Better Safe Than Sorry with HTTPS - SMX East 2016 - Patrick Stox
Download as PPTX, PDF0 likes22,375 views
This document discusses the benefits and challenges of adopting HTTPS. It begins by outlining the key benefits of HTTPS such as authentication, data integrity, encryption and HTTP/2 improvements. However, it also acknowledges challenges including retaining referral data, the technical difficulties of migrating sites to HTTPS, and potential security risks if not implemented correctly. The document provides various resources for learning more about HTTPS best practices and testing site implementations.
Better Safe Than Sorry with HTTPS - SMX East 2016 - Patrick Stox
- 1. #SMX #24A3 @patrickstox The Good, the Bad, and the Terrifying Better Safe Than Sorry With HTTPS
- 2. #SMX #24A3 @patrickstox You Know You Should Have Switched Right?
- 3. #SMX #24A3 @patrickstox THE INFORMATION
- 4. #SMX #24A3 @patrickstox HTTPS Everywhere https://www.youtube.com/watch?v=cBhZ6S0PFCY HTTPS as a Ranking Signal https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html HTTPS by Default https://webmasters.googleblog.com/2015/12/indexing-https-pages-by-default.html
- 5. #SMX #24A3 @patrickstox Then There’s This Guy
- 6. #SMX #24A3 @patrickstox Securing Your Website With HTTPS https://support.google.com/webmasters/answer/6073543 Google Wrote A Guide To Help
- 7. #SMX #24A3 @patrickstox HTTP to HTTPS: An SEO’s guide to securing a website http://searchengineland.com/http-https-seos-guide-securing-website-246940 I Also Wrote A Guide To Help
- 8. #SMX #24A3 @patrickstox https://plus.google.com/+JohnMueller/posts/PY1xCWbeDVC John Mueller Wrote An FAQ
- 9. #SMX #24A3 @patrickstox John Mueller Liked My Guide
- 10. #SMX #24A3 @patrickstox Why Aren’t People Adopting?
- 11. #SMX #24A3 @patrickstox Top Ranking Sites Are Adopting @methode is Google Webmaster Trends Analyst Gary Illyes Dr. Pete Meyers of Moz ran a test and showed over 30% of first page results were secure in June 2016. https://moz.com/blog/https-tops-30-how-google-is-winning-the-long-war
- 12. #SMX #24A3 @patrickstox THE GOOD
- 13. #SMX #24A3 @patrickstox Authentication This is who I’m supposed to be talking to Data Integrity Who is messing with my stuff Encryption Who is listening What Does TLS Offer?
- 14. #SMX #24A3 @patrickstox When going from HTTPS > HTTP, referral data is dropped. HTTPS > HTTPS, HTTP > HTTP, and HTTP > HTTPS DO pass the value. This accounts for a lot of what people call “Dark Traffic” and “Dark Social”. Switching to HTTPS fixes some of these attribution errors. Without this referral data, the traffic looks like it’s direct traffic. Referral Data HTTP HTTPS HTTP Yes Yes HTTPS No Yes
- 15. #SMX #24A3 @patrickstox Read any of the guides out there. They make it sound so easy because it can be. Moving To HTTPS Is A Website Migration
- 16. #SMX #24A3 @patrickstox Let’s Encrypt https://letsencrypt.org/ Hosts are offering them CDNs are offering them Free Certificates
- 17. #SMX #24A3 @patrickstox What’s the one thing everyone knows about AMP? It’s FAST right, but why? AMP
- 18. #SMX #24A3 @patrickstox Single Connection. Only one connection to the server is used to load a website, and that connection remains open as long as the website is open. This reduces the number of round trips needed to set up multiple TCP connections. Multiplexing. Multiple requests are allowed at the same time, on the same connection. Previously, with HTTP/1.1, each transfer would have to wait for other transfers to complete. Server Push. Additional resources can be sent to a client for future use. HTTP/2 – So Much Goodness
- 19. #SMX #24A3 @patrickstox Prioritization. Requests are assigned dependency levels that the server can use to deliver higher priority resources faster. Binary. Makes HTTP/2 easier for a server to parse, more compact and less error-prone. No additional time is wasted translating information from text to binary, which is the computer’s native language. Header Compression. HTTP/2 uses HPACK compressions, which reduces overhead. Many headers were sent with the same values in every request in HTTP/1.1. CloudFlare saw a 30% reduction in size. HTTP/2 – Even More Goodness
- 20. #SMX #24A3 @patrickstox http://searchengineland.com/everyone-moving-http2-236716 HTTP/2 – Read About It
- 21. #SMX #24A3 @patrickstox • For every 100ms decrease in homepage load speed, Mobify's customer base saw a 1.11% lift in session based conversion, amounting to an average annual revenue increase of $376,789 • For every 100ms decrease in checkout page load speed, Mobify's customers saw a 1.55% life in session based conversion, amounting to an average annual revenue increase of $526,147 • Shoppers browse more on faster mobile websites • An increase of one pageview per user results in a 5.17% lift in user based conversion, i.e. for each additional page viewed per user, Mobify saw their average customer's annual revenue increase by: $398,484 Mobify’s Mobile Test
- 22. #SMX #24A3 @patrickstox THE BAD
- 23. #SMX #24A3 @patrickstox What if you’re a website who makes money by sending people from your website to another website? Affiliates, Directories, Niche Magazines. You need that referral data to prove your value! Referral Data – Didn’t We Say This Was Good?
- 24. #SMX #24A3 @patrickstox Hard Mode Load balancers, CDNs, legacy infrastructure, legacy software, multiple CMS systems, routing, APIs Moving to HTTPS, a new CMS, bringing in outside domains, new taxonomy, new content, killing old content, redirects, redirects, and more redirects Moving To HTTPS Is A Website Migration
- 25. #SMX #24A3 @patrickstox There’s a difference between getting it done and getting it done correctly. There’s some hard choices that people aren’t willing to make like changing providers, upgrading systems, or just killing off things. Is It Harder For Bigger Companies?
- 26. #SMX #24A3 @patrickstox Making The Switch To HTTPS Can Go Wrong, Ask Buffer
- 27. #SMX #24A3 @patrickstox https://www.wired.com/2016/05/wired-first- big-https-rollout-snag https://www.wired.com/2016/08/wired-https- progress/ Wired’s Transition To HTTPS
- 29. #SMX #24A3 @patrickstox They looked at accessibility via HTTP and HTTPS, redirects, and status codes. • 1 in 10 websites had what they considered a flawless HTTPS setup. • 60% of the websites tested have no HTTPS whatsoever (increasing to over 65% when taking into account websites with errors in SSL setup). • Almost 1 in 4 domains were missing a canonical HTTPS version. • Almost 1 in 4 domains were using 302 (temporary) redirects instead of 301 (permanent) redirects. • Even Google can’t be bothered to use permanent redirects and uses temporary redirects (HTTP status code 302) instead. LinksSpy Analyzed 10,000 Top Domains
- 30. #SMX #24A3 @patrickstox THE TERRIFYING
- 31. #SMX #24A3 @patrickstox Do you want to be de-indexed by Bing and Baidu? TLS SNI
- 32. #SMX #24A3 @patrickstox Injection Happens all the time with hotel chains, airlines and ISPs. AT&T Injecting Ads http://webpolicy.org/2015/08/25/att-hotspots-now-with- advertising-injection/ Comcast blocking VPN Traffic https://blog.wjd.io/comcast-blocks-vpn-traffic Comcast again Injecting Ads ------------
- 34. #SMX #24A3 @patrickstox Think what could happen when a country controls the data. i.e. The Great Firewall Injection Is Scary Enough, Censorship Is Terrifying
- 35. #SMX #24A3 @patrickstox Did you know GitHub was DDoS attacked. The attackers hijacked HTTP connections and rewrote the Baidu tracking code with malicious JS that attacked two GitHub projects that focused on Chinese anti-censorship. http://www.infoworld.com/article/2903533/security/github-still-recovering-from-massive- ddos-attacks.html Or How About Attacks?
- 36. #SMX #24A3 @patrickstox Many Apps Send Data Over HTTP They ask for so many permissions and then they do something like this. It’s one of the most terrifying things I’ve seen in my life.
- 37. #SMX #24A3 @patrickstox But more than likely your data was already stolen in one of the many data breaches: https://haveibeenpwned.com/ Sending Your Data Openly is Scary
- 38. #SMX #24A3 @patrickstox Router Modem ISP What else is between the person and the server or CDN? Just Because Your Site Shows Secure, Not Everything Is
- 39. #SMX #24A3 @patrickstox https://www.troyhunt.com/understanding-http-strict-transport/ The guy takes a Wifi Pineapple with him and shows how websites not using HSTS, i.e. the first request is still HTTP, can be hijacked if they’re connected to your wifi. Troy Hunt Is My Hero
- 40. #SMX #24A3 @patrickstox THE IMPROVEMENTS
- 41. #SMX #24A3 @patrickstox https://istlsfastyet.com/ TLS Improvements By Server
- 42. #SMX #24A3 @patrickstox https://istlsfastyet.com/ TLS Improvements By CDN
- 43. #SMX #24A3 @patrickstox High Performance Browser Networking by Ilya Grigorik http://chimera.labs.oreilly.com/books/1230000000545 OpenSSL Cookbook & Bulletproof SSL and TLS by Ivan Ristic https://www.feistyduck.com/books/openssl-cookbook/ https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ https://wiki.mozilla.org/Security/Server_Side_TLS Performance Resources
- 44. #SMX #24A3 @patrickstox https://www.ssllabs.com/ssltest/ They also have a best practice guide: https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices Test Your Server
- 45. #SMX #24A3 @patrickstox LEARN MORE: UPCOMING @SMX EVENTS THANK YOU! SEE YOU AT THE NEXT #SMX