The impossibility of refuting fake news in Mainstream Media

TL;dr: many mainstream media websites are served over insecure connections which may be easily counterfeit or altered in transit.

In 2017 there are still banks and storefronts with flawed implementations of security technologies. Savvy technology companies understand how implementation of secure protocols like HTTPS increase trust among consumers, and it’s become a requirement of conducting sales transactions online via PCI compliance.

Why is it then that our supposed bastions of truth, mainstream media outlets owned by multibillion dollar conglomerates, have done so little to adopt cryptographic security measures in their online digital presences? We should expect innovation from the journalism sector around identity, provenance and trust but most have missed the boat. HTTPS should be table stakes.

Which sites constitute mainstream media? Wikipedia provides a starting definition under The Big Six. Let’s take a look at how they shape up in their HTTPS offerings.

HTTPS vs HTTP Analysis

Comcast

• nbc.com is secure! Hosted by Akamai.
• msnbc.com is hosted by Akamai, a CDN provider. It redirects with a valid (!) certificate for msnbc.com to https://www.msnbc.com which provides a valid (!) wildcard cert for *.msnbc.com and then redirects to HTTP.
• cnbc.com privately hosted, redirects with a valid wildcard certificate like msnbc.com

Disney Company

• abc.com — doesn’t listen on HTTPS/443, insecure

News Corp

• fox.com is hosted by Akamai and serves up a certificate for secure.fox.com and redirects to HTTP. secure.fox.com serves a 403 to curl but 301s to insecure for other user agents (even custom).
• wsj.com is secure! Interesting DNS setup — looks multi-homed.
• nypost.com is secure! Hosted by Automattic / wordpress.com
• barrons.com is insecure, apex host doesn’t respond but IPs resolve to wsj.com infrastructure, https://www.barrons.com returns a certificate for Akamai.

Time Warner

• cnn.com is hosted by Fastly, a CDN provider. It’s serving back a 301 http://cnn.com but the SSL Certificate served back does not include cnn.com in its SAN list so Chrome won’t follow the redirect.

Viacom

• No major news outlets? mtv.com (a Verisign redirection service?) doesn’t even listen on HTTPS/443, www.mtv.com redirects to HTTP.

CBS Corp

• Both cbs.com and www.cbs.com redirect to HTTP.

How did I even notice?

Lately Google searches from my mobile devices include AMP links, especially for news articles. I noticed that Google is very transparent about indicating that it’s effectively framing the destination by displaying the direct link to the content in the AMP frame. Frequently for articles on CNN.com, the url read http:// instead of https:// which I thought had to be a mistake. After a brief exchange on Twitter, turns out it’s likely intentional rather than malicious. The question becomes:

How do we trust the veracity of articles on a site that refuses to serve their traffic over a secure connection?

What should we do next?

The tech community has a lot of work to do. It should be easier to explain why HTTPS matters, and we should eliminate our usage of HTTP. It should be easier to use things like keybase.io or PGP signatures or proof-of-work blockchains to follow journalists across their employment in their career and have proof of identity when reading their work.

It’s worth noting that in my view, a CDN provider shouldn’t provide SSL certificates when serving HTTPS traffic for hosts they are not canonical for. It’s not the CDN provider’s fault for their customers lack of HTTPS adoption but they don’t need to muddy the waters.

Browser vendors could certainly refuse to follow redirects from secure sites to non-secure sites. I’ve opened https://bugs.chromium.org/p/chromium/issues/detail?id=703033 to see what the response is from the Chromium team.

The security conscious and brand-aware have already identified SSL as a critical source of consumer trust and go so far as to question the use of vendor-provided SSL offload, from CDN providers like Akamai and Fastly, or virtual appliances like AWS ELBs.

How can an organization provide accurate assurances of proper shepherding of user data when they can’t ascertain whether it’s being exfiltrated or manipulated through vendor systems? Is it overly paranoid to worry about CDN edge locations being hacked?