Everyone Screws Up HTTPS
•Download as PPTX, PDF•
0 likes•30,501 views
This document discusses HTTPS, a protocol that encrypts communications between browsers and websites to secure data transmission. It notes that HTTPS helps prevent tampering, supports user identity verification and encrypted communication, and may boost search rankings. While HTTPS improves security, it requires technical expertise to properly implement, including obtaining certificates, enabling encryption at the server level, ensuring proper redirects, and avoiding common WordPress issues. The document outlines both benefits and potential risks of moving a site to HTTPS.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Everyone Screws Up HTTPS
Similar to Everyone Screws Up HTTPS (20)
More from patrickstox
More from patrickstox (9)
Recently uploaded
Recently uploaded (20)
Everyone Screws Up HTTPS
- 2. WHAT IS HTTPS A PROTOCOL MADE TO SECURE COMMUNICATIONS BETWEEN YOUR BROWSER AND A WEBSITE BY ENCRYPTING THE DATA, ENSURING THE DATA HAS NOT BEEN MODIFIED, AND AUTHENTICATING THE RECIPIENT.
- 3. WHY YOU SHOULD BE SECURE •IDENTITY VERIFICATION •ENCRYPTED COMMUNICATION •HELPS PREVENT TAMPERING AND MAN-IN-THE-MIDDLE ATTACKS •TRUST •NO LOSS OF REFERRAL DATA •GOOGLE RANKINGS BOOST?
- 4. USES HTTPS AS A RANKING SIGNAL http://googlewebmastercentral.blogspot.com/2014/ 08/https-as-ranking-signal.html *MAY STRENGTHEN OVER TIME
- 5. GARY ILLYES, GOOGLE WEBMASTER TRENDS ANALYST SAID: “If you're an SEO and you're recommending against going HTTPS, you're wrong and you should feel bad.” https://twitter.com/methode/status/633541668403 310593 MORE RECENTLY, GARY STATED HTTPS IS MORE OF A TIE-BREAKER http://searchengineland.com/googles-gary-illyes- https-may-break-ties-between-two-equal-search- results-230691
- 6. REASONS NOT TO GO SECURE •DOES NOT PREVENT HACKS •COST •EXPERTISE/RISKS
- 7. HTTPS DOES NOT SECURE YOUR WEBSITE •DOWNGRADE ATTACKS •SSL/TLS VULNERABILITIES HEARTBLEED, POODLE, LOGJAM, OH MY! •HACKS OF A WEBSITE, SERVER, OR NETWORK •SOFTWARE VULNERABILITIES •BRUTE FORCE ATTACKS •DDOS ATTACKS
- 8. SECURING •FORCE STRONG PASSWORDS •KEEP CORE AND PLUGINS UPDATED •SCAN FOR MALWARE •SFTP •FILE PERMISSIONS •STOP BOTNET ATTACKS http://codex.wordpress.org/Hardening _WordPress
- 9. COST? THE COST OF A CERTIFICATE DEPENDS ON THE LEVEL OF PROTECTION AND PROVIDER FREE: https://www.startssl.com/ https://letsencrypt.org/ Arriving Q4 2015
- 10. EXPERTISE: HTTPS AT THE SERVER LEVEL •MOD_SSL NEEDS TO BE ENABLED •PORT 443 OPENED •PROPERLY CONFIGURED VIRTUAL HOST •SPDY (SPEED IMPROVEMENTS) •OCSP STAPLING (CUTS DOWN ON CHECKS) •SO MUCH MORE
- 11. EXPERTISE: HTTPS FOR WORDPRESS SETTINGS » GENERAL CHANGE WORDPRESS ADDRESS AND SITE ADDRESS TO USE HTTPS: THIS IS NOT ENOUGH AS IT ALLOWS LOADING OF BOTH HTTP AND HTTPS PLUGIN: https://wordpress.org/plugins/wordpress- https/
- 12. EXPERTISE: COMMON WORDPRESS PROBLEMS •NOT USING RELATIVE URLS •FAILING TO CLEAN UP HARD CODED LINKS •DUPLICATION (HTTP AND HTTPS) •DEPRECATED FUNCTIONS THAT DON’T WORK WITH HTTPS •MIXED CONTENT (CONTENT LOADED FROM HTTP AND HTTPS) •CANONICAL TAG ISSUES
- 13. EXPERTISE: REDIRECTS SHOULD BE DONE AT THE SERVER LEVEL IN THE SERVER CONFIG FILE HTTPD.CONF https://wiki.apache.org/httpd/RedirectSSL MORE OFTEN THAN NOT REDIRECTS EITHER DON’T GET DONE OR GET PLACED IN .HTACCESS
- 14. EXPERTISE: REDIRECTS IN .HTACCESS https://wiki.apache.org/httpd/RewriteHTTPToHTTPS RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] WRONG!!! NOT A 301
- 15. EXPERTISE: REDIRECTS IN .HTACCESS CORRECTED # Force HTTPS <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R=301,L] </IfModule>
- 16. EXPERTISE: OTHER .HTACCESS ISSUES •APACHE DEFAULTS TO 302 •CODE NOT PROPERLY PLACED •REDIRECT CHAINS •NOT TESTED
- 17. RISKS “Moved from HTTP to HTTPS, now SEO is in the ditch.” “switched to the https version...After that the ranking on Google dropped for almost every keyword.” “Huge drop [50%] in traffic after HTTPS move”
- 18. BUFFER SAW A 90% DROP
- 19. TAKE THESE STORIES WITH A GRAIN OF SALT THEY LIKELY DIDN’T HAVE THE EXPERTISE TO IMPLEMENT HTTPS AND LIKELY WEREN’T SETUP TO TRACK PROPERLY
- 20. EVEN THE BEST OF US FAIL SOMETIMES