This article was published on September 8, 2014

Reddit launches full-site HTTPS via CloudFlare, but only for logged-in users and it’s off by default



Reddit today launched support for HTTPS via CloudFlare, a popular CDN and DNS provider. The move means users can encrypt their connections while browsing the site, although the option is off by default.

For those who don’t know, Hypertext Transfer Protocol Secure (HTTPS) is a secure communications protocol. Despite the name though, it’s not technically a protocol in itself as it consists of the SSL/TLS protocol with an HTTP layer on top.

Turning on the feature means anyone snooping on your connection will be unable to see the plain-text contents of what your browser is communicating with Reddit, since the traffic is encrypted and HTTPS is enforced through an HSTS (HTTP Strict Transport Security) policy. All your communications, including your authentication credentials and cookies, will not be viewable through man-in-the-middle attacks.

This is because the policy causes Reddit to redirect any non-HTTPS requests containing your credentials to HTTPS. The company does note that this won’t work for everyone because it “cannot force API clients, such as mobile apps or bots, or certain older browsers, to respect this setting, and as such they may still connect to Reddit through non-encrypted HTTP.”
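
The caveat about clients that do not respect the setting comes down to how HSTS works on the client side. As an added illustration (not from the original article and not Reddit's code), this simplified Python model of RFC 6797 handling shows an HSTS-aware client upgrading http:// URLs before sending anything, while an unaware client still goes out over plain HTTP. The class and function names are hypothetical, the hosts are constructed, and explicit ports are not handled.

```python
# Added illustration: simplified client-side HSTS handling (RFC 6797).
# Names are hypothetical; hosts and header values are constructed samples.
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, include_sub


class HstsClient:
    """A client that honours HSTS; honours_hsts=False models one that ignores it."""

    def __init__(self, honours_hsts=True):
        self.honours_hsts = honours_hsts
        self.store = {}  # host -> (expiry_time, include_subdomains)

    def note_response(self, url, headers, now):
        parts = urlsplit(url)
        value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
        # The header only counts when it arrives over HTTPS.
        if not (self.honours_hsts and value and parts.scheme == "https"):
            return
        max_age, include_sub = parse_hsts(value)
        if max_age == 0:
            self.store.pop(parts.hostname, None)  # max-age=0 clears the policy
        else:
            self.store[parts.hostname] = (now + max_age, include_sub)

    def outgoing_url(self, url, now):
        """Return the URL actually requested, upgrading http:// for known HSTS hosts."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        for known, (expiry, include_sub) in self.store.items():
            match = parts.hostname == known or (
                include_sub and parts.hostname.endswith("." + known))
            if match and now < expiry:
                return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

A client that has never seen the header over HTTPS, or that ignores it, still sends its first request (cookies included) in the clear, and only the server-side redirect moves it to HTTPS afterwards.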


Here is what you need to know before enabling the feature, which can be done from the new security tab:

  • It ensures your browser communicates with Reddit over a secure channel when logged in.
  • It disables the “display links with a reddit toolbar” preference.
  • Some third-party apps may not support it.
  • Changing it will log you out of reddit on other devices, and will invalidate your old private RSS feeds.

If Reddit can solve points two and three, and sees positive results with the optional rollout, the company should enable it for all logged-in users by default. The next step after that will be HTTPS by default for everyone. Nowadays, optional HTTPS just doesn’t cut it.

See also: Reddit’s 2013 stats: 56 billion page views, 731 million unique visitors, and over 40 million posts and Reddit recommends that journalists ask for permission before covering stories from the site

Image credit: Shutterstock
