How to Safeguard Your Site from Chrome's New Security Updates


Patrick Hathaway

In early 2020 Google's Chrome browser is releasing a number of updates that focus on improving security for website visitors.
The imminent updates don't just have user experience implications; in some cases users could be completely blocked from visiting your website.

Find out what is changing, why it's changing, and what you can do about it - in order to protect your website from potentially catastrophic issues.
Published in: Marketing

1. How to Safeguard Your Site from Chrome's New Security Updates. 22nd January 2020. Patrick Hathaway, @HathawayP
2. What this presentation covers
    1. What is changing in Chrome and why.
    2. Mixed content - what does it mean?
    3. Insecure TLS - what does it mean?
    4. How to audit security issues.
3. Google care about security
    1. In 2011 they adopted HTTPS.
    2. In 2014 HTTPS became a ranking factor in search.
    3. In 2018 Chrome began marking HTTP sites as 'not secure'.
    4. In 2020... plenty more to come.
4. Why do they care so much?
5. Because Google need their users (searchers) to TRUST them.
6. Why you should also care about security
    - Visitors might start seeing warnings when they arrive at your site.
    - Your pages might have missing elements.
    - Worst case scenario is that browsers might start blocking your content from displaying at all.
7. Chrome security updates Q1 2020
    1. Chrome will gradually start blocking mixed content by default.
    2. Chrome (and the other major browsers) will stop supporting deprecated TLS protocols.
8. #1 Mixed content - what is it? When a web page is loaded over HTTPS and some of the page resources load over HTTP. So there is a mix of HTTPS and HTTP, picked up at the URL level.
9. Example - image loaded over HTTP. This page loads over https:// but contains an image that loads over http://
10. This could be any page resource URL
    - Image
    - Video
    - Audio
    - JavaScript
    - CSS
    - IFrame
    - Etc.
11. Current mixed content warning
12. Chrome 'mixed content timeline'
    1. Chrome 80 (February 4th 2020) - mixed audio and video resources will be autoupgraded, or blocked if they don't load over https://.
    2. Chrome 81 (March 17th 2020) - mixed images will be autoupgraded, or blocked if they don't load over https://.
13. What does 'autoupgrade' mean? If Chrome finds a resource URL on http://, behind the scenes it will just try to load it over https:// instead. The issue is if these resources are not accessible over https://, in which case they simply will not be loaded.
14. Not loaded = not actually on the page. If product images can't be loaded over https:// they will not be displayed.
15. You'll still get the padlock. Chrome will show the padlock to say the page is secure, even if some of the content is being blocked. -> You need to audit this stuff.
16. How to audit mixed content. In Sitebulb, navigate to the Security report.
17. List of URLs with mixed content issues. Click Hint Details to dig into each one.
18. HTML highlighter picks out http://. Scroll through the HTML to find issues.
19. Or list the insecure resources. Hit the 'Insecure Resources' tab for the list.
20. How to fix mixed content issues. You must only use https:// URLs when loading resources on your page. For each URL that loads HTTP resources, update the link references to point to the HTTPS counterparts. This is much more important for resource types that Chrome will not autoupgrade.
21. If resources are not available on https://
    - Include the resource from a different host, if possible (over HTTPS, obvs).
    - Download and host the content on your site directly, if you are legally allowed to do so.
    - Exclude the resource from your site altogether (which may mean you need to find an alternative solution).
22. #2 TLS - what is it? TLS is the encryption used to make HTTPS secure. Any website that uses HTTPS is employing TLS encryption. If the encryption is weak, it is more vulnerable to attack, and this exists at the domain/website level.
23. HTTP is the protocol for data transfer: an HTTP request goes from browser to server, and an HTTP response from server to browser.
24. HTTPS = (HTTP + an encryption layer). HTTP - data is not encrypted (Password = sandwich1). HTTPS - data is encrypted, using TLS (Password = $665fdvzs_/$^*rt5).
25. TLS = Transport Layer Security. TLS is the encryption layer that makes the HTTP data transfer secure. However, some versions of TLS are very OLD, and no longer as secure as we need them to be.
26. TLS release timeline
    - TLS 1.0 - released 1999
    - TLS 1.1 - released 2006
    - TLS 1.2 - released 2008
    - TLS 1.3 - released 2018
27. TLS release timeline (RED = DEPRECATED = SECURITY RISK)
    - TLS 1.0 - released 1999
    - TLS 1.1 - released 2006
    - TLS 1.2 - released 2008
    - TLS 1.3 - released 2018
28. Chrome 'TLS timeline'
    1. Chrome 79 (out now!) - Chrome will give sites a "not secure" label if TLS 1.2 is not enabled.
    2. Chrome 81 (March 17th 2020) - Chrome will show a full page warning if TLS 1.2 is not enabled.
29. Full page warning = no content.
30. Full page warning -> implications
    - Users will most likely bounce.
    - Organic and paid channels will suffer.
    - Googlebot may not be able to access your content.
31. GSC (Google Search Console) is already sending warning emails.
32. All the major browsers are united. All dropping TLS 1.0 & 1.1 in March:
    - Google
    - Microsoft
    - Apple
    - Mozilla
33. Auditing TLS -> Sitebulb Security report.
34. OK but not perfect example: TLS 1.2 enabled, so no full page Chrome warning, BUT the site is still accessible over TLS 1.0 and TLS 1.1, and therefore not secure.
35. Particularly important for certain sites
    - Ecommerce sites that handle transaction data (the above site would not pass PCI compliance).
    - Websites that handle sensitive data (e.g. medical data).
    - Websites that store personal data (e.g. names and addresses).
36. Perfect example: TLS 1.2 enabled AND TLS 1.1, TLS 1.0 and SSL all DISABLED. This is what you want.
37. How to fix TLS issues. In order to ensure your site has no issues with TLS, you need the following setup:
    - Disable: SSL, TLS 1.0, TLS 1.1.
    - TLS 1.2 should be enabled.
    - TLS 1.3 can optionally also be enabled.
38. This is a job for the 'server guy'. This is a task for whoever runs your website server:
    - In-house developer/SysAdmin
    - 3rd party website hosting company
    - Ecommerce software provider
39. Bonus tip: hit the 'Printable PDF' button in the Sitebulb Security report to get a PDF report you can forward on.
40. Takeaways -> Take security seriously! If you don't, you could be subject to:
    - Users and search engines unable to access content.
    - Users seeing warnings and losing trust in your site.
    - Important content not being displayed on your web pages.
41. Takeaways -> Action points
    - Regularly audit your website and pay attention to security warnings.
    - Check Google Search Console for existing messages.
    - Make sure you are signed up to GSC email notifications.
    - Start to practice 'secure as standard.'
42. Sitebulb free 14 day trial: -> sitebulb.com/download/. The blog post contains a full, up to date explanation of these issues -> bit.ly/security-2020. Patrick Hathaway @HathawayP
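The mixed content audit and fix from slides 8 to 21, as an added example that is not part of the deck and not Sitebulb's code: it scans a page's HTML for resource references that start with http://, labels each one with what Chrome 80/81 does to it (autoupgrade for image, audio and video; outright block for script, stylesheet and iframe), and rewrites the flagged references to https://. The sample HTML and its example.com hostnames are constructed for the demo.

```python
from html.parser import HTMLParser

# tag -> attributes whose URL Chrome fetches as a sub-resource
RESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",), "iframe": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "source": ("src",),
}
# Chrome 80 autoupgrades audio/video and Chrome 81 images, dropping them if the
# https:// copy fails; scripts, stylesheets and iframes are blocked outright.
AUTOUPGRADED = {"img", "video", "audio", "source"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # only <link rel="stylesheet"> fetches a resource; canonical etc. do not
        if tag not in RESOURCE_ATTRS or (
            tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet"):
            return
        for attr in RESOURCE_ATTRS[tag]:
            url = (attrs.get(attr) or "").strip()
            if url.lower().startswith("http://"):
                chrome = "autoupgrade" if tag in AUTOUPGRADED else "blocked"
                self.findings.append({"tag": tag, "attr": attr, "url": url, "chrome": chrome})


def find_mixed_content(html):
    """Return one finding per http:// resource reference in the HTML."""
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings


def upgrade_references(html, findings):
    """Rewrite flagged references to https://; only safe once the resource is confirmed to load over HTTPS."""
    for f in findings:
        html = html.replace(f["url"], "https://" + f["url"][len("http://"):])
    return html


# constructed page: blocked stylesheet, autoupgraded image, blocked iframe;
# the canonical link and the https:// script must not be flagged
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/product/1">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/product.jpg">
<iframe src="http://widgets.example.com/embed"></iframe>
</body></html>"""
```

Run `find_mixed_content(SAMPLE_HTML)` to list the three findings; fix the "blocked" ones first, since those never autoupgrade.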

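The TLS audit from slides 28 to 37, as an added example that is not part of the deck and not Sitebulb's code: it pins a handshake to each TLS version in turn to learn what the server still accepts, then applies the deck's criteria, reporting "perfect" (TLS 1.2 on, 1.0 and 1.1 off, as on slide 36), "ok but not perfect" (1.2 on but legacy versions still accepted, as on slide 34), or the Chrome 81 full page warning when no modern version is offered. It assumes Python 3.7+ with OpenSSL; TLS 1.3 is treated as equally modern, and the host name passed to `probe` is whatever site you are auditing.

```python
import socket
import ssl

# versions to probe, oldest first (modern OpenSSL cannot even offer SSL 2/3)
PROBE_VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLS 1.0", "TLS 1.1")


def offers_version(host, version, port=443, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`.
    Certificate checks are off on purpose: we are asking what the server allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses legacy versions at its default security level;
        # without this the probe would report "disabled" for every server
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe(host, port=443):
    """Map each version name to whether `host` accepts it (needs network access)."""
    return {name: offers_version(host, v, port) for name, v in PROBE_VERSIONS.items()}


def assess(supported):
    """Apply the deck's criteria to a probe result.
    Returns (verdict, list of legacy versions still enabled)."""
    modern = supported.get("TLS 1.2") or supported.get("TLS 1.3")
    legacy = [v for v in LEGACY if supported.get(v)]
    if not modern:
        return "full page warning in Chrome 81", legacy  # TLS 1.2 not enabled
    if legacy:
        return "ok but not perfect", legacy  # slide 34: would not pass PCI
    return "perfect", legacy  # slide 36: TLS 1.2 (and optionally 1.3) only
```

`assess(probe("your-site.example"))` gives the verdict; the server-side fix for an "ok but not perfect" result is the slide 37 setup, e.g. `ssl_protocols TLSv1.2 TLSv1.3;` in nginx or `SSLProtocol -all +TLSv1.2 +TLSv1.3` in Apache.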