Secure HTTP for BBC Online: A 2017 Update

Back in July 2016, I published a blog post called “Enabling Secure HTTP for BBC Online”, about our plans to roll out HTTPS across our online products, and the particular challenges we were facing. Over a year has elapsed since then, and we’d planned to be more or less complete by now, so how are we doing?

Overall, what we said still holds true — retrofitting HTTPS onto an existing, ever-changing estate of web services at scale is the exact opposite of a straightforward task in practice. However, we’ve made some really good progress. All the enabling work at the traffic management layer is complete, and now products can roll out HTTPS in such a way as to avoid impact on their existing roadmaps.

(For a great read on how BBC Online is composed of multiple products and technology bases, and some of the complexity that brings, read Neil Craig’s post here)

We had a tentative 12 month timeframe back in 2016, and in that time the UK Homepage, TV, Music, Children’s (CBBC and CBeebies), iPlayer, Education, and many World Service sites such as World Service Radio, Pidgin, Amharic and Korean are now all HTTPS-only.

A really important achievement has been the roll-out of HTTPS to our AV streaming services across desktop, mobile and connected devices. We have adopted a slow & steady approach quite deliberately here as there is a huge variance in HTTPS support across all the devices that iPlayer is supported on (some don’t work at all, or perform sufficiently poorly that HTTPS gives a bad playback experience), but we are well on our way and the chances are that when you next stream iPlayer content to your device, you’re doing so over a completely secure stream. Lloyd Wallis has written a detailed post about all the achievements and challenges here.

Also, our mobile applications teams have been working hard to secure all backend service calls from our native BBC mobile applications like iPlayer Radio, in line with emerging mobile security standards such as Apple’s App Transport Security.

TLS, the security standard that underpins HTTPS, is also an important enabler for the HTTP/2 protocol, another important future-looking standard for us which Neil has posted about here from a BBC perspective.

So, despite the enormity of the task, we’ve made great progress, and we’ll continue to work to make HTTPS the default wherever possible across BBC Online. Within Design & Engineering we believe that we owe our audiences the confidence that when they access BBC Online, they’re doing so in the safest and most trusted manner possible, wherever they are.