Delivering the news
over HTTPS
Paul Schreiber, paul.schreiber@fivethirtyeight.com
@paulschreiber
15%
http://www.bbc.co.uk/
http://www.bbc.co.uk/persian/
✔
HTTP 1991–2016
Marking HTTP As Non-Secure
We, the Chrome Security Team, propose that user
agents (UAs) gradually change their UX to
display non-secure origins as affirmatively
non-secure. We intend to devise and begin
deploying a transition plan for Chrome in 2015.
The goal of this proposal is to more clearly display
to users that HTTP provides no data security.
Deprecating Non-Secure HTTP
Today we are announcing our intent to phase out
non-secure HTTP.
There are two broad elements of this plan:
1. Setting a date after which all new features will be
available only to secure websites
2. Gradually phasing out access to browser
features for non-secure websites, especially
features that pose risks to users’ security and
privacy.
The HTTPS-Only Standard
All browsing activity should be considered
private and sensitive.
—https.cio.gov
A Call to Action
If you run a news site, or any site at all, we’d like
to issue a friendly challenge to you. Make a
commitment to have your site fully on HTTPS by
the end of 2015 and pledge your support with
the hashtag #https2015.
—Eitan Konigsburg, Rajiv Pant and Elena Kvochko
“Embracing HTTPS”
November 13, 2014
HTTPS
HTTP
HTTPS
2008 HTTPS is slow
2015 HTTPS is fast
HTTP/2 (browsers only support it over HTTPS)
SHA-1 (deprecated: get SHA-256-signed certificates)
$ sslmate mkconfig
https://mozilla.github.io/server-side-tls/ssl-config-generator/
HTTPS enabled
HTTPS default
HSTS
HSTS preload
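The last two rungs of that ladder are a single response header. Browsers ignore a Strict-Transport-Security header received over plain HTTP, so the redirect to HTTPS has to be in place first, and a preload submission is effectively permanent, so the usual path is a short max-age, then a year, then preload. The checker below is an added example for this page, not code from the slides: it parses the header the way RFC 6797 describes and reports what hstspreload.org would reject. The one-year minimum is an assumption taken from the current preload rules, and the header values in the usage are constructed.

```python
"""Check a Strict-Transport-Security header against the hstspreload.org
submission requirements: max-age of at least one year, includeSubDomains,
and preload. Added example for this page, not from the slides; the minimum
max-age is assumed from the current hstspreload.org rules and the header
values below are constructed."""
from dataclasses import dataclass
from typing import List, Optional

PRELOAD_MIN_MAX_AGE = 31536000  # one year, assumed from hstspreload.org


@dataclass
class Hsts:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Hsts:
    """Parse an STS header value per RFC 6797: ';'-separated directives,
    case-insensitive names, optional quoted values, unknown directives
    ignored, no directive repeated, max-age required."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"bad max-age: {val!r}")
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age is required")
    return Hsts(max_age, include_subdomains, preload)


def preload_problems(value: str) -> List[str]:
    """Return why this header would be rejected for preloading; [] if it is fine."""
    try:
        h = parse_hsts(value)
    except ValueError as e:
        return [str(e)]
    problems = []
    if h.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {h.max_age} < {PRELOAD_MIN_MAX_AGE}")
    if not h.include_subdomains:
        problems.append("includeSubDomains missing")
    if not h.preload:
        problems.append("preload missing")
    return problems


if __name__ == "__main__":
    # constructed headers: the three rollout stages
    for hdr in ("max-age=300",
                "max-age=31536000; includeSubDomains",
                "max-age=31536000; includeSubDomains; preload"):
        print(hdr, "->", preload_problems(hdr) or "preload-ready")
```

Start with a max-age of minutes, not a year: an HSTS header with includeSubDomains locks browsers out of every subdomain that does not yet serve HTTPS until the max-age expires, and nothing on the server can shorten that once it is cached.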
content 🤔
comments
ads
social
analytics
CDNs
fonts
mixed content
$ mixed-content-scan
Content-Security-Policy: upgrade-insecure-requests
Content-Security-Policy-Report-Only: default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://myserver.com/log-tool/
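With that report-only policy, anything that is not https:, data: or same-origin gets reported to the log tool rather than blocked, so the useful output is a list of which pages pull which http: hosts. The triage below is an added example for this page, not code from the slides or from any collector: it reads the JSON bodies browsers POST to report-uri and separates mixed content from other violations. The sample reports are constructed, and a real collector would hand each request body to classify().

```python
"""Triage the JSON violation reports that browsers POST to the report-uri of
a Content-Security-Policy-Report-Only policy, separating mixed content (an
https: page loading an http: resource) from other violations.
Added example for this page, not from the slides; SAMPLE_REPORTS are
constructed, and a real collector would feed each request body to classify()."""
import json
from collections import Counter
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit


def classify(body: str) -> Optional[Tuple[str, str, str]]:
    """("mixed", page_host, resource_host) for an http: resource on an https: page,
    ("other", page_host, blocked_uri) for any other violation, None if malformed."""
    try:
        r = json.loads(body)["csp-report"]
        doc = urlsplit(r["document-uri"])
        blocked = r.get("blocked-uri", "")
    except (ValueError, KeyError, TypeError):
        return None
    res = urlsplit(blocked)
    if doc.scheme == "https" and res.scheme == "http":
        # Browsers may truncate a cross-origin blocked-uri to its origin, so
        # aggregate by host rather than by full URL.
        return ("mixed", doc.hostname or "", res.hostname or "")
    return ("other", doc.hostname or "", blocked)


def summarize(bodies: Iterable[str]) -> Tuple[Counter, Counter]:
    """Count reports by (page host, offending host or URI)."""
    mixed: Counter = Counter()
    other: Counter = Counter()
    for body in bodies:
        c = classify(body)
        if c is None:
            continue
        kind, page, what = c
        (mixed if kind == "mixed" else other)[(page, what)] += 1
    return mixed, other


def _report(document_uri: str, blocked_uri: str, effective: str) -> str:
    """Build one constructed report body in the shape browsers send."""
    return json.dumps({"csp-report": {
        "document-uri": document_uri,
        "blocked-uri": blocked_uri,
        "violated-directive": "default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval'",
        "effective-directive": effective,
    }})


SAMPLE_REPORTS = [  # constructed; hostnames are hypothetical
    _report("https://news.example/2016/03/story", "http://widgets.example/embed.js", "script-src"),
    _report("https://news.example/2016/03/other", "http://widgets.example", "img-src"),
    _report("https://news.example/live", "ws://live.example/feed", "connect-src"),
    _report("http://news.example/old", "http://widgets.example/embed.js", "script-src"),
    "not json",
]

if __name__ == "__main__":
    mixed, other = summarize(SAMPLE_REPORTS)
    for (page, host), n in mixed.most_common():
        print(f"mixed content: {page} loads http://{host} ({n} reports)")
    for (page, what), n in other.most_common():
        print(f"other violation: {page} -> {what} ({n} reports)")
```

Reports from pages still served over http: are kept apart, since nothing on an http: page is mixed content; they mostly tell you which pages have not been redirected yet.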
No HTTPS? Ask nicely.
No HTTPS? SoundCite, placehold.it
mixed content
Akamai: http://hostname.com → https://a248.e.akamai.net/f/12/621/60d/hostname.com
mixed content
<script src="//google.com/…
<script src="https://googl…
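The scanner step and the rewrite step above fit in one script. The code below is an added example for this page, not code from the slides or from the mixed-content-scan project: it walks a page's HTML for subresource URLs that are http:, lists scheme-relative ones separately, and rewrites both to https:. On an https: page a scheme-relative URL already resolves to https:, so the rewrite does not clear a browser warning; it removes the ambiguity, since the same markup served or syndicated over http: would fetch the script insecurely. The sample HTML and its hostnames are constructed.

```python
"""Static mixed-content scan of a page's HTML, in the spirit of the
mixed-content-scan tool, plus the rewrite from the slide (http:// and
scheme-relative // subresource URLs -> https://).
Added example for this page; not code from the slides or from the
mixed-content-scan project. SAMPLE_HTML is constructed."""
import re
from html.parser import HTMLParser

# Tags/attributes that fetch subresources. <a href> is a navigation, not mixed content.
SUBRESOURCE_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
    "link": ("href",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src", "srcset"), "object": ("data",), "embed": ("src",),
}


class MixedContentFinder(HTMLParser):
    """Collects http:// subresource URLs (mixed content on an https: page) and
    scheme-relative // URLs (fine in the browser on https:, but ambiguous)."""

    def __init__(self):
        super().__init__()
        self.insecure = []         # (tag, attr, url)
        self.scheme_relative = []  # (tag, attr, url)

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag.lower(), ())
        for name, value in attrs:
            if name.lower() not in wanted or not value:
                continue
            # srcset holds "url descriptor, url descriptor, ..."
            candidates = value.split(",") if name.lower() == "srcset" else [value]
            for cand in candidates:
                parts = cand.split()
                if not parts:
                    continue
                url = parts[0]
                if url.lower().startswith("http://"):
                    self.insecure.append((tag, name, url))
                elif url.startswith("//"):
                    self.scheme_relative.append((tag, name, url))


def scan(html):
    """Return (insecure, scheme_relative) findings for one HTML document."""
    p = MixedContentFinder()
    p.feed(html)
    p.close()
    return p.insecure, p.scheme_relative


TAG_RE = re.compile(r"<(?:script|img|iframe|link|audio|video|source|object|embed)\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""(\b(?:src|href|data|poster)\s*=\s*["'])(?:http:)?//""", re.I)
SRCSET_RE = re.compile(r"""(\bsrcset\s*=\s*(["']))(.*?)(\2)""", re.I)


def _https(url):
    url = url.strip()
    if url.lower().startswith("http://"):
        return "https://" + url[7:]
    if url.startswith("//"):
        return "https:" + url
    return url


def _upgrade_tag(m):
    tag = ATTR_RE.sub(r"\g<1>https://", m.group(0))
    return SRCSET_RE.sub(
        lambda s: s.group(1) + ", ".join(_https(c) for c in s.group(3).split(",")) + s.group(4),
        tag)


def upgrade_urls(html):
    """Rewrite subresource URLs to https:// in place; leaves <a href> navigations alone."""
    return TAG_RE.sub(_upgrade_tag, html)


SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//ajax.googleapis.example/lib.js"></script>
<script src="https://www.example/ok.js"></script>
</head><body>
<img src="http://images.example/a.png" srcset="http://images.example/a@2x.png 2x">
<a href="http://partner.example/">link</a>
<iframe src="http://embed.example/player"></iframe>
</body></html>"""  # constructed

if __name__ == "__main__":
    insecure, rel = scan(SAMPLE_HTML)
    for finding in insecure:
        print("mixed content:", finding)
    for finding in rel:
        print("scheme-relative:", finding)
    print(upgrade_urls(SAMPLE_HTML))
```

Rewriting to https: only helps if the third party actually serves the resource over HTTPS; a scan after the rewrite should be followed by fetching each rewritten URL, which is where the "ask nicely" step comes in for the ones that fail.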
Many graphics from The Noun Project

Mountains by Chris Cole; Statue of Liberty by John Melven; Tombstone by Jakob
Wells; Congress by Martha Ormiston; Shield by Wayne Thayer; Books by Ashley
van Dyck; Snail by aLf; carrot by Creative Stall; Geolocation by Alexander Smith;
Notification by vijay sekhar; Microphone by Edward Boatman; Video camera by
Pham Thi Dieu Linh; Full screen by Garrett Knoll; Rotation by Lemon Liu;
speedmeter by Michal Beno; layers by Muhamad Ulum; arrow by Maurizio
Pedrazzoli; stick by Blaise Sewell; Server by Yazmin Alanis; SEO by Azis; Money
by Nick Levesque; Shopping cart by Patrizia Daidone; Lock with keyhole by
Brennan Novak; Scribble by Michael Chanover; Network by Stephen Boak; Hat
based on work by Blake Kimmel; Warning by Icomatic; Error by Anas Ramadan.
NICAR delivering the news over HTTPS