HTTPS and HTTP/2

Post on 24-Jan-2018


HTTPS & HTTP/2

Matthew Walker

August 2016

• Identity confirmation

• Confidentiality

• Integrity

• Unlock new browser features

• Small PageRank boost

Browser features that require a secure origin:

• HTTP/2

• Geolocation

• getUserMedia()

• Push notifications

• Device motion / orientation

• Encrypted media extensions

• AppCache

Deprecating Non-Secure HTTP, Mozilla Security Blog, 20 April 2015. https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

Deprecating Powerful Features on Insecure Origins, The Chromium Projects. https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins

Past

• Hard to set up

• Expensive

• Only for ecommerce

Present

• Relatively easy to set up

• Certs start at $0

• All websites, all pages

Future

All HTTP sites will be specifically marked as insecure!

Marking HTTP As Non-Secure, The Chromium Projects. https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

The new normal

“Google estimates 25% of sites now use secure connections. Google will work with some of the non-secure top 100 sites on the web to help them migrate to HTTPS.” -- March 2016

http://marketingland.com/google-estimates-25-sites-now-use-secure-connections-168763

• 301 redirects must be done right

• Dedicated IP means small hosting cost bump

• HTTPS over HTTP/1.1 is marginally slower

• One more thing to set up and pay for / screw up

HTTPS migrations lose PageRank (?)

Previously: 301 redirects result in around a 15% loss of PageRank.

Now: no PageRank loss for a redirect from HTTP -> HTTPS.

301 Redirects Rules Change: What You Need to Know for SEO, Moz Blog, 1 August 2016. https://moz.com/blog/301-redirection-rules-for-seo

Set up your dev environment for certs

One time setup

sudo a2enmod ssl
sudo a2enmod headers
sudo vim /etc/apache2/apache2.conf

And add NameVirtualHost *:443 near the bottom (Apache 2.2 only; Apache 2.4 ignores NameVirtualHost and just logs a warning, so skip this line there).

sudo service apache2 restart
sudo mkdir /etc/apache2/ssl

Self-signed certs

Create a cert

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/[newsite].key -out /etc/apache2/ssl/[newsite].crt

[note: fill the Common Name in with the domain; current browsers also require the domain in a subjectAltName extension, which this command does not add]

cd /etc/apache2/sites-available
sudo vim [newsite]

Duplicate the entire VirtualHost block and label the copy <VirtualHost *:443>. Put this at the bottom of the new block:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/[newsite].crt
SSLCertificateKeyFile /etc/apache2/ssl/[newsite].key

Free certs

https://letsencrypt.org/

https://www.startssl.com/

Secure all the things.

Every page. Every resource.

Phase 1

Search your code for http:// and protocol-relative // URLs

Check canonical links have the full https:// URL

Check your sitemap and robots.txt

Add a new property in Google Search Console (the https:// site is a separate property)

robots.txt:

Sitemap: https://domain.com/sitemap.xml
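To automate the Phase 1 search above, here is an added Python example (not from the talk): it scans a constructed sample page and robots.txt for http:// and protocol-relative // references, a canonical link that is not a full https:// URL, and a Sitemap: line that is not https://. The markup and domain names are made up for the example.

```python
import re

# Constructed sample page and robots.txt for a site mid-migration (not a real capture).
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://example.com/page">
<script src="//cdn.example.com/app.js"></script>
<link rel="stylesheet" href="https://example.com/site.css">
<style>body { background: url(http://example.com/bg.png); }</style>
</head><body>
<img src="http://example.com/logo.png">
<a href="http://other.example/">external link</a>
</body></html>"""

SAMPLE_ROBOTS = "User-agent: *\nSitemap: http://example.com/sitemap.xml\n"

# src=, href= and CSS url() references; an http:// or protocol-relative // value
# here is what the "search for http:// and //" step is looking for.
RESOURCE_REF = re.compile(r'(?:\b(?:src|href)\s*=\s*["\']|url\()\s*([^"\')\s]+)', re.I)
CANONICAL = re.compile(r'<link[^>]+rel=["\']canonical["\'][^>]+href=["\']([^"\']+)', re.I)


def find_insecure_refs(html):
    """Return (url, kind) for every http:// or protocol-relative // reference."""
    found = []
    for url in RESOURCE_REF.findall(html):
        if url.lower().startswith("http://"):
            found.append((url, "http"))
        elif url.startswith("//"):
            found.append((url, "protocol-relative"))
    return found


def canonical_is_https(html):
    """True only if the page has a canonical link and it is a full https:// URL."""
    m = CANONICAL.search(html)
    return bool(m) and m.group(1).lower().startswith("https://")


def sitemap_lines_are_https(robots_txt):
    """True if every Sitemap: line in robots.txt points at an https:// URL."""
    sitemaps = [line.split(":", 1)[1].strip()
                for line in robots_txt.splitlines() if line.lower().startswith("sitemap:")]
    return all(s.lower().startswith("https://") for s in sitemaps)


if __name__ == "__main__":
    for url, kind in find_insecure_refs(SAMPLE_HTML):
        print(f"{kind:18} {url}")
    print("canonical https:", canonical_is_https(SAMPLE_HTML))
    print("sitemap https:", sitemap_lines_are_https(SAMPLE_ROBOTS))
```

Plain <a href> links are reported too, since the talk's search covers every http:// occurrence, not only sub-resources.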

Use TLS 1.0 / 1.1 / 1.2 only (disable SSLv2 and SSLv3):

Test your setup: https://www.ssllabs.com/ssltest/index.html

How to disable SSL: https://www.digicert.com/ssl-support/apache-disabling-ssl-v3.htm

Phase 2

301 redirects: HTTP -> HTTPS

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

. is a regular expression, but we just want to match anything

L flag: stop processing further rules

R flag: redirect

If you already have domain name redirects….

RewriteEngine On

# Redirect to canonical
RewriteCond %{HTTP_HOST} ^domain\.com$ [NC]
RewriteRule . https://canonical.com%{REQUEST_URI} [L,R=301]

# Redirect to HTTPS
RewriteCond %{HTTPS} off
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

NC flag: case-insensitive

The canonical-host rule goes first so that a request for http://domain.com/ lands on https://canonical.com/ in a single redirect instead of two.

Secure your cookies:

<IfModule mod_headers.c>
Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
</IfModule>

HttpOnly locks JavaScript out of the cookie.

Secure: the browser refuses to send the cookie over HTTP.

This edit appends both flags to every Set-Cookie unconditionally, so cookies the application already hardened end up with the flags twice, and any cookie your JavaScript needs to read will stop being readable.

An HTTPS page linking to an HTTP page sends no referrer by default

<meta name="referrer" content="origin-when-cross-origin">

origin-when-crossorigin is the older spelling of the same policy and is still accepted as a legacy keyword.

The Meta Referrer Tag: An Advancement for SEO and the Internet. https://moz.com/blog/meta-referrer-tag

Phase 3

HSTS saves a round trip

HTTP/2 via a CDN

HSTS -- not done lightly!

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>

Once a browser has seen this header it refuses plain HTTP to the host, and with includeSubDomains to every subdomain, for max-age seconds (a year here), so every subdomain must already serve valid HTTPS before you send it.
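An added Python check, not from the talk, that covers both the cookie flags and the HSTS header above: it parses a constructed HTTP response and reports cookies missing Secure or HttpOnly, flags duplicated by a blanket Header edit, and an HSTS header whose max-age is shorter than the one-year value used above or that lacks includeSubDomains. The response headers are constructed for the example, not captured from a real site.

```python
# Constructed response from a freshly migrated site (not a real capture).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure
Set-Cookie: prefs=dark; Path=/
Set-Cookie: csrf=xyz; Path=/; Secure; Secure
Strict-Transport-Security: max-age=300
Content-Type: text/html"""

ONE_YEAR = 31536000  # the max-age used in the HSTS header above


def parse_headers(raw):
    """Return (name, value) pairs with lowercased names; repeated Set-Cookie lines are kept."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_cookies(headers):
    """Flag cookies missing Secure/HttpOnly and flags set twice (what a blanket Header edit does)."""
    problems = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split(";", 1)[0].split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        for flag, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
            if flag not in attrs:
                problems.append((cookie, f"missing {label}"))
            elif attrs.count(flag) > 1:
                problems.append((cookie, f"duplicate {label}"))
    return problems


def audit_hsts(headers):
    """Return HSTS findings; empty means max-age >= one year and subdomains are covered."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header"]
    directives = [d.strip().lower() for d in values[0].split(";")]
    max_age = None
    for d in directives:
        if d.startswith("max-age=") and d[8:].isdigit():
            max_age = int(d[8:])
    findings = []
    if max_age is None or max_age < ONE_YEAR:
        findings.append("max-age shorter than one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings
```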

• https://www.httpvshttps.com/

• HTTPS unlocks HTTP/2

• 70% of websites using HTTP/2 are served via CloudFlare

• https://www.cloudflare.com/http2/

• Why Everyone Should Be Moving To HTTP/2: http://searchengineland.com/everyone-moving-http2-236716

CloudFlare

If your origin already redirects HTTP to HTTPS, don’t use CloudFlare's Flexible SSL mode: it connects to the origin over plain HTTP, so the origin's redirect loops forever.

HTTP/1.1 optimisations you don’t need anymore

• Domain sharding

• Image sprites

• Combined CSS and JS files

What about TTFB?

“I heard that the HTTP/2 TTFB (Time to First Byte), which is a measured metric in SEO and FEO, is sometimes seen higher than HTTP/1.1. What can be done to again have the TTFB measure be seen as on-par with HTTP/1.1?”

Catchpoint AMA on HTTP/2 with staff from Google, Akamai, CloudFlare, Catchpoint: http://pages.catchpoint.com/HTTP2-AMA-Registration.html

“I think that's a very good and important point. TTFB is important as a metric. If you can make it faster, do so. That's just a good thing to optimize. You're right in that just watching the TTFB is not indicative of when the content is painted to the screen, which is ultimately what the user cares about. Not when they receive the first byte, but when is the text showing up on the screen? I can show you plenty of traces where I can see that, even if I compare the unencrypted version with encrypted over HTTP/2, the time to first byte may be slower, but the page renders faster, because we're able to leverage other features in HTTP/2 to fetch other things faster, maybe using server push, so we don't have to do extra round trips. One metric regresses, but the metric that you care about actually improves.”

-- Ilya Grigorik, Google

Is TLS Fast Yet? https://istlsfastyet.com/

Mythbusting HTTPS: Squashing security’s urban legends - Google I/O 2016. https://www.youtube.com/watch?v=YMfW1bfyGSY

Mozilla SSL Configuration Generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/

HTTP/2 For Web Developers: https://blog.cloudflare.com/http-2-for-web-developers/

7 Tips for Faster HTTP/2 Performance: https://www.nginx.com/blog/7-tips-for-faster-http2-performance/

Secure browsing by default: https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920/

Websites Must Use HSTS in Order to Be Secure: https://www.eff.org/deeplinks/2014/02/websites-hsts