Better Safe Than Sorry with HTTPS - SMX East 2016 - Patrick Stox

  1. #SMX #24A3 @patrickstox Better Safe Than Sorry With HTTPS: The Good, the Bad, and the Terrifying
  2. You Know You Should Have Switched, Right?
  3. THE INFORMATION
  4. HTTPS Everywhere. HTTPS as a Ranking Signal. HTTPS by Default.
  5. Then There’s This Guy
  6. Google Wrote a Guide to Help: Securing Your Website With HTTPS
  7. I Also Wrote a Guide to Help: HTTP to HTTPS: An SEO’s guide to securing a website
  8. John Mueller Wrote an FAQ
  9. John Mueller Liked My Guide
  10. Why Aren’t People Adopting?
  11. Top Ranking Sites Are Adopting. @methode is Google Webmaster Trends Analyst Gary Illyes. Dr. Pete Meyers of Moz ran a test and showed over 30% of first page results were secure in June 2016.
  12. THE GOOD
  13. What Does TLS Offer? Authentication: this is who I’m supposed to be talking to. Data integrity: who is messing with my stuff. Encryption: who is listening.
  14. Referral Data. When going from HTTPS > HTTP, referral data is dropped. HTTPS > HTTPS, HTTP > HTTP, and HTTP > HTTPS DO pass the value. This accounts for a lot of what people call “Dark Traffic” and “Dark Social”. Without this referral data, the traffic looks like it’s direct traffic. Switching to HTTPS fixes some of these attribution errors.
      Referral data passed?  (row: referring page, column: destination page)
                 to HTTP   to HTTPS
      from HTTP     Yes       Yes
      from HTTPS    No        Yes
  15. Moving To HTTPS Is A Website Migration. Read any of the guides out there. They make it sound so easy because it can be.
  16. Free Certificates: Let’s Encrypt. Hosts are offering them. CDNs are offering them.
  17. AMP. What’s the one thing everyone knows about AMP? It’s FAST, right, but why?
  18. HTTP/2 – So Much Goodness. Single Connection: only one connection to the server is used to load a website, and that connection remains open as long as the website is open. This reduces the number of round trips needed to set up multiple TCP connections. Multiplexing: multiple requests are allowed at the same time, on the same connection. Previously, with HTTP/1.1, each transfer would have to wait for other transfers to complete. Server Push: additional resources can be sent to a client for future use.
  19. HTTP/2 – Even More Goodness. Prioritization: requests are assigned dependency levels that the server can use to deliver higher priority resources faster. Binary: makes HTTP/2 easier for a server to parse, more compact and less error-prone. No additional time is wasted translating information from text to binary, which is the computer’s native language. Header Compression: HTTP/2 uses HPACK compression, which reduces overhead. Many headers were sent with the same values in every request in HTTP/1.1. CloudFlare saw a 30% reduction in size.
  20. HTTP/2 – Read About It
  21. Mobify’s Mobile Test
      • For every 100ms decrease in homepage load speed, Mobify’s customer base saw a 1.11% lift in session based conversion, amounting to an average annual revenue increase of $376,789
      • For every 100ms decrease in checkout page load speed, Mobify’s customers saw a 1.55% lift in session based conversion, amounting to an average annual revenue increase of $526,147
      • Shoppers browse more on faster mobile websites
      • An increase of one pageview per user results in a 5.17% lift in user based conversion, i.e. for each additional page viewed per user, Mobify saw their average customer’s annual revenue increase by $398,484
  22. THE BAD
  23. Referral Data – Didn’t We Say This Was Good? What if you’re a website that makes money by sending people from your website to another website? Affiliates, directories, niche magazines. You need that referral data to prove your value!
  24. Moving To HTTPS Is A Website Migration: Hard Mode. Load balancers, CDNs, legacy infrastructure, legacy software, multiple CMS systems, routing, APIs. Moving to HTTPS, a new CMS, bringing in outside domains, new taxonomy, new content, killing old content, redirects, redirects, and more redirects.
  25. Is It Harder For Bigger Companies? There’s a difference between getting it done and getting it done correctly. There are some hard choices that people aren’t willing to make, like changing providers, upgrading systems, or just killing off things.
  26. Making The Switch To HTTPS Can Go Wrong, Ask Buffer
  27. Wired’s Transition To HTTPS. big-https-rollout-snag progress/
  28. Chrome
  29. LinksSpy Analyzed 10,000 Top Domains. They looked at accessibility via HTTP and HTTPS, redirects, and status codes.
      • 1 in 10 websites had what they considered a flawless HTTPS setup.
      • 60% of the websites tested have no HTTPS whatsoever (increasing to over 65% when taking into account websites with errors in SSL setup).
      • Almost 1 in 4 domains were missing a canonical HTTPS version.
      • Almost 1 in 4 domains were using 302 (temporary) redirects instead of 301 (permanent) redirects.
      • Even Google can’t be bothered to use permanent redirects and uses temporary redirects (HTTP status code 302) instead.
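The three failure classes LinksSpy counted (no working HTTPS, temporary instead of permanent redirects, and a missing canonical HTTPS version) can be checked mechanically. The following is an added example, not code from the talk or from LinksSpy: it classifies a domain's setup from the responses a crawler would record. The response data is constructed inline so it runs offline; the domain names and the finding labels are assumptions for illustration.

```python
"""Classify a site's HTTP -> HTTPS setup the way a crawl survey would.

Added example, not from the talk. `site` is a constructed dict keyed by URL,
holding the status code, headers and body a crawler would see for each URL.
An "error" key stands in for a failed TLS handshake.
"""
import re
from typing import Dict, List, Optional

Response = Dict[str, object]  # {"status": int, "headers": {...}, "body": str}

# Matches <link rel="canonical" href="..."> with rel before href.
CANONICAL_RE = re.compile(
    r'<link[^>]+rel=["\']canonical["\'][^>]+href=["\']([^"\']+)["\']', re.I
)


def canonical_href(body: str) -> Optional[str]:
    """Return the canonical URL declared in the HTML, if any."""
    m = CANONICAL_RE.search(body)
    return m.group(1) if m else None


def assess_https_setup(domain: str, site: Dict[str, Response]) -> List[str]:
    """Return the list of problems found; ["flawless"] when there are none."""
    findings: List[str] = []
    http_url = f"http://{domain}/"
    https_url = f"https://{domain}/"

    https = site.get(https_url)
    if https is None or https.get("error"):
        # No usable HTTPS endpoint at all: nothing else is worth checking.
        return ["no-https"]

    http = site.get(http_url)
    if http is None:
        findings.append("http-unreachable")
    else:
        status = http["status"]
        location = http["headers"].get("Location", "")
        if status in (301, 308) and location.startswith("https://"):
            pass  # permanent redirect to HTTPS: what we want
        elif status in (302, 303, 307) and location.startswith("https://"):
            findings.append("temporary-redirect")
        elif status == 200:
            # Same content served on both schemes, no redirect at all.
            findings.append("http-served-without-redirect")
        else:
            findings.append(f"unexpected-http-status-{status}")

    canon = canonical_href(https.get("body", ""))
    if canon is None or not canon.startswith("https://"):
        findings.append("missing-canonical-https")

    return findings or ["flawless"]


def survey(sites: Dict[str, Dict[str, Response]]) -> Dict[str, int]:
    """Aggregate findings across many domains, like the 10,000-domain survey."""
    counts: Dict[str, int] = {}
    for domain, site in sites.items():
        for finding in assess_https_setup(domain, site):
            counts[finding] = counts.get(finding, 0) + 1
    return counts


# Constructed sample crawls (not real domains).
GOOD_SITE = {
    "http://good.example/": {"status": 301, "headers": {"Location": "https://good.example/"}, "body": ""},
    "https://good.example/": {"status": 200, "headers": {},
                              "body": '<html><head><link rel="canonical" href="https://good.example/"></head></html>'},
}
TEMP_SITE = {
    "http://temp.example/": {"status": 302, "headers": {"Location": "https://temp.example/"}, "body": ""},
    "https://temp.example/": {"status": 200, "headers": {},
                              "body": '<html><head><link rel="canonical" href="http://temp.example/"></head></html>'},
}
NO_HTTPS_SITE = {
    "http://plain.example/": {"status": 200, "headers": {}, "body": "<html></html>"},
    "https://plain.example/": {"error": "TLS handshake failed"},
}
SAMPLE_SITES = {"good.example": GOOD_SITE, "temp.example": TEMP_SITE, "plain.example": NO_HTTPS_SITE}

if __name__ == "__main__":
    for domain, site in SAMPLE_SITES.items():
        print(domain, assess_https_setup(domain, site))
    print(survey(SAMPLE_SITES))
```

Feeding this real crawl data is the only change needed to reproduce the survey's percentages for your own property list; the redirect check deliberately treats 308 like 301 and 307 like 302, since those are the method-preserving equivalents.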
  30. THE TERRIFYING
  31. TLS SNI. Do you want to be de-indexed by Bing and Baidu?
  32. Injection. Happens all the time with hotel chains, airlines and ISPs. AT&T Injecting Ads (advertising-injection/). Comcast blocking VPN traffic. Comcast again injecting ads.
  34. Injection Is Scary Enough, Censorship Is Terrifying. Think what could happen when a country controls the data, i.e. the Great Firewall.
  35. Or How About Attacks? Did you know GitHub was DDoS attacked? The attackers hijacked HTTP connections and rewrote the Baidu tracking code with malicious JS that attacked two GitHub projects that focused on Chinese anti-censorship. ddos-attacks.html
  36. Many Apps Send Data Over HTTP. They ask for so many permissions and then they do something like this. It’s one of the most terrifying things I’ve seen in my life.
  37. Sending Your Data Openly Is Scary. But more than likely your data was already stolen in one of the many data breaches:
  38. Just Because Your Site Shows Secure, Not Everything Is. Router, modem, ISP: what else is between the person and the server or CDN?
  39. Troy Hunt Is My Hero. He takes a WiFi Pineapple with him and shows how websites not using HSTS, i.e. where the first request is still plain HTTP, can be hijacked when the visitor is connected to the attacker’s wifi.
  40. THE IMPROVEMENTS
  41. TLS Improvements By Server
  42. TLS Improvements By CDN
  43. Performance Resources: High Performance Browser Networking by Ilya Grigorik. OpenSSL Cookbook and Bulletproof SSL and TLS by Ivan Ristic.
  44. Test Your Server. They also have a best practice guide.