Tyee News

The Tyee Is Upping Its Security Game

In preparation for a Trump-led NSA, we’re making our tiny contribution to online security.

By Bryan Carney 28 Nov 2016 | TheTyee.ca

Bryan Carney is senior web producer at The Tyee.

Tyee readers will soon observe some shiny new bling next to our web address in their browsers. Consider it an early holiday gift.

In the near future, a little closed lock icon will appear to the left of our URL — https://thetyee.ca — signalling new security measures that make it more difficult for a third party to observe or tamper with your browsing. (In case you’re wondering, the new “s” in HTTPS denotes “secure.”)

You can visit the secure site manually now, and soon we will redirect all traffic to it.

This badge gives us digital street cred with the web’s security community — web technology producers, security experts, academics and activists who have important reasons to want us to encrypt our communications whenever possible.

It’s called HTTPS, and it secures a website by encrypting the communications between server and visitor, encoding the information they exchange using a secret key.

Essentially, when you visit The Tyee on our HTTPS site, your browser hands our web server a locked box to place any information that we send to you. Nobody but you can open and read the box. Our web server does the same for any information you send back so only we can read it.

(To get even geekier, the basis of the security is the mathematical difficulty and thus time required for even the most modern computers to calculate prime numbers on which these keys are based — although this may be rendered ineffective by quantum computers in the future. Anyway...)

The result of encryption is that any onlooker who lacks our secret keys would see us carrying on an undecipherable conversation. Kind of like a secret Pig Latin. They wouldn’t know what articles you clicked on or comments you made.

Normal web traffic — that is, web traffic that isn’t secure — passes in a plain and easy-to-read fashion through various intermediaries. This could include, say, any nosy people using the same public Wi-Fi connection as you, the manager of that Wi-Fi hub, an Internet Service Provider and any other connections your traffic passes through (which very likely includes major exchanges in the heavily surveilled United States, even if both you and the website you’re visiting are based in Canada.)

So you can see why we’re implementing these stronger digital locks.

Is every website doing this?

We may be a little late to this postmodern-sounding cocktail party of Internet Pig Latin, but we’ll be just in time to avoid public shaming from Google’s Chrome browser. Starting at some point in the new year, Google Chrome will start to more explicitly alert users visiting regular HTTP sites that those sites are insecure.

Thanks to Chrome’s ever-increasing share of the web browser market, this move by Chrome developers will likely help accelerate widespread adoption of secure browsing.

Why encrypt an independent news site in Canada?

The short answer is that online information automatically goes beyond the time, place and current legal and political realities of sender and receiver, and must be considered in aggregate.

Let’s try an example. It may not matter in isolation that you repeatedly looked at Tyee columnist Mitchell Anderson’s rally call to ditch your Facebook feed last week.

But if you looked at it, and then read an unencrypted article about the Luddites’ war on technology, and then wrote an angry unencrypted email to Bell… and then a neighbourhood router switch next to your house blew up, you may find yourself in an awkward spot with the authorities. A number of no-longer-very secret law enforcement agencies have yet-to-be limited powers of digital spying, and you could look very much like a suspect in the router blast.

Okay, this example is a bit silly and unlikely, but the ability to put together predictive and rich profiles about individuals by combining disparate pieces of data — and the ability to snoop on or even change the contents of their communication when unencrypted — are neither.

When you visit the encrypted version of thetyee.ca, barring more sophisticated tricks and attacks, an outside observer can only see that your computer connected to the hosting company that stores The Tyee, at which point we exchange secure locks and the Pig Latin stuff kicks in.

The same is true of other secure sites you visit, resulting in a far murkier profile about you for would-be data miners.

Doesn’t all of this seem a little paranoid?

Some Canadians may not be worried, because they trust that handsome devil presently living in 24 Sussex.

But what if the next Trump-hosted television series of “Global Government Apprentice” or traditional election inspires Facebook founder Mark Zuckerberg to throw his hat/hoodie in the ring and win by a landslide due to favourable algorithms?

His first order of business (after declaring all but four emotions illegal) may be to dig into U.S. National Security Agency data to find out who, in that long ago fall of 2016, dared to sow dissent against the global-media-dominant, election-determining, hot-or-not website he first made as a college geek.

By not encrypting all of our communication whenever possible, we’d make his job that much easier.

Sadly, there is little need to consider this hypothetical and absurd scenario when we have a U.S. president-elect who’s vowed to expand the reach of the NSA and its programs, which have already been shown to massively spy on the world, undermine net neutrality and “close off” parts of the Internet.

“If Donald Trump stands by even half of the statements he’s made, he poses one of the greatest threats we have ever seen to the open Internet,” says Laura Tribe of Internet rights group OpenMedia.

So why take any chances?

It’s not all about us

It’s worth noting there are countries where simply browsing any website that dares to hide its contents via encryption like HTTPS will draw a lot of unwanted attention to both the site and the visitor from government agents.

The Chinese government, for example, began to block Wikipedia altogether from its citizens when it switched to HTTPS in 2015. This must be the important stuff, says the government or spy or identity thief looking at the outlying encrypted traffic — until all sites use HTTPS.

But when both your child’s Snapchat about his new shoes and a critical piece of information about government appear the same to an outside observer, it becomes harder for anyone — government, corporation or hacker — to spy on any one person.

So, please enjoy The Tyee’s now HTTPS secured site and our mutual tiny contribution to online security, and let us know if you encounter any issues or warnings.

And if you want to go further, you may also consider the browser extension HTTPS Everywhere developed by the Electronic Frontier Foundation. (Though it’s not working well on Chrome currently — couple it with KB SSL Enforcer.) Some websites still offer HTTP and HTTPS options; HTTPS Everywhere automatically selects HTTPS whenever it is an option, as well as catches the small unsecure packets of information that still may get sent on your behalf when you visit an ostensibly secure site.  [Tyee]

Share this article

The Tyee is supported by readers like you

Join us and grow independent media in Canada

Get The Tyee in your inbox

LATEST STORIES

The Barometer

Which topic matters most to you?

Take this week's poll