HTTPS & HTTP/2
Matthew Walker
August 2016
Identity confirmation
Confidentiality
Integrity
Unlock new browser features
Small PageRank boost
HTTP/2
Geolocation
HTTP/2
getUserMedia()
Push notifications
Device motion / orientation
Encrypted media extensions
AppCache
Deprecating Non-Secure HTTP, Mozilla Security Blog, 20 April 2015. https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
Deprecating Powerful Features on Insecure Origins, The Chromium Projects. https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins
Past
• Hard to set up
• Expensive
• Only for ecommerce
Present
• Relatively easy to set up
• Certs start at $0
• All websites, all pages
Future
All HTTP sites will be specifically marked as insecure!
Marking HTTP As Non-Secure
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
The new normal
“Google estimates 25% of sites now use secure
connections. Google will work with some of the
non-secure top 100 sites on the web to help them
migrate to HTTPS.” -- March 2016
http://marketingland.com/google-estimates-25-sites-now-use-secure-connections-168763
• 301 redirects must be done right
• Dedicated IP means small hosting cost bump
• HTTPS over HTTP/1.1 is marginally slower
• One more thing to set up and pay for / screw up
HTTPS migrations lose PageRank (?)
301 redirects result in around a 15% loss of PageRank
No PageRank loss redirect HTTP -> HTTPS
301 Redirects Rules Change: What You Need to Know for SEO, Moz Blog, 1 August 2016. https://moz.com/blog/301-redirection-rules-for-seo
Set up your dev environment for certs
One time setup
sudo a2enmod ssl
sudo a2enmod headers
sudo vim /etc/apache2/apache2.conf
And add NameVirtualHost *:443 near the bottom.
sudo service apache2 restart
sudo mkdir /etc/apache2/ssl
Self-signed certs
Create a cert
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/[newsite].key -out /etc/apache2/ssl/[newsite].crt
[note: fill the Common Name in with the domain]
cd /etc/apache2/sites-available
sudo vim [newsite]
Duplicate the entire VirtualHost block and label it <VirtualHost *:443>
Put this at the bottom:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/[newsite].crt
SSLCertificateKeyFile /etc/apache2/ssl/[newsite].key
Free certs
https://letsencrypt.org/
https://www.startssl.com/
Secure all the things.
Every page. Every resource.
Phase 1
Search your templates and content for http:// and protocol-relative // URLs
Check canonical links use the full https:// URL
Check your sitemap and robots.txt
New property in Google Search Console
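The Phase 1 checks above, as an added example that is not part of the original slides: a small Python audit of a page's markup that flags http:// sub-resources (mixed content), protocol-relative // URLs, plain http:// hyperlinks, and a canonical link that is not a full https:// URL. The sample HTML is constructed for the example.

```python
from html.parser import HTMLParser

# Constructed sample page for this example (not from the slides): one http:// canonical link,
# one protocol-relative stylesheet, one http:// image and one http:// hyperlink.
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://example.com/page">
<link rel="stylesheet" href="//cdn.example.com/site.css">
<script src="https://example.com/app.js"></script>
</head><body>
<img src="http://example.com/logo.png">
<a href="http://example.com/other">other page</a>
</body></html>"""

# Tags whose src/href the browser fetches as a sub-resource of the page.
RESOURCE_TAGS = {"script", "img", "iframe", "link", "source", "video", "audio", "object"}


class _Collector(HTMLParser):
    """Record every start tag together with its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def audit_html(html):
    """Classify the URLs in a page the way the Phase 1 checklist asks for."""
    parser = _Collector()
    parser.feed(html)
    out = {"mixed": [], "protocol_relative": [], "http_links": [], "canonical_ok": None}
    for tag, attrs in parser.tags:
        url = attrs.get("src") or attrs.get("href") or ""
        if tag == "link" and (attrs.get("rel") or "").lower() == "canonical":
            out["canonical_ok"] = url.startswith("https://")  # must be the full https:// URL
        elif tag in RESOURCE_TAGS and url.startswith("http://"):
            out["mixed"].append((tag, url))  # mixed content: blocked or warned on an HTTPS page
        elif tag in RESOURCE_TAGS and url.startswith("//"):
            out["protocol_relative"].append((tag, url))  # works over HTTPS, but a grep for http:// misses it
        elif tag == "a" and url.startswith("http://"):
            out["http_links"].append(url)  # not mixed content, but costs a 301 hop once redirects exist
    return out


if __name__ == "__main__":
    for key, value in audit_html(SAMPLE_HTML).items():
        print(key, value)
```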
robots.txt
Sitemap: https://domain.com/sitemap.xml
Use TLS 1.0 / 1.1 / 1.2 only:
Test your setup: https://www.ssllabs.com/ssltest/index.html
How to disable SSL: https://www.digicert.com/ssl-support/apache-disabling-ssl-v3.htm
Phase 2
301 redirects HTTP -> HTTPS
HTTP -> HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
. is a regular expression, but we just want to match anything
L flag: stop processing further rules
R flag: redirect
If you already have domain name redirects….
RewriteEngine On
# Redirect to canonical
RewriteCond %{HTTP_HOST} ^domain\.com$ [NC]
RewriteRule . https://canonical.com%{REQUEST_URI} [L,R=301]
# Redirect to HTTPS
RewriteCond %{HTTPS} off
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
NC flag: case-insensitive
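An added example (not from the slides) that simulates the two rule sets above in Python so the redirect chain can be checked offline: canonical_rule and https_rule mirror the two RewriteCond/RewriteRule pairs, and follow() applies them the way [L] and a redirecting browser would, showing why the canonical redirect has to come first. The hostnames are the slide's placeholders; it assumes the rules match every request, including the site root, and that mod_rewrite passes the original query string through, which it does unless the substitution carries its own ?.

```python
from urllib.parse import urlsplit

# Hypothetical hostnames matching the slide: domain.com is an alias that should land on canonical.com.
CANONICAL_HOST = "canonical.com"
ALIAS_HOSTS = {"domain.com"}


def _to_https(parts, host):
    """Rebuild an https:// URL on the given host; the original query string is kept."""
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{host}{parts.path or '/'}{query}"


def canonical_rule(url):
    """RewriteCond %{HTTP_HOST} ^domain\\.com$ [NC] / RewriteRule . https://canonical.com%{REQUEST_URI} [L,R=301]"""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() in ALIAS_HOSTS:  # [NC]: case-insensitive host match
        return _to_https(parts, CANONICAL_HOST)
    return None


def https_rule(url):
    """RewriteCond %{HTTPS} off / RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]"""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return _to_https(parts, parts.netloc)
    return None


def follow(url, rules, limit=10):
    """Simulate a browser following 301s. For each request the rules run in order and the
    first match wins ([L]); the client then requests the new Location until no rule fires.
    Returns every URL requested, starting with the original one."""
    hops = [url]
    while len(hops) <= limit:
        for rule in rules:
            target = rule(hops[-1])
            if target:
                hops.append(target)
                break
        else:
            return hops  # no rule matched: final URL reached
    raise RuntimeError("redirect loop or chain too long")


if __name__ == "__main__":
    start = "http://domain.com/page?x=1"
    print(follow(start, [canonical_rule, https_rule]))  # slide order: a single hop
    print(follow(start, [https_rule, canonical_rule]))  # reversed order: two hops
```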
Secure your cookies:
<ifModule mod_headers.c>
Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
</ifModule>
HTTPOnly: the cookie cannot be read from JavaScript.
Secure: the browser only sends the cookie over HTTPS, never over plain HTTP.
HTTPS link to HTTP loses referrer by default
<meta name="referrer" content="origin-when-crossorigin">
The Meta Referrer Tag: An Advancement for SEO and the Internet. https://moz.com/blog/meta-referrer-tag
Phase 3
HSTS saves a round trip
HTTP/2 via a CDN
HSTS -- not done lightly!
<ifModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</ifModule>
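One added example (not from the slides) covering both the Set-Cookie rule in Phase 2 and the HSTS header above: a Python audit of a response's headers that reports cookies without Secure or HttpOnly and an HSTS policy that is missing, shorter than the slide's one year, or without includeSubDomains. It also shows an idempotent version of the Header edit substitution, which as written appends the two flags even to a cookie that already carries them (cookie attribute names are case-insensitive, so HTTPOnly and HttpOnly are equivalent). The sample headers are constructed.

```python
import re

# Constructed sample response headers for this example (not from the slides).
SAMPLE_HEADERS = [
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=300"),
]


def _cookie_attrs(value):
    """Lower-cased attribute names after the name=value pair (attribute names are case-insensitive)."""
    return {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}


def add_cookie_flags(value):
    """Same effect as the slide's Header edit Set-Cookie rule, but a flag the cookie
    already carries is not appended a second time."""
    present = _cookie_attrs(value)
    for flag in ("HttpOnly", "Secure"):
        if flag.lower() not in present:
            value += f"; {flag}"
    return value


def audit_headers(headers, min_hsts_age=31536000):
    """Findings for cookies without Secure/HttpOnly and for a missing or weak HSTS header."""
    findings, hsts = [], None
    for name, value in headers:
        if name.lower() == "set-cookie":
            attrs = _cookie_attrs(value)
            cookie = value.split("=", 1)[0].strip()
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} missing {flag}")
        elif name.lower() == "strict-transport-security":
            hsts = value
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
        return findings
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    age = int(m.group(1)) if m else 0
    if age < min_hsts_age:
        findings.append(f"HSTS max-age {age} below {min_hsts_age}")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings


if __name__ == "__main__":
    print(audit_headers(SAMPLE_HEADERS))
```

Roll HSTS out with a short max-age first: once a browser has stored the policy it refuses plain HTTP for that host (and, with includeSubDomains, every subdomain) until max-age expires.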
• https://www.httpvshttps.com/
• HTTPS unlocks HTTP/2
• 70% of websites using HTTP/2 are served via CloudFlare
• https://www.cloudflare.com/http2/
• Why Everyone Should Be Moving To HTTP/2 http://searchengineland.com/everyone-moving-http2-236716
CloudFlare
If you have https redirects, don’t use flexible!
HTTP/1.1 optimisations you don’t need anymore
• Domain sharding
• Image sprites
• Combined CSS and JS files
What about TTFB?
“I heard that the HTTP/2 TTFB (Time to First Byte), which is a measured metric in SEO and FEO, is sometimes seen higher than HTTP/1.1. What can be done to again have the TTFB measure be seen as on-par with HTTP/1.1?”
Catchpoint AMA on HTTP/2 with staff from Google, Akamai, CloudFlare, Catchpoint. http://pages.catchpoint.com/HTTP2-AMA-Registration.html
“I think that's a very good and important point. TTFB is important as a metric. If
you can make it faster, do so. That's just a good thing to optimize. You're right in
that just watching the TTFB is not indicative of when the content is painted to the
screen, which is ultimately what the user cares about. Not when they receive the
first byte, but when is the text showing up on the screen? I can show you plenty
of traces where I can see that, even if I compare the unencrypted version with
encrypted over HTTP/2, the time to first byte may be slower, but the page renders
faster, because we're able to leverage other features in HTTP/2 to fetch other
things faster, maybe using server push, so we don't have to do extra round trips.
One metric regresses, but the metric that you care about actually improves.”
-- Ilya Grigorik, Google
Is TLS Fast Yet? https://istlsfastyet.com/
Mythbusting HTTPS: Squashing security’s urban legends - Google I/O 2016 https://www.youtube.com/watch?v=YMfW1bfyGSY
Mozilla SSL Configuration Generator https://mozilla.github.io/server-side-tls/ssl-config-generator/
HTTP/2 For Web Developers https://blog.cloudflare.com/http-2-for-web-developers/
7 Tips for Faster HTTP/2 Performance https://www.nginx.com/blog/7-tips-for-faster-http2-performance/
Secure browsing by default https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920/
Websites Must Use HSTS in Order to Be Secure https://www.eff.org/deeplinks/2014/02/websites-hsts