The Internet Archive Switches To HTTPS Connections By Default

An anonymous reader writes "The Internet Archive today announced it has enabled HTTPS connections by default on archive.org and openlibrary.org. The organization today also revealed it now sees over 3 million users per day. Both sites are still accessible over HTTP connections. Since the Wayback Machine is hosted on archive.org, it also follows the same rules: the secure version is used by default, but you can use the http version which will help load certain complicated webpages."

Internet Archive leaves /. behind

[tepples]

If Facebook and Twitter and Gmail as well as the not-for-profit Internet Archive and Wikipedia can use HTTPS by default, why doesn't everyone? Why, for instance, does Slashdot require a paid subscription in order not to redirect HTTPS hits to HTTP, revealing the logged-in user's session ID to anyone with a Firesheep-like tool?

Re:Internet Archive leaves /. behind

[cffrost]

When your government regards YOU as their biggest enemy,

Yes...

and YOU should thus consider them in reverse,

Uh huh...

https is a false sense of security.

No, it's partially broken, vulnerable-to-attack security, whereas HTTP is completely vulnerable, bare-naked plaintext — nothing to break, no certs to MITM, no bribing CAs for keys — zero security.

As bad as HTTPS may be, comparing it to HTTP in terms of security is idiotic.

Advertisements

[pavon]

The main thing holding back HTTPS is advertisements. Browsers (especially IE) complain if your encrypted page includes unencrypted content (like iframes served from a a third party ad server) and rightly so. Google can get away with it because they serve their own ads, and Wikipedia doesn't have any ads. Arstechnica ran an article a few years back describing the reasons why they couldn't switch to HTTPS by default, but most of it boils down the fact that they can't get rid of the third party content in their pages.

Re:Advertisements

[claar]

So get the ad companies to serve the ads over HTTPS... I don't see the big deal.

SSLv3...

[gQuigs]

I browse with SSLv3 disabled... and https://archive.org/ only supports SSLv3... why? Most webservers have supported TLS 1.1/1.2 for ages now.. right?

Re:SSLv3...

I refreshed the page like 5 times and got a different block cipher and key exchange protocol each time, from crappy rsa-rc4 to a mighty ecdhe-aes128-gcm. Also some dhe-Camellia256 and and rsa-aes-cbc in the meantime.

There seem to be a whole farm of servers with heterogeneous configurations back there, someone should look into it.

While i could understand this is some "bright" new idea to mitigate the impact of one protocol being broken (not putting all eggs in the same basket), i say with confidence that AES-CBC prior to TLS1.1 and all variants of RC4 are irremediably broken. Broken like in "you can recover the plain-text in a handful of minutes using python on a 300$ netbook with only half a brain".

Re:hotstpots

[Elbereth]

It's always 1993 here. In fact, when I come to Slashdot, Heart-Shaped Box is always playing on the radio, everyone is playing that new game Doom, and I have a life. Ah, it's grand to come to Slashdot!

Re:AdSense supports HTTPS

[tlhIngan]

Then use the ads that Google serves. A month ago, Google announced HTTPS support for AdSense.

And yet, Google doesn't roll out HTTPS support for the rest of the ad companies they own? You'd think if they can do AdSense, they can do AdMob and DoubleClick and their many other ad platforms they host...

Given Google serves like 98% of the ads on the internet (through AdSense, DoubleClick and other companies), it seems Google's the one holding HTTPS everywhere...