WPNYC: Moving your site to HTTPS

Many websites — from Wikipedia to Reddit to the Washington Post — are encrypting all of their web traffic to protect their readers' privacy by using SSL certificates and directing their traffic over HTTPS.

Besides the obvious security advantages, webmasters have another reason: Google is using HTTPS as a ranking signal.

At this meetup, we'll talk about what this all means (benefits, downsides) and problems encountered moving to HTTPS (and how they solved them).

Published in: Technology

  1. Moving your site to HTTPS
  2. Paul Schreiber paulschreiber@gmail.com @paulschreiber
  3. 15%
  4. http://www.bbc.co.uk/ http://www.bbc.co.uk/persian/ ✔
  5. HTTP 1991–2016
  6. Marking HTTP As Non-Secure: We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015. The goal of this proposal is to more clearly display to users that HTTP provides no data security.
  7. Deprecating Non-Secure HTTP: Today we are announcing our intent to phase out non-secure HTTP. There are two broad elements of this plan: 1. Setting a date after which all new features will be available only to secure websites 2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.
  8. The HTTPS-Only Standard: All browsing activity should be considered private and sensitive. —https.cio.gov
  9. HTTPS
  10. HTTP
  11. HTTPS
  12. 2008: HTTPS is slow. 2016: HTTPS is fast.
  13. HTTP 2.0
  14. HTTPS
  15. SHA-1
  16. $ sslmate mkconfig
  17. https://mozilla.github.io/server-side-tls/ssl-config-generator/
  18. https://wordpress.org/plugins/wp-encrypt/
  19. HTTPS enabled → HTTPS default → HSTS → HSTS preload
  20. content
  21. content
  22. comments
  23. ads
  24. social
  25. analytics
  26. CDNs
  27. fonts
  28. $ mixed-content-scan
  29. Content-Security-Policy: upgrade-insecure-requests
  30. Content-Security-Policy-Report-Only: default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://myserver.com/log-tool/
  31. <script src="//google.com/… <script src="https://googl…
  32. No HTTPS? Ask nicely.
  33. No HTTPS? SoundCite, placehold.it
  34. Mixed content: Akamai. http://hostname.com → https://a248.e.akamai.net/f/12/621/60d/hostname.com
  35. moarTLS Analyzer
  36. HTTPS Everywhere
  37. Chrome
  38. ssllabs.com/ssltest/
  39. observatory.mozilla.org
  40. hstspreload.appspot.com
  41. badssl.com
  42. securityheaders.io
  43. report-uri.io
  44. cspisawesome.com
  45. httpswatch.com
  46. google.com/transparencyreport/https/grid/
  47. Many graphics from The Noun Project: Mountains by Chris Cole; Statue of Liberty by John Melven; Tombstone by Jakob Wells; Congress by Martha Ormiston; Shield by Wayne Thayer; Books by Ashley van Dyck; Snail by aLf; carrot by Creative Stall; Geolocation by Alexander Smith; Notification by vijay sekhar; Microphone by Edward Boatman; Video camera by Pham Thi Dieu Linh; Full screen by Garrett Knoll; Rotation by Lemon Liu; speedmeter by Michal Beno; layers by Muhamad Ulum; arrow by Maurizio Pedrazzoli; stick by Blaise Sewell; Server by Yazmin Alanis; SEO by Azis; Money by Nick Levesque; Shopping cart by Patrizia Daidone; Lock with keyhole by Brennan Novak; Scribble by Michael Chanover; Network by Stephen Boak; Hat based on work by Blake Kimmel; Warning by Icomatic; Error by Anas Ramadan.
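
A minimal version of the check behind slides 20–31, as an added example (not code from the talk and not the mixed-content-scan tool): it parses a page and reports subresources still requested over http://, plus the protocol-relative URLs that slide 31 replaces with explicit https://. The hostnames, the sample page and the active/passive labels are assumptions made for the illustration.

```python
from html.parser import HTMLParser

# Tag -> (URL attribute, mixed-content class). Active content can rewrite the
# page and is blocked on HTTPS pages; passive content is images and media.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"), "img": ("src", "passive"),
    "audio": ("src", "passive"), "video": ("src", "passive"),
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return
        attr, kind = SUBRESOURCES[tag]
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # rel=canonical and similar are links, not fetched subresources
        url = (a.get(attr) or "").strip()
        line = self.getpos()[0]
        if url.lower().startswith("http://"):
            self.findings.append((line, tag, kind, url))
        elif url.startswith("//"):
            # Inherits the page's scheme: safe on HTTPS, insecure over HTTP.
            self.findings.append((line, tag, "protocol-relative", url))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; every hostname is a placeholder.
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.test/post/">
<link rel="stylesheet" href="http://fonts.example.test/css?family=X">
<script src="//cdn.example.test/lib.js"></script>
<script src="https://cdn.example.test/ok.js"></script>
</head><body>
<img src="http://ads.example.test/banner.png">
<img src="/local.png">
<iframe src="HTTP://social.example.test/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

Each http:// finding is a host to check for HTTPS support before enabling HSTS; upgrade-insecure-requests rewrites the request but cannot help when the third party serves nothing over HTTPS.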
