AnandTech Goes HTTPS: All Encryption, All the Time
by John Campion & Ryan Smith on September 18, 2017 2:25 PM EST- Posted in
- Site Updates
If you’re reading this, then congratulations! You have successfully accessed AnandTech over HTTPS.
I’m pleased to announce that as of this afternoon, all AnandTech pages and websites are now being served over HTTPS, allowing us to offer end-to-end transport encryption throughout the site. This is part of a larger project for us which started with moving the AnandTech Forums over to the XenForo software package and HTTPS last year; now it’s AnandTech main site to receive a security treatment of its own.
This update is being rolled out both to improve the security of the site, and as part of a broader trend in site hosting & delivery. From a site operations point of view, we’ve needed to improve the security of the user login system for some time so that usernames and passwords are better protected, as the two of those items are obviously important. Meanwhile, although AnandTech itself is not sensitive content, the broader trends in website hosting is for all sites regardless of content to move to HTTPS, as end-to-end encryption still enhances user privacy, and that’s always a good thing.
With today’s update, we’re now serving all pages, images, and other local content exclusively over HTTPS. This also includes redirecting any HTTP requests to HTTPS to ensure a secure connection. Overall, the hosting change should be transparent to everyone – depending on your browser, this even eliminates any security warnings – and site performance is virtually identical to before, both on the server side for us and on the client side for you. In other words, a true upgrade in every sense of the word.
However in the unlikely event that you do encounter any issues, please let me know. Leave a note here in the comments, email me, send a tweet, etc. If something is amiss, we want to fix it as quickly as possible.
Finally, I want to quickly thank our long-time developer John Campion, DB guru Ross Whitehead, hosting master Alec Ginsberg, and the rest of the AnandTech/Purch development team for working on this project. While today’s update is transparent at the user level, a lot of work was necessary on the backend to make this as seamless as possible and to make it work with third-party content (ads, JS libraries, etc). So none of this would be possible without their outstanding efforts.
86 Comments
View All Comments
osteopathic1 - Monday, September 18, 2017 - link
Great news.Also I earned $3,000 just by clicking on banners.....
Just kidding, I guess even HTTPS cannot get rid of those people.
StormyParis - Monday, September 18, 2017 - link
Hey ! I *want* my employer to know I'm reading AT, jigs up my tech cred !DanNeely - Monday, September 18, 2017 - link
They still do. The DNS lookup and Anandtech's IP are still done in the clear. They just can't see the contents of the page themselves unless their Big Brotherware setup includes installing a MITM certificate on your computer so they can scan all HTTPS traffic before it reaches your computer.prophet001 - Monday, September 18, 2017 - link
Your employer is already breaking the encryption at the firewall.schizoide - Monday, September 18, 2017 - link
That isn't possible, unless they installed a cert on his desktop of course.DigitalFreak - Monday, September 18, 2017 - link
It's called a proxyBilly Tallis - Monday, September 18, 2017 - link
A corporate proxy doesn't have the private keys necessary to third-party outside websites. They can only intercept if the client devices within the corporate network are configured to unconditionally trust the corporate proxy, which is accomplished by installing a certificate on those desktops. If you connect your personal machine through such a corporate network, the proxy's attempts to interfere will trigger scary warnings from your browser about the server preventing an invalid or untrusted certificate.bcronce - Tuesday, September 19, 2017 - link
You can't transparently proxy without installing a cert on the client otherwise your ISP/Government/whatever could trivially intercept HTTPS via a proxy.jordanclock - Tuesday, September 19, 2017 - link
As someone who manages firewalls with web filtering, I can tell you that unless you have a matching cert on both the proxy and the host, any attempts at deep packet inspection will result in every page giving a cert warning and breaking apps that use HTTPS.prophet001 - Tuesday, September 19, 2017 - link
Why would you think an employer wouldn't install a certificate on their own machines?Also, why would you expect an employer to allow unfettered access from anyone's random personal "questionable subject material consumption" machine?