On The Road To HTTPS Everywhere / BrightonSEO 2017

Aysun Akarsu
SEARCHDATALOGY
On the road to HTTPS
Everywhere
@aysunakarsu
https://www.searchdatalogy.com/blog/brightonseo/

@aysunakarsu @searchdatalogy #brightonseo
1
HTTPS
HyperText Transfer Protocol
Secure

Transport Layer Security
Secure Sockets Layer (SSL)
Transport Layer Security (TLS)

Transport Layer Security
Authentication
Encryption
Integrity

2
Benefits

Your
content
& design
Users
Experience
HTTPS ensures on your site
What
intruders
may
provide

HTTPS protects
SecurityPrivacy
USERS

HTTP/2 requires HTTPS

Brotli requires HTTPS

Not all but some AMP require
HTTPS

HTTPS enables on the web

Service Workers require
HTTPS

HTTPS enables
Referrer data
(from HTTPS sites)

Google’s mission
3

“We're committed to making the web
a safer place not only for Google users,
but for all users. HTTPS makes it
difficult for Internet Service Providers,
governments and others to watch
what you're doing online.”
Google

Motivating HTTPS migration
By SEO

Motivating HTTPS migration
By Chrome
1. HTTP2
2. Marking HTTP sites

Migration dates
Top sites

Among top sites
Google was one of the
First in
Moving to HTTPS
Last in
Bringing HSTS

HTTPS on top 100 non Google sites

Percentage of Web pages loaded by
Firefox using HTTPS

4
TLS certificates

Type of TLS certificates
Domain Validation Organization Validation
Extended Validation
By validation level

Type of TLS certificates
By secured domains
Single Name
https://www.firstsite.com
Wildcard
https://blog.firstsite.com
https://shop.firstsite.com
Multi-domain
https://www.secondsite.com
https://www.thirdsite.com

5
HSTS
HTTP Strict Transport
Security

HSTS
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
In seconds
Optional
(Recommended)
Optional

HSTS
chrome://net-internals/#hsts

HSTS
https://chromium.googlesource.com/chromium/src/+/
master/net/http/transport_security_state_static.json
{ "name": "wikipedia.org", "include_subdomains": true, "mode": "force-https" },
{ "name": "www.facebook.com", "include_subdomains": true, "mode": "force-https", "pins": "facebook" },
{ "name": "facebook.com", "mode": "force-https", "pins": "facebook" },
{ "name": "twitter.com", "mode": "force-https", "pins": "twitterCom" },
{ "name": "www.twitter.com", "include_subdomains": true, "mode": "force-https", "pins": "twitterCom" },
Chrome HSTS preload list

6
Before

Choose well your
IT infrastructure

If using SNI
Check web servers & browsers support

Consider HTTP2
https://www.nginx.com/blog/supporting-http2-google-chrome-users/

Plan only HTTPS migration
https://www.seroundtable.com/google-url-structures-https-23084.html

HTTPS
No access to users & bots

Get (staging)
TLS certificate

Configure (staging)
https://mozilla.github.io/server-side-tls/ssl-config-generator/

Prevent & report
Content-Security-Policy: upgrade-insecure-requests;
Content-Security-Policy-Report-Only: default-src https:;
report-uri /csp-logs
Mixed content

Preserve referrer
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: origin
Referrer-Policy

Collect data
Staging
Production
Crawl sites
Web server logs
Analytics tools
E.g. Google Analytics
Google search
console
External Links
E.g. Majestic

Analyze data (staging)
Urls of the links, web
assets on the page
Url of the page
Scheme
(protocol)
Tags
Canonical
Hreflang
Meta
HTTP Headers
Status code
Content
On each page check

Analyze data (production)
Pages
Error
Low quality content
Orphan
Crawl waste

Prepare
Migration section planning
(If moving in sections)
URL list
Mapping
Monitoring
Update
HTTP
HTTPS
Sitemaps

SSLLabs
https://www.ssllabs.com/ssltest/analyze.html?d=www.searchdatalogy.com

Mozilla TLS observatory
https://observatory.mozilla.org/

Register (destination site)
Google Search Console
https://example.com
https://www.example.com
https://m.example.com (If mobile on the origin)
https://fr.example.com (If subdomains on the origin)
https://www.example.com/fr/ (If directories on the origin)

Configure (destination site)
Analytics tools
Google
search
console
Urls parameters
Geotargeting
Disavow
Preferred domain
Submit sitemaps
Replicate origin’s
configuration

7
Ready ?

Give users & bots access to
HTTPS

Implement redirects
HTTPSHTTP

Collect & analyze data
Web server logs
Crawl
Production site
Analytics tools

Update urls
Owned media
Profile links
E.g. Facebook, Twitter, Linkedin
Partner sites
Ad campaigns

8
After

Collect / monitor / analyze
data
Sitemaps
Production site
Crawl
Web server logs
Analytics tools
Google search
console
External Links
E.g. Majestic

Implement HSTS
Start HSTS
max-age=300;includeSubDomains
Increase max-age progressively
max-age=604800; includeSubDomains
max-age=2592000; includeSubDomains
Chrome HSTS preload list
max-age=63072000;
includeSubDomains; preload

“Protecting less sensitive
sites strengthens the
protections of more
sensitive sites.”
https://https.cio.gov/
“The good we secure for
ourselves is precarious
and uncertain until it is
secured for all of us and
incorporated into our
common life.”
Jane Addams

On The Road To HTTPS Everywhere / BrightonSEO 2017

More Related Content

Viewers also liked

Recently uploaded

On The Road To HTTPS Everywhere / BrightonSEO 2017