HTTPS The Road To A More Secure Web / SEOCamp Paris

  1. The Road To A More Secure Web. Aysun Akarsu, 10 March 2017, #SEOCamp Paris. @aysunakarsu @searchdatalogy #seocamp
  2. Aysun Akarsu / Search Data Strategist. Digital data strategist specialized in technical and architectural SEO, helping companies make data-driven decisions to generate more search traffic. 12 years in search data analysis. Founder and blogger of SearchDatalogy: https://www.searchdatalogy.com/blog/
  3. https://www.theguardian.com/info/developer-blog/2016/nov/29/the-guardian-has-moved-to-https
  4. HTTPS
  5. TLS
  6. Transport Layer Security (TLS) ■ Secure Sockets Layer (SSL) ■ Transport Layer Security (TLS) ■ TLS replaced SSL
  7. TLS Protocol / Authentication (Bob, Alice)
  8. TLS Protocol / Encryption (Bob, Alice)
  9. TLS Protocol / Integrity (Bob, Alice)
  10. Good For What?
  11. HTTPS (HyperText Transfer Protocol Secure) 1/2. Protects ■ Integrity of the website ■ Privacy and security of the user
  12. HTTPS (HyperText Transfer Protocol Secure) 2/2. Requirement for ■ The HTTP/2 protocol ■ Explicit user opt-in ■ amp-ad, amp-embed, amp-video, amp-form, amp-iframe. Enables powerful features ■ Accessing the user's geolocation, taking pictures, recording video ■ Offline app experiences and notifications (Service Workers). Enables referrer data (from HTTPS sites).
  13. HTTPS As Google's Mission
  14. Google Explains: "Security is a top priority at Google. We are investing and working to make sure that our sites and services provide modern HTTPS by default. We're committed to making the web a safer place not only for Google users, but for all users. HTTPS makes it difficult for Internet Service Providers, governments and others to watch what you're doing online."
  15. How Google Motivates HTTPS Migration 1/2: By SEO
  16. How Google Motivates HTTPS Migration 2/2: By Chrome ■ Supporting HTTP/2 on Chrome only if encrypted ■ Marking HTTP sites as Non Secure on Chrome
  17. Top Sites' HTTPS Migration Dates
  18. Among top sites, Google was one of the ■ First to move to HTTPS ■ Last to bring HTTP Strict Transport Security (HSTS) to Google (HSTS was brought only to www.google.com on 27/07/2016)
  19. HTTPS Across Google. According to Google's statistics, 86 percent of requests sent from around the world to Google's servers used encrypted connections by mid-February 2017; that figure was 47 percent at the end of 2013. Google has done a good job in terms of HTTPS on its own side.
  20. HTTPS In Google Index. SMX Advanced, 23/06/2016: http://searchengineland.com/key-takeaways-google-ama-rankbrain-panda-penguin-bots-252506
  21. HTTPS Usage On Chrome. Percentage of pages loaded over HTTPS; percentage of browsing time spent on HTTPS websites. Desktop users load more than half of the pages they view over HTTPS and spend two-thirds of their time on HTTPS pages.
  22. HTTPS On Top 100 Non-Google Sites. Google shared data on a list of the top 100 non-Google sites on the Internet and their HTTPS status in February 2016. According to Google, the sites in this list account for approximately 25% of all website traffic worldwide.
  23. HTTPS On 1M Top Sites
  24. TLS Certificates
  25. Types Of TLS Certificates 1/2. TLS certificates by validation level ■ Domain Validation TLS certificates ■ Organization Validation TLS certificates ■ Extended Validation TLS certificates
  26. Types Of TLS Certificates 2/2. TLS certificates by secured domains ■ Single-name TLS certificates ■ Wildcard TLS certificates ■ Multi-Domain TLS certificates
  27. Free Certificates / Let's Encrypt. Pros ■ Free (accepts donations) ■ Sponsored by leading companies. Cons ■ TLS configuration ■ Doesn't provide wildcard certificates ■ Provides only domain-validated certificates; no plans to provide Organization Validation or Extended Validation certificates ■ Renewals
  28. Free Certificates / Caddy Server. Pros ■ Free (asks for donations) ■ Automatic renewals ■ No TLS configuration. Cons ■ Doesn't provide wildcard certificates ■ Doesn't provide Organization Validation or Extended Validation certificates ■ It is the new kid in town.
  29. HSTS
  30. HSTS. Strict-Transport-Security: max-age=31536000; includeSubDomains; preload (max-age is in seconds; includeSubDomains is optional but recommended; preload is optional). HSTS lets a website tell web browsers that it should only be communicated with using HTTPS instead of HTTP. HSTS eliminates HTTP → HTTPS redirects.
  31. chrome://net-internals/#hsts
  32. Chrome HSTS Preload List: https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json ■ Sample entries: { "name": "wikipedia.org", "include_subdomains": true, "mode": "force-https" }, { "name": "www.facebook.com", "include_subdomains": true, "mode": "force-https", "pins": "facebook" }, { "name": "facebook.com", "mode": "force-https", "pins": "facebook" }, { "name": "twitter.com", "mode": "force-https", "pins": "twitterCom" }, { "name": "www.twitter.com", "include_subdomains": true, "mode": "force-https", "pins": "twitterCom" }
  33. Before Moving
  34. Choose Your IT Infrastructure Well
  35. https://istlsfastyet.com/
  36. https://istlsfastyet.com/
  37. If Using SNI, Check Web Server & Browser Support: http://caniuse.com/#search=sni
  38. Consider HTTP/2: https://www.nginx.com/blog/supporting-http2-google-chrome-users/
  39. Plan An HTTPS-Only Migration: https://www.seroundtable.com/google-url-structures-https-23084.html
  40. No Access To Users & Bots
  41. Get & Configure The TLS Certificate On The Staging Server ■ Certificate from a reliable CA offering technical support ■ Choose a 2048-bit key
  42. Collect Data ■ Production site's crawl ■ Staging site's crawl ■ Analytics tools (e.g. Google Analytics) ■ Google Search Console ■ Web server logs ■ External links (e.g. Majestic)
  43. Analyze Data (Production) ■ Error pages ■ Crawl waste ■ Low-quality content pages ■ Orphan pages
  44. Analyze Data (Staging). On each page check ■ Status code ■ Scheme (protocol) of the page's URL ■ Scheme (protocol) of the URLs of links and web assets (images, tracking, ads, JS, etc.) ■ Canonical tag ■ Hreflang tag ■ Meta tags (e.g. noindex, nofollow) ■ HTTP headers ■ Content
  45. Prepare ■ Migration section planning (if moving in sections) ■ URL mapping list ■ URL monitoring list ■ Sitemaps (HTTP, HTTPS)
  46. Check The TLS Certificate: https://www.sslshopper.com/ssl-checker.html#hostname=www.searchdatalogy.com
  47. Check Common Configuration & Security Flaws: https://www.ssllabs.com/ssltest/analyze.html?d=www.searchdatalogy.com
  48. Register In Google Search Console: https://example.com, https://www.example.com, https://m.example.com (if mobile on the origin), https://en.example.com (if subdomains on the origin), https://www.example.com/en/ (if directories on the origin)
  49. Configure (On The Destination Site). Google Search Console: replicate the origin's configuration ■ URL parameters ■ Geotargeting ■ Disavow ■ Preferred domain. Submit sitemaps. Configure analytics tools (e.g. Google Analytics).
  50. Ready?
  51. Access To Users & Bots
  52. Implement Redirects HTTP → HTTPS
  53. Collect & Analyze Data ■ Production site's crawl ■ Web server logs ■ Analytics tools (e.g. Google Analytics)
  54. Update URLs ■ Profile links (e.g. Facebook, Twitter, LinkedIn) ■ Owned media ■ Partner sites ■ Ad campaigns
  55. After
  56. Data: collect, monitor, analyze ■ Production site's crawl ■ Sitemaps crawl ■ Web server logs ■ Analytics tools (e.g. Google Analytics) ■ Google Search Console ■ External links
  57. Implement HSTS ■ Send HSTS headers with a short max-age: Strict-Transport-Security: max-age=300; includeSubDomains ■ Increase the HSTS max-age slowly: Strict-Transport-Security: max-age=86400; includeSubDomains ■ If there is no impact on audience and search engines, consider being added to the Chrome HSTS preload list: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  58. "Protecting less sensitive sites strengthens the protections of more sensitive sites." https://https.cio.gov/ "The good we secure for ourselves is precarious and uncertain until it is secured for all of us and incorporated into our common life." Jane Addams
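Slide 44 asks for a per-page check of the scheme on the page URL, on its links and web assets, and on the canonical, hreflang and meta tags. The script below is an added example (not from the deck or the speaker) of that staging audit in Python's standard library: it resolves every referenced URL against the page URL and reports whichever still point at http://, separating the ones browsers block as active mixed content. The tag-to-attribute table and the sample page are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that carries a URL (assumed subset for this audit; extend as needed).
URL_ATTRS = {"img": "src", "script": "src", "iframe": "src", "video": "src",
             "link": "href", "a": "href", "form": "action"}
# Roles whose http:// references browsers treat as active mixed content and block.
ACTIVE = {"script", "iframe", "stylesheet", "form"}

class SchemeAudit(HTMLParser):
    """Collects each referenced URL on a page with its role, plus the robots meta tag."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.refs, self.robots = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.robots = a.get("content")
            return
        attr = URL_ATTRS.get(tag)
        if not attr or not a.get(attr):
            return
        role = tag
        if tag == "link":  # tell the SEO tags apart from stylesheets and other links
            rel = (a.get("rel") or "").lower()
            role = "canonical" if "canonical" in rel else "hreflang" if a.get("hreflang") else rel or "link"
        # urljoin resolves relative and protocol-relative ("//cdn/...") URLs against the page.
        self.refs.append((role, urljoin(self.page_url, a[attr])))

def audit_page(page_url, html):
    """Return the page's own scheme, its robots directives and every reference still on http://."""
    parser = SchemeAudit(page_url)
    parser.feed(html)
    http_refs = [(role, url) for role, url in parser.refs if urlsplit(url).scheme == "http"]
    return {"page_scheme": urlsplit(page_url).scheme, "robots": parser.robots,
            "http_refs": http_refs,
            "blocked": [url for role, url in http_refs if role in ACTIVE]}

# Constructed staging page mixing correct, relative and forgotten http:// references.
SAMPLE_URL = "https://www.example.com/page"
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://www.example.com/page">
<link rel="alternate" hreflang="fr" href="https://www.example.com/fr/page">
<link rel="stylesheet" href="http://static.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
<meta name="robots" content="noindex">
</head><body>
<img src="http://static.example.com/logo.png">
<a href="/about">About</a>
<iframe src="https://ads.example.com/slot"></iframe>
</body></html>"""

if __name__ == "__main__":
    for key, value in audit_page(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Run it over each page of the staging crawl; a non-empty `blocked` list means the page will render broken under HTTPS, while an http:// canonical quietly tells search engines the HTTP version is the preferred one.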
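Slides 30 and 57 give the Strict-Transport-Security header and the three-step rollout (short max-age, longer max-age, then the one-year header with includeSubDomains and preload). As an added example, not the deck's own code, the Python below parses a header value the way RFC 6797 describes (case-insensitive directive names, optional quoting of the max-age value, duplicates and a missing max-age invalidating the header), maps it onto the deck's rollout stages, and lists what a header still lacks before the preload list would accept it. The 86400-second boundary between "probe" and "ramp-up" is taken from the deck's second header and is an assumption of this example.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year, the max-age on the deck's final header

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 s.6.1); None if a browser would ignore it."""
    out = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in out:                     # a directive may appear only once
            return None
        if name == "max-age":
            val = val.strip().strip('"')    # delta-seconds, optionally quoted
            if not re.fullmatch(r"\d+", val):
                return None
            out[name] = int(val)
        elif name in ("includesubdomains", "preload"):
            if val:                         # these directives take no value
                return None
            out[name] = True
        else:
            out[name] = val.strip() or True  # unknown directives are tolerated and ignored
    return out if "max-age" in out else None  # max-age is mandatory

def hsts_stage(value):
    """Map a header onto the deck's rollout steps: probe, ramp-up or preload-ready."""
    d = parse_hsts(value)
    if d is None:
        return "invalid"
    if d["max-age"] == 0:
        return "disabled"  # max-age=0 tells browsers to forget the host's policy
    if d["max-age"] >= PRELOAD_MIN_AGE and d.get("includesubdomains") and d.get("preload"):
        return "preload-ready"
    return "ramp-up" if d["max-age"] >= 86400 else "probe"

def preload_gaps(value):
    """List which of the preload-list requirements (met by the deck's final header) still fail."""
    d = parse_hsts(value) or {}
    checks = [(d.get("max-age", 0) >= PRELOAD_MIN_AGE, "max-age below one year"),
              (d.get("includesubdomains"), "includeSubDomains missing"),
              (d.get("preload"), "preload missing")]
    return [msg for ok, msg in checks if not ok]

if __name__ == "__main__":
    for hdr in ("max-age=300; includeSubDomains", "max-age=86400; includeSubDomains",
                "max-age=31536000; includeSubDomains; preload"):
        print(f"{hdr!r}: {hsts_stage(hdr)}, gaps: {preload_gaps(hdr)}")
```

Because every subdomain inherits the policy once includeSubDomains is sent, the checker is most useful when run against the header of each host in the migration plan, not just the www site.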
