Delivering the news over HTTPS
Paul Schreiber @paulschreiber

HTTP is dead. Here’s why, and what you need to know to migrate to HTTPS.

Delivered to WordCamp US in Philadelphia on December 5, 2015.

Detailed guide: https://docs.google.com/document/d/1EJKAoa4Hxc4AyH0znuA_AAplcNeNejEhATFptFX-OME/edit


WordCamp US: Delivering the news over HTTPS

  1. Delivering the news over HTTPS
  2. Paul Schreiber @paulschreiber
  3. HTTP 1991–2015
  4. HTTP 1991–2015
  5. Marking HTTP As Non-Secure: We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015. The goal of this proposal is to more clearly display to users that HTTP provides no data security.
  6. Marking HTTP As Non-Secure: We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015. The goal of this proposal is to more clearly display to users that HTTP provides no data security.
  7. Deprecating Non-Secure HTTP: Today we are announcing our intent to phase out non-secure HTTP. There are two broad elements of this plan: 1. Setting a date after which all new features will be available only to secure websites 2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.
  8. Deprecating Non-Secure HTTP: Today we are announcing our intent to phase out non-secure HTTP. There are two broad elements of this plan: 1. Setting a date after which all new features will be available only to secure websites 2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.
  9. Deprecating Non-Secure HTTP: Today we are announcing our intent to phase out non-secure HTTP. There are two broad elements of this plan: 1. Setting a date after which all new features will be available only to secure websites 2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.
  10. The HTTPS-Only Standard: All browsing activity should be considered private and sensitive. —https.cio.gov
  11. A Call to Action: If you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of 2015 and pledge your support with the hashtag #https2015. —Eitan Konigsburg, Rajiv Pant and Elena Kvochko, “Embracing HTTPS”, November 13, 2014
  12. HTTP
  13. HTTPS
  14. HTTPS
  15. single: example.com
  16. SAN: example.com, greeneggsham.info, wordpressfan.biz
  17. wildcard: example.com, beta.example.com, shoebox.example.com
  18. SGC
  19. domain validation
  20. organization validation
  21. extended validation
  22. extended validation
  23. Selected DV Certificates (bar chart): Comodo PositiveSSL 49; Comodo SSL 99; Thawte SSL123 149
  24. PositiveSSL DV Certificates (bar chart): SSLs.com 8.95; SSLMate 15.95; Comodo 49
  25. Selected Certificates (bar chart): Let’s Encrypt 0; PositiveSSL (SSLs.com) 8.95; GeoTrust QuickSSL Premium 99.98; Thawte SSL123 149; GeoTrust True BusinessID 199; Symantec Secure Site 399; Symantec Secure Site Pro EV 1400
  26. $ sslmate mkconfig
  27. https://mozilla.github.io/server-side-tls/ssl-config-generator/
  28. https://github.com/tollmanz/lets-encrypt-wp
  29. $ wp cert new
  30. HTTPS enabled
  31. HTTPS enabled, HTTPS default
  32. HTTPS enabled, HTTPS default, HSTS
  33. HTTPS enabled, HTTPS default, HSTS, HSTS preload
  34. SNI
  35. SHA1 vs SHA2
  36. content
  37. content 😕
  38. comments
  39. ads
  40. social
  41. analytics
  42. CDNs
  43. fonts
  44. 2008: HTTPS is slow
  45. 2008: HTTPS is slow. 2015: HTTPS is fast
  46. HTTP 2.0
  47. HTTPS
  48. 1.88X per http2.loadimpact.com
  49. mixed content
  50. mixed content: $ mixed-content-scan
  51. mixed content: Content-Security-Policy: upgrade-insecure-requests
  52. mixed content: Content-Security-Policy-Report-Only: default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://myserver.com/log-tool/
  53. No HTTPS? ask nicely.
  54. No HTTPS? SoundCite, placehold.it
  55. mixed content: Akamai http://hostname.com → https://a248.e.akamai.net/f/12/621/60d/hostname.com
  56. mixed content: <script src="//google.com/… <script src="https://googl…
  57. mixed content: <script src="//google.com/… <script src="https://googl…
  58. mixed content
  59. Many graphics from The Noun Project: Tombstone by Jakob Wells. Congress by Martha Ormiston. Shield by Wayne Thayer. Snail by aLf. Server by Yazmin Alanis. SEO by Azis. Money by Nick Levesque. Warning by Icomatic. Shopping cart by Patrizia Daidone. Lock with keyhole by Brennan Novak. Scribble by Michael Chanover. Calendar by Mani Amini. Error by Anas Ramadan. Network by Stephen Boak. Hat based on work by Blake Kimmel.
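
An added example, not part of the original slides: a small Python scanner for the mixed-content problem covered in slides 49–57. It flags `http://` subresources and notes scheme-relative (`//host/…`) URLs, which follow the page's scheme; the sample HTML and its `example.net` hosts are constructed, and the helper names are hypothetical.

```python
from html.parser import HTMLParser

# tag -> (URL attribute, mixed-content class). Browsers block "active"
# content loaded over http:// on an HTTPS page; "passive" content has
# typically loaded with a degraded security indicator.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"),  # only rel=stylesheet, checked below
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # e.g. <a href>: navigation, not a subresource
        attr, kind = SUBRESOURCES[tag]
        values = dict(attrs)
        rel = (values.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return
        url = (values.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))
        elif url.startswith("//"):
            # Secure on an HTTPS page, but follows the page's scheme.
            self.findings.append(("scheme-relative", tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (hosts are placeholders).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://fonts.example.net/news.css">
<link rel="canonical" href="http://example.com/story">
<script src="//cdn.example.net/analytics.js"></script>
<script src="https://cdn.example.net/comments.js"></script>
</head><body><img src="http://ads.example.net/banner.png" />
<a href="http://example.com/archive">archive</a>
<iframe src="HTTP://social.example.net/widget"></iframe></body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:16} <{tag}> {url}")
```
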