
Delivering the news over HTTPS


Last November, The New York Times challenged news sites to fully support HTTPS in 2015. What does it mean to meet that challenge? This session will discuss the problems we encountered moving to HTTPS (and how we solved them). We'll then give you hands-on help with anything you need: server configuration, certificates, mixed-content warnings, CDNs — even ads, analytics and A/B tests.

Handout: https://docs.google.com/document/d/1EJKAoa4Hxc4AyH0znuA_AAplcNeNejEhATFptFX-OME/edit#

Published in: Software, News & Politics

Delivering the news over HTTPS

  1. Delivering the news over HTTPS
  2. A Call to Action If you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of 2015 and pledge your support with the hashtag #https2015. —Eitan Konigsburg, Rajiv Pant and Elena Kvochko “Embracing HTTPS” November 13, 2014
  3. Paul Schreiber @paulschreiber Mike Tigas @mtigas
  4. quick look
  5. HTTP
  6. HTTPS
  7. why?
  8. config
  9. “regular”
  10. SAN
  11. wildcard
  12. SNI
  13. sha1 vs sha2
  14. Extended Validation (EV)
  15. $ sslmate mkconfig
  16. https://mozilla.github.io/server-side-tls/ssl-config-generator/
  17. HTTPS enabled HTTPS default HSTS HSTS preload
  18. content
  19. content
  20. content 😕
  21. comments
  22. ads
  23. social
  24. analytics
  25. CDNs
  26. fonts
  27. cost
  28. performance
  29. 2008 HTTPS is slow
  30. 2008 HTTPS is slow 2015 HTTPS is fast
  31. problems
  32. problems
  33. solved problems
  34. NoHTTPS? ask nicely.
  35. NoHTTPS? SoundCite placehold.it
  36. mixedcontent
  37. mixedcontent $ mixed-content-scan
  38. mixedcontent Content-Security-Policy: upgrade-insecure-requests
  39. mixedcontent Content-Security-Policy-Report-Only: default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://myserver.com/log-tool/
  40. mixedcontent
  41. mixedcontent Akamai http://hostname.com → https://a248.e.akamai.net/f/12/621/60d/hostname.com
  42. Many graphics from The Noun Project Calendar by Mani Amini. Money by Nick Levesque. Shield by Wayne Thayer. SEO by Azis. Gauge by Dalpat Prajapati. Scribble by Michael Chanover. Lock with keyhole by Brennan Novak. Warning by Icomatic. Error by Anas Ramadan. Network by Stephen Boak. Server by Yazmin Alanis. Hat based on work by Blake Kimmel.
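
The mixed-content slides (36 to 39) name a scanner and two CSP headers but show no page being checked. The following is an added example, not code from the talk or from the mixed-content-scan tool: a small Python check that lists the `http://` subresources an HTTPS page would load, split into active and passive content, with the URL that `upgrade-insecure-requests` would request instead. The sample page and its `example.*` hostnames are constructed.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
# Active content can rewrite the page, so browsers block it on an HTTPS page;
# passive content has historically loaded with a warning instead.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url, upgraded_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Simplification: only stylesheet <link>s are counted as fetches here.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for attr, value in attrs.items():
            if not value or not value.lower().startswith("http://"):
                continue  # https:// and protocol-relative URLs are fine
            if (tag, attr) in ACTIVE:
                kind = "active"
            elif (tag, attr) in PASSIVE:
                kind = "passive"
            else:
                continue  # e.g. <a href> is navigation, not mixed content
            self.findings.append((kind, tag, value, "https://" + value[7:]))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page (not from the slides).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://fonts.example.com/css?family=Serif">
<link rel="canonical" href="http://news.example.com/story">
<script src="http://ads.example.net/tag.js"></script>
<script src="https://cdn.example.org/app.js"></script>
</head><body>
<a href="http://other.example.com/">elsewhere</a>
<img src="http://placehold.it/300x200" />
<iframe src="//comments.example.com/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url, upgraded in find_mixed_content(SAMPLE):
        print(f"{kind:7} <{tag}> {url} -> {upgraded}")
```

An upgraded URL only helps if the third party actually serves that resource over HTTPS, which is what the Report-Only policy on slide 39 lets a site find out before enforcing anything.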