley companies, in response to government surveillance, have made efforts to encrypt email, social networks and other services, there are still relatively few publishers that support HTTPS, either by default or at all. Even online publishers that do support HTTPS may include resources on their news pages that don’t.
The Interactive Advertising Bureau (IAB) — whose members include online publishers and advertisers, as well as Google, Twitter and Facebook — has now called for the online advertising industry to step up to the plate and “finish catching up” on the push for all websites to use encryption.
According to the IAB, the weak link in the chain is not advertisers but publishers. A recent survey of its membership indicated that 80 percent of member ad delivery systems already supported HTTPS.
That’s a good foundation but the IAB points out that in an ecosystem where publishers are connected to ad networks, analytics suppliers and other organisations, implementing HTTPS isn’t easy. The group uses publishers to highlight the point.
“A publisher moving to HTTPS delivery needs every tag on page, whether included directly or indirectly, to support HTTPS. That means that in addition to their ad server, the agency ad server, beacons from any data partners, scripts from verification and brand safety tools, and any other system required by the supply chain also needs to support HTTPS,” Brendan Riordan-Butterworth, the Director of Technical Standards at IAB, pointed out.
“That’s a lot of dependencies - and when one fails to support HTTPS, the website visitor’s experience is impacted, initiating a costly search for the failure point by the publisher,” he added.
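As an added illustration that is not part of the original article, the Python sketch below shows how a publisher could locate that failure point in a page's static markup by listing every subresource an HTTPS page would still request over plain HTTP. The page URL, hostnames and sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser fetches as part of rendering the page.
SUBRESOURCE_ATTRS = {"script": "src", "iframe": "src", "embed": "src",
                     "object": "data", "img": "src", "audio": "src",
                     "video": "src", "source": "src"}
# Active content can rewrite the page, so browsers commonly block it outright
# when it is requested over HTTP from an HTTPS page.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}

# Constructed sample page; all hostnames are placeholders.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://adserver.example/tag.js"></script>
<script src="http://verify.example/brand-safety.js"></script>
</head><body>
<img src="http://beacon.example/pixel.gif?id=1">
<img src="//cdn.example/logo.png">
<iframe src="http://agency.example/ad-slot.html"></iframe>
<a href="http://other.example/story">link</a>
</body></html>
"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, host) per insecure subresource

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag == "link":  # only stylesheet links are fetched and applied
            rels = (attr_map.get("rel") or "").lower().split()
            url = attr_map.get("href") if "stylesheet" in rels else None
        else:
            name = SUBRESOURCE_ATTRS.get(tag)
            url = attr_map.get(name) if name else None
        if not url:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        parts = urlsplit(urljoin(self.page_url, url.strip()))
        if parts.scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((kind, tag, parts.hostname))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings
```

This covers only tags present in the delivered HTML; tags that scripts inject at runtime, the "indirectly" included case in the quote, have to be observed in a browser.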
Cost is a major factor in the decision to support HTTPS. Researchers from Carnegie Mellon University highlighted in a paper late last year that adding the S to HTTP introduces overheads on infrastructure costs, communication latency, data usage, and energy consumption. In a world where one additional second to load a page could cost $1.6bn in sales, minute latency matters.
So, as Riordan-Butterworth points out, supporting HTTPS isn’t as simple as “flipping a switch”. Overheads include the cost of acquiring certificates that are used to validate the origin of a website, and managing their eventual expiry, as well as additional resources required to support encryption on servers.
Image sharing site Pinterest, which recently enabled HTTPS, had serious concerns over higher costs from its content distribution network (CDN) providers due to the price of distributing the site’s images over HTTPS.
Some of those costs may, however, be alleviated by new initiatives such as Let’s Encrypt, headed up by Mozilla, the maker of the Firefox browser, Akamai, Cisco, the Electronic Frontier Foundation, and others such as IdenTrust, a certificate provider. Launched last year, the group is aiming to deliver free digital certificates this year, and lower the cost of buying and managing certificates.
Despite the higher costs to each individual organisation, the payoff is that the internet overall benefits from a higher cost of running a malicious hacking operation.
“Each server delivering encrypted content has to acquire a certificate that’s signed by a trusted authority and issued to their specific domain. This results in a larger set of consistent identifiers for servers, which has beneficial implications in the fight against malware - it’s more expensive for malware peddlers to set up shop on an HTTPS server, and easier to identify the same peddler across occurrences,” said Riordan-Butterworth.