Better Safe Than Sorry with HTTPS - SMX East 2016 - Patrick Stox

#SMX #24A3 @patrickstox
The Good, the Bad, and the Terrifying
Better Safe Than Sorry With HTTPS

You Know You Should Have Switched Right?

THE INFORMATION

HTTPS Everywhere
https://www.youtube.com/watch?v=cBhZ6S0PFCY
HTTPS as a Ranking Signal
https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html
HTTPS by Default
https://webmasters.googleblog.com/2015/12/indexing-https-pages-by-default.html

Then There’s This Guy

Securing Your Website With HTTPS
https://support.google.com/webmasters/answer/6073543
Google Wrote A Guide To Help

HTTP to HTTPS: An SEO’s guide to securing a website
http://searchengineland.com/http-https-seos-guide-securing-website-246940
I Also Wrote A Guide To Help

https://plus.google.com/+JohnMueller/posts/PY1xCWbeDVC
John Mueller Wrote An FAQ

John Mueller Liked My Guide

Why Aren’t People Adopting?

Top Ranking Sites Are Adopting
@methode is Google Webmaster Trends Analyst Gary Illyes
Dr. Pete Meyers of Moz ran a test and showed over 30% of first
page results were secure in June 2016.
https://moz.com/blog/https-tops-30-how-google-is-winning-the-long-war

THE GOOD

Authentication
This is who I’m supposed to be talking to
Data Integrity
Who is messing with my stuff
Encryption
Who is listening
What Does TLS Offer?

When going from HTTPS > HTTP, referral data is dropped. HTTPS
> HTTPS, HTTP > HTTP, and HTTP > HTTPS DO pass the value.
This accounts for a lot of what people call “Dark Traffic” and “Dark
Social”. Switching to HTTPS fixes some of these attribution errors.
Without this referral data, the traffic looks like it’s direct traffic.
Referral Data
HTTP HTTPS
HTTP Yes Yes
HTTPS No Yes

Read any of the guides out there. They make it sound so easy
because it can be.
Moving To HTTPS Is A Website Migration

Let’s Encrypt
https://letsencrypt.org/
Hosts are offering them
CDNs are offering them
Free Certificates

What’s the one thing everyone knows about AMP?
It’s FAST right, but why?
AMP

Single Connection. Only one connection to the server is used to
load a website, and that connection remains open as long as the
website is open. This reduces the number of round trips needed to
set up multiple TCP connections.
Multiplexing. Multiple requests are allowed at the same time, on
the same connection. Previously, with HTTP/1.1, each transfer
would have to wait for other transfers to complete.
Server Push. Additional resources can be sent to a client for future
use.
HTTP/2 – So Much Goodness

Prioritization. Requests are assigned dependency levels that the
server can use to deliver higher priority resources faster.
Binary. Makes HTTP/2 easier for a server to parse, more compact
and less error-prone. No additional time is wasted translating
information from text to binary, which is the computer’s native
language.
Header Compression. HTTP/2 uses HPACK compressions, which
reduces overhead. Many headers were sent with the same values in
every request in HTTP/1.1. CloudFlare saw a 30% reduction in size.
HTTP/2 – Even More Goodness

http://searchengineland.com/everyone-moving-http2-236716
HTTP/2 – Read About It

• For every 100ms decrease in homepage load speed, Mobify's customer base saw a
1.11% lift in session based conversion, amounting to an average annual revenue
increase of $376,789
• For every 100ms decrease in checkout page load speed, Mobify's customers saw a
1.55% life in session based conversion, amounting to an average annual revenue
increase of $526,147
• Shoppers browse more on faster mobile websites
• An increase of one pageview per user results in a 5.17% lift in user based conversion, i.e.
for each additional page viewed per user, Mobify saw their average customer's annual
revenue increase by: $398,484
Mobify’s Mobile Test

THE BAD

What if you’re a website who makes money by sending people from
your website to another website? Affiliates, Directories, Niche
Magazines.
You need that referral data to prove your value!
Referral Data – Didn’t We Say This Was Good?

Hard Mode
Load balancers, CDNs, legacy infrastructure, legacy software,
multiple CMS systems, routing, APIs
Moving to HTTPS, a new CMS, bringing in outside domains, new
taxonomy, new content, killing old content, redirects, redirects,
and more redirects
Moving To HTTPS Is A Website Migration

There’s a difference between getting it done and getting it done
correctly.
There’s some hard choices that people aren’t willing to make like
changing providers, upgrading systems, or just killing off things.
Is It Harder For Bigger Companies?

Making The Switch To HTTPS Can Go Wrong, Ask Buffer

https://www.wired.com/2016/05/wired-first-
big-https-rollout-snag
https://www.wired.com/2016/08/wired-https-
progress/
Wired’s Transition To HTTPS

https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
Chrome

They looked at accessibility via HTTP and HTTPS, redirects, and
status codes.
• 1 in 10 websites had what they considered a flawless HTTPS setup.
• 60% of the websites tested have no HTTPS whatsoever (increasing to over 65% when
taking into account websites with errors in SSL setup).
• Almost 1 in 4 domains were missing a canonical HTTPS version.
• Almost 1 in 4 domains were using 302 (temporary) redirects instead of 301
(permanent) redirects.
• Even Google can’t be bothered to use permanent redirects and uses temporary
redirects (HTTP status code 302) instead.
LinksSpy Analyzed 10,000 Top Domains

THE TERRIFYING

Do you want to be de-indexed by Bing and Baidu?
TLS SNI

Injection
Happens all the time with hotel chains, airlines
and ISPs.
AT&T Injecting Ads
http://webpolicy.org/2015/08/25/att-hotspots-now-with-
advertising-injection/
Comcast blocking VPN Traffic
https://blog.wjd.io/comcast-blocks-vpn-traffic
Comcast again Injecting Ads ------------

Headline

Think what could happen when a country controls the data.
i.e. The Great Firewall
Injection Is Scary Enough, Censorship Is Terrifying

Did you know GitHub was DDoS attacked. The attackers hijacked
HTTP connections and rewrote the Baidu tracking code with
malicious JS that attacked two GitHub projects that focused on
Chinese anti-censorship.
http://www.infoworld.com/article/2903533/security/github-still-recovering-from-massive-
ddos-attacks.html
Or How About Attacks?

Many Apps Send Data Over HTTP
They ask for so many permissions and then they do something like
this. It’s one of the most terrifying things I’ve seen in my life.

But more than likely your data was already stolen in one of the
many data breaches:
https://haveibeenpwned.com/
Sending Your Data Openly is Scary

Router
Modem
ISP
What else is between the person and the server or CDN?
Just Because Your Site Shows Secure, Not Everything Is

https://www.troyhunt.com/understanding-http-strict-transport/
The guy takes a Wifi Pineapple with him and shows how websites not
using HSTS, i.e. the first request is still HTTP, can be hijacked if
they’re connected to your wifi.
Troy Hunt Is My Hero

THE IMPROVEMENTS

https://istlsfastyet.com/
TLS Improvements By Server

https://istlsfastyet.com/
TLS Improvements By CDN

High Performance Browser Networking by Ilya Grigorik
http://chimera.labs.oreilly.com/books/1230000000545
OpenSSL Cookbook & Bulletproof SSL and TLS by Ivan Ristic
https://www.feistyduck.com/books/openssl-cookbook/
https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
https://wiki.mozilla.org/Security/Server_Side_TLS
Performance Resources

https://www.ssllabs.com/ssltest/
They also have a best practice guide:
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
Test Your Server

LEARN MORE: UPCOMING @SMX EVENTS
THANK YOU!
SEE YOU AT THE NEXT #SMX

Better Safe Than Sorry with HTTPS - SMX East 2016 - Patrick Stox

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Better Safe Than Sorry with HTTPS - SMX East 2016 - Patrick Stox

Similar to Better Safe Than Sorry with HTTPS - SMX East 2016 - Patrick Stox (20)

More from patrickstox

More from patrickstox (8)

Recently uploaded

Recently uploaded (20)

Better Safe Than Sorry with HTTPS - SMX East 2016 - Patrick Stox