Upcoming SlideShare
On The Road To HTTPS Everywhere / BrightonSEO 2017
- 1. Aysun Akarsu SEARCHDATALOGY On the road to HTTPS Everywhere @aysunakarsu https://www.searchdatalogy.com/blog/brightonseo/
- 2. @aysunakarsu @searchdatalogy #brightonseo 1 HTTPS HyperText Transfer Protocol Secure
- 3. @aysunakarsu @searchdatalogy #brightonseo Transport Layer Security Secure Sockets Layer (SSL) Transport Layer Security (TLS)
- 4. @aysunakarsu @searchdatalogy #brightonseo Transport Layer Security Authentication Encryption Integrity
- 5. @aysunakarsu @searchdatalogy #brightonseo 2 Benefits
- 6. @aysunakarsu @searchdatalogy #brightonseo Your content & design Users Experience HTTPS ensures on your site What intruders may provide
- 7. @aysunakarsu @searchdatalogy #brightonseo HTTPS protects SecurityPrivacy USERS
- 8. @aysunakarsu @searchdatalogy #brightonseo HTTP/2 requires HTTPS
- 9. @aysunakarsu @searchdatalogy #brightonseo Brotli requires HTTPS
- 10. @aysunakarsu @searchdatalogy #brightonseo Not all but some AMP require HTTPS
- 11. @aysunakarsu @searchdatalogy #brightonseo HTTPS enables on the web
- 12. @aysunakarsu @searchdatalogy #brightonseo Service Workers require HTTPS
- 13. @aysunakarsu @searchdatalogy #brightonseo HTTPS enables Referrer data (from HTTPS sites)
- 14. @aysunakarsu @searchdatalogy #brightonseo Google’s mission 3
- 15. @aysunakarsu @searchdatalogy #brightonseo “We're committed to making the web a safer place not only for Google users, but for all users. HTTPS makes it difficult for Internet Service Providers, governments and others to watch what you're doing online.” Google
- 16. @aysunakarsu @searchdatalogy #brightonseo Motivating HTTPS migration By SEO
- 17. @aysunakarsu @searchdatalogy #brightonseo Motivating HTTPS migration By Chrome 1. HTTP2 2. Marking HTTP sites
- 18. @aysunakarsu @searchdatalogy #brightonseo Migration dates Top sites
- 19. @aysunakarsu @searchdatalogy #brightonseo Among top sites Google was one of the First in Moving to HTTPS Last in Bringing HSTS
- 20. @aysunakarsu @searchdatalogy #brightonseo HTTPS on top 100 non Google sites
- 21. @aysunakarsu @searchdatalogy #brightonseo Percentage of Web pages loaded by Firefox using HTTPS
- 22. @aysunakarsu @searchdatalogy #brightonseo 4 TLS certificates
- 23. @aysunakarsu @searchdatalogy #brightonseo Type of TLS certificates Domain Validation Organization Validation Extended Validation By validation level
- 24. @aysunakarsu @searchdatalogy #brightonseo Type of TLS certificates By secured domains Single Name https://www.firstsite.com Wildcard https://www.firstsite.com https://blog.firstsite.com https://shop.firstsite.com Multi-domain https://www.firstsite.com https://www.secondsite.com https://www.thirdsite.com
- 25. @aysunakarsu @searchdatalogy #brightonseo 5 HSTS HTTP Strict Transport Security
- 26. @aysunakarsu @searchdatalogy #brightonseo HSTS Strict-Transport-Security: max-age=31536000; includeSubDomains; preload In seconds Optional (Recommended) Optional
- 27. @aysunakarsu @searchdatalogy #brightonseo HSTS chrome://net-internals/#hsts
- 28. @aysunakarsu @searchdatalogy #brightonseo HSTS https://chromium.googlesource.com/chromium/src/+/ master/net/http/transport_security_state_static.json { "name": "wikipedia.org", "include_subdomains": true, "mode": "force-https" }, { "name": "www.facebook.com", "include_subdomains": true, "mode": "force-https", "pins": "facebook" }, { "name": "facebook.com", "mode": "force-https", "pins": "facebook" }, { "name": "twitter.com", "mode": "force-https", "pins": "twitterCom" }, { "name": "www.twitter.com", "include_subdomains": true, "mode": "force-https", "pins": "twitterCom" }, Chrome HSTS preload list
- 29. @aysunakarsu @searchdatalogy #brightonseo 6 Before
- 30. @aysunakarsu @searchdatalogy #brightonseo Choose well your IT infrastructure
- 31. https://istlsfastyet.com/
- 32. https://istlsfastyet.com/
- 33. @aysunakarsu @searchdatalogy #brightonseo If using SNI Check web servers & browsers support
- 34. @aysunakarsu @searchdatalogy #brightonseo Consider HTTP2 https://www.nginx.com/blog/supporting-http2-google-chrome-users/
- 35. @aysunakarsu @searchdatalogy #brightonseo Plan only HTTPS migration https://www.seroundtable.com/google-url-structures-https-23084.html
- 36. @aysunakarsu @searchdatalogy #brightonseo HTTPS No access to users & bots
- 37. @aysunakarsu @searchdatalogy #brightonseo Get (staging) TLS certificate
- 38. @aysunakarsu @searchdatalogy #brightonseo Configure (staging) https://mozilla.github.io/server-side-tls/ssl-config-generator/
- 39. @aysunakarsu @searchdatalogy #brightonseo Prevent & report Content-Security-Policy: upgrade-insecure-requests; Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-logs Mixed content
- 40. @aysunakarsu @searchdatalogy #brightonseo Preserve referrer Referrer-Policy: origin-when-cross-origin Referrer-Policy: origin Referrer-Policy
- 41. @aysunakarsu @searchdatalogy #brightonseo Collect data Staging Production Crawl sites Web server logs Analytics tools E.g. Google Analytics Google search console External Links E.g. Majestic
- 42. @aysunakarsu @searchdatalogy #brightonseo Analyze data (staging) Urls of the links, web assets on the page Url of the page Scheme (protocol) Tags Canonical Hreflang Meta HTTP Headers Status code Content On each page check
- 43. @aysunakarsu @searchdatalogy #brightonseo Analyze data (production) Pages Error Low quality content Orphan Crawl waste
- 44. @aysunakarsu @searchdatalogy #brightonseo Prepare Migration section planning (If moving in sections) URL list Mapping Monitoring Update HTTP HTTPS Sitemaps
- 45. @aysunakarsu @searchdatalogy #brightonseo SSLLabs https://www.ssllabs.com/ssltest/analyze.html?d=www.searchdatalogy.com
- 46. @aysunakarsu @searchdatalogy #brightonseo Mozilla TLS observatory https://observatory.mozilla.org/
- 47. @aysunakarsu @searchdatalogy #brightonseo Register (destination site) Google Search Console https://example.com https://www.example.com https://m.example.com (If mobile on the origin) https://fr.example.com (If subdomains on the origin) https://www.example.com/fr/ (If directories on the origin)
- 48. @aysunakarsu @searchdatalogy #brightonseo Configure (destination site) Analytics tools E.g. Google Analytics Google search console Urls parameters Geotargeting Disavow Preferred domain Submit sitemaps Replicate origin’s configuration
- 49. @aysunakarsu @searchdatalogy #brightonseo 7 Ready ?
- 50. @aysunakarsu @searchdatalogy #brightonseo Give users & bots access to HTTPS
- 51. @aysunakarsu @searchdatalogy #brightonseo Implement redirects HTTPSHTTP
- 52. @aysunakarsu @searchdatalogy #brightonseo Collect & analyze data Web server logs Crawl Production site Analytics tools E.g. Google Analytics
- 53. @aysunakarsu @searchdatalogy #brightonseo Update urls Owned media Profile links E.g. Facebook, Twitter, Linkedin Partner sites Ad campaigns
- 54. @aysunakarsu @searchdatalogy #brightonseo 8 After
- 55. @aysunakarsu @searchdatalogy #brightonseo Collect / monitor / analyze data Sitemaps Production site Crawl Web server logs Analytics tools E.g. Google Analytics Google search console External Links E.g. Majestic
- 56. @aysunakarsu @searchdatalogy #brightonseo Implement HSTS Start HSTS max-age=300;includeSubDomains Increase max-age progressively max-age=604800; includeSubDomains max-age=2592000; includeSubDomains Chrome HSTS preload list max-age=63072000; includeSubDomains; preload
- 57. @aysunakarsu @searchdatalogy #brightonseo “Protecting less sensitive sites strengthens the protections of more sensitive sites.” https://https.cio.gov/ “The good we secure for ourselves is precarious and uncertain until it is secured for all of us and incorporated into our common life.” Jane Addams
- 58. Thank you!
Login to see the comments