    Image: galex/Flickr

    Porn Sites Should Be Using This Basic Security Feature

    Written by Yael Grauer, Contributor

    A huge swath of internet users like to look at porn in the privacy of their own home, but many probably don’t spend a lot of time thinking about potential consequences of doing so over an insecure connection (that is, HTTP rather than HTTPS). Many adult sites are not only unencrypted by default, but don’t even offer the option. In fact, only three of the top 10 adult sites—based on Alexa rankings—use SSL. Those three sites are LiveJasmin, Chaturbate, and Adult Friend Finder. YouPorn (#3), XNXX (#4), Flirt4free (#5), NudeVista (#6), Cam4 (#7), Liveleak (#8), and G-e-hentai (#9) still have a ways to go.

    Google recently started naming and shaming the top 100 most popular non-Google sites that aren’t encrypted, aren’t encrypted by default, or don’t use modern cryptography. Five out of the eight adult sites they listed—YouPorn, RedTube, Pornhub, xvideos, and xnxx—have implemented none of the above. Only Bongacams, Chaturbate, and XHamster were ready to roll.

    Unlike its outdated sibling HTTP, the secure communication protocol HTTPS offers some protection from malware, maximizes user privacy, and maintains the integrity of information exchanged with a website.

    HTTPS is particularly important for people who are, for example, visiting more mainstream porn sites and simply don't want third parties (like their internet provider or employer or the government) to know which pages on said sites they are viewing—if only so they don’t advertise their sexual orientation or the flavor of porn they enjoy to the public.

    Since a site's domain name is not encrypted, HTTPS will not protect users if the mere fact that they're visiting a specific site is embarrassing. But users of large sites that cater to many different niches could really benefit from HTTPS to avoid being outed by network traffic, since anything past the domain name is hidden in the encrypted envelope. For example, if you visit the encrypted site kink.com, it’s no secret that you’re on the site—but since it uses HTTPS, only you and the site know whether you’re hanging out on the “water bondage” section, or “gay fetish,” or “everything butt.”

    “It’s illegal to be gay in places like Indonesia and Singapore,” said Joseph Lorenzo Hall, chief technologist at the non-profit advocacy organization Center for Democracy & Technology (CDT). “Your network traffic may actually implicate you in activity in that regime that is considered outright illegal.”

    Kink.com spokesman Michael Stabile believes that adult companies have an even greater obligation to their users than generic retailers do. “Not only are we dealing with people’s credit card information and other identifying information, we’re dealing with stuff that’s very particular to them. We live in a society where sexuality is stigmatized. These are often very private desires and sexualities, and people may not be out to their family, their friends, and their community. What we have seen in the adult industry over the past several years is that there have been hacks, and when there are hacks, there are greater consequences for adult fans than others. What the industry’s been trying to do, over the past few years in particular, is really institute a greater awareness of HTTPS for adult sites.”

    Earlier this year, CDT reached out to the adult industry trade organization Free Speech Coalition (FSC) to discuss the issue. The two organizations “really did a push to encourage adult sites to do this, because it wasn’t necessarily something that had been on a lot of sites’ radars,” said Stabile, who also works as a communication coordinator for FSC.

    Hall said that CDT decided to focus on adult sites because of the massive amount of traffic they deal in, the sensitive nature of that traffic, and what could be done with access to that kind of sensitive information in wrong hands.

    “The things we’ve seen governments and other kinds of large network surveillors use run of the mill traffic for, you can easily see someone’s porn consumption habits become some element of a blackmail or discreditation campaign. To some extent we’ve already seen the NSA, for example, collect cookie values that they could get on the wire from unencrypted web interactions and use those to track people. The ad industry does that, too, but it’s more than the ad industry.”

    In short, people are surveilling at the network level, and encrypting sites ensures that only the sender and receiver have access to that information. Anyone who would want to shame someone for their viewing habits would have a much harder time with an encrypted site.

    Beyond the privacy issue, though, there's also the chance that hackers could exploit the lack of encryption and hijack visits to these sites, just as governments did on YouTube, leading the platform to switch to HTTPS.

    But the tide does seem to be shifting. YouPorn VP Brad Burns said in a statement that the site’s goal is to move to HTTPS by default, and that it will launch an HTTPS version in the coming months. Burns cites the costs of certificates, additional streaming costs, and getting advertisers and advertising networks as well as providers on board for the switch as the biggest challenges. That said, he thinks it’s worth the price. “YouPorn is a very strong advocate for HTTPS, as well as most means for a more secure and private internet. We have well established brands that customers should trust, and this effort is definitely a step in the right direction towards a safe and secure online experience.”

    The Cyprus-based adult entertainment site xHamster moved to SSL just this month. “xHamster offers the best free adult content for our fans, and there is no excuse in 2016 for anyone to be using HTTP without the proper protection upgrades necessary for full HTTPS compliance,” spokesperson Alex Hawkins said in a press release.

    How quickly other sites will follow suit remains to be seen—but we think it’d be a pretty good New Year’s resolution.