wpnyc: moving your site to https

Moving your site to HTTPS

Upload: paul-schreiber

Post on 13-Jan-2017


TRANSCRIPT

Moving your site to HTTPS

Paul [email protected] @paulschreiber

15%

http://www.bbc.co.uk/ http://www.bbc.co.uk/persian/

HTTP 1991–2016

Marking HTTP As Non-Secure

We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015.

The goal of this proposal is to more clearly display to users that HTTP provides no data security.

Deprecating Non-Secure HTTP

Today we are announcing our intent to phase out non-secure HTTP.

There are two broad elements of this plan:

1. Setting a date after which all new features will be available only to secure websites

2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.

The HTTPS-Only Standard

All browsing activity should be considered private and sensitive.

—https.cio.gov

HTTPS

HTTP

HTTPS

2008: HTTPS is slow

2016: HTTPS is fast

HTTP 2.0

HTTPS

SHA-1

$ sslmate mkconfig

https://mozilla.github.io/server-side-tls/ssl-config-generator/

https://wordpress.org/plugins/wp-encrypt/

HTTPS enabled HTTPS default HSTS HSTS preload
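The four stages on this slide can be read straight off a site's responses: HTTPS answers at all, plain HTTP redirects to the https:// origin, the HTTPS response carries a Strict-Transport-Security header, and that header meets the preload list's requirements. The checker below is an added example, not code from the talk; it works on constructed response samples rather than live requests, and the preload threshold it uses (max-age of at least one year, includeSubDomains, preload) is an assumption taken from the preload list's published rules.

```python
"""Classify a site's HTTPS rollout stage from its HTTP and HTTPS responses.

Added example (not from the talk). Responses are dicts with a 'status' and a
'headers' dict whose keys are lower-cased; all samples below are constructed.
"""

# Assumption: hstspreload requires at least one year of max-age plus the
# includeSubDomains and preload directives.
PRELOAD_MIN_MAX_AGE = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797) into a dict."""
    parsed = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                parsed["max-age"] = int(val.strip().strip('"'))
            except ValueError:
                parsed["max-age"] = None  # malformed; treat as absent
        elif name == "includesubdomains":
            parsed["includeSubDomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed

def rollout_stage(http_response, https_response):
    """Return one of: 'no HTTPS', 'HTTPS enabled', 'HTTPS default', 'HSTS', 'HSTS preload'."""
    if https_response is None or https_response["status"] >= 400:
        return "no HTTPS"
    # "HTTPS default" means plain-HTTP requests are redirected to https://
    location = http_response["headers"].get("location", "")
    redirected = (http_response["status"] in (301, 302, 307, 308)
                  and location.lower().startswith("https://"))
    if not redirected:
        return "HTTPS enabled"
    hsts = https_response["headers"].get("strict-transport-security")
    if not hsts:
        return "HTTPS default"
    policy = parse_hsts(hsts)
    # max-age=0 (or a malformed value) tells browsers to forget the policy
    if policy["max-age"] is None or policy["max-age"] <= 0:
        return "HTTPS default"
    if (policy["max-age"] >= PRELOAD_MIN_MAX_AGE
            and policy["includeSubDomains"] and policy["preload"]):
        return "HSTS preload"
    return "HSTS"

def _http(status, location=None):
    headers = {"location": location} if location else {}
    return {"status": status, "headers": headers}

def _https(status, hsts=None):
    headers = {"strict-transport-security": hsts} if hsts else {}
    return {"status": status, "headers": headers}

# Constructed samples, one per stage of the rollout.
SAMPLES = {
    "none":     (_http(200), None),
    "enabled":  (_http(200), _https(200)),
    "default":  (_http(301, "https://example.com/"), _https(200)),
    "expired":  (_http(301, "https://example.com/"), _https(200, "max-age=0")),
    "hsts":     (_http(301, "https://example.com/"), _https(200, "max-age=10886400")),
    "preload":  (_http(301, "https://example.com/"),
                 _https(200, "max-age=63072000; includeSubDomains; preload")),
}

if __name__ == "__main__":
    for name, (http_resp, https_resp) in SAMPLES.items():
        print(f"{name:8s} -> {rollout_stage(http_resp, https_resp)}")
```

To use it against a real host, replace the constructed samples with the status and headers of a plain-HTTP and an HTTPS request to the same hostname; the stage logic does not change.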

content, comments, ads, social, analytics, CDNs, fonts

$ mixed-content-scan

Content-Security-Policy: upgrade-insecure-requests

Content-Security-Policy-Report-Only: default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://myserver.com/log-tool/

<script src="//google.com/… → <script src="https://googl…
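The three slides above describe one workflow: find every sub-resource an HTTPS page still loads over http:// or a protocol-relative // URL, then either rewrite the tag to an explicit https:// URL or let a Content-Security-Policy: upgrade-insecure-requests header do that rewrite in the browser. The scanner below is an added example written for this page, not the mixed-content-scan tool or any code from the talk; it uses only the Python standard library, runs over a constructed HTML page, and distinguishes active content (scripts, frames, stylesheets, plugins, which browsers block) from passive content (images and media, which browsers only warn about).

```python
"""Find mixed content in an HTML page served over HTTPS.

Added example, not code from the talk. Stdlib only; the sample page is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Sub-resource tags and the attributes they load from. Browsers block
# "active" mixed content and only warn on "passive" content; fix both.
ACTIVE = {"script": ("src",), "iframe": ("src",), "link": ("href",),
          "object": ("data",), "embed": ("src",)}
PASSIVE = {"img": ("src",), "audio": ("src",), "video": ("src", "poster"),
           "source": ("src",)}

def upgrade_url(url):
    """Per-URL effect of CSP upgrade-insecure-requests, applied statically:
    http:// becomes https:// and a protocol-relative // URL gets an explicit https: scheme."""
    if url.startswith("//"):
        return "https:" + url
    if url.lower().startswith("http://"):
        return "https://" + url[len("http://"):]
    return url

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute values may be None for bare attributes
        if tag in ACTIVE:
            kind, names = "active", ACTIVE[tag]
            # of the <link> variants, only stylesheets are active sub-resources here
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
                return
        elif tag in PASSIVE:
            kind, names = "passive", PASSIVE[tag]
        else:
            return  # <a href> navigations are not mixed content
        for name in names:
            url = attrs.get(name)
            if url:
                self._classify(tag, name, url.strip(), kind)

    def _classify(self, tag, attr, url, kind):
        scheme = urlsplit(urljoin(self.page_url, url)).scheme.lower()
        if url.startswith("//"):
            # resolves to https on this page, but only works if that host serves HTTPS
            status = "protocol-relative"
        elif scheme == "http":
            status = "insecure"
        elif scheme in ("https", "data", "blob"):
            return  # already secure, or relative to the https page
        else:
            status = "other-scheme"
        self.findings.append({"tag": tag, "attr": attr, "url": url, "kind": kind,
                              "status": status, "fix": upgrade_url(url)})

def scan(html, page_url="https://example.com/"):
    """Return a list of findings for every insecure or protocol-relative sub-resource."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed page: two active and two passive problems, plus resources that are fine.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="icon" href="http://cdn.example.net/favicon.ico">
<!-- protocol-relative script, as on the slide -->
<script src="//google.com/analytics.js"></script>
<script src="https://google.com/analytics.js"></script>
</head><body>
<img src="http://placehold.it/350x150">
<img src="/images/logo.png">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<video src="https://cdn.example.net/v.mp4" poster="http://cdn.example.net/p.jpg"></video>
<a href="http://hostname.com/">link</a>
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML):
        print(f"{f['kind']:7s} {f['status']:17s} <{f['tag']} {f['attr']}={f['url']}>  ->  {f['fix']}")
```

Run it over a saved copy of each template or page before flipping the site to HTTPS by default; the "fix" column is the explicit https:// URL to put in the markup, which is preferable to relying on the CSP upgrade header alone since older browsers ignore that directive.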

No HTTPS? Ask nicely.

No HTTPS?

SoundCite, placehold.it

mixed content

Akamai: http://hostname.com → https://a248.e.akamai.net/f/12/621/60d/hostname.com

moarTLS Analyzer

HTTPS Everywhere

Chrome

ssllabs.com/ssltest/

observatory.mozilla.org

hstspreload.appspot.com

badssl.com

securityheaders.io

report-uri.io

cspisawesome.com

httpswatch.com

google.com/transparencyreport/https/grid/

Many graphics from The Noun Project: Mountains by Chris Cole; Statue of Liberty by John Melven; Tombstone by Jakob Wells; Congress by Martha Ormiston; Shield by Wayne Thayer; Books by Ashley van Dyck; Snail by aLf; carrot by Creative Stall; Geolocation by Alexander Smith; Notification by vijay sekhar; Microphone by Edward Boatman; Video camera by Pham Thi Dieu Linh; Full screen by Garrett Knoll; Rotation by Lemon Liu; speedmeter by Michal Beno; layers by Muhamad Ulum; arrow by Maurizio Pedrazzoli; stick by Blaise Sewell; Server by Yazmin Alanis; SEO by Azis; Money by Nick Levesque; Shopping cart by Patrizia Daidone; Lock with keyhole by Brennan Novak; Scribble by Michael Chanover; Network by Stephen Boak; Hat based on work by Blake Kimmel; Warning by Icomatic; Error by Anas Ramadan.