Closed eloquence closed 5 years ago
As of today, this impacts nearly half the landing pages in the directory, 18 of 40. Of those 18, 11 are clearly problematic (subdomains like securedrop
, contact
or newstips
). Significant outreach required prior to activating this warning.
Fortunately, with the Chrome HTTP insecure warning updates, we've seen great adoption of HTTPS site-wide for most news orgs—so the historical blockers for hosting landing pages on primary domain routes may be largely resolved for many orgs. Check out the latest STN data:
Completely agree that meticulous outreach is required before we go public with the warning.
This is done in current master
(behind flag), further tweaks will be tracked through separate issues.
Per epic #488, we should show a warning of type "moderate" for instances hosted on a subdomain.
It may be necessary to support whitelisting of instances, in cases where this doesn't really apply because the domain name is a dead giveaway (
leaknow.leakleakleak.org
), or where folks have found reasonable workarounds to protect privacy (neutral naming of subdomain and use for other purposes).Proposed warning text (see #514 for boilerplate):