https and http/2
TRANSCRIPT
HTTPS & HTTP/2M a t t h e w W a l k e r
A u g u s t 2 0 1 6
Identity confirmation
Confidentiality
Integrity
Unlock new browser features
Small PageRank boost
HTTP/2
Geolocation
HTTP/2
getUserMedia()
Push notifications
Device motion / orientation
Encrypted media extensions
AppCacheDeprecating Non-Secure HTTP, Mozilla Security Blog, 20 April 2015.https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
Deprecating Powerful Features on Insecure Origins, The Chromium Projectshttps://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins
Past
• Hard to set up
• Expensive
• Only for ecommerce
Present
• Relatively easy to set up
• Certs start at $0
• All websites, all pages
Future
All HTTP sites will be
specifically marked as insecure!
Marking HTTP As Non-Secure
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
The new normal
“Google estimates 25% of sites now use secure
connections. Google will work with some of the
non-secure top 100 sites on the web to help them
migrate to HTTPS.” -- March 2016
http://marketingland.com/google-estimates-25-sites-now-use-
secure-connections-168763
• 301 redirects must be done right
• Dedicated IP means small hosting cost bump
• HTTPS over HTTP/1.1 is marginally slower
• One more thing to set up and pay for / screw up
HTTPS migrations lose PageRank (?)
301 redirects result in around a 15% loss of PageRank
No PageRank loss redirect HTTP -> HTTPS
301 Redirects Rules Change: What You Need to Know for SEO, Moz Blog, 1 August 2016.https://moz.com/blog/301-redirection-rules-for-seo
Set up your dev environment for certs
One time setup
sudo a2enmod ssl
sudo a2enmod headers
sudo vim /etc/apache2/apache2.conf
And add NameVirtualHost *:443 near the bottom.
sudo service apache2 restart
sudo mkdir /etc/apache2/ssl
Self-signed certs
Create a cert
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -
keyout /etc/apache2/ssl/[newsite].key -out
/etc/apache2/ssl/[newsite].crt
[note fill common name in with the domain]
cd /etc/apache2/sites-available
sudo vim [newsite]
Duplicate the entire VirtualHost block and label as <VirtualHost *:443>
Put this at the bottomSSLEngine on
SSLCertificateFile /etc/apache2/ssl/[newsite].crt
SSLCertificateKeyFile /etc/apache2/ssl/[newsite].key
Free certs
https://letsencrypt.org/
https://www.startssl.com/
Secure all the things.
Every page. Every resource.
Phase 1
Search for http:// //
Check canonical links have full https:// url
Check your sitemap and robots.txt
New property in Google Search Console
robots.txt
Sitemap: https://domain.com/sitemap.xml
Use TLS 1.0 / 1.1 / 1.2 only:
Test your setuphttps://www.ssllabs.com/ssltest/index.html
How to disable SSL:https://www.digicert.com/ssl-support/apache-
disabling-ssl-v3.htm
Phase 2
301 redirects http https
HTTP HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
. is a regular expression, but we just want to match anything
L flag: stop processing further rules
R flag: redirect
If you already have domain name redirects….
RewriteEngine On
# Redirect to canonical
RewriteCond %{HTTP_HOST} ^domain\.com$ [NC]
RewriteRule . https://canonical.com%{REQUEST_URI} [L,R=301]
# Redirect to HTTPS
RewriteCond %{HTTPS} off
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
NC flag: case-insensitive
Secure your cookies:
<ifModule mod_headers.c>
Header always edit Set-Cookie (.*)
"$1; HTTPOnly; Secure"
</ifModule>
HTTPOnly option locks out JavaScript.
Secure refuses cookie over HTTP
HTTPS link to HTTP loses referrer by default
<meta name="referrer" content="origin-when-crossorigin">
The Meta Referrer Tag: An Advancement for SEO and the Internet.https://moz.com/blog/meta-referrer-tag
Phase 3
HSTS saves a round trip
HTTP/2 via a CDN
HSTS -- not done lightly!
<ifModule mod_headers.c>
Header set Strict-Transport-Security "max-
age=31536000; includeSubDomains" env=HTTPS
</ifModule>
• https://www.httpvshttps.com/
• HTTPS unlocks HTTP/2
• 70% of websites using HTTP/2 are served via CloudFlare
• https://www.cloudflare.com/http2/
• Why Everyone Should Be Moving To HTTP/2
http://searchengineland.com/everyone-
moving-http2-236716
CloudFlare
If you have https redirects, don’t use flexible!
HTTP/1.1 optimisations you don’t need anymore
• Domain sharding
• Image sprites
• Combined CSS and JS files
What about TTFB?
“I heard that the HTTP/2 TTFB (Time to First Byte) which is a measured metric in SEO and
FEO, is sometimes see higher than HTTP/1.1. What can be done to again have the TTFB
measure be seen as on-par with HTTP/1.1?”
Catchpoint AMA on HTTP/2 with staff from Google, Akamai, CloudFlare, Catchpointhttp://pages.catchpoint.com/HTTP2-AMA-Registration.html
“I think that's a very good and important point. TTFB is important as a metric. If
you can make it faster, do so. That's just a good thing to optimize. You're right in
that just watching the TTFB is not indicative of when the content is painted to the
screen, which is ultimately what the user cares about. Not when they receive the
first byte, but when is the text showing up on the screen? I can show you plenty
of traces where I can see that, even if I compare the unencrypted version with
encrypted over HTTP/2, the time to first byte may be slower, but the page renders
faster, because we're able to leverage other features in HTTP/2 to fetch other
things faster, maybe using server push, so we don't have to do extra round trips.
One metric regresses, but the metric that you care about actually improves.”
-- Ilya Grigorik, Google
Is TLS Fast Yet?https://istlsfastyet.com/
Mythbusting HTTPS: Squashing security’s urban legends - Google I/O 2016https://www.youtube.com/watch?v=YMfW1bfyGSY
Mozilla SSL Configuration Generator
Mozilla SSL Configuration Generatorhttps://mozilla.github.io/server-side-tls/ssl-config-generator/
evelopers
HTTP/2 For Web Developershttps://blog.cloudflare.com/http-2-for-web-developers/
7 Tips for Faster HTTP/2 Performancehttps://www.nginx.com/blog/7-tips-for-faster-http2-performance/
Secure browsing by defaulthttps://www.facebook.com/notes/facebook-engineering/secure-browsing-by-
default/10151590414803920/
Websites Must Use HSTS in Order to Be Securehttps://www.eff.org/deeplinks/2014/02/websites-hsts