Modern crypto is applied to the connection

Jun 30, 2015 15:42 GMT  ·  By

The Washington Post announced today that it has started encrypting connections to some parts of its website, and that the rollout will expand to all pages over the coming months.

Encrypted connections have long been standard for login screens, but users have also become accustomed to seeing the HTTPS green padlock while browsing content on Facebook, Twitter, Google, LinkedIn and other social networks.

The protection is also available on security-aware sites and for services with sensitive information (banking, web-based email).

Thwarting traffic interception

Recently, more and more organizations have expanded the security measure to larger portions of their websites to protect their clients against unlawful sniffing of the content they access.

This is also the reason behind Washington Post’s move, to make it “more difficult for hackers, government agencies and others to track the reading habits of people who visit the site.”

At the moment, only the homepage, the national security page, and the technology policy blog The Switch benefit from encryption.

Although intercepting traffic to see which stories someone is reading can be used to build a profile of that person for a targeted attack, the implications of this decision go beyond that.

Governments that restrict their citizens' access to certain parts of the website will no longer be able to do so, because encrypted traffic reveals only the domain name, not the page being requested. The alternative, however, would be to block the entire website.

Modern standards adopted

The TLS certificate used by The Washington Post was issued by Entrust Certification Authority on March 18 and is valid for two years, until June 19, 2017.

The traffic is encrypted with 128-bit AES in GCM (Galois/Counter Mode), and the handshake uses ECDHE-RSA: ephemeral Elliptic Curve Diffie-Hellman negotiates the symmetric session key, while RSA authenticates the server.

Strong, modern cryptography (a 2048-bit RSA key) protects the session key exchange. Everything is carried over TLS 1.2.
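As an added example (not code from the article or from The Washington Post), a small Python checker that scores a negotiated TLS parameter set against the baseline described above (TLS 1.2, ECDHE forward secrecy, AES-GCM authenticated encryption, a 2048-bit key, a certificate valid at check time) and can pull the live values from a server with the standard library. The full cipher-suite string, the certificate's issue year and the legacy comparison set are constructed assumptions.

```python
from datetime import datetime
import socket
import ssl

MODERN_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
FORWARD_SECRET_KX = ("ECDHE", "DHE")      # ephemeral key agreement
AEAD_MODES = ("GCM", "CHACHA20", "CCM")   # authenticated encryption


def evaluate(protocol, cipher, key_bits, not_before, not_after, now):
    """Return findings against the baseline; an empty list means it is met.
    `cipher` is an OpenSSL-style suite name such as ECDHE-RSA-AES128-GCM-SHA256."""
    findings = []
    if protocol not in MODERN_PROTOCOLS:
        findings.append(f"legacy protocol {protocol}; expected TLS 1.2 or newer")
    # TLS 1.3 suite names drop the key-exchange prefix: every 1.3 handshake is ephemeral
    if protocol != "TLSv1.3" and not cipher.startswith(FORWARD_SECRET_KX):
        findings.append(f"{cipher} has no forward secrecy (static key exchange)")
    if not any(mode in cipher for mode in AEAD_MODES):
        findings.append(f"{cipher} is not an AEAD suite (CBC + HMAC)")
    if key_bits < 2048:
        findings.append(f"{key_bits}-bit key is below the 2048-bit minimum")
    if not not_before <= now <= not_after:
        findings.append(f"certificate is not valid on {now:%Y-%m-%d}")
    return findings


def probe(host, port=443, timeout=5.0):
    """Live helper; ssl.getpeercert() omits the key size, so pass key_bits yourself."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher, protocol, _ = tls.cipher()
            cert = tls.getpeercert()
    dates = [datetime.utcfromtimestamp(ssl.cert_time_to_seconds(cert[k]))
             for k in ("notBefore", "notAfter")]
    return (protocol, cipher, *dates)


# Constructed sample built from the article's figures; the suite's SHA256 suffix and
# the certificate's issue year are assumptions (the article says only "March 18").
ARTICLE_CHECK = dict(protocol="TLSv1.2", cipher="ECDHE-RSA-AES128-GCM-SHA256",
                     key_bits=2048, not_before=datetime(2015, 3, 18),
                     not_after=datetime(2017, 6, 19), now=datetime(2015, 6, 30))
# Constructed pre-modern configuration for contrast: TLS 1.0, static RSA, CBC, 1024-bit key.
LEGACY_CHECK = dict(ARTICLE_CHECK, protocol="TLSv1.0", cipher="AES128-SHA", key_bits=1024)

if __name__ == "__main__":
    for label, params in (("article", ARTICLE_CHECK), ("legacy", LEGACY_CHECK)):
        print(label, evaluate(**params) or ["meets the modern baseline"])
```

To check a real deployment, feed the tuple returned by `probe(host)` plus the server's key size into `evaluate` with `now=datetime.utcnow()`.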