When the Canadian Journalists for Free Expression (CJFE) decided it was time to encrypt their website with HTTPS, they came up against a barrier: a $12,000/year price tag from their hosting provider.
Like many NGOs and political parties, Toronto-based CJFE uses the popular Nation Builder hosting platform, which offers site-wide “Custom domain SSL” only to their Enterprise level customers, at a cost of $999 per month—just shy of $12,000 per year.
HTTPS prevents third parties from snooping on web traffic—for instance, to steal credit card details—but also hides which pages on a particular website a user is reading, a necessary feature for a news site, or an organization of journalists who promote free expression.
Encrypting a website with HTTPS also makes it more difficult for third parties, like the NSA, to intercept web traffic and inject malware. The NSA’s QUANTUM program can mass hack millions of computers by exploiting unencrypted HTTP connections.
“Whether it’s people worried about the NSA under Trump or journalists circumventing repression abroad, we need to provide secure access to our content,” Kevin Metcalf, the CJFE’s communications coordinator, told the Daily Dot. “Nation Builder asking $12,000 a year is far too much for that very basic feature.”
In the more than three years since NSA whistleblower Edward Snowden came forward, encryption has ceased to be a luxury and become a necessity. In 2014, Google announced that websites that failed to deploy HTTPS would be punished with lower page ranks in the search engine’s algorithm. Even the U.S. government, not known for its encryption-savvy, announced in 2015 that all .gov websites were moving to HTTPS by the end of that year.
Installing an SSL certificate, more correctly termed a TLS certificate, on a web server enables HTTPS for a given website.
The cost of purchasing a TLS certificate has dropped to zero. Let’s Encrypt, a new certificate authority, began issuing fully-automated free Domain Validated (DV) TLS certificates in 2015, and so far has issued nearly 16 million certificates.
WordPress.com, another content management platform, deployed Let’s Encrypt TLS certificates for all their clients with custom domains in April, 2016.
In a brief email statement, Nation Builder passed the buck.
“We want to provide SSL to all customers,” Jim Gilliam wrote. “Because of the political nature of the work that our customers do, we use Akamai extensively to prevent distributed denial-of-service attacks. They have stated public support for Let’s Encrypt, but have yet to roll out any offerings.”
However, Akamai told the Daily Dot that they have offered Let’s Encrypt certificates in production since December, 2015. “We have numerous customers using Akamai-managed DV certificates issued by Let’s Encrypt on our platform,” Rajiv Aaron Manglani, Senior Product Line Manager at Akamai, wrote in an email.
“Akamai is a proud supporter of Let’s Encrypt,” Rob Morton, director of public relations at Akamai, wrote in an email. “We support a range of cost effective certificate options, including DV certs for those customers that require it. By policy, Akamai does not comment on other companies’ businesses or business practices.”
Nation Builder declined to provide additional technical details regarding what they mean by “Custom domain SSL.” However, many of their customers deploy Extended Validation (EV) certificates, which turn on a web browser’s “green bar” in the address field. Nation Builder may also offer Organization Validated (OV) certificates.
“Getting and managing DV certificates can be fully automated, whereas that’s not the case for OV and EV certificates,” Josh Aas, executive director of the Internet Security Research Group, which manages Let’s Encrypt, told the Daily Dot. “Whatever their value, and that probably varies from person to person or org to org, OV and EV won’t scale to secure every website on the web.”
“We think every site on the web should be encrypted,” he added. “It would be great if SSL was standard across [Nation Builder’s] offerings.”