loading

HTTPS implementation: cpj.org

Category

Web Server Management

Date

March 2, 2015

Client

Committee to Protect Journalists

Link

Website

Challenge

CPJ’s website, with over 20,000 pages, was available only via HTTP (i.e. an unencrypted connection). This was problematic in a number of ways, including but not limited to:

  1. Repressive regimes can make changes to a website’s content as it’s displayed to their citizens or simply censor individual pages
  2. Malicious actors can obtain data about the website’s visitors
  3. Hackers can use the website as a vehicle to infect visitors’ devices with malware; and that malware that would appear to come from a respectable organization’s website

For an organization working in the intersection of human rights and journalism, this was unacceptable.

Solution

Working with CPJ’s Technology Advocacy Staff, Kamal Singh Masuta developed and made a case to management, recommending that cpj.org be offered as an HTTPS-only website. He implemented the plan, working through issues like mixed-content errors, putting cpj.org ahead of many news media companies and NGO’s. This not only helped protect the at-risk journalists CPJ serves; it also helped solidify CPJ’s moral authority and technical expertise when it began calling on other organizations to do the same.

Lessons

Offering a website in HTTPS is not technically difficult. The first challenge you’ll run into is convincing website owners that this is an essential project and is has a favorable ROI.

Similarly, there is no real purchase required to make a website available in HTTPS. Services such as Let’s Encrypt and Cloudflare offer free options. The cost will be in time spent by in-house or freelance technical staff to implement.