HTTPS on Stack Overflow
Nick Craver (via Joel Spolsky, Hacker News):
We began thinking about deploying HTTPS on Stack Overflow back in 2013. So the obvious question: It’s 2017. What the hell took 4 years? The same 2 reasons that delay almost any IT project: dependencies and priorities. Let’s be honest, the information on Stack Overflow isn’t as valuable (to secure) as most other data. We’re not a bank, we’re not a hospital, we don’t handle credit card payments, and we even publish most of our database both by HTTP and via torrent once a quarter. That means from a security standpoint, it’s just not as high of a priority as it is in other situations. We also had far more dependencies than most, a rather unique combination of some huge problem areas when deploying HTTPS. As you’ll see later, some of the domain problems are also permanent.
The biggest areas that caused us problems were:
- User content (users can upload images or specify URLs)
- Ad networks (contracts and support)
- Hosting from a single data center (latency)
- Hundreds of domains, at multiple levels (certificates)