HTTPS implementation: cpj.org
Web Server Management
March 2, 2015
Committee to Protect Journalists
CPJ’s website, with over 20,000 pages, was available only via HTTP (i.e. an unencrypted connection). This was problematic in a number of ways, including but not limited to:
- Repressive regimes can make changes to a website’s content as it’s displayed to their citizens or simply censor individual pages
- Malicious actors can obtain data about the website’s visitors
- Hackers can use the website as a vehicle to infect visitors’ devices with malware; and that malware that would appear to come from a respectable organization’s website
For an organization working in the intersection of human rights and journalism, this was unacceptable.
Working with CPJ’s Technology Advocacy Staff, Kamal Singh Masuta developed and made a case to management, recommending that cpj.org be offered as an HTTPS-only website. He implemented the plan, working through issues like mixed-content errors, putting cpj.org ahead of many news media companies and NGO’s. This not only helped protect the at-risk journalists CPJ serves; it also helped solidify CPJ’s moral authority and technical expertise when it began calling on other organizations to do the same.
Offering a website in HTTPS is not technically difficult. The first challenge you’ll run into is convincing website owners that this is an essential project and is has a favorable ROI.
Similarly, there is no real purchase required to make a website available in HTTPS. Services such as Let’s Encrypt and Cloudflare offer free options. The cost will be in time spent by in-house or freelance technical staff to implement.