When users use our sites, they put their faith in us. They trust we will keep their information from reaching others, believe we provided the information they see, and allow us to run (web) code on their devices. Using HTTPS to secure our conversations is a key part of maintaining this trust.
If that’s not motivation enough, the web’s giants are actively promoting HTTPS, requiring it for features such as HTTP2 & ServiceWorker, using it for search engine ranking and more. To make the most of the web, you need to use HTTPS.
This deck reviews what HTTPS is, discusses why you should prioritize using it, and covers some of the easiest (and most cost-effective) steps to get started with HTTPS.
4. Intro about me
• Guy Podjarny (@guypod)
• Founder & CEO of Snyk.io (@snyksec)
• Previously CTO at Akamai
• Author (“Responsive & Fast”, “High Perf Images”)
• 13 Years in Web Security, 6 Years in Web Performance
67. ‘… people do not generally
perceive the absence of a
warning sign…’
Marking HTTP As Insecure
‘… Mozilla is committing to focus
new development efforts on the
secure web, and start removing
capabilities from the non-secure
web…’
Deprecating Non-Secure HTTP
101. ‘… we’re starting to use HTTPS as a ranking signal…’
‘… For now it's only a very lightweight signal …
But over time, we may decide to strengthen it, because
we’d like to encourage all website owners to switch from
HTTP to HTTPS to keep everyone safe on the web…’
113. No SNI - Single Host
- Client -> DNS Server: DNS Resolve foo.com
- DNS Server -> Client: foo.com=1.2.3.4
114. No SNI - Single Host
- Client -> DNS Server: DNS Resolve foo.com
- DNS Server -> Client: foo.com=1.2.3.4
- Client -> 1.2.3.4 (foo.com): TLS Client Hello
- 1.2.3.4 (foo.com) -> Client: foo.com Certificate
115. No SNI - Shared Host
- Client -> DNS Server: DNS Resolve foo.com
- DNS Server -> Client: CNAME cdn.net
- Client -> DNS Server: DNS Resolve cdn.net
- DNS Server -> Client: cdn.net=5.6.7.8
116. No SNI - Shared Host
- Client -> DNS Server: DNS Resolve foo.com
- DNS Server -> Client: CNAME cdn.net
- Client -> DNS Server: DNS Resolve cdn.net
- DNS Server -> Client: cdn.net=5.6.7.8
- Client -> 5.6.7.8 (CDN): TLS Client Hello
- 5.6.7.8 (CDN): No Host Name! Which Certificate To Return?
117. SNI - Server Name Indication
- Client -> DNS Server: DNS Resolve foo.com
- DNS Server -> Client: CNAME cdn.net
- Client -> DNS Server: DNS Resolve cdn.net
- DNS Server -> Client: cdn.net=5.6.7.8
- Client -> 5.6.7.8 (CDN): TLS Client Hello (foo.com), includes host name
- 5.6.7.8 (CDN) -> Client: foo.com Certificate
Not Supported on:
- Windows XP (and older)
- Android 2.3 (and older)
- IE 7 (and older)
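Slides 113 through 117 describe the decision a shared host (CDN) has to make when the TLS Client Hello arrives: with no host name in the hello, it cannot tell which certificate to return, and with SNI it can. The example below, added here and not part of the deck or of any Snyk or Akamai code, shows that decision in code. It builds a minimal Client Hello by hand (constructed bytes, with or without the SNI extension), asks the local OpenSSL through Python's `ssl` module to produce a genuine Client Hello without sending it anywhere, parses the SNI extension out of either, and picks a certificate the way a CDN front end would, falling back to a default certificate when the client sends no host name. The certificate names and the `foo.com`/`cdn.net` mapping are assumptions chosen to match the slides.

```python
import ssl

# Constructed sample: a minimal TLS ClientHello record (RFC 5246 layout, SNI
# extension per RFC 6066), optionally carrying a server_name. Not real traffic.
def build_client_hello(server_name=None):
    body = b"\x03\x03" + bytes(32)            # client_version TLS 1.2, random (zeros, constructed)
    body += b"\x00"                            # empty session_id
    body += b"\x00\x02\x13\x01"                # one cipher suite (TLS_AES_128_GCM_SHA256)
    body += b"\x01\x00"                        # compression_methods: null only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name      # name_type 0 = host_name
        name_list = len(entry).to_bytes(2, "big") + entry
        extensions += b"\x00\x00" + len(name_list).to_bytes(2, "big") + name_list  # type 0 = server_name
    body += len(extensions).to_bytes(2, "big") + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def openssl_client_hello(server_name=None):
    """Have the local OpenSSL emit a genuine ClientHello into a memory buffer.

    Nothing leaves the machine: the handshake runs over in-memory BIOs and stops
    the moment OpenSSL wants to read a ServerHello that never comes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_name is None:
        ctx.check_hostname = False          # hostname checking needs a name; the no-SNI
        ctx.verify_mode = ssl.CERT_NONE     # case is exactly the old-client behaviour
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                                # ClientHello has been written to `outgoing`
    return outgoing.read()


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None if absent."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # skip client_version and random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")     # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos + 2 > len(body):
        return None                                         # pre-extension client: no SNI possible
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:
            continue
        # ServerNameList: 2-byte list length, then entries of name_type(1) length(2) name
        lpos = 2
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = int.from_bytes(data[lpos + 1:lpos + 3], "big")
            name = data[lpos + 3:lpos + 3 + name_len]
            lpos += 3 + name_len
            if name_type == 0:
                return name.decode("ascii")
    return None


def select_certificate(record, certs_by_host, default=None):
    """What a shared host does on slides 116/117: pick the certificate for the
    SNI host name, or hand out the default certificate when there is no name."""
    host = extract_sni(record)
    if host is None:
        return default                      # slide 116: no host name, only a default to offer
    return certs_by_host.get(host, default)


if __name__ == "__main__":
    certs = {"foo.com": "foo.com cert", "bar.com": "bar.com cert"}   # assumed inventory
    for hello in (build_client_hello("foo.com"), build_client_hello(),
                  openssl_client_hello("foo.com"), openssl_client_hello()):
        print(extract_sni(hello), "->", select_certificate(hello, certs, default="cdn.net cert"))
```

The fallback branch is the practical point: a client on the unsupported list (Windows XP, Android 2.3, IE 7) sends no host name, so a shared host can only return its default certificate, and the browser then sees a name mismatch for foo.com. Operators who must serve those clients either give the site its own IP address (the single-host case of slide 114) or put every hosted name on the default certificate as a SAN.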