More than fifteen months after the NSA revelations laid bare the overwhelming scope of online surveillance and fueled the demand for privacy, virtually none of the top news websites—including all those who have reported on the Snowden documents—have adopted the most basic of security measures to protect the integrity of their content and the privacy of their readers: deploying HTTPS.

An HTTPS connection is easily recognized by the most novice of Internet users for the lock icon it displays in your web browser’s address bar. It signifies that the connection between you and the website you are reading is encrypted, so a malicious actor—whether a criminal trying to eavesdrop on you through public WiFi or a government that has access to raw Internet traffic—cannot see the information that you are transmitting or requesting from a particular website.

A regular HTTP connection means that such attackers can potentially spy on your username and password, your search terms, or the articles you are reading. Unencrypted traffic, or plaintext, is also easy to filter, allowing for selective censorship of articles, subjects, specific reporters or outlets by authoritarian governments. You also can’t be sure that you’re visiting the right website rather than an impostor (which could happen if you’re a victim of simple DNS hijacking).

For a sense of how risky an unencrypted connection might be for users, consider the following scenario: a private company sells a device that takes advantage of unencrypted YouTube streams. It will target a user, wait for them to watch some cat videos, intercept that traffic and replace it with malicious code that gives the operator total control over the target’s computer without his or her knowledge. This is exactly what was discovered by Morgan Marquis-Boire, a researcher at Citizen Lab, First Look Media’s director of security and a member of our technical advisory board.

Websites that don’t encrypt traffic by default can potentially be used to compromise users in the same manner. Eavesdropping on people reading the news is a real danger that has already happened, as demonstrated by the NSA and GCHQ spying on visitors to WikiLeaks.org. And last year we learned how GCHQ employees used a “QUANTUM insert” technique against readers of Slashdot.org, a popular technology news website.