HTTPS The Road To A More Secure Web / SEOCamp Paris

SeoCamp'us 2017 / HTTPS, TLS, HSTS, Migration / Aysun Akarsu

@aysunakarsu @searchdatalogy #seocamp

The Road To A More Secure Web
Aysun Akarsu, 10 March 2017, #SEOCamp Paris
Aysun Akarsu / Search Data Strategist
Digital data strategist specialised in technical and architectural SEO, helping companies make data-driven decisions that generate more search traffic. 12 years in search data analysis. Founder of and blogger at SearchDatalogy: https://www.searchdatalogy.com/blog/
The Guardian's migration write-up: https://www.theguardian.com/info/developer-blog/2016/nov/29/the-guardian-has-moved-to-https
HTTPS

TLS

Transport Layer Security (TLS)
■ Secure Sockets Layer (SSL)
■ Transport Layer Security (TLS)
■ TLS replaced SSL: SSL 2.0 and 3.0 are deprecated and should be disabled on the server; "SSL certificate" survives only as a name for what is in practice a TLS certificate.
TLS Protocol / Authentication, Encryption, Integrity
(The three slides show Bob and Alice talking over TLS.)
■ Authentication: the server proves its identity with a certificate chained to a CA the browser trusts, so the client knows which server it is talking to and not someone sitting in between.
■ Encryption: application data is encrypted with keys negotiated in the handshake, so an observer on the path sees only ciphertext.
■ Integrity: every record carries a MAC or an authenticated-encryption tag, so any modification in transit is detected and the connection is closed.
Good For What?

HTTPS HyperText Transfer Protocol Secure 1/2
Protects
■ Integrity of the website
■ Privacy and security of the user

HTTPS HyperText Transfer Protocol Secure 2/2
Requirement For
■ HTTP2 Protocol (browsers negotiate HTTP/2 only over TLS)
■ Explicit user opt-in
■ Amp-ad, amp-embed, amp-video, amp-form, amp-iframe
Enables Powerful Features
■ Accessing user's geolocation, taking pictures, recording video
■ Offline app experiences and notifications (Service Workers)
Enables Referrer Data (from HTTPS sites): browsers drop the Referer header when a user goes from an HTTPS page to an HTTP page, so an HTTP site never learns where its HTTPS-originated traffic came from, while an HTTPS site does.
HTTPS As Google's Mission

Google Explains
"Security is a top priority at Google. We are investing and working to make sure that our sites and services provide modern HTTPS by default. We're committed to making the web a safer place not only for Google users, but for all users. HTTPS makes it difficult for Internet Service Providers, governments and others to watch what you're doing online."
How Google Motivates HTTPS Migration 1/2
By SEO

How Google Motivates HTTPS Migration 2/2
By Chrome
■ Supporting HTTP2 on Chrome only if encrypted
■ Marking HTTP sites as Non Secure on Chrome
Top Sites
HTTPS migration dates

Among Top Sites
Google was one of the
■ First to move to HTTPS
■ Last to bring HTTP Strict Transport Security (HSTS) to Google (HSTS was applied only to www.google.com, on 27/07/2016)

HTTPS Across Google
According to Google's statistics, 86 percent of requests sent from around the world to Google's servers used encrypted connections by mid-February 2017; the figure was 47 percent at the end of 2013. Google has done a good job on HTTPS on its own side.
HTTPS In Google Index
SMX Advanced on 23/06/2016
http://searchengineland.com/key-takeaways-google-ama-rankbrain-panda-penguin-bots-252506
HTTPS Usage On Chrome
Percentage of pages loaded over HTTPS
Percentage of browsing time spent on HTTPS websites
Desktop users load more than half of the pages they view over HTTPS and spend two-thirds of their time on HTTPS pages.

HTTPS On Top 100 Non Google Sites
Google shared data on a list of the top 100 non-Google sites on the Internet and their HTTPS status in February 2016. According to Google, the sites in this list account for approximately 25% of all website traffic worldwide.

HTTPS On 1M Top Sites
TLS Certificates

Type Of TLS Certificates 1/2
TLS Certificates by Validation Level
■ Domain Validation TLS Certificates
■ Organization Validation TLS Certificates
■ Extended Validation TLS Certificates
All three levels give the same transport protection; they differ only in how much the CA verifies about the requester (control of the domain for DV, the organisation's identity on top of that for OV and EV).

Type Of TLS Certificates 2/2
TLS Certificates by Secured Domains
■ Single-name TLS Certificates
■ Wildcard TLS Certificates
■ Multi-Domain TLS Certificates
Free Certificates / Let's Encrypt
Pros
■ Free (accepts donations)
■ Sponsored by leading companies
Cons
■ TLS configuration is still your job
■ No wildcard certificates (true at the date of the talk; Let's Encrypt has issued wildcards through ACME v2 with DNS validation since March 2018)
■ Only domain-validated certificates, with no plans to offer Organization Validation or Extended Validation certificates
■ Renewals: certificates are valid for 90 days, so renewal has to be automated with an ACME client

Free Certificates / Caddy Server
Pros
■ Free (asks for donations)
■ Automatic renewals
■ No TLS configuration
Cons
■ No wildcard certificates
■ No Organization Validation or Extended Validation certificates
■ It is the new kid in town
Caddy is a web server rather than a CA: it obtains and renews its certificates from Let's Encrypt over ACME, so the certificate limits are the same as above.
HSTS

HSTS
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
■ max-age: in seconds
■ includeSubDomains: optional (recommended)
■ preload: optional
HSTS lets a website tell web browsers that it should only be communicated with using HTTPS instead of HTTP. A browser honours the header only when it arrives over HTTPS; from then on, for as long as max-age lasts, it rewrites http:// URLs for that host to https:// before sending anything, so the HTTP → HTTPS redirect is never requested and a downgrade attack on that first plain-text hop has nothing to intercept. The very first visit still depends on the server-side redirect, unless the host is on the browsers' preload list.
chrome://net-internals/#hsts (query and delete entries in Chrome's HSTS store)
Chrome HSTS Preload List
https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json
  { "name": "wikipedia.org", "include_subdomains": true, "mode": "force-https" },
  { "name": "www.facebook.com", "include_subdomains": true, "mode": "force-https", "pins": "facebook" },
  { "name": "facebook.com", "mode": "force-https", "pins": "facebook" },
  { "name": "twitter.com", "mode": "force-https", "pins": "twitterCom" },
  { "name": "www.twitter.com", "include_subdomains": true, "mode": "force-https", "pins": "twitterCom" },
Before Moving

Choose Well Your IT Infrastructure
https://istlsfastyet.com/
If Using SNI
Check Web Servers & Browsers Support
http://caniuse.com/#search=sni

Consider HTTP2
https://www.nginx.com/blog/supporting-http2-google-chrome-users/

Plan An HTTPS-Only Migration (do not change the URL structure at the same time)
https://www.seroundtable.com/google-url-structures-https-23084.html
No Access To Users & Bots

Get & Configure TLS Certificate On Staging Server
■ Certificate from a reliable CA offering technical support
■ Choose a 2048-bit key (RSA 2048 is the minimum CAs and browsers accept today; an ECDSA P-256 key is an equally accepted, faster alternative)
Collect Data
■ Production Site's Crawl
■ Staging Site's Crawl
■ Analytics Tools e.g. Google Analytics
■ Google Search Console
■ Web Server Logs
■ External Links e.g. Majestic

Analyze Data (Production)
■ Error Pages
■ Crawl Waste
■ Low Quality Content Pages
■ Orphan Pages
Analyze Data (Staging)
On each page check
■ Status Code
■ Scheme (protocol) of the URL of the page
■ Scheme (protocol) of the URLs of the links and web assets (images, tracking, ads, JS etc.); any asset still loaded over http:// is mixed content
■ Canonical tag
■ Hreflang tag
■ Meta tags (e.g. noindex, nofollow)
■ HTTP Headers
■ Content
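The per-page staging checks above, as an added example that is not code from the original deck: a small audit that takes a staging URL, its status code, its response headers and its HTML, and reports everything that still has to change before go-live. The staging host, the function names (audit_page, PageAudit) and the HTML sample are this example's own assumptions.

```python
"""Staging-page audit for the per-page checks listed above.

Added example, not code from the original deck. It runs the "Analyze Data
(Staging)" checks on a constructed HTML sample: scheme of the page URL, scheme
of every link and asset (mixed content), canonical and hreflang targets, robots
meta tag and the response headers. audit_page() and PageAudit are this
example's own names, and the staging host is invented.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Attributes whose URLs a browser fetches (assets) or follows (links).
ASSET_ATTRS = {"link": ("href",), "img": ("src", "srcset"), "script": ("src",),
               "iframe": ("src",), "video": ("src", "poster"), "source": ("src",)}
LINK_ATTRS = {"a": ("href",), "form": ("action",)}


@dataclass
class PageAudit:
    url: str
    status: int
    canonical: Optional[str] = None
    hreflang: dict = field(default_factory=dict)
    robots: Optional[str] = None
    mixed_content: list = field(default_factory=list)  # (tag, url) fetched over http
    http_links: list = field(default_factory=list)     # links still pointing at http
    problems: list = field(default_factory=list)       # human-readable findings


class _Collector(HTMLParser):
    """Collect canonical, hreflang, robots and every link/asset URL, made absolute."""

    def __init__(self, base):
        super().__init__()
        self.base, self.links, self.assets = base, [], []
        self.canonical, self.hreflang, self.robots = None, {}, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "link" and "canonical" in rel:
            self.canonical = urljoin(self.base, a.get("href") or "")
            return
        if tag == "link" and "alternate" in rel and a.get("hreflang"):
            self.hreflang[a["hreflang"]] = urljoin(self.base, a.get("href") or "")
            return
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.robots = a.get("content")
            return
        for attr in ASSET_ATTRS.get(tag, ()) + LINK_ATTRS.get(tag, ()):
            raw = a.get(attr)
            if not raw:
                continue
            # srcset is "url descriptor, url descriptor"; keep only the URLs.
            urls = [p.split()[0] for p in raw.split(",") if p.strip()] if attr == "srcset" else [raw]
            bucket = self.links if tag in LINK_ATTRS else self.assets
            bucket.extend((tag, urljoin(self.base, u)) for u in urls)


def audit_page(url, status, headers, html):
    """Return a PageAudit listing everything that has to change before go-live."""
    audit = PageAudit(url=url, status=status)
    if urlsplit(url).scheme != "https":
        audit.problems.append("page URL is not https")
    if status != 200:
        audit.problems.append(f"status {status} (expected 200)")
    if any(k.lower() == "strict-transport-security" for k in headers):
        audit.problems.append("HSTS header already sent; hold it back until the redirects are live")
    c = _Collector(url)
    c.feed(html)
    audit.canonical, audit.hreflang, audit.robots = c.canonical, c.hreflang, c.robots
    if audit.canonical and urlsplit(audit.canonical).scheme != "https":
        audit.problems.append(f"canonical points to {audit.canonical}")
    for lang, target in audit.hreflang.items():
        if urlsplit(target).scheme != "https":
            audit.problems.append(f"hreflang {lang} points to {target}")
    if audit.robots and "noindex" in audit.robots.lower():
        audit.problems.append(f"robots meta '{audit.robots}' must go at go-live")
    # Active mixed content (script, iframe) is blocked by browsers; passive
    # content (img, video) breaks the padlock. Both have to go before launch.
    audit.mixed_content = [(t, u) for t, u in c.assets if urlsplit(u).scheme == "http"]
    audit.http_links = [u for _, u in c.links if urlsplit(u).scheme == "http"]
    if audit.mixed_content:
        audit.problems.append(f"{len(audit.mixed_content)} asset(s) loaded over http")
    if audit.http_links:
        audit.problems.append(f"{len(audit.http_links)} link(s) still pointing at http")
    return audit


# Constructed sample: a staging page that still carries HTTP leftovers.
SAMPLE_URL = "https://staging.example.com/en/products/"
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://www.example.com/en/products/">
<link rel="alternate" hreflang="fr" href="https://www.example.com/fr/produits/">
<link rel="stylesheet" href="/static/site.css">
<meta name="robots" content="noindex, nofollow">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="//cdn.example.com/hero.jpg">
<a href="/en/contact/">Contact</a>
<a href="http://partner.example.org/">Partner</a>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_URL, 200, SAMPLE_HEADERS, SAMPLE_HTML).problems:
        print("-", finding)
```

Run over a full staging crawl, the audit turns the checklist into a per-URL finding list; the protocol-relative image in the sample is deliberately not flagged, since it follows the page scheme, while the http:// script is the kind of active mixed content browsers block outright.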
Prepare
■ Migration Section Planning (if moving in sections)
■ URL Mapping List
■ URL Monitoring List
■ Sitemaps (HTTP, HTTPS)
Check The TLS Certificate
https://www.sslshopper.com/ssl-checker.html#hostname=www.searchdatalogy.com

Check Common Configuration & Security Flaws
https://www.ssllabs.com/ssltest/analyze.html?d=www.searchdatalogy.com
Register
Google Search Console
■ https://example.com
■ https://www.example.com
■ https://m.example.com (if mobile on the origin)
■ https://en.example.com (if subdomains on the origin)
■ https://www.example.com/en/ (if directories on the origin)

Configure (On The Destination Site)
Google Search Console
Replicate Origin's Configuration
■ URL Parameters
■ Geotargeting
■ Disavow
■ Preferred domain
Submit Sitemaps
Analytics Tools e.g. Google Analytics Configuration
Ready?

Access To Users & Bots

Implement Redirects
HTTP → HTTPS (a single 301 from each http:// URL to the same path on https://, not a chain through the old redirects)
Data
Collect & Analyze
■ Production Site's Crawl
■ Web Server Logs
■ Analytics Tools e.g. Google Analytics
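What to look for in the web server logs once the redirects are live, as an added example that is not code from the original deck. The log format is an assumption (nginx combined log with the scheme, host and Location header added); the log lines, hosts and user agents are constructed for the example.

```python
"""Post-launch log check for the HTTP -> HTTPS redirects.

Added example, not code from the original deck. It reads web server log lines
in a constructed format (an nginx-style combined log with $scheme, $host and
$sent_http_location added; adapt LINE to your own log_format) and reports what
is worth watching in the first days after the redirects go live: requests still
answered 200 over plain HTTP (a missing redirect), HTTP requests redirected
anywhere other than the same path on https:// with a permanent 301/308 (chains,
drops, temporary redirects), and the HTTP/HTTPS split per user agent, so the
move of Googlebot and of users can be followed. The sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

LINE = re.compile(
    r'^(?P<scheme>https?) (?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<location>[^"]*)"$')

PERMANENT = {301, 308}   # the only redirect codes a migration should use


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match LINE."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def classify_agent(ua):
    if "Googlebot" in ua:
        return "googlebot"
    if "bingbot" in ua.lower():
        return "bingbot"
    return "user"


def analyze(lines):
    """Summarise a batch of log lines; see the keys of the returned dict."""
    report = {"http_200": [], "bad_redirects": [], "split": defaultdict(Counter), "unparsed": 0}
    for line in lines:
        r = parse_line(line)
        if r is None:
            report["unparsed"] += 1
            continue
        status = int(r["status"])
        report["split"][classify_agent(r["ua"])][r["scheme"]] += 1
        if r["scheme"] != "http":
            continue
        if status == 200:
            report["http_200"].append(r["path"])           # content still served in the clear
        elif 300 <= status < 400:
            expected = f"https://{r['host']}{r['path']}"   # one hop, same path, https
            if status not in PERMANENT or r["location"] != expected:
                report["bad_redirects"].append((r["path"], status, r["location"]))
    return report


GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/56.0 Safari/537.36"
TS = "[12/Mar/2017:10:00:01 +0100]"
SAMPLE_LINES = [
    # correct: one 301 straight to the same path over https
    f'http www.example.com 203.0.113.5 - - {TS} "GET /en/ HTTP/1.1" 301 0 "-" "{GOOGLEBOT}" "https://www.example.com/en/"',
    # chain: an old redirect still points at an http:// target
    f'http www.example.com 203.0.113.5 - - {TS} "GET /old-page HTTP/1.1" 301 0 "-" "{GOOGLEBOT}" "http://www.example.com/new-page"',
    # missing redirect: a static asset is still served over http
    f'http www.example.com 198.51.100.7 - - {TS} "GET /assets/logo.png HTTP/1.1" 200 5120 "-" "{BROWSER}" "-"',
    # temporary redirect: right target, wrong status code
    f'http www.example.com 198.51.100.7 - - {TS} "GET /en/contact/ HTTP/1.1" 302 0 "-" "{BROWSER}" "https://www.example.com/en/contact/"',
    f'https www.example.com 203.0.113.5 - - {TS} "GET /en/ HTTP/1.1" 200 8120 "-" "{GOOGLEBOT}" "-"',
    f'https www.example.com 198.51.100.7 - - {TS} "GET /en/contact/ HTTP/1.1" 200 4000 "http://www.example.com/en/" "{BROWSER}" "-"',
    "garbage that does not match the log format",
]

if __name__ == "__main__":
    rep = analyze(SAMPLE_LINES)
    print("still 200 over http:", rep["http_200"])
    print("redirects to fix:", rep["bad_redirects"])
    print("scheme split:", {k: dict(v) for k, v in rep["split"].items()})
```

The per-agent split is the number to watch day by day: once Googlebot's HTTP share drops to the occasional first hit, the redirects are doing their job, and the remaining http_200 and bad_redirects entries are the list of URLs to fix.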
Update URLs
■ Profile Links (e.g. Facebook, Twitter, LinkedIn)
■ Owned Media
■ Partner Sites
■ Ad Campaigns

After

Data
Collect, monitor, analyze
■ Production Site's Crawl
■ Sitemaps Crawl
■ Web Server Logs
■ Analytics Tools e.g. Google Analytics
■ Google Search Console
■ External Links
Implement HSTS
■ Send HSTS headers with a short max-age.
  Strict-Transport-Security: max-age=300; includeSubDomains
■ Increase the HSTS max-age slowly.
  Strict-Transport-Security: max-age=86400; includeSubDomains
■ If there is no impact on audience and search engines, consider being added to the Chrome HSTS preload list.
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Before the first header goes out, make sure every subdomain already serves HTTPS: includeSubDomains covers all of them, and a browser that has seen the header will refuse to load an HTTP-only subdomain until max-age expires. Treat preload as permanent: the submission at hstspreload.org requires exactly the last header (max-age of at least one year, includeSubDomains and preload) on the bare domain, and removal from the list takes months to reach users' browsers.
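The HSTS header described on the HSTS slide and the three rollout steps above, worked through as an added example that is not code from the original deck: a parser for the header, a check of the preload-submission requirements, and a minimal model of a browser's HSTS store showing which http:// requests get rewritten to https:// at each stage. The hosts, timestamps and class/function names are this example's own assumptions.

```python
"""HSTS header parsing and the browser-side effect of the rollout steps above.

Added example, not code from the original deck; it serves both the HSTS header
slide and the rollout slide. parse_hsts() follows the Strict-Transport-Security
grammar of RFC 6797, preload_ready() applies the published hstspreload.org
submission requirements (max-age of at least one year, includeSubDomains,
preload), and HstsStore models what a browser does with the header: once a host
is known, http:// URLs to it (and to its subdomains when includeSubDomains is
set) are rewritten to https:// before any request is sent, so the HTTP -> HTTPS
redirect is never requested. Hosts and timestamps are constructed.
"""
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000


def parse_hsts(header):
    """Return the directives a browser keeps, or raise ValueError if it would ignore the header."""
    seen = {}
    for raw in header.split(";"):
        if not raw.strip():
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        if name in seen:                      # RFC 6797 6.1: a repeated directive invalidates the header
            raise ValueError(f"duplicate directive {name}")
        seen[name] = value.strip().strip('"')
    if not seen.get("max-age", "").isdigit():  # max-age is required and a non-negative integer
        raise ValueError("max-age missing or not an integer")
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}


def preload_ready(header):
    """List what still blocks a preload-list submission; an empty list means ready."""
    p = parse_hsts(header)
    blockers = []
    if p["max_age"] < ONE_YEAR:
        blockers.append(f"max-age {p['max_age']} is below one year")
    if not p["include_subdomains"]:
        blockers.append("includeSubDomains missing")
    if not p["preload"]:
        blockers.append("preload missing")
    return blockers


class HstsStore:
    """Minimal model of a browser's HSTS host store: host -> (expiry, includeSubDomains)."""

    def __init__(self):
        self.entries = {}

    def observe(self, host, header, now):
        """Record a header that arrived over HTTPS; over plain HTTP a browser must ignore it."""
        p = parse_hsts(header)
        if p["max_age"] == 0:                  # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + p["max_age"], p["include_subdomains"])

    def is_known(self, host, now):
        """True if host, or a parent domain with includeSubDomains, has a live entry."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def navigate(self, url, now):
        """Return the URL the browser actually requests (http -> https for known hosts)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            # Port 80 becomes 443, so only the host name is kept in the netloc.
            return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))
        return url


ROLLOUT = ["max-age=300; includeSubDomains",
           "max-age=86400; includeSubDomains",
           "max-age=31536000; includeSubDomains; preload"]


def demo(now=1489000000):
    """Walk one browser through the rollout; returns the URLs it sends at each step."""
    store = HstsStore()
    first = store.navigate("http://www.example.com/", now)             # unknown host: plain HTTP, server 301 needed
    store.observe("www.example.com", ROLLOUT[0], now)                   # header seen on the HTTPS response
    second = store.navigate("http://www.example.com/p?x=1", now + 60)  # rewritten before it is sent
    expired = store.navigate("http://www.example.com/", now + 301)     # the 300 s entry has lapsed
    store.observe("example.com", ROLLOUT[2], now)                       # final header on the bare domain
    sub = store.navigate("http://m.example.com/", now + 3600)          # covered by includeSubDomains
    return first, second, expired, sub


if __name__ == "__main__":
    print(demo())
    for h in ROLLOUT:
        print(h, "->", preload_ready(h) or "ready for preload")
```

The "expired" step is why the short first stage is safe: if the header breaks something, a 300-second max-age means affected browsers forget the site within minutes once the header is withdrawn, whereas a one-year entry on a preloaded domain cannot be recalled from users' browsers.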
"Protecting less sensitive sites strengthens the protections of more sensitive sites."
https://https.cio.gov/

"The good we secure for ourselves is precarious and uncertain until it is secured for all of us and incorporated into our common life."
Jane Addams
