1. @aysunakarsu @searchdatalogy #seocamp
The Road To A More Secure Web
Aysun Akarsu 10 March 2017 #SEOCamp Paris
@

2. @aysunakarsu @searchdatalogy #seocamp
Aysun Akarsu / Search Data Strategist
Digital data strategist specialized in technical and architectural SEO wanting to
help companies in making data driven decisions to generate more search traffic.
12 Years in Search Data Analysis
Founder & Blogger of SearchDatalogy
https://www.searchdatalogy.com/blog/

3. @aysunakarsu @searchdatalogy #seocamp
https://www.theguardian.com/info/developer-blog/2016/nov/29/the-guardian-has-moved-to-https

4. @aysunakarsu @searchdatalogy #seocamp
HTTPS

5. @aysunakarsu @searchdatalogy #seocamp
TLS

6. @aysunakarsu @searchdatalogy #seocamp
Transport Layer Security (TLS)
■ Secure Sockets Layer (SSL)
■ Transport Layer Security (TLS)
■ TLS replaced SSL

7. @aysunakarsu @searchdatalogy #seocamp
TLS Protocol / Authentication
Bob Alice

8. @aysunakarsu @searchdatalogy #seocamp
TLS Protocol / Encryption
Bob Alice

9. @aysunakarsu @searchdatalogy #seocamp
TLS Protocol / Integrity
Bob Alice

10. @aysunakarsu @searchdatalogy #seocamp
Good For What?

11. @aysunakarsu @searchdatalogy #seocamp
HTTPS HyperText Transfer Protocol Secure 1/2
Protects
■ Integrity of the website
■ Privacy and security of the user

12. @aysunakarsu @searchdatalogy #seocamp
HTTPS HyperText Transfer Protocol Secure 2/2
Requirement For
■ HTTP2 Protocol
■ Explicit user opt-in
■ Amp-ad, amp-embed, amp-video, amp-form, amp-iframe
Enables Powerful Features
■ Accessing user’s geolocation, taking pictures, recording video
■ Offline app experiences and notifications (Service Workers)
Enables Referrer Data (from HTTPS sites)

13. @aysunakarsu @searchdatalogy #seocamp
HTTPS As Google’s Mission

14. @aysunakarsu @searchdatalogy #seocamp
Google Explains
"Security is a top priority at Google. We are investing and working to make sure
that our sites and services provide modern HTTPS by default. We're committed to
making the web a safer place not only for Google users, but for all users. HTTPS
makes it difficult for Internet Service Providers, governments and others to
watch what you're doing online."

15. @aysunakarsu @searchdatalogy #seocamp
How Google Motivates HTTPS Migration 1/2
By SEO

16. @aysunakarsu @searchdatalogy #seocamp
How Google Motivates HTTPS Migration 2/2
By Chrome
■ Supporting HTTP2 on Chrome only if encrypted
■ Marking HTTP sites as Non Secure on Chrome

17. @aysunakarsu @searchdatalogy #seocamp
Top Sites
HTTPS migration dates

18. @aysunakarsu @searchdatalogy #seocamp
Among Top Sites
Google was one of the
■ First in moving on HTTPS
■ Last bringing HTTP Strict Transport Security(HSTS) to Google. (HSTS is
brought only to www.google.com on 27/07/2016)

19. @aysunakarsu @searchdatalogy #seocamp
HTTPS Across Google
According to Google's statistics, 86 percent of requests sent from around the world to
Google's servers used encrypted connections by mid February 2017. That was 47
percent at the end of 2013.Google has done a good job in terms of HTTPS at its own
side.

20. @aysunakarsu @searchdatalogy #seocamp
HTTPS In Google Index
SMX Advanced on 23/06/2016
http://searchengineland.com/key-takeaways-google-ama-rankbrain-panda-pengui
n-bots-252506

21. @aysunakarsu @searchdatalogy #seocamp
HTTPS Usage On Chrome
Percentage of pages loaded over HTTPS
Percentage of browsing time spent on HTTPS websites
Desktop users load more than
half of the pages they view
over HTTPS and spend
two-thirds of their time on
HTTPS pages.

22. @aysunakarsu @searchdatalogy #seocamp
HTTPS On Top 100 Non Google Sites
Google shared the data concerning a list
of top 100 non Google sites on the
Internet and their HTTPS states in
February 2016.
According to Google the sites in this list
accounts for approximately 25% of all
website traffic worldwide.

23. @aysunakarsu @searchdatalogy #seocamp
HTTPS On 1M Top Sites

24. @aysunakarsu @searchdatalogy #seocamp
TLS Certificates

25. @aysunakarsu @searchdatalogy #seocamp
Type Of TLS Certificates 1/2
TLS Certificates by Validation Level
■ Domain Validation TLS Certificates
■ Organization Validation TLS Certificates
■ Extended Validation TLS Certificates

26. @aysunakarsu @searchdatalogy #seocamp
Type Of TLS Certificates 2/2
TLS Certificates by Secured Domains
■ Single-name TLS Certificates
■ Wildcard TLS Certificates
■ Multi-Domain TLS Certificates

27. @aysunakarsu @searchdatalogy #seocamp
Free Certificates / Let’s Encrypt
Pros
■ Free (Accepts donations)
■ Sponsored by leading companies
Cons
■ TLS Configuration
■ Don’t provide wildcard certificates
■ Provide only domain-validated certificates. No future plans to provide
Organization Validation or Extended Validation Certificates.
■ Renewals

28. @aysunakarsu @searchdatalogy #seocamp
Free Certificates / Caddy Server
Pros
■ Free (Asks for donations)
■ Automatic Renewals
■ No TLS configuration
Cons
■ Don't provide wildcard certificates
■ Don't provide Organization Validation or Extended Validation Certificates.
■ It is the new kid in town.

29. @aysunakarsu @searchdatalogy #seocamp
HSTS

30. @aysunakarsu @searchdatalogy #seocamp
HSTS
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
In seconds
Optional
(Recommended)
Optional
HSTS lets a website tell web browsers that it should only be communicated with
using HTTPS instead of using HTTP.
HSTS eliminates HTTP → HTTPS redirects

31. @aysunakarsu @searchdatalogy #seocamp
chrome://net-internals/#hsts

32. @aysunakarsu @searchdatalogy #seocamp
Chrome HSTS Preload List
https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_sec
urity_state_static.json
{ "name": "wikipedia.org", "include_subdomains": true, "mode": "force-https" },
{ "name": "www.facebook.com", "include_subdomains": true, "mode": "force-https", "pins": "facebook" },
{ "name": "facebook.com", "mode": "force-https", "pins": "facebook" },
{ "name": "twitter.com", "mode": "force-https", "pins": "twitterCom" },
{ "name": "www.twitter.com", "include_subdomains": true, "mode": "force-https", "pins": "twitterCom" },

33. @aysunakarsu @searchdatalogy #seocamp
Before Moving

34. @aysunakarsu @searchdatalogy #seocamp
Choose Well Your IT Infrastructure

35. @aysunakarsu @searchdatalogy #seocamp https://istlsfastyet.com/

36. @aysunakarsu @searchdatalogy #seocamp https://istlsfastyet.com/

37. @aysunakarsu @searchdatalogy #seocamp
If Using SNI
Check Web Servers & Browsers Support
http://caniuse.com/#search=sni

38. @aysunakarsu @searchdatalogy #seocamp
Consider HTTP2
https://www.nginx.com/blog/supporting-http2-google-chrome-users/

39. @aysunakarsu @searchdatalogy #seocamp
Plan Only HTTPS Migration
https://www.seroundtable.com/google-url-structures-https-23084.html

40. @aysunakarsu @searchdatalogy #seocamp
No Access To Users & Bots

41. @aysunakarsu @searchdatalogy #seocamp
Get & Configure TLS Certificate On Staging Server
■ Certificate from a reliable CA offering technical support.
■ Choose a 2048-bit key.

42. @aysunakarsu @searchdatalogy #seocamp
Collect Data
■ Production Site’s Crawl
■ Staging Site’s Crawl
■ Analytics Tools e.g. Google Analytics
■ Google Search Console
■ Web Server Logs
■ External Links e.g. Majestic

43. @aysunakarsu @searchdatalogy #seocamp
Analyze Data (Production)
■ Error Pages
■ Crawl Waste
■ Low Quality Content Pages
■ Orphan Pages

44. @aysunakarsu @searchdatalogy #seocamp
Analyze Data (Staging)
On each page check
■ Status Code
■ Scheme(Protocol) on the URL of the page
■ Scheme(Protocol) on the URLs of the links, web assets (images, tracking,
ads, js etc)
■ Canonical tag
■ Hreflang tag
■ Meta tags (e.g. noindex, nofollow)
■ HTTP Headers
■ Content

45. @aysunakarsu @searchdatalogy #seocamp
Prepare
■ Migration Section Planning (If moving in sections)
■ URL Mapping List
■ URL Monitoring List
■ Sitemaps (HTTP, HTTPS)

46. @aysunakarsu @searchdatalogy #seocamp
Check The TLS Certificate
https://www.sslshopper.com/ssl-checker.html#hostname=www.searchdatalogy.com

47. @aysunakarsu @searchdatalogy #seocamp
Check Common Configuration & Security Flaws
https://www.ssllabs.com/ssltest/analyze.html?d=www.searchdatalogy.com

48. @aysunakarsu @searchdatalogy #seocamp
Register
Google Search Console
https://example.com
https://www.example.com
https://m.example.com (If mobile on the origin)
https://en.example.com (If subdomains on the origin)
https://www.example.com/en/ (If directories on the origin)

49. @aysunakarsu @searchdatalogy #seocamp
Configure (On The Destination Site)
Google Search Console
Replicate Origin’s Configuration
■ URLs Parameters
■ Geotargeting
■ Disavow
■ Preferred domain
Submit Sitemaps
Analytics Tools e.g. Google Analytics Configuration

50. @aysunakarsu @searchdatalogy #seocamp
Ready?

51. @aysunakarsu @searchdatalogy #seocamp
Access To Users & Bots

52. @aysunakarsu @searchdatalogy #seocamp
Implement Redirects
HTTP → HTTPS

53. @aysunakarsu @searchdatalogy #seocamp
Data
Collect & Analyze
■ Production Site’s Crawl
■ Web Server Logs
■ Analytics Tools e.g. Google Analytics

54. @aysunakarsu @searchdatalogy #seocamp
Update URLS
■ Profile Links (e.g. Facebook, Twitter,LinkedIn)
■ Owned Media
■ Partner Sites
■ Ad Campaigns

55. @aysunakarsu @searchdatalogy #seocamp
After

56. @aysunakarsu @searchdatalogy #seocamp
Data
■ Production Site’s Crawl
■ Sitemaps Crawl
■ Web Server Logs
■ Analytics Tools e.g. Google Analytics
■ Google Search Console
■ External Links
COLLECT
MONITOR
ANALYZE

57. @aysunakarsu @searchdatalogy #seocamp
Implement HSTS
■ Send HSTS headers with a short max-age.
Strict-Transport-Security: max-age=300; includeSubDomains
■ Increase slowly the HSTS max-age.
Strict-Transport-Security: max-age=86400; includeSubDomains
■ If no impact on audience and search engines consider being added to the
Chrome HSTS preload list.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

58. @aysunakarsu @searchdatalogy #seocamp
“Protecting less sensitive sites strengthens the protections of more sensitive sites.”
https://https.cio.gov/
“The good we secure for ourselves is precarious and uncertain until it is secured for
all of us and incorporated into our common life.”
Jane Addams