Two weeks ago, WIRED.com tackled a huge security upgrade by starting a HTTPS transition across our site. (What’s HTTPS, and why is it such a big deal? Read all about it here.) The original plan was to launch HTTPS on our Security vertical and then roll it out across all of WIRED.com by May 12. However, only our Transportation vertical is making the switch today. We set ambitious goals for our HTTPS transition, so our revised timeline isn’t a total surprise—but we promised we'd be transparent about the process with our readers. So here are the unique challenges that are making our HTTPS launch take a little longer than we’d hoped.
Temporary SEO changes on your site are a possible consequence of transitioning to HTTPS. Although we’ve been working hard to manage SEO for HTTPS migrations according to industry best practices, our initial results for the Security section have left us uncomfortable with turning on sitewide HTTPS so soon.
At the same time, we see warning signs that could indicate a drop in search result clicks and search engine referrals since we turned on HTTPS.
This type of SEO change is not without precedent. We expect that our site will rebound, so we are giving it more time to recover before committing to HTTPS everywhere.
As we previously explained, one of the biggest challenges of moving to HTTPS is preparing all of our content to be delivered over secure connections. If a page is loaded over HTTPS, all other assets (like images and Javascript files) must also be loaded over HTTPS. We are seeing a high volume of reports of these “mixed content” issues, or events in which an insecure, HTTP asset is loaded in the context of a secure, HTTPS page. To do our rollout right, we need to ensure that we have fewer mixed content issues—that we are delivering as much of WIRED.com's content as securely possible.
We’ve learned a lot by monitoring mixed content issues in the past two weeks. We've caught several issues that we previously missed, learned that our manual review for mixed content issues on mobile was lacking, and improved our ad testing process to look for harder-to-detect mixed content issues.
And as for the numbers, we’ve seen a grand total of 485,000 of these issues just between April 29 and May 10. When people ask why transitioning to HTTPS is so difficult, this is exactly the reason: Sites like WIRED.com have a massive amount of data to process and understand.
If we break down these reports by browser, we find that the main culprit is Webkit (both mobile and desktop), which is the browser engine used by Safari and all in-app browsers on iOS. Webkit is responsible for 77 percent of the mixed content issues we've seen so far. That's because it does not yet support the "upgrade-insecure-requests" Content Security Policy directive, which is perhaps the most important browser feature for easing the transition from HTTP to HTTPS. It allows the browser to treat any insecure, HTTP asset as though it were actually a request to a secure, HTTPS asset. This would automatically fix mixed content issues, but Safari doesn’t have this feature yet.
We’ve been trying to find a suitable metric for gauging progress on handling mixed content issues. So far, we’ve found the ratio of mixed content issues to page views to be helpful. This metric is not affected by spikes in traffic and is thus a good metric to compare day-to-day progress towards our goals of minimizing mixed content issues. Here is what our progress has looked like for our Security HTTPS trial so far:
We are trending in the right direction, but there are still too many mixed content issues for us to be comfortable enabling HTTPS across the site.
As you probably guessed, many of these issues are from ad assets. We’ve found that some content in ads is hard to QA (such as invisible ad impression pixels). To address this, we’ve reworked our ad QA process to help catch the harder-to-detect mixed content issues.
We promised we would be transparent about the struggles and triumphs of our HTTPS rollout. Today we're acknowledging a delay—but we've got good news too. If you read this article about our editor Alex Davies blacking out in a jet, you’ll see that you are reading it over HTTPS. We are still moving forward with HTTPS, and we just switched it on for WIRED’s Transportation vertical. That’s not as much progress as we’d wanted, but we’re still pushing ahead. Our new planned date for sitewide HTTPS is May 24th. Think happy thoughts for us!
