Back in July 2016, I published a blog post called , about our plans to roll out HTTPS across our online products, and the particular challenges we were facing. Over a year has elapsed since then, and we’d planned to be more or less complete by now, so how are we doing?
Overall, what we said still holds trueβ—βretrofitting HTTPS onto an existing, ever-changing estate of web services at scale is the exact opposite of a straightforward task in practice. However, we’ve made some really good progress. All the enabling work at the traffic management layer is complete, and now products can roll out HTTPS in such a way as to avoid impact on their existing roadmaps.
(For a great read on how ΒιΆΉΤΌΕΔ Online is composed of multiple products and technology bases, and some of the complexity that brings, read ).
We had a tentative 12 month timeframe back in 2016, and in that time the UK ΒιΆΉΤΌΕΔpage, TV, Music, Children’s (CΒιΆΉΤΌΕΔ and CBeebies), iPlayer, Education, and many World Service sites such as World Service Radio, , and are now all HTTPS-only.
A really important achievement has been the roll-out of HTTPS to our AV streaming services across desktop, mobile and connected devices. We have adopted a slow & steady approach quite deliberately here as there is a huge variance in HTTPS support across all the devices that iPlayer is supported on (some don’t work at all, or perform sufficiently poorly that HTTPS gives a bad playback experience), but we are well on our way and the chances are that when you next stream iPlayer content to your device, you’re doing so over a completely secure stream. Lloyd Wallis has written a detailed post about all the achievements and challenges .
Also, our mobile applications teams have been working hard to secure all backend service calls from our native ΒιΆΉΤΌΕΔ mobile applications like iPlayer Radio, in line with emerging mobile security standards such as Apple’s App Transport Security.
, the security standard that underpins HTTPS, is also an important enabler for the HTTP/2 protocol, another important future-looking standard for us which from a ΒιΆΉΤΌΕΔ perspective.
So, despite the enormity of the task, we’ve made great progress, and we’ll continue to work to make HTTPS the default wherever possible across ΒιΆΉΤΌΕΔ Online. Within Design & Engineering we believe that we owe our audiences the confidence that when they access ΒιΆΉΤΌΕΔ Online, they’re doing so in the safest and most trusted manner possible, wherever they are.