1) The document summarizes notes from Matt Ryan about his experience at WordCamp Philly 2015, where he learned about secure (HTTPS) connections on websites.
2) A key topic was the US government's requirement that all federal websites use HTTPS by December 2016 for security and privacy reasons. Google also plans to use HTTPS as a ranking signal.
3) The notes provide tips for setting up HTTPS certificates and moving existing sites to HTTPS, as well as resources for testing and obtaining affordable certificates. Matt plans to help his clients upgrade to HTTPS.
2. Advanced Topics in WordPress Development
- Andrew Nacin
❖ https - aka http over TLS
➢ Secure version of http
➢ Combination of http and Transport Layer Security (TLS)
➢ Secures the communication pipe NOT the endpoints
❖ https, TLS & SSL <> website security
3. What’s The Rush
“Agencies must make all existing websites
and services accessible through a secure
connection (HTTPS-only, with HSTS) by
December 31, 2016.”
❖ https://https.cio.gov/apis/ - US Gov’s memo on
requiring access to Federal sites to use secure connections
➢ web-friendly
❖ Google’s Webmaster Central blog - posted on August 06, 2014
“ … we're starting to use HTTPS as a ranking signal … ”
4. Tips to Get Started with https
❖ Determine kind of certificate needed (single, multiple, wildcard)
❖ 2048-bit key certificates
❖ Relative URLs for resources on same secure domain
❖ Protocol relative URLs for all other domains
❖ Check out Google’s Site move article for guidelines
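The two URL tips above, as an added example (not from the talk or the slides): a Python scan that finds hard-coded http:// resources in a page and suggests a relative URL for the site's own domain and a protocol-relative URL for any other domain. The host names and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags/attributes that typically load subresources (<a href> is navigation, not mixed content).
RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                  "link": "href", "source": "src", "audio": "src", "video": "src"}


class MixedContentFinder(HTMLParser):
    """Collect (tag, original_url, suggested_url) for hard-coded http:// resources."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name != wanted or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme.lower() != "http":
                continue  # already https, relative, or protocol-relative
            path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
            if (parts.hostname or "") == self.site_host:
                fixed = path                        # same domain: relative URL
            else:
                fixed = "//" + parts.netloc + path  # other domain: protocol-relative
            self.findings.append((tag, value, fixed))


def find_mixed_content(html, site_host):
    finder = MixedContentFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page for the hypothetical site example.com
SAMPLE = """
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css?ver=4.2">
<script src="http://cdn.example.net/jquery.js"></script>
<img src="/wp-content/uploads/logo.png">
<img src="https://static.example.org/badge.png">
<a href="http://example.com/about/">About</a>
"""

if __name__ == "__main__":
    for tag, old, new in find_mixed_content(SAMPLE, "example.com"):
        print(f"<{tag}> {old} -> {new}")
```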
5. Takeaways
❖ Move my clients to HTTPS
➢ Price not deciding factor
➢ Simplicity of installation
❖ Good sites
➢ ssllabs.com for testing
➢ sslmate.com for cost effective certs
❖ Volunteering was cool
➢ Good People && Fun && Different Perspective
7. Referenced Resources
Perez rant on SSL and website security => http://perezbox.com/2015/07/https-does-not-secure-your-website/#
Google’s Announcement of SSL as Ranking Component => http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html
Secure Your Site With HTTPS => https://support.google.com/webmasters/answer/6073543?utm_source=wmx_blog&utm_medium=referral&utm_campaign=tls_en_post
Move A Site With URL Changes => https://support.google.com/webmasters/answer/6033049?utm_source=wmx_blog&utm_medium=referral&utm_campaign=tls_en_post
Editor's Notes
Hi - my name is Matt Ryan. I’m here to share some nuggets of information I took away from WC Philly this year. It was my 2nd Philly WordCamp.
If you search through WordPress.TV or anywhere else you’ll find this same topic title used everywhere. Andrew says it is his “catch-all topic for challenging ideas”. It lets him adjust the content to topical discussions. What is https - secure version of http. Providing TLS encryption for the connection between your browser and the host endpoint. It does not ensure security at either endpoint. Prevents a successful man in the middle attack - everything is encrypted. This by itself is NOT website security.
Andrew referenced the US Gov’s work on the topic - especially close to his heart as he is on a sabbatical from wordpress.org working with the US Digital Service. Good web-friendly read on why feds mandate that their websites get secure. Mandate = Yes. By the end of next year.
About a year ago Google reported that it had started a project to tweak its algorithm and include https connections. It has been a successful test and continues. They have only said that it MAY become more heavily weighted in the future. They do offer a number of resources on how to make the change. I’ve referenced them at the end.
Some of the things I took away from the talk. Start moving my clients to HTTPS now. It may take time depending on the amount of testing and page address testing. When purchasing an SSL cert, price is not the deciding factor. GoDaddy’s single site cert at $55.99 is not functionally better than SSLmate’s at $15.95.
What? No t-shirt? Nope. Not this WC. Swag = portable power charger !!
Onward and upward.