Delivering the news over HTTPS

Last November, The New York Times challenged news sites to fully support HTTPS in 2015. What does it mean to meet that challenge? This session will discuss the problems we encountered moving to HTTPS (and how we solved them). We'll then give you hands-on help with anything you need: server configuration, certificates, mixed-content warnings, CDNs — even ads, analytics and A/B tests.

Handout: https://docs.google.com/document/d/1EJKAoa4Hxc4AyH0znuA_AAplcNeNejEhATFptFX-OME/edit#

Published in: Software, News & Politics
Delivering the news over HTTPS

  1. 1. Delivering the news over HTTPS
  2. 2. A Call to Action If you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of 2015 and pledge your support with the hashtag #https2015. —Eitan Konigsburg, Rajiv Pant and Elena Kvochko “Embracing HTTPS” November 13, 2014
  3. 3. Paul Schreiber @paulschreiber Mike Tigas @mtigas
  4. 4. quick look
  5. 5. HTTP
  6. 6. HTTPS
  7. 7. why?
  8. 8. config
  9. 9. “regular”
  10. 10. SAN
  11. 11. wildcard
  12. 12. SNI
  13. 13. sha1 vs sha2
  14. 14. Extended Validation (EV)
  15. 15. $ sslmate mkconfig
  16. 16. https://mozilla.github.io/server-side-tls/ssl-config-generator/
  17. 17. HTTPS enabled HTTPS default HSTS HSTS preload
  18. 18. content
  19. 19. content
  20. 20. content 😕
  21. 21. comments
  22. 22. ads
  23. 23. social
  24. 24. analytics
  25. 25. CDNs
  26. 26. fonts
  27. 27. cost
  28. 28. performance
  29. 29. 2008 HTTPS is slow
  30. 30. 2008 HTTPS is slow 2015 HTTPS is fast
  31. 31. problems
  32. 32. problems
  33. 33. solved problems
  34. 34. No HTTPS? ask nicely.
  35. 35. No HTTPS? SoundCite placehold.it
  36. 36. mixed content
  37. 37. mixed content $ mixed-content-scan
  38. 38. mixed content Content-Security-Policy: upgrade-insecure-requests
  39. 39. mixed content Content-Security-Policy-Report-Only: default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://myserver.com/log-tool/
  40. 40. mixed content
  41. 41. mixed content Akamai http://hostname.com → https://a248.e.akamai.net/f/12/621/60d/hostname.com
  42. 42. Many graphics from The Noun Project Calendar by Mani Amini. Money by Nick Levesque. Shield by Wayne Thayer. SEO by Azis. Gauge by Dalpat Prajapati. Scribble by Michael Chanover. Lock with keyhole by Brennan Novak. Warning by Icomatic. Error by Anas Ramadan. Network by Stephen Boak. Server by Yazmin Alanis. Hat based on work by Blake Kimmel.
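
Added example, not part of the original slides: one way to turn the violation reports that the Report-Only policy on slide 39 sends to its report-uri endpoint into a list of plain-HTTP hosts still embedded on your pages. It assumes the endpoint stores each POST body as received, in the standard `{"csp-report": {...}}` JSON shape; the function names, hostnames and sample reports are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample POST bodies, as a report endpoint might have stored them.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://news.example/story-1",'
    ' "blocked-uri": "http://ads.example.net/banner.js",'
    ' "violated-directive": "default-src"}}',
    '{"csp-report": {"document-uri": "https://news.example/story-2",'
    ' "blocked-uri": "http://ads.example.net"}}',
    '{"csp-report": {"document-uri": "https://news.example/story-1",'
    ' "blocked-uri": "http://fonts.example.org/a.woff"}}',
    '{"csp-report": {"document-uri": "https://news.example/story-1",'
    ' "blocked-uri": "ws://chat.example.com"}}',  # not plain HTTP: ignored
    'not json at all',                            # junk sent to the endpoint
]


def insecure_origin(report_body):
    """Return (page, host) when the report names a plain-http resource."""
    try:
        report = json.loads(report_body)["csp-report"]
        blocked = urlsplit(str(report.get("blocked-uri", "")))
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed or unexpected body; the endpoint is public
    if blocked.scheme != "http" or not blocked.hostname:
        return None
    return report.get("document-uri", "(unknown page)"), blocked.hostname


def summarize(bodies):
    """Group affected pages by insecure host, most widespread host first."""
    pages_by_host = defaultdict(set)
    for body in bodies:
        hit = insecure_origin(body)
        if hit:
            page, host = hit
            pages_by_host[host].add(page)
    rows = [(host, sorted(pages)) for host, pages in pages_by_host.items()]
    return sorted(rows, key=lambda row: (-len(row[1]), row[0]))


if __name__ == "__main__":
    for host, pages in summarize(SAMPLE_REPORTS):
        print(f"{host}: {len(pages)} page(s), e.g. {pages[0]}")
```

Browsers may trim a cross-origin blocked-uri to its origin, which is why the summary groups by host rather than by full URL.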
