Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

On The Road To HTTPS Everywhere / BrightonSEO 2017

4,448 views

Published on

Find out HTTPS benefits beyond what is generally known and HTTPS usage today. Learn more about TLS, type of TLS Certificates, HSTS and best way to implement HSTS. Step by step HTTPS migration. Discover how some HTTP headers, configuration and check tools can help you during HTTPS migrations.

Published in: Technology
  • Be the first to comment

On The Road To HTTPS Everywhere / BrightonSEO 2017

  1. 1. Aysun Akarsu SEARCHDATALOGY On the road to HTTPS Everywhere @aysunakarsu https://www.searchdatalogy.com/blog/brightonseo/
  2. 2. @aysunakarsu @searchdatalogy #brightonseo 1 HTTPS HyperText Transfer Protocol Secure
  3. 3. @aysunakarsu @searchdatalogy #brightonseo Transport Layer Security Secure Sockets Layer (SSL) Transport Layer Security (TLS)
  4. 4. @aysunakarsu @searchdatalogy #brightonseo Transport Layer Security Authentication Encryption Integrity
  5. 5. @aysunakarsu @searchdatalogy #brightonseo 2 Benefits
  6. 6. @aysunakarsu @searchdatalogy #brightonseo Your content & design Users Experience HTTPS ensures on your site What intruders may provide
  7. 7. @aysunakarsu @searchdatalogy #brightonseo HTTPS protects SecurityPrivacy USERS
  8. 8. @aysunakarsu @searchdatalogy #brightonseo HTTP/2 requires HTTPS
  9. 9. @aysunakarsu @searchdatalogy #brightonseo Brotli requires HTTPS
  10. 10. @aysunakarsu @searchdatalogy #brightonseo Not all but some AMP require HTTPS
  11. 11. @aysunakarsu @searchdatalogy #brightonseo HTTPS enables on the web
  12. 12. @aysunakarsu @searchdatalogy #brightonseo Service Workers require HTTPS
  13. 13. @aysunakarsu @searchdatalogy #brightonseo HTTPS enables Referrer data (from HTTPS sites)
  14. 14. @aysunakarsu @searchdatalogy #brightonseo Google’s mission 3
  15. 15. @aysunakarsu @searchdatalogy #brightonseo “We're committed to making the web a safer place not only for Google users, but for all users. HTTPS makes it difficult for Internet Service Providers, governments and others to watch what you're doing online.” Google
  16. 16. @aysunakarsu @searchdatalogy #brightonseo Motivating HTTPS migration By SEO
  17. 17. @aysunakarsu @searchdatalogy #brightonseo Motivating HTTPS migration By Chrome 1. HTTP2 2. Marking HTTP sites
  18. 18. @aysunakarsu @searchdatalogy #brightonseo Migration dates Top sites
  19. 19. @aysunakarsu @searchdatalogy #brightonseo Among top sites Google was one of the First in Moving to HTTPS Last in Bringing HSTS
  20. 20. @aysunakarsu @searchdatalogy #brightonseo HTTPS on top 100 non Google sites
  21. 21. @aysunakarsu @searchdatalogy #brightonseo Percentage of Web pages loaded by Firefox using HTTPS
  22. 22. @aysunakarsu @searchdatalogy #brightonseo 4 TLS certificates
  23. 23. @aysunakarsu @searchdatalogy #brightonseo Type of TLS certificates Domain Validation Organization Validation Extended Validation By validation level
  24. 24. @aysunakarsu @searchdatalogy #brightonseo Type of TLS certificates By secured domains Single Name https://www.firstsite.com Wildcard https://www.firstsite.com https://blog.firstsite.com https://shop.firstsite.com Multi-domain https://www.firstsite.com https://www.secondsite.com https://www.thirdsite.com
  25. 25. @aysunakarsu @searchdatalogy #brightonseo 5 HSTS HTTP Strict Transport Security
  26. 26. @aysunakarsu @searchdatalogy #brightonseo HSTS Strict-Transport-Security: max-age=31536000; includeSubDomains; preload In seconds Optional (Recommended) Optional
  27. 27. @aysunakarsu @searchdatalogy #brightonseo HSTS chrome://net-internals/#hsts
  28. 28. @aysunakarsu @searchdatalogy #brightonseo HSTS https://chromium.googlesource.com/chromium/src/+/ master/net/http/transport_security_state_static.json { "name": "wikipedia.org", "include_subdomains": true, "mode": "force-https" }, { "name": "www.facebook.com", "include_subdomains": true, "mode": "force-https", "pins": "facebook" }, { "name": "facebook.com", "mode": "force-https", "pins": "facebook" }, { "name": "twitter.com", "mode": "force-https", "pins": "twitterCom" }, { "name": "www.twitter.com", "include_subdomains": true, "mode": "force-https", "pins": "twitterCom" }, Chrome HSTS preload list
  29. 29. @aysunakarsu @searchdatalogy #brightonseo 6 Before
  30. 30. @aysunakarsu @searchdatalogy #brightonseo Choose well your IT infrastructure
  31. 31. https://istlsfastyet.com/
  32. 32. https://istlsfastyet.com/
  33. 33. @aysunakarsu @searchdatalogy #brightonseo If using SNI Check web servers & browsers support
  34. 34. @aysunakarsu @searchdatalogy #brightonseo Consider HTTP2 https://www.nginx.com/blog/supporting-http2-google-chrome-users/
  35. 35. @aysunakarsu @searchdatalogy #brightonseo Plan only HTTPS migration https://www.seroundtable.com/google-url-structures-https-23084.html
  36. 36. @aysunakarsu @searchdatalogy #brightonseo HTTPS No access to users & bots
  37. 37. @aysunakarsu @searchdatalogy #brightonseo Get (staging) TLS certificate
  38. 38. @aysunakarsu @searchdatalogy #brightonseo Configure (staging) https://mozilla.github.io/server-side-tls/ssl-config-generator/
  39. 39. @aysunakarsu @searchdatalogy #brightonseo Prevent & report Content-Security-Policy: upgrade-insecure-requests; Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-logs Mixed content
  40. 40. @aysunakarsu @searchdatalogy #brightonseo Preserve referrer Referrer-Policy: origin-when-cross-origin Referrer-Policy: origin Referrer-Policy
  41. 41. @aysunakarsu @searchdatalogy #brightonseo Collect data Staging Production Crawl sites Web server logs Analytics tools E.g. Google Analytics Google search console External Links E.g. Majestic
  42. 42. @aysunakarsu @searchdatalogy #brightonseo Analyze data (staging) Urls of the links, web assets on the page Url of the page Scheme (protocol) Tags Canonical Hreflang Meta HTTP Headers Status code Content On each page check
  43. 43. @aysunakarsu @searchdatalogy #brightonseo Analyze data (production) Pages Error Low quality content Orphan Crawl waste
  44. 44. @aysunakarsu @searchdatalogy #brightonseo Prepare Migration section planning (If moving in sections) URL list Mapping Monitoring Update HTTP HTTPS Sitemaps
  45. 45. @aysunakarsu @searchdatalogy #brightonseo SSLLabs https://www.ssllabs.com/ssltest/analyze.html?d=www.searchdatalogy.com
  46. 46. @aysunakarsu @searchdatalogy #brightonseo Mozilla TLS observatory https://observatory.mozilla.org/
  47. 47. @aysunakarsu @searchdatalogy #brightonseo Register (destination site) Google Search Console https://example.com https://www.example.com https://m.example.com (If mobile on the origin) https://fr.example.com (If subdomains on the origin) https://www.example.com/fr/ (If directories on the origin)
  48. 48. @aysunakarsu @searchdatalogy #brightonseo Configure (destination site) Analytics tools E.g. Google Analytics Google search console Urls parameters Geotargeting Disavow Preferred domain Submit sitemaps Replicate origin’s configuration
  49. 49. @aysunakarsu @searchdatalogy #brightonseo 7 Ready ?
  50. 50. @aysunakarsu @searchdatalogy #brightonseo Give users & bots access to HTTPS
  51. 51. @aysunakarsu @searchdatalogy #brightonseo Implement redirects HTTPSHTTP
  52. 52. @aysunakarsu @searchdatalogy #brightonseo Collect & analyze data Web server logs Crawl Production site Analytics tools E.g. Google Analytics
  53. 53. @aysunakarsu @searchdatalogy #brightonseo Update urls Owned media Profile links E.g. Facebook, Twitter, Linkedin Partner sites Ad campaigns
  54. 54. @aysunakarsu @searchdatalogy #brightonseo 8 After
  55. 55. @aysunakarsu @searchdatalogy #brightonseo Collect / monitor / analyze data Sitemaps Production site Crawl Web server logs Analytics tools E.g. Google Analytics Google search console External Links E.g. Majestic
  56. 56. @aysunakarsu @searchdatalogy #brightonseo Implement HSTS Start HSTS max-age=300;includeSubDomains Increase max-age progressively max-age=604800; includeSubDomains max-age=2592000; includeSubDomains Chrome HSTS preload list max-age=63072000; includeSubDomains; preload
  57. 57. @aysunakarsu @searchdatalogy #brightonseo “Protecting less sensitive sites strengthens the protections of more sensitive sites.” https://https.cio.gov/ “The good we secure for ourselves is precarious and uncertain until it is secured for all of us and incorporated into our common life.” Jane Addams
  58. 58. Thank you!

×