@aysunakarsu @searchdatalogy #seocamp
The Road To A More Secure Web
Aysun Akarsu 10 March 2017 #SEOCamp Paris
Aysun Akarsu / Search Data Strategist
Digital data strategist specialized in technical and architectural SEO, helping
companies make data-driven decisions to generate more search traffic.
12 Years in Search Data Analysis
Founder & Blogger of SearchDatalogy
https://www.searchdatalogy.com/blog/
https://www.theguardian.com/info/developer-blog/2016/nov/29/the-guardian-has-moved-to-https
HTTPS
TLS
Transport Layer Security (TLS)
■ Secure Sockets Layer (SSL)
■ Transport Layer Security (TLS)
■ TLS replaced SSL
TLS Protocol / Authentication
(Diagram: Bob and Alice)
TLS Protocol / Encryption
(Diagram: Bob and Alice)
TLS Protocol / Integrity
(Diagram: Bob and Alice)
Good For What?
HTTPS HyperText Transfer Protocol Secure 1/2
Protects
■ Integrity of the website
■ Privacy and security of the user
HTTPS HyperText Transfer Protocol Secure 2/2
Requirement For
■ HTTP2 Protocol
■ Explicit user opt-in
■ Amp-ad, amp-embed, amp-video, amp-form, amp-iframe
Enables Powerful Features
■ Accessing user’s geolocation, taking pictures, recording video
■ Offline app experiences and notifications (Service Workers)
Enables Referrer Data (from HTTPS sites)
HTTPS As Google’s Mission
Google Explains
"Security is a top priority at Google. We are investing and working to make sure
that our sites and services provide modern HTTPS by default. We're committed to
making the web a safer place not only for Google users, but for all users. HTTPS
makes it difficult for Internet Service Providers, governments and others to
watch what you're doing online."
How Google Motivates HTTPS Migration 1/2
By SEO
How Google Motivates HTTPS Migration 2/2
By Chrome
■ Supporting HTTP2 on Chrome only if encrypted
■ Marking HTTP sites as Non Secure on Chrome
Top Sites
HTTPS migration dates
Among Top Sites
Google was one of the
■ First to move to HTTPS
■ Last to bring HTTP Strict Transport Security (HSTS) to its own site (HSTS was
deployed only on www.google.com, on 27/07/2016)
HTTPS Across Google
According to Google's statistics, 86 percent of requests sent from around the world to
Google's servers used encrypted connections by mid-February 2017, up from 47
percent at the end of 2013. Google has done a good job on HTTPS on its own
side.
HTTPS In Google Index
SMX Advanced on 23/06/2016
http://searchengineland.com/key-takeaways-google-ama-rankbrain-panda-penguin-bots-252506
HTTPS Usage On Chrome
(Charts: percentage of pages loaded over HTTPS; percentage of browsing time spent on HTTPS websites)
Desktop users load more than half of the pages they view over HTTPS and spend
two-thirds of their time on HTTPS pages.
HTTPS On Top 100 Non Google Sites
Google shared data on a list of the top 100 non-Google sites on the Internet
and their HTTPS status in February 2016.
According to Google, the sites in this list account for approximately 25% of all
website traffic worldwide.
HTTPS On 1M Top Sites
TLS Certificates
Type Of TLS Certificates 1/2
TLS Certificates by Validation Level
■ Domain Validation TLS Certificates
■ Organization Validation TLS Certificates
■ Extended Validation TLS Certificates
Type Of TLS Certificates 2/2
TLS Certificates by Secured Domains
■ Single-name TLS Certificates
■ Wildcard TLS Certificates
■ Multi-Domain TLS Certificates
Free Certificates / Let’s Encrypt
Pros
■ Free (Accepts donations)
■ Sponsored by leading companies
Cons
■ TLS Configuration
■ Don’t provide wildcard certificates
■ Provide only domain-validated certificates. No future plans to provide
Organization Validation or Extended Validation Certificates.
■ Renewals
Free Certificates / Caddy Server
Pros
■ Free (Asks for donations)
■ Automatic Renewals
■ No TLS configuration
Cons
■ Don't provide wildcard certificates
■ Don't provide Organization Validation or Extended Validation Certificates.
■ It is the new kid in town.
HSTS
HSTS
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
max-age: in seconds
includeSubDomains: optional (recommended)
preload: optional
HSTS lets a website tell web browsers that it should only be communicated with
over HTTPS, never over plain HTTP.
Browsers that have seen the header no longer need an HTTP → HTTPS redirect.
chrome://net-internals/#hsts
Chrome HSTS Preload List
https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json
{ "name": "wikipedia.org", "include_subdomains": true, "mode": "force-https" },
{ "name": "www.facebook.com", "include_subdomains": true, "mode": "force-https", "pins": "facebook" },
{ "name": "facebook.com", "mode": "force-https", "pins": "facebook" },
{ "name": "twitter.com", "mode": "force-https", "pins": "twitterCom" },
{ "name": "www.twitter.com", "include_subdomains": true, "mode": "force-https", "pins": "twitterCom" },
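As an added example (not part of the deck), a small Python lookup over the five entries quoted above that answers the question the list exists for: is a given hostname forced to HTTPS by the preload list? It follows Chrome's matching rule as I understand it: an entry applies to its exact name, and to subdomains only when include_subdomains is set. The "pins" field is public-key pinning data and is ignored here. SAMPLE_ENTRIES and the function names are my own.

```python
# Entries copied from the preload list excerpt on the slide (a constructed
# subset; the real list is the JSON file linked above).
SAMPLE_ENTRIES = [
    {"name": "wikipedia.org", "include_subdomains": True, "mode": "force-https"},
    {"name": "www.facebook.com", "include_subdomains": True, "mode": "force-https", "pins": "facebook"},
    {"name": "facebook.com", "mode": "force-https", "pins": "facebook"},
    {"name": "twitter.com", "mode": "force-https", "pins": "twitterCom"},
    {"name": "www.twitter.com", "include_subdomains": True, "mode": "force-https", "pins": "twitterCom"},
]


def build_index(entries):
    """Map lower-cased names to their entries, keeping only force-https entries."""
    return {e["name"].lower().rstrip("."): e
            for e in entries if e.get("mode") == "force-https"}


def preload_entry_for(hostname, index):
    """Return the entry that forces HTTPS for hostname, or None.

    Walks from the exact host up through its parent domains. A parent
    domain's entry only applies when include_subdomains is set on it."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = index.get(candidate)
        if entry is None:
            continue
        if i == 0 or entry.get("include_subdomains", False):
            return entry
    return None


def is_forced_https(hostname, entries=SAMPLE_ENTRIES):
    """True when the preload list makes browsers use HTTPS for hostname."""
    return preload_entry_for(hostname, build_index(entries)) is not None


if __name__ == "__main__":
    for host in ("en.wikipedia.org", "facebook.com", "m.facebook.com", "api.twitter.com"):
        print(host, "->", is_forced_https(host))
```

Note the asymmetry the sample shows: facebook.com is listed without include_subdomains, so m.facebook.com is not covered by the preload list even though www.facebook.com and everything under it is. That is exactly the kind of gap a staging crawl of every hostname should reveal before relying on preload.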
Before Moving
Choose Well Your IT Infrastructure
https://istlsfastyet.com/
If Using SNI
Check Web Servers & Browsers Support
http://caniuse.com/#search=sni
Consider HTTP2
https://www.nginx.com/blog/supporting-http2-google-chrome-users/
Plan Only HTTPS Migration
https://www.seroundtable.com/google-url-structures-https-23084.html
No Access To Users & Bots
Get & Configure TLS Certificate On Staging Server
■ Certificate from a reliable CA offering technical support.
■ Choose a 2048-bit key.
Collect Data
■ Production Site’s Crawl
■ Staging Site’s Crawl
■ Analytics Tools e.g. Google Analytics
■ Google Search Console
■ Web Server Logs
■ External Links e.g. Majestic
Analyze Data (Production)
■ Error Pages
■ Crawl Waste
■ Low Quality Content Pages
■ Orphan Pages
Analyze Data (Staging)
On each page check
■ Status Code
■ Scheme (protocol) of the URL of the page
■ Scheme (protocol) of the URLs of the links and web assets (images, tracking,
ads, JS, etc.)
■ Canonical tag
■ Hreflang tag
■ Meta tags (e.g. noindex, nofollow)
■ HTTP Headers
■ Content
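The per-page checks above are mechanical, so here is an added Python example (mine, not from the deck) that runs them over one crawled page: it parses the HTML with the standard-library HTMLParser, resolves relative and protocol-relative URLs against the page URL, and reports http:// links, http:// assets (mixed content on an HTTPS page), an http:// canonical, http:// hreflang alternates, the robots meta tag and the HSTS header. The sample page, its headers and the hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PageCollector(HTMLParser):
    """Collects links, assets, canonical, hreflang and robots meta from one page."""

    def __init__(self):
        super().__init__()
        self.links, self.assets, self.hreflang = [], [], []
        self.canonical, self.robots = None, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("img", "script", "iframe", "video", "audio", "source") and a.get("src"):
            self.assets.append(a["src"])
        elif tag == "link" and a.get("href"):
            rel = (a.get("rel") or "").lower().split()
            if "canonical" in rel:
                self.canonical = a["href"]
            elif "alternate" in rel and a.get("hreflang"):
                self.hreflang.append((a["hreflang"], a["href"]))
            elif "stylesheet" in rel:
                self.assets.append(a["href"])
        elif tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.robots = a.get("content")


def check_page(url, status, headers, html):
    """Apply the staging checks to one crawled page; returns a findings dict."""
    page = _PageCollector()
    page.feed(html)

    def absolute(u):  # resolves "/x", "../x" and "//host/x" against the page URL
        return urljoin(url, u)

    def insecure(urls):
        return [absolute(u) for u in urls if urlsplit(absolute(u)).scheme == "http"]

    hdr = {k.lower(): v for k, v in headers.items()}
    return {
        "status": status,
        "page_scheme_ok": urlsplit(url).scheme == "https",
        "insecure_links": insecure(page.links),
        "mixed_content": insecure(page.assets),  # http:// assets on an https page
        "canonical_ok": page.canonical is not None
        and urlsplit(absolute(page.canonical)).scheme == "https",
        "insecure_hreflang": [(lang, absolute(h)) for lang, h in page.hreflang
                              if urlsplit(absolute(h)).scheme == "http"],
        "robots_meta": page.robots,
        "hsts": hdr.get("strict-transport-security"),
    }


# Constructed sample standing in for one record of a staging crawl.
SAMPLE_URL = "https://staging.example.com/en/page"
SAMPLE_STATUS = 200
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8",
                  "Strict-Transport-Security": "max-age=300"}
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://www.example.com/en/page">
<link rel="alternate" hreflang="fr" href="https://www.example.com/fr/page">
<link rel="alternate" hreflang="de" href="http://www.example.com/de/page">
<link rel="stylesheet" href="/static/site.css">
<meta name="robots" content="noindex">
<script src="http://tracking.example.net/t.js"></script>
</head><body>
<a href="/en/other">ok</a>
<a href="http://www.example.com/en/legacy">legacy</a>
<img src="//cdn.example.com/logo.png">
</body></html>"""


def check_sample():
    """Run the checks on the constructed sample page."""
    return check_page(SAMPLE_URL, SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_HTML)


if __name__ == "__main__":
    for key, value in check_sample().items():
        print(f"{key}: {value}")
```

On the sample, the protocol-relative image and the relative stylesheet resolve to https and pass, while the tracking script, the legacy link, the canonical and the German hreflang are flagged. The noindex meta is reported rather than judged, because on staging it may be deliberate; the point is that it must not survive into production.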
Prepare
■ Migration Section Planning (If moving in sections)
■ URL Mapping List
■ URL Monitoring List
■ Sitemaps (HTTP, HTTPS)
Check The TLS Certificate
https://www.sslshopper.com/ssl-checker.html#hostname=www.searchdatalogy.com
Check Common Configuration & Security Flaws
https://www.ssllabs.com/ssltest/analyze.html?d=www.searchdatalogy.com
Register
Google Search Console
https://example.com
https://www.example.com
https://m.example.com (If mobile on the origin)
https://en.example.com (If subdomains on the origin)
https://www.example.com/en/ (If directories on the origin)
Configure (On The Destination Site)
Google Search Console
Replicate Origin’s Configuration
■ URLs Parameters
■ Geotargeting
■ Disavow
■ Preferred domain
Submit Sitemaps
Analytics Tools e.g. Google Analytics Configuration
Ready?
Access To Users & Bots
Implement Redirects
HTTP → HTTPS
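An added Python example (mine, not the deck's) of how to verify the redirects once they are live, given the hops a crawler observed: an HTTP URL should reach its HTTPS twin in exactly one permanent (301 or 308) hop, with the same host, path and query, so that no chain, temporary redirect or URL change sneaks into the migration. The two chains are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed samples: each hop is (requested URL, status code, Location header).
GOOD_CHAIN = [("http://www.example.com/en/page?x=1", 301,
               "https://www.example.com/en/page?x=1")]
BAD_CHAIN = [
    ("http://www.example.com/old", 302, "http://www.example.com/en/page"),  # temporary, still http
    ("http://www.example.com/en/page", 301, "https://www.example.com/en/page"),
]

PERMANENT = (301, 308)


def check_redirect_chain(chain):
    """Return a list of problems for an HTTP -> HTTPS redirect chain (empty = OK)."""
    if not chain:
        return ["no redirect observed"]
    problems = []
    first = urlsplit(chain[0][0])
    final = urlsplit(chain[-1][2])
    if first.scheme != "http":
        problems.append("chain does not start at an http:// URL")
    if len(chain) > 1:
        problems.append(f"{len(chain)} hops instead of 1")
    for url, status, _location in chain:
        if status not in PERMANENT:
            problems.append(f"{url}: status {status}, expected 301")
    if final.scheme != "https":
        problems.append("final target is not https://")
    if (first.netloc.lower(), first.path, first.query) != \
            (final.netloc.lower(), final.path, final.query):
        problems.append("final target changes host, path or query")
    return problems


if __name__ == "__main__":
    print("good:", check_redirect_chain(GOOD_CHAIN) or "OK")
    print("bad:", check_redirect_chain(BAD_CHAIN))
```

The host/path/query comparison encodes the "HTTPS-only migration" advice from earlier in the deck: a redirect that also changes the URL structure is a second migration hiding inside the first.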
Data
Collect & Analyze
■ Production Site’s Crawl
■ Web Server Logs
■ Analytics Tools e.g. Google Analytics
Update URLS
■ Profile Links (e.g. Facebook, Twitter, LinkedIn)
■ Owned Media
■ Partner Sites
■ Ad Campaigns
After
Data
■ Production Site’s Crawl
■ Sitemaps Crawl
■ Web Server Logs
■ Analytics Tools e.g. Google Analytics
■ Google Search Console
■ External Links
Collect → Monitor → Analyze
Implement HSTS
■ Send the HSTS header with a short max-age.
Strict-Transport-Security: max-age=300; includeSubDomains
■ Increase the HSTS max-age gradually.
Strict-Transport-Security: max-age=86400; includeSubDomains
■ If there is no impact on the audience or on search engines, consider submitting
the site to the Chrome HSTS preload list.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
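Serving both the header-anatomy slide (HSTS section) and the rollout ladder above, an added Python example (mine, not the deck's) that parses a Strict-Transport-Security value into its directives, classifies it into the deck's rollout stages, and returns the next header on the ladder. Directive names are case-insensitive per the HSTS spec, max-age is required, and max-age=0 withdraws the policy. PRELOAD_MIN_MAX_AGE is the one-year value the slide uses, which is also what hstspreload.org currently requires; the preload list has further requirements (valid certificate, HTTP-to-HTTPS redirect on the bare domain) that this code cannot see, so "preload-ready" here means only that the header itself qualifies.

```python
PRELOAD_MIN_MAX_AGE = 31536000  # one year, as on the slide

# The deck's rollout ladder, from trial to preload-ready.
ROLLOUT_LADDER = [
    "max-age=300; includeSubDomains",
    "max-age=86400; includeSubDomains",
    "max-age=31536000; includeSubDomains; preload",
]


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False, "unknown": []}
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            value = value.strip().strip('"')  # the value may be quoted
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        else:
            result["unknown"].append(name)   # tolerated, as browsers do
    if result["max_age"] is None:
        raise ValueError("max-age is required")
    return result


def rollout_stage(header):
    """Classify a header into the deck's rollout stages."""
    h = parse_hsts(header)
    if h["max_age"] == 0:
        return "disabled"                     # max-age=0 tells browsers to forget the policy
    if h["preload"]:
        problems = []
        if h["max_age"] < PRELOAD_MIN_MAX_AGE:
            problems.append("max-age too short for preload")
        if not h["include_subdomains"]:
            problems.append("preload requires includeSubDomains")
        return "preload-ready" if not problems else "preload-invalid: " + "; ".join(problems)
    if h["max_age"] < 86400:
        return "trial"                        # short enough to roll back within a day
    return "ramping"


def next_rollout_header(current):
    """Return the next header on the ladder, or None at the top."""
    current_age = parse_hsts(current)["max_age"]
    for candidate in ROLLOUT_LADDER:
        if parse_hsts(candidate)["max_age"] > current_age:
            return candidate
    return None


if __name__ == "__main__":
    for header in ROLLOUT_LADDER + ["max-age=31536000; preload", "max-age=0"]:
        print(f"{header!r}: {rollout_stage(header)}; next: {next_rollout_header(header)}")
```

The reason the ladder starts at 300 seconds is the one thing a parser makes visible: every value is a promise browsers will keep for that long, so a mistake at max-age=31536000 on a subdomain that cannot serve HTTPS locks users out for a year, while the same mistake at max-age=300 clears itself in five minutes.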
“Protecting less sensitive sites strengthens the protections of more sensitive sites.”
https://https.cio.gov/
“The good we secure for ourselves is precarious and uncertain until it is secured for
all of us and incorporated into our common life.”
Jane Addams
