
WordCamp US: Delivering the news over HTTPS


HTTP is dead. Here’s why, and what you need to know to migrate to HTTPS.

Delivered to WordCamp US in Philadelphia on December 5, 2015.

Detailed guide: https://docs.google.com/document/d/1EJKAoa4Hxc4AyH0znuA_AAplcNeNejEhATFptFX-OME/edit

Published in: Technology

  1. Delivering the news over HTTPS
  2. Paul Schreiber @paulschreiber
  3. HTTP 1991–2015
  4. HTTP 1991–2015
  5. Marking HTTP As Non-Secure. We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015. The goal of this proposal is to more clearly display to users that HTTP provides no data security.
  6. Marking HTTP As Non-Secure. We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015. The goal of this proposal is to more clearly display to users that HTTP provides no data security.
  7. Deprecating Non-Secure HTTP. Today we are announcing our intent to phase out non-secure HTTP. There are two broad elements of this plan: 1. Setting a date after which all new features will be available only to secure websites. 2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.
  8. Deprecating Non-Secure HTTP. Today we are announcing our intent to phase out non-secure HTTP. There are two broad elements of this plan: 1. Setting a date after which all new features will be available only to secure websites. 2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.
  9. Deprecating Non-Secure HTTP. Today we are announcing our intent to phase out non-secure HTTP. There are two broad elements of this plan: 1. Setting a date after which all new features will be available only to secure websites. 2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.
  10. The HTTPS-Only Standard. All browsing activity should be considered private and sensitive. —https.cio.gov
  11. A Call to Action. If you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of 2015 and pledge your support with the hashtag #https2015. —Eitan Konigsburg, Rajiv Pant and Elena Kvochko, “Embracing HTTPS”, November 13, 2014
  12. HTTP
  13. HTTPS
  14. HTTPS
  15. Single-name certificate: example.com
  16. SAN certificate: example.com, greeneggsham.info, wordpressfan.biz
  17. Wildcard certificate: example.com, beta.example.com, shoebox.example.com
  18. SGC
  19. Domain validation
  20. Organization validation
  21. Extended validation
  22. Extended validation
  23. Selected DV Certificates (chart; prices): Comodo PositiveSSL 49, Comodo SSL 99, Thawte SSL123 149
  24. PositiveSSL DV Certificates (chart; prices by vendor): SSLs.com 8.95, SSLMate 15.95, Comodo 49
  25. Selected Certificates (chart; prices): Let’s Encrypt 0, PositiveSSL (SSLs.com) 8.95, GeoTrust QuickSSL Premium 99.98, Thawte SSL123 149, GeoTrust True BusinessID 199, Symantec Secure Site 399, Symantec Secure Site Pro EV 1400
  26. $ sslmate mkconfig
  27. https://mozilla.github.io/server-side-tls/ssl-config-generator/
  28. https://github.com/tollmanz/lets-encrypt-wp
  29. $ wp cert new
  30. HTTPS enabled
  31. HTTPS enabled → HTTPS default
  32. HTTPS enabled → HTTPS default → HSTS
  33. HTTPS enabled → HTTPS default → HSTS → HSTS preload
  34. SNI
  35. SHA-1 vs SHA-2
  36. Content
  37. Content 😕
  38. Comments
  39. Ads
  40. Social
  41. Analytics
  42. CDNs
  43. Fonts
  44. 2008: HTTPS is slow
  45. 2008: HTTPS is slow. 2015: HTTPS is fast
  46. HTTP 2.0
  47. HTTPS
  48. 1.88X (per http2.loadimpact.com)
  49. Mixed content
  50. Mixed content: $ mixed-content-scan
  51. Mixed content: Content-Security-Policy: upgrade-insecure-requests
  52. Mixed content: Content-Security-Policy-Report-Only: default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://myserver.com/log-tool/ (the report-uri directive takes a bare URI, with no colon after the directive name)
  53. No HTTPS? Ask nicely.
  54. No HTTPS? SoundCite, placehold.it
  55. Mixed content: Akamai. http://hostname.com → https://a248.e.akamai.net/f/12/621/60d/hostname.com
  56. Mixed content: <script src="//google.com/… → <script src="https://googl…
  57. Mixed content: <script src="//google.com/… → <script src="https://googl…
  58. Mixed content
  59. Many graphics from The Noun Project: Tombstone by Jakob Wells. Congress by Martha Ormiston. Shield by Wayne Thayer. Snail by aLf. Server by Yazmin Alanis. SEO by Azis. Money by Nick Levesque. Warning by Icomatic. Shopping cart by Patrizia Daidone. Lock with keyhole by Brennan Novak. Scribble by Michael Chanover. Calendar by Mani Amini. Error by Anas Ramadan. Network by Stephen Boak. Hat based on work by Blake Kimmel.
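Slides 30–33 list four rungs (HTTPS enabled, HTTPS default, HSTS, HSTS preload) without saying how you would verify which one a site has reached. The following is an added example, not code from the talk or from any tool it mentions: it takes the HTTP and HTTPS responses for the same URL (constructed dicts standing in for real fetches) and reports the highest rung. The preload threshold of a one-year `max-age` plus `includeSubDomains` and `preload` is my reading of the hstspreload.org submission rules and should be checked against the current requirements.

```python
"""Classify a site against the rungs on slides 30-33:
HTTPS enabled -> HTTPS default -> HSTS -> HSTS preload.
Added example; the network fetches are replaced by constructed response dicts."""

# Minimum max-age hstspreload.org asks for (one year). Assumption: verify against the live rules.
PRELOAD_MIN_MAX_AGE = 31536000
REDIRECTS = {301, 302, 307, 308}


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a lowercase dict."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def hsts_level(http_response, https_response):
    """Return the highest rung reached.

    http_response / https_response: {'status': int, 'headers': dict} for the same
    path fetched over http:// and https:// (constructed here, not real fetches).
    """
    # Rung 1, HTTPS enabled: the site answers over TLS at all.
    if https_response is None or https_response["status"] >= 400:
        return "no https"
    https_headers = {k.lower(): v for k, v in https_response["headers"].items()}
    http_headers = {k.lower(): v for k, v in http_response["headers"].items()}

    # Rung 2, HTTPS default: plain http:// is redirected to https://.
    location = http_headers.get("location", "")
    if not (http_response["status"] in REDIRECTS and location.lower().startswith("https://")):
        return "https enabled"

    # Rung 3, HSTS: browsers ignore the header over plain HTTP, so only the
    # HTTPS response counts.
    hsts = https_headers.get("strict-transport-security")
    if not hsts:
        return "https default"
    directives = parse_hsts(hsts)
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age <= 0:
        return "https default"  # max-age=0 tells browsers to forget the policy

    # Rung 4, HSTS preload: long max-age, covers subdomains, opts in to the list.
    if (max_age >= PRELOAD_MIN_MAX_AGE
            and "includesubdomains" in directives
            and "preload" in directives):
        return "hsts preload"
    return "hsts"


# Constructed responses for a site that has climbed every rung.
SAMPLE_HTTP = {"status": 301, "headers": {"Location": "https://example.com/"}}
SAMPLE_HTTPS = {
    "status": 200,
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    print(hsts_level(SAMPLE_HTTP, SAMPLE_HTTPS))
```

To use it against a live site, fetch the same path once over `http://` (without following redirects) and once over `https://`, and pass the status codes and headers in the same shape as the constructed samples.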
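Slides 49–58 cover finding mixed content (the `mixed-content-scan` tool) and fixing it by pointing `//` and `http://` subresource URLs at `https://`, but only for hosts that actually serve HTTPS ("No HTTPS? Ask nicely."). This added example, which is not the `mixed-content-scan` tool and not code from the talk, does both on a constructed HTML snippet: it reports `http://` subresources, separating active mixed content (scripts, stylesheets, frames, which browsers block) from passive mixed content (images and media, which browsers merely warn about), and rewrites URLs to `https://` only for hosts in an allowlist you supply. The hostnames in the sample are made up.

```python
"""Scan HTML for mixed content and rewrite the fixable cases to https://.
Added example; not the mixed-content-scan tool referenced on slide 50."""
import re
from html.parser import HTMLParser

# (tag, attribute) pairs that load subresources. Scripts, stylesheets, frames and
# plugins are "active" mixed content (blocked by browsers); images and media are
# "passive" (loaded, but the page loses its lock icon).
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentParser(HTMLParser):
    """Collects (tag, attribute, url, severity) for every http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        # Only <link rel="stylesheet"> loads a blocking subresource; other rels are skipped.
        if tag == "link" and "stylesheet" not in (attr_map.get("rel") or "").lower():
            return
        for name, value in attrs:
            if not value:
                continue
            if (tag, name) in ACTIVE:
                severity = "active"
            elif (tag, name) in PASSIVE:
                severity = "passive"
            else:
                continue
            # Protocol-relative (//host/...) URLs inherit https: on an HTTPS page,
            # so only an explicit http:// scheme is mixed content.
            if value.strip().lower().startswith("http://"):
                self.findings.append((tag, name, value, severity))


def scan(html):
    """Return the list of mixed-content findings in document order."""
    parser = MixedContentParser()
    parser.feed(html)
    return parser.findings


# Matches src/href/data attributes whose value starts with http:// or //, capturing the host.
URL_ATTR = re.compile(r'''(\b(?:src|href|data)=["'])(?:http:)?//([^/"'\s]+)''', re.IGNORECASE)


def rewrite(html, https_hosts):
    """Rewrite http:// and protocol-relative // subresource URLs to https:// for hosts
    known to serve HTTPS. Other hosts are left untouched for you to ask nicely."""
    https_hosts = {h.lower() for h in https_hosts}

    def repl(match):
        prefix, host = match.group(1), match.group(2)
        if host.lower() in https_hosts:
            return f"{prefix}https://{host}"
        return match.group(0)

    return URL_ATTR.sub(repl, html)


# Constructed sample page; the hostnames are placeholders, not real CDNs.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://cdn.example.net/style.css">
<script src="http://cdn.example.net/app.js"></script>
<script src="//fonts.example.com/font.js"></script>
</head><body>
<img src="http://images.example.org/logo.png">
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print(rewrite(SAMPLE, {"cdn.example.net", "fonts.example.com"}))
```

Running the scan a second time on the rewritten output shows what remains after the allowlisted hosts are fixed: here only the image host, which is the kind of third party the "ask nicely" slide is about.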
