Making Pinterest HTTPS

Pinterest Engineering
4 min readintermediate
--
View Original

Overview

The article discusses Pinterest's migration to HTTPS, highlighting the security benefits and the engineering challenges faced during the transition. It details both expected and unexpected challenges, solutions implemented, and the positive impact on user safety and engagement.

What You'll Learn

1

How to identify and mitigate technical challenges when migrating to HTTPS

2

Why using multiple CDN providers can enhance performance and security

3

How to implement a paid bug bounty program post-HTTPS migration

Key Questions Answered

What challenges did Pinterest face during its migration to HTTPS?
Pinterest encountered several challenges during its HTTPS migration, including working with CDN providers, surfacing hard-coded HTTP URLs, performance impacts, and mixed content warnings. Unexpected issues arose, such as a broken 'Pin It' button and an unknown Safari issue, which were addressed through swift actions.
What were the results of migrating Pinterest to HTTPS?
The migration to HTTPS enhanced user privacy and security, preventing exploitation through man-in-the-middle attacks and session hijacking. Additionally, it resulted in a maximum 10 percent increase in daily signups by eliminating the redirect flow from HTTP to HTTPS signup pages.
How did Pinterest tackle unexpected challenges during the HTTPS migration?
Pinterest tackled unexpected challenges by quickly changing DNS to a new CDN provider for the broken 'Pin It' button, using a meta referrer header to address referral header issues, and investigating login problems specific to Safari users. This agile response helped maintain user experience.
What security enhancements followed Pinterest's migration to HTTPS?
Following the migration, Pinterest plans to implement HTTP Strict Transport Security (HSTS) to prevent SSL stripping and collaborate with Chromium to preload its domain. These steps aim to further enhance security and user trust.

Key Statistics & Figures

Increase in daily signups
10 percent
This increase was attributed to the removal of the redirect flow from HTTP to HTTPS signup pages.
Increase in bug reports
10x
This increase occurred after launching the paid bug bounty program following the HTTPS migration.

Technologies & Tools

Protocol
HTTPS
Used to secure user data and enhance privacy during Pinterest's migration.
Infrastructure
CDN
Content Delivery Networks were utilized to support HTTPS and improve content distribution.

Key Actionable Insights

1
Implementing HTTPS is crucial for enhancing user trust and security on your platform.
Migrating to HTTPS not only secures user data but also improves overall site performance and user engagement, as evidenced by Pinterest's 10 percent increase in daily signups.
2
Utilize multiple CDN providers to ensure redundancy and performance optimization.
Having multiple CDN options allows for better handling of traffic and potential issues, as seen when Pinterest quickly resolved a broken feature by switching providers.
3
Establish a paid bug bounty program to enhance security post-migration.
Pinterest's upgrade to a paid bug bounty program led to a 10x increase in reports, demonstrating the value of community involvement in identifying vulnerabilities.

Common Pitfalls

1
Failing to update all sitemap files to point to HTTPS domains can lead to broken links and SEO issues.
This oversight can cause significant disruptions in user navigation and negatively impact search engine rankings, as seen during Pinterest's migration.
2
Not addressing mixed content warnings can lead to user distrust and security vulnerabilities.
Mixed content warnings occur when a site served over HTTPS includes resources loaded over HTTP, which can compromise the security of the entire page.

Related Concepts

Web Security
Content Delivery Networks
Bug Bounty Programs
HTTP Strict Transport Security (hsts)