HTTPS: providing a safer and more secure publishing experience

We’re pleased to announce that the Hindawi website, submission, and peer review platforms now use HTTPS by default. This change protects the privacy and security of our readers, authors, editors, and reviewers. You’re probably used to seeing the little green padlock on websites that process sensitive data, like passwords and credit card forms, but there’s really no reason why it shouldn’t be used everywhere. About.hindawi.com is now Hindawi’s only customer-facing system using HTTP, and this site should be migrated to HTTPS very shortly. We thought we’d share why we think it’s important for all publishers to make the switch to HTTPS.

What is HTTPS?

If you use the Chrome browser, in January you will start to see a notification like this popping up more frequently.

This alert is Chrome warning you that the site you’re trying to visit uses a traditional HTTP connection, which is unsecured.

HTTPS forces your browser to follow a series of steps that encrypt the traffic between your browser and that website. Without encryption, the pages you visit or the forms you fill out could be monitored or even altered by someone else on your network. When a website uses HTTPS, a snooper can see that you requested an initial web address, but any subpages you visit, actions you take, or information you provide are hidden from prying eyes.

A simple analogy is the postcard versus the sealed letter. In both cases, the intended recipient is visible to the postal worker, but with the letter, the contents of the message are safely hidden within the envelope.

HTTPS provides three benefits: security, authenticity, and privacy.

Security

This is perhaps the most basic use case. When you browse the web using a traditional HTTP connection, any form data you fill out is sent in plain text across the network. This means your personal details, your password, or your credit card information could be intercepted by someone on your network.

Who could be listening? You never know. The risk of being snooped might be small on a well-secured private network, but that security might not always be available at a conference, in a coffee shop, or at the library.

Authenticity

HTTPS ensures that the contents of the website you’re browsing can’t be modified. Internet Service Providers have been caught injecting advertisements into web pages. These ads might appear to come from a publisher you trust, but could link to viruses and malware.

Sometimes an entire website might be a scam. Journal hijacking and publisher spoofing are major problems in scholarly publishing. Predatory, knock-off publishers have forced real journals like Wulfenia to post warnings on their website about sites that use similar names and designs to trick researchers into submitting papers.

Websites using HTTPS must acquire a “certificate” from a list of trusted certificate authorities. The authorities require the website to verify its identity and then make sure no other websites can use the same certificate. On any browser, you can click the little green padlock in the address bar of an HTTPS site to make sure that the site is legitimate.

Privacy

Privacy isn’t always the first issue that comes to mind when talking about publishing websites. But the stakes are higher than you might expect. In the past few years, government agencies from Turkey to Canada to the United States have monitored or interfered with the research behavior of academics.

HTTPS can’t protect you from malware installed on your machine or the subpoena of publisher logs, but it does provide some defense against the monitoring of network traffic. Without it, someone sharing your network might be able to see the manuscripts you read, the peer review reports you write, or the editorial decisions you make. Someone browsing articles on a sensitive medical condition should be able to do so confidentially.

Privacy is a foundational right: it creates the necessary conditions for rights like academic freedom and freedom of expression to exist. To be most effective, researchers must feel that they can operate without fear of censure or oversight. While HTTPS isn’t a panacea, it’s an important part of a healthy scientific discourse.

What took us so long?

Switching to HTTPS used to be a lot more expensive, slower, and riskier than it is today. The spread of free or low-cost certificate providers and the development of new web technologies have greatly simplified the process.

Since 2014, Let’s Encrypt has offered free certificates and automated tools to manage them. Amazon now also offers free certificates to anyone using their other backend tools.

When you visit an HTTPS website, your browser spends a fraction of a second negotiating the encryption. These fractions can add up if a website has lots of external resources to load, like images and ad units. But HTTP/2, an emerging web standard, promises to massively speed things up by making more requests in parallel. HTTP/2 will only be available over HTTPS, so switching to HTTPS could ultimately make your website faster than it is today.

Switching to HTTPS can temporarily depress your search rankings. This can be mitigated by setting up redirects properly and using tools provided by search engines to notify them of the change. Google promises to provide a search boost to HTTPS websites that will help minimise this issue. If you’re looking to get started, Google provides a number of resources, including a step-by-step guide.
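
One way to check that redirects are set up properly during an HTTP to HTTPS migration, as an added example that is not Hindawi's or Google's code. The criteria (a single permanent hop, same host, path and query preserved) are assumptions based on common migration practice, and the host `publisher.example` and the recorded responses are constructed sample data.

```python
from urllib.parse import urlsplit

PERMANENT = {301, 308}  # permanent redirects; 302/307 are temporary

def audit_redirect(http_url, hops):
    """Audit one HTTP->HTTPS redirect chain.

    hops: list of (status, location) pairs recorded while following http_url;
    the last entry is the final response (location is None).
    Returns a list of findings; an empty list means the redirect looks right.
    """
    findings = []
    src = urlsplit(http_url)
    redirects, final = hops[:-1], hops[-1]
    if not redirects:
        return ["no redirect: page is still served over plain HTTP"]
    status, location = redirects[0]
    dst = urlsplit(location)
    if dst.scheme != "https":
        findings.append("first hop does not go to HTTPS")
    if status not in PERMANENT:
        findings.append(f"status {status} is temporary; use 301 or 308")
    if dst.hostname != src.hostname:
        findings.append(f"host changes to {dst.hostname}")
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        findings.append("path or query string not preserved")
    if len(redirects) > 1:
        findings.append(f"{len(redirects)} hops; redirect in one step")
    if any(urlsplit(loc).scheme != "https" for _, loc in redirects[1:]):
        findings.append("chain drops back to HTTP after upgrading")
    if final[0] != 200:
        findings.append(f"final response is {final[0]}, not 200")
    return findings

# Constructed sample data (publisher.example is a placeholder host).
SAMPLES = {
    "http://publisher.example/journals/abc/2017/123/":
        [(301, "https://publisher.example/journals/abc/2017/123/"), (200, None)],
    "http://publisher.example/search?q=tls":
        [(302, "https://publisher.example/"), (200, None)],
    "http://publisher.example/about":
        [(301, "https://www.publisher.example/about"),
         (301, "http://www.publisher.example/about/"), (200, None)],
}

def run_audit(samples=SAMPLES):
    return {url: audit_redirect(url, hops) for url, hops in samples.items()}

if __name__ == "__main__":
    for url, findings in run_audit().items():
        print(url, "->", findings or "OK")
```

A redirect that sends every old URL to the home page, as in the second sample, breaks inbound links, and a chain that falls back to HTTP, as in the third, sends the request in the clear again.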

Conclusion

We aren’t the first publisher to make the switch to HTTPS, but we’re proud to be joining the ranks of the publishers that promote a safer and more secure experience for readers, authors, editors, and reviewers. We’d like to see all academic publishers make the switch to HTTPS in 2017, and we’d encourage anyone who wants to discuss the challenges involved to get in touch.

The text of this blog post is by Hindawi and is distributed under the Creative Commons Attribution License (CC-BY). Feature image copyright Supercaps/Shutterstock.