#SMX #24A3 @patrickstox
The Good, the Bad, and the Terrifying
Better Safe Than Sorry With HTTPS
You Know You Should Have Switched, Right?
THE INFORMATION
HTTPS Everywhere: https://www.youtube.com/watch?v=cBhZ6S0PFCY
HTTPS as a Ranking Signal: https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html
HTTPS by Default: https://webmasters.googleblog.com/2015/12/indexing-https-pages-by-default.html
Then There’s This Guy
Google Wrote A Guide To Help
Securing Your Website With HTTPS: https://support.google.com/webmasters/answer/6073543
I Also Wrote A Guide To Help
HTTP to HTTPS: An SEO's guide to securing a website: http://searchengineland.com/http-https-seos-guide-securing-website-246940
John Mueller Wrote An FAQ
https://plus.google.com/+JohnMueller/posts/PY1xCWbeDVC
John Mueller Liked My Guide
Why Aren’t People Adopting?
Top Ranking Sites Are Adopting
@methode is Google Webmaster Trends Analyst Gary Illyes
Dr. Pete Meyers of Moz ran a test and showed that over 30% of first-page results were secure in June 2016: https://moz.com/blog/https-tops-30-how-google-is-winning-the-long-war
THE GOOD
What Does TLS Offer?
Authentication: this is who I'm supposed to be talking to (the certificate proves the server's identity).
Data Integrity: nobody is messing with my stuff in transit (a tampered record fails the integrity check and the connection is torn down).
Encryption: nobody is listening (the traffic is unreadable on the wire).
Referral Data
When going from HTTPS > HTTP, referral data is dropped. HTTPS > HTTPS, HTTP > HTTP, and HTTP > HTTPS DO pass the referrer.
Without this referral data, the traffic looks like direct traffic.
This accounts for a lot of what people call "Dark Traffic" and "Dark Social". Switching to HTTPS fixes some of these attribution errors.
Referrer passed? (row: the page with the link; column: the page it links to)
From \ To   HTTP   HTTPS
HTTP        Yes    Yes
HTTPS       No     Yes
Moving To HTTPS Is A Website Migration
Read any of the guides out there. They make it sound so easy, because it can be.
Free Certificates
Let's Encrypt: https://letsencrypt.org/
Hosts are offering them
CDNs are offering them
AMP
What's the one thing everyone knows about AMP?
It's FAST, right? But why?
HTTP/2 – So Much Goodness
Single Connection. Only one connection to the server is used to load a website, and that connection stays open as long as the website is open. This cuts the round trips spent setting up multiple TCP connections (and, over HTTPS, multiple TLS handshakes).
Multiplexing. Multiple requests are in flight at the same time, on the same connection. With HTTP/1.1, each transfer on a connection had to wait for the one before it to complete.
Server Push. Additional resources can be sent to a client for future use, before the client asks for them.
HTTP/2 – Even More Goodness
Prioritization. Requests carry dependencies and weights that the server can use to deliver higher-priority resources first.
Binary. Binary framing makes HTTP/2 easier for a server to parse, more compact and less error-prone than HTTP/1.1's text format.
Header Compression. HTTP/2 uses HPACK compression, which reduces overhead: in HTTP/1.1 many headers were sent with the same values in every request. CloudFlare saw a 30% reduction in header size.
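The header-compression point is easiest to see in bytes. What follows is an added example written for this page, not code from the deck, from CloudFlare or from any HTTP/2 stack: a deliberately minimal HPACK encoder and decoder. It carries only a handful of static-table entries (the indices are the ones in RFC 7541 Appendix A), sends strings raw instead of Huffman-coded, and never evicts from the dynamic table; those are assumptions to keep it short, not how a real implementation behaves. It encodes the same constructed request twice on one connection: the first copy sends the two values that are not in the static table as literals and adds them to the dynamic table, and the second copy costs one byte per header field.

```python
# Minimal HPACK (RFC 7541) encoder/decoder, enough to show why repeated
# request headers cost almost nothing on an HTTP/2 connection.
# Assumptions: a subset of the static table, no Huffman coding, no eviction.

STATIC = {  # subset of RFC 7541 Appendix A; indices are the real ones
    1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
    4: (":path", "/"), 6: (":scheme", "http"), 7: (":scheme", "https"),
    16: ("accept-encoding", "gzip, deflate"), 38: ("host", ""), 58: ("user-agent", ""),
}
STATIC_SIZE = 61  # the full static table has 61 entries; dynamic entries start at 62


def encode_int(value, prefix_bits, flags=0):
    """HPACK integer with an N-bit prefix (RFC 7541 s5.1); `flags` fills the top bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value % 128) | 0x80)  # continuation bit set
        value //= 128
    out.append(value)
    return bytes(out)


def decode_int(data, pos, prefix_bits):
    """Inverse of encode_int; returns (value, position after the integer)."""
    limit = (1 << prefix_bits) - 1
    value = data[pos] & limit
    pos += 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b = data[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_str(s):
    b = s.encode()
    return encode_int(len(b), 7) + b  # H bit = 0: raw octets, no Huffman


def decode_str(data, pos):
    if data[pos] & 0x80:
        raise NotImplementedError("Huffman-coded strings are not handled in this example")
    n, pos = decode_int(data, pos, 7)
    return data[pos:pos + n].decode(), pos + n


class Encoder:
    def __init__(self):
        self.dynamic = []  # most recently added first, as in the spec

    def _find(self, name, value):
        """(index of an exact match or None, index of a name-only match or 0)."""
        exact, name_only = None, 0
        for i, (n, v) in STATIC.items():
            if n == name:
                name_only = name_only or i
                if v == value:
                    exact = i
        for j, (n, v) in enumerate(self.dynamic):
            if n == name:
                name_only = name_only or STATIC_SIZE + 1 + j
                if v == value:
                    exact = exact or STATIC_SIZE + 1 + j
        return exact, name_only

    def encode(self, headers):
        out = bytearray()
        for name, value in headers:
            exact, name_idx = self._find(name, value)
            if exact is not None:
                out += encode_int(exact, 7, 0x80)  # indexed field: 1xxxxxxx, one byte here
                continue
            out += encode_int(name_idx, 6, 0x40)   # literal with incremental indexing: 01xxxxxx
            if name_idx == 0:
                out += encode_str(name)
            out += encode_str(value)
            self.dynamic.insert(0, (name, value))  # both sides add it at index 62
        return bytes(out)


class Decoder:
    def __init__(self):
        self.dynamic = []

    def _lookup(self, idx):
        if idx <= STATIC_SIZE:
            return STATIC[idx]  # KeyError outside the subset this example carries
        return self.dynamic[idx - STATIC_SIZE - 1]

    def decode(self, data):
        headers, pos = [], 0
        while pos < len(data):
            b = data[pos]
            if b & 0x80:
                idx, pos = decode_int(data, pos, 7)
                headers.append(self._lookup(idx))
            elif b & 0x40:
                idx, pos = decode_int(data, pos, 6)
                if idx:
                    name = self._lookup(idx)[0]
                else:
                    name, pos = decode_str(data, pos)
                value, pos = decode_str(data, pos)
                self.dynamic.insert(0, (name, value))
                headers.append((name, value))
            else:
                raise NotImplementedError("other representations are not produced by this encoder")
        return headers


def http1_header_bytes(headers):
    """Size of the same fields written as HTTP/1.1 text lines, for comparison."""
    return sum(len(f"{n}: {v}\r\n") for n, v in headers)


REQUEST = [  # constructed sample request headers
    (":method", "GET"), (":scheme", "https"), (":path", "/"),
    (":authority", "www.example.com"), ("user-agent", "Mozilla/5.0"),
]

if __name__ == "__main__":
    enc, dec = Encoder(), Decoder()
    first, second = enc.encode(REQUEST), enc.encode(REQUEST)
    assert dec.decode(first) == REQUEST and dec.decode(second) == REQUEST
    print("HTTP/1.1 text:", http1_header_bytes(REQUEST), "bytes")
    print("HPACK first request:", len(first), "bytes; repeat:", len(second), "bytes")
```

Run it as a script to see the HTTP/1.1 text size beside both HPACK sizes. A production decoder must also handle the literal-without-indexing, never-indexed and table-size-update forms and Huffman strings, and must enforce the dynamic table size limit (4,096 bytes by default) so that a peer cannot grow its memory without bound.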
HTTP/2 – Read About It
http://searchengineland.com/everyone-moving-http2-236716
Mobify's Mobile Test
• For every 100ms decrease in homepage load speed, Mobify's customer base saw a 1.11% lift in session-based conversion, amounting to an average annual revenue increase of $376,789.
• For every 100ms decrease in checkout page load speed, Mobify's customers saw a 1.55% lift in session-based conversion, amounting to an average annual revenue increase of $526,147.
• Shoppers browse more on faster mobile websites.
• An increase of one pageview per user results in a 5.17% lift in user-based conversion, i.e. for each additional page viewed per user, Mobify saw their average customer's annual revenue increase by $398,484.
THE BAD
Referral Data – Didn't We Say This Was Good?
What if you're a website that makes money by sending people from your website to another website? Affiliates, directories, niche magazines.
You need that referral data to prove your value!
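Both referrer slides, the table in the good section and the affiliate problem here, describe the browser's default Referrer-Policy of the time, no-referrer-when-downgrade (current browsers default to strict-origin-when-cross-origin). The policy is under the site's control through the Referrer-Policy response header or a meta referrer tag, so a site that lives on sending traffic to HTTP partners can choose a different trade-off instead of losing attribution. This added example (mine, not from the deck) implements the decision for every policy value in the spec and reproduces the slide's table from it; the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Referrer-Policy values from the W3C Referrer Policy spec. The browsers of
# the deck's era applied "no-referrer-when-downgrade" by default, which is
# exactly the slide's table; current browsers default to
# "strict-origin-when-cross-origin".
POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)
DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_port(u):
    """host[:port], omitting the scheme's default port so origins compare equal."""
    port = u.port or DEFAULT_PORTS.get(u.scheme)
    host = u.hostname or ""
    return host if port == DEFAULT_PORTS.get(u.scheme) else f"{host}:{port}"


def _strip_for_referrer(url):
    """Drop credentials and fragment, as the spec does before sending a URL as referrer."""
    u = urlsplit(url)
    return u._replace(netloc=_host_port(u), fragment="").geturl()


def _origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{_host_port(u)}/"


def referrer_for(source, destination, policy="no-referrer-when-downgrade"):
    """Referer value the browser sends when a page at `source` links to `destination`, or None."""
    s, d = urlsplit(source), urlsplit(destination)
    downgrade = s.scheme == "https" and d.scheme == "http"   # the case the slide's table is about
    same_origin = (s.scheme, _host_port(s)) == (d.scheme, _host_port(d))
    full, origin = _strip_for_referrer(source), _origin(source)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin                      # origin only, even on a downgrade
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    if policy == "unsafe-url":
        return full                        # full URL, including query string, in the clear
    raise ValueError(f"unknown policy {policy!r}")


def referral_matrix(policy="no-referrer-when-downgrade"):
    """The slide's table: does any referrer arrive, by source and destination scheme?"""
    return {
        (src, dst): referrer_for(f"{src}://source.example/page?id=7",   # constructed URLs
                                 f"{dst}://dest.example/", policy) is not None
        for src in ("http", "https") for dst in ("http", "https")
    }


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:32}", referrer_for("https://shop.example/cat?x=1#top",
                                           "http://partner.example/", policy))
```

For an affiliate that must keep proving its value to HTTP destinations, origin-when-cross-origin sends the origin on the downgrade while keeping full URLs for same-origin navigation; unsafe-url keeps the old full-URL behaviour but puts your paths and query strings on the wire in the clear for every link you publish, which is the reason browsers dropped them in the first place.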
Moving To HTTPS Is A Website Migration
Hard Mode
Load balancers, CDNs, legacy infrastructure, legacy software, multiple CMS systems, routing, APIs.
Moving to HTTPS, a new CMS, bringing in outside domains, new taxonomy, new content, killing old content, redirects, redirects, and more redirects.
Is It Harder For Bigger Companies?
There's a difference between getting it done and getting it done correctly.
There are some hard choices that people aren't willing to make, like changing providers, upgrading systems, or just killing things off.
Making The Switch To HTTPS Can Go Wrong, Ask Buffer
Wired's Transition To HTTPS
https://www.wired.com/2016/05/wired-first-big-https-rollout-snag
https://www.wired.com/2016/08/wired-https-progress/
Chrome
https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
Chrome is moving toward labelling all HTTP pages "Not secure", starting with pages that collect passwords or credit card details.
LinksSpy Analyzed 10,000 Top Domains
They looked at accessibility via HTTP and HTTPS, redirects, and status codes.
• 1 in 10 websites had what they considered a flawless HTTPS setup.
• 60% of the websites tested have no HTTPS whatsoever (increasing to over 65% when taking into account websites with errors in their SSL setup).
• Almost 1 in 4 domains were missing a canonical HTTPS version.
• Almost 1 in 4 domains were using 302 (temporary) redirects instead of 301 (permanent) redirects.
• Even Google can't be bothered to use permanent redirects and uses temporary redirects (HTTP status code 302) instead.
THE TERRIFYING
TLS SNI
Do you want to be de-indexed by Bing and Baidu?
If several sites share one IP address, the server can only pick the right certificate if the client names the host in the TLS handshake (Server Name Indication). A crawler that doesn't send SNI gets the IP's default certificate instead, fails validation, and can't fetch your site.
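As an added illustration (my code, not from the deck or from any crawler or TLS library), here is what the server side of that handshake sees. It builds a constructed ClientHello for a hostname, with or without the server_name extension, then parses the name back out of the raw record, which is also what a network monitor does to log which sites clients talk to. The last function is name-based virtual hosting in one line: no SNI means the default certificate for the IP, which on a shared host is usually somebody else's. The certificate names are placeholders.

```python
import struct


def build_client_hello(hostname, with_sni=True):
    """Constructed TLS ClientHello record (random and session id are zeros)."""
    body = b"\x03\x03" + bytes(32)                # client_version TLS 1.2 + random
    body += b"\x00"                               # session_id length 0
    suites = b"\x13\x01\x13\x02\xc0\x2f"          # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, ECDHE-RSA-AES128-GCM-SHA256
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                           # one compression method: null
    exts = struct.pack("!HH", 0x0017, 0)          # extended_master_secret, empty: the parser has to skip it
    if with_sni:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type server_name(0)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello with 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None.

    None also covers truncated or non-TLS input; a real parser would keep the
    reasons apart, but the server's decision is the same either way.
    """
    try:
        if record[0] != 0x16:                     # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                         # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                              # skip version and random
        pos += 1 + body[pos]                      # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                      # compression methods
        if pos + 2 > len(body):                   # no extensions block at all
            return None
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= list_end:
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                value = data[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if ntype == 0 and len(value) == nlen:
                    return value.decode("idna")
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


CERTS = {  # placeholder certificate handles for two sites on one shared IP
    "shop.example": "cert-for-shop.example",
    "blog.example": "cert-for-blog.example",
}


def select_certificate(record, certs=CERTS, default="cert-for-the-ip-default"):
    """What a name-based virtual host does: certificate by SNI, else the IP's default."""
    return certs.get(extract_sni(record), default)


if __name__ == "__main__":
    for with_sni in (True, False):
        hello = build_client_hello("blog.example", with_sni)
        print("SNI:", extract_sni(hello), "-> serves", select_certificate(hello))
```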
Injection
Happens all the time with hotel chains, airlines and ISPs.
AT&T Injecting Ads: http://webpolicy.org/2015/08/25/att-hotspots-now-with-advertising-injection/
Comcast blocking VPN Traffic: https://blog.wjd.io/comcast-blocks-vpn-traffic
Comcast again Injecting Ads ------------
Headline
Injection Is Scary Enough, Censorship Is Terrifying
Think what could happen when a country controls the data, i.e. the Great Firewall.
Or How About Attacks?
Did you know GitHub was DDoS attacked? The attackers hijacked plain-HTTP connections to Baidu and replaced the Baidu tracking script with malicious JavaScript that made every visitor's browser hammer two GitHub projects focused on Chinese anti-censorship. http://www.infoworld.com/article/2903533/security/github-still-recovering-from-massive-ddos-attacks.html
Many Apps Send Data Over HTTP
They ask for so many permissions and then they do something like this. It's one of the most terrifying things I've seen in my life.
Sending Your Data Openly is Scary
But more than likely your data was already stolen in one of the many data breaches: https://haveibeenpwned.com/
Just Because Your Site Shows Secure, Not Everything Is
Router. Modem. ISP. What else is between the person and the server or CDN?
Troy Hunt Is My Hero
https://www.troyhunt.com/understanding-http-strict-transport/
He takes a Wifi Pineapple with him and shows how websites not using HSTS (where the first request is still plain HTTP) can be hijacked once the victim is connected to your wifi.
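To make the mechanism concrete, here is an added example (written for this page, not Troy Hunt's code or any browser's) of what a browser keeps once it has seen a Strict-Transport-Security header: a parser for the header value per RFC 6797 and a small store that upgrades http:// URLs for known hosts before they are sent. The clock is injectable so expiry can be exercised; the hostnames and header values are constructed. The first check in `observe` is the whole point of the Pineapple demo: the header only counts when it arrived over HTTPS, so a user who has never completed a secure visit has nothing in the store and the first request goes out in the clear. The preload list exists to close exactly that gap.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 s6.1).

    Returns {"max_age", "include_subdomains", "preload"} or None when the value
    is invalid (missing max-age, or a directive repeated); a browser ignores an
    invalid header entirely, which is a silent way to lose the protection.
    """
    max_age, include_sub, preload, seen = None, False, False, set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:
            return None                  # a repeated directive makes the header invalid
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True               # only meaningful once submitted to the browser preload list
        # unknown directives are ignored, per the RFC
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub, "preload": preload}


class HstsStore:
    """A browser's HSTS cache: host -> (expiry, include_subdomains)."""

    def __init__(self, now=time.time):
        self.now = now
        self.entries = {}

    def observe(self, url, header_value):
        """Record a response's STS header. Returns True if it changed the cache."""
        u = urlsplit(url)
        if u.scheme != "https":
            return False                 # RFC 6797 s8.1: STS over plain HTTP is ignored; that first plain request is the attacker's window
        info = parse_hsts(header_value)
        if info is None or not u.hostname:
            return False
        host = u.hostname.lower()
        if info["max_age"] == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = (self.now() + info["max_age"], info["include_subdomains"])
        return True

    def is_known(self, host):
        host, t = host.lower(), self.now()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > t and (i == 0 or entry[1]):
                return True              # exact match, or a parent with includeSubDomains
        return False

    def rewrite(self, url):
        """What the browser does before sending: upgrade http:// to https:// for known hosts."""
        u = urlsplit(url)
        if u.scheme != "http" or not self.is_known(u.hostname or ""):
            return url
        netloc = u.hostname if u.port in (None, 80) else u.netloc   # port 80 becomes 443, the https default
        return urlunsplit(("https", netloc, u.path, u.query, u.fragment))


if __name__ == "__main__":
    store = HstsStore()
    print(store.rewrite("http://www.example.com/login"))     # first visit: still plain HTTP
    store.observe("https://www.example.com/", "max-age=31536000; includeSubDomains")
    print(store.rewrite("http://www.example.com/login"))     # now upgraded before it leaves the browser
```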
THE IMPROVEMENTS
TLS Improvements By Server
TLS Improvements By CDN
https://istlsfastyet.com/
Performance Resources
High Performance Browser Networking by Ilya Grigorik: http://chimera.labs.oreilly.com/books/1230000000545
OpenSSL Cookbook & Bulletproof SSL and TLS by Ivan Ristic: https://www.feistyduck.com/books/openssl-cookbook/ and https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
Mozilla Server Side TLS: https://wiki.mozilla.org/Security/Server_Side_TLS
Test Your Server
https://www.ssllabs.com/ssltest/
They also have a best practice guide: https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
LEARN MORE: UPCOMING @SMX EVENTS
THANK YOU! SEE YOU AT THE NEXT #SMX