Find out HTTPS benefits beyond what is generally known and HTTPS usage today. Learn more about TLS, type of TLS Certificates, HSTS and best way to implement HSTS. Step by step HTTPS migration. Discover how some HTTP headers, configuration and check tools can help you during HTTPS migrations.

1. Aysun Akarsu
SEARCHDATALOGY
On the road to HTTPS
Everywhere
@aysunakarsu
https://www.searchdatalogy.com/blog/brightonseo/

2. @aysunakarsu @searchdatalogy #brightonseo
1
HTTPS
HyperText Transfer Protocol
Secure

3. @aysunakarsu @searchdatalogy #brightonseo
Transport Layer Security
Secure Sockets Layer (SSL)
Transport Layer Security (TLS)

4. @aysunakarsu @searchdatalogy #brightonseo
Transport Layer Security
Authentication
Encryption
Integrity

5. @aysunakarsu @searchdatalogy #brightonseo
2
Benefits

6. @aysunakarsu @searchdatalogy #brightonseo
Your
content
& design
Users
Experience
HTTPS ensures on your site
What
intruders
may
provide

7. @aysunakarsu @searchdatalogy #brightonseo
HTTPS protects
SecurityPrivacy
USERS

8. @aysunakarsu @searchdatalogy #brightonseo
HTTP/2 requires HTTPS

9. @aysunakarsu @searchdatalogy #brightonseo
Brotli requires HTTPS

10. @aysunakarsu @searchdatalogy #brightonseo
Not all but some AMP require
HTTPS

11. @aysunakarsu @searchdatalogy #brightonseo
HTTPS enables on the web

12. @aysunakarsu @searchdatalogy #brightonseo
Service Workers require
HTTPS

13. @aysunakarsu @searchdatalogy #brightonseo
HTTPS enables
Referrer data
(from HTTPS sites)

14. @aysunakarsu @searchdatalogy #brightonseo
Google’s mission
3

15. @aysunakarsu @searchdatalogy #brightonseo
“We're committed to making the web
a safer place not only for Google users,
but for all users. HTTPS makes it
difficult for Internet Service Providers,
governments and others to watch
what you're doing online.”
Google

16. @aysunakarsu @searchdatalogy #brightonseo
Motivating HTTPS migration
By SEO

17. @aysunakarsu @searchdatalogy #brightonseo
Motivating HTTPS migration
By Chrome
1. HTTP2
2. Marking HTTP sites

18. @aysunakarsu @searchdatalogy #brightonseo
Migration dates
Top sites

19. @aysunakarsu @searchdatalogy #brightonseo
Among top sites
Google was one of the
First in
Moving to HTTPS
Last in
Bringing HSTS

20. @aysunakarsu @searchdatalogy #brightonseo
HTTPS on top 100 non Google sites

21. @aysunakarsu @searchdatalogy #brightonseo
Percentage of Web pages loaded by
Firefox using HTTPS

22. @aysunakarsu @searchdatalogy #brightonseo
4
TLS certificates

23. @aysunakarsu @searchdatalogy #brightonseo
Type of TLS certificates
Domain Validation Organization Validation
Extended Validation
By validation level

24. @aysunakarsu @searchdatalogy #brightonseo
Type of TLS certificates
By secured domains
Single Name
https://www.firstsite.com
Wildcard
https://www.firstsite.com
https://blog.firstsite.com
https://shop.firstsite.com
Multi-domain
https://www.firstsite.com
https://www.secondsite.com
https://www.thirdsite.com

25. @aysunakarsu @searchdatalogy #brightonseo
5
HSTS
HTTP Strict Transport
Security

26. @aysunakarsu @searchdatalogy #brightonseo
HSTS
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
In seconds
Optional
(Recommended)
Optional

27. @aysunakarsu @searchdatalogy #brightonseo
HSTS
chrome://net-internals/#hsts

28. @aysunakarsu @searchdatalogy #brightonseo
HSTS
https://chromium.googlesource.com/chromium/src/+/
master/net/http/transport_security_state_static.json
{ "name": "wikipedia.org", "include_subdomains": true, "mode": "force-https" },
{ "name": "www.facebook.com", "include_subdomains": true, "mode": "force-https", "pins": "facebook" },
{ "name": "facebook.com", "mode": "force-https", "pins": "facebook" },
{ "name": "twitter.com", "mode": "force-https", "pins": "twitterCom" },
{ "name": "www.twitter.com", "include_subdomains": true, "mode": "force-https", "pins": "twitterCom" },
Chrome HSTS preload list

29. @aysunakarsu @searchdatalogy #brightonseo
6
Before

30. @aysunakarsu @searchdatalogy #brightonseo
Choose well your
IT infrastructure

31. https://istlsfastyet.com/

32. https://istlsfastyet.com/

33. @aysunakarsu @searchdatalogy #brightonseo
If using SNI
Check web servers & browsers support

34. @aysunakarsu @searchdatalogy #brightonseo
Consider HTTP2
https://www.nginx.com/blog/supporting-http2-google-chrome-users/

35. @aysunakarsu @searchdatalogy #brightonseo
Plan only HTTPS migration
https://www.seroundtable.com/google-url-structures-https-23084.html

36. @aysunakarsu @searchdatalogy #brightonseo
HTTPS
No access to users & bots

37. @aysunakarsu @searchdatalogy #brightonseo
Get (staging)
TLS certificate

38. @aysunakarsu @searchdatalogy #brightonseo
Configure (staging)
https://mozilla.github.io/server-side-tls/ssl-config-generator/

39. @aysunakarsu @searchdatalogy #brightonseo
Prevent & report
Content-Security-Policy: upgrade-insecure-requests;
Content-Security-Policy-Report-Only: default-src https:;
report-uri /csp-logs
Mixed content

40. @aysunakarsu @searchdatalogy #brightonseo
Preserve referrer
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: origin
Referrer-Policy

41. @aysunakarsu @searchdatalogy #brightonseo
Collect data
Staging
Production
Crawl sites
Web server logs
Analytics tools
E.g. Google Analytics
Google search
console
External Links
E.g. Majestic

42. @aysunakarsu @searchdatalogy #brightonseo
Analyze data (staging)
Urls of the links, web
assets on the page
Url of the page
Scheme
(protocol)
Tags
Canonical
Hreflang
Meta
HTTP Headers
Status code
Content
On each page check

43. @aysunakarsu @searchdatalogy #brightonseo
Analyze data (production)
Pages
Error
Low quality content
Orphan
Crawl waste

44. @aysunakarsu @searchdatalogy #brightonseo
Prepare
Migration section planning
(If moving in sections)
URL list
Mapping
Monitoring
Update
HTTP
HTTPS
Sitemaps

45. @aysunakarsu @searchdatalogy #brightonseo
SSLLabs
https://www.ssllabs.com/ssltest/analyze.html?d=www.searchdatalogy.com

46. @aysunakarsu @searchdatalogy #brightonseo
Mozilla TLS observatory
https://observatory.mozilla.org/

47. @aysunakarsu @searchdatalogy #brightonseo
Register (destination site)
Google Search Console
https://example.com
https://www.example.com
https://m.example.com (If mobile on the origin)
https://fr.example.com (If subdomains on the origin)
https://www.example.com/fr/ (If directories on the origin)

48. @aysunakarsu @searchdatalogy #brightonseo
Configure (destination site)
Analytics tools
E.g. Google Analytics
Google
search
console
Urls parameters
Geotargeting
Disavow
Preferred domain
Submit sitemaps
Replicate origin’s
configuration

49. @aysunakarsu @searchdatalogy #brightonseo
7
Ready ?

50. @aysunakarsu @searchdatalogy #brightonseo
Give users & bots access to
HTTPS

51. @aysunakarsu @searchdatalogy #brightonseo
Implement redirects
HTTPSHTTP

52. @aysunakarsu @searchdatalogy #brightonseo
Collect & analyze data
Web server logs
Crawl
Production site
Analytics tools
E.g. Google Analytics

53. @aysunakarsu @searchdatalogy #brightonseo
Update urls
Owned media
Profile links
E.g. Facebook, Twitter, Linkedin
Partner sites
Ad campaigns

54. @aysunakarsu @searchdatalogy #brightonseo
8
After

55. @aysunakarsu @searchdatalogy #brightonseo
Collect / monitor / analyze
data
Sitemaps
Production site
Crawl
Web server logs
Analytics tools
E.g. Google Analytics
Google search
console
External Links
E.g. Majestic

56. @aysunakarsu @searchdatalogy #brightonseo
Implement HSTS
Start HSTS
max-age=300;includeSubDomains
Increase max-age progressively
max-age=604800; includeSubDomains
max-age=2592000; includeSubDomains
Chrome HSTS preload list
max-age=63072000;
includeSubDomains; preload

57. @aysunakarsu @searchdatalogy #brightonseo
“Protecting less sensitive
sites strengthens the
protections of more
sensitive sites.”
https://https.cio.gov/
“The good we secure for
ourselves is precarious
and uncertain until it is
secured for all of us and
incorporated into our
common life.”
Jane Addams

58. Thank
you!