Why Your Website Should Use HTTPS and How

Seattle WordPress Meetup, March 15, 2016. Speaker: Joe Fletcher (@merchantguru)

Transcript of Why Your Website Should Use HTTPS and How

Page 1: Why Your Website Should Use HTTPS and How

HTTPS: Why Your Website Should Use HTTPS and How

Seattle WordPress Meetup, March 15, 2016

Speaker: Joe Fletcher

@merchantguru

Page 2: Why Your Website Should Use HTTPS and How

HTTPS: // Overview

- HTTPS vs HTTP
- Why and Why Now?
- Implementation Overview
- Resources

Page 3: Why Your Website Should Use HTTPS and How

HTTPS vs HTTP: What's the diff?

HTTPS (secure from bad guys):
- Encrypted (SSL/TLS)
- Verifies ownership
- Not easily manipulated

HTTP (easily read & manipulated):
- Plain text and easily read
- Easily manipulated
- History tracked and profiled

Page 4: Why Your Website Should Use HTTPS and How

HTTPS: // 2 Main Types

- Domain Validation (DV)
- Extended Validation (EV)

Page 5: Why Your Website Should Use HTTPS and How

HTTPS: // Examples

Address-bar examples in IE 11, Edge, Safari, Firefox and Chrome:
- Domain Validation: padlock
- Extended Validation: padlock, organization name... and more green

Page 6: Why Your Website Should Use HTTPS and How

HTTPS: // Why?

- SEO
- Speed
- Trust & Branding
- Browser Warnings
- HTML5 (geolocation, etc.)
- ISP/Carrier Manipulation
- Credit Card Processing
- Security & Privacy
- Peace of Mind

BTW, WordPress logins & dashboards are not secure without HTTPS: the password and the logged-in cookie travel in plain text and can be read by anyone on the path. And browsers are stepping up their warnings.

Page 7: Why Your Website Should Use HTTPS and How

HTTPS: // Why Now?

- Google ranks HTTPS higher: improve your SEO
- HTTP/2 speed increase of 50%+: requires HTTPS (browsers only negotiate HTTP/2 over TLS)
- Free, automated certificates: Let's Encrypt; Symantec (soon)
- HTTPS Everywhere: green/padlock becoming the standard; surveillance concerns; U.S. federal website requirement

Page 8: Why Your Website Should Use HTTPS and How

Implementation Overview

1. BUY
2. INSTALL
3. UPDATE
4. TEST

Page 9: Why Your Website Should Use HTTPS and How

Major SSL Certificate Brands (logo slide)

Page 10: Why Your Website Should Use HTTPS and How

SSL Certificate Sources

Free services & DNS:
- CloudFlare (make sure the connection from CloudFlare to your host is encrypted too, not only browser-to-CloudFlare)
- AWS Certificate Manager

Free, do it yourself:
- Comodo (90 days)
- Let's Encrypt (90 days)
- Symantec (coming soon via web hosts)

Do it yourself ($7-$1000+):
- thesslstore.com
- ssls.com
- gogetssl.com
- GoDaddy
- Comodo
- CertSimple (EV)

Managed WP hosting:
- WP Engine: $49/yr, installed + HTTPS configured
- Liquid Web: free, installed for you
- SiteGround: free, install via cPanel
- DreamHost: free, install via control panel

Page 11: Why Your Website Should Use HTTPS and How

Installing an SSL Certificate

Follow the instructions from your SSL vendor & web host.

- Your host: generate the CSR
- SSL vendor: buy SSL; verification (you hand the CSR to the vendor)
- SSL vendor: issues the SSL certificate
- Your host: install the SSL certificate

Page 12: Why Your Website Should Use HTTPS and How

Update Old HTTP References

For example: jQuery, Google Fonts, CDN assets. Protocol-relative URLs are no longer recommended.

Do: <script src="https://www.everyasset.com/myasset.js"></script>

Don't: <script src="http://www.everyasset.com/myasset.js"></script>

Don't: <script src="//www.everyasset.com/myasset.js"></script>

URLs should use only: https://

Use CDNs with an HTTPS option. SEO: best to use a subdomain: https://cdn.yourdomain.com/

- KeyCDN & AWS Certificate Manager: free & easy options

Page 13: Why Your Website Should Use HTTPS and How

Update WordPress References

What to update: images, CSS, JS, iframes, forms.

Where they live:
- WordPress database (settings & content): Settings, Plugin Options, Content Editor
- WordPress theme files
- WordPress plugins: may need to override; contact the plugin developer

Best to use: Search & Replace plugin, WP Migrate DB plugin, WP-CLI. These tools handle PHP-serialized values stored in the database; a raw SQL find-and-replace corrupts serialized option and widget data whenever the URL length changes.

Page 14: Why Your Website Should Use HTTPS and How

Force HTTPS Everywhere

Redirect HTTP to HTTPS: .htaccess or nginx redirect rules (301 redirect), or plugins: Really Simple SSL plugin + WP Force SSL plugin

Use HTTPS everywhere from now on:
- Google Search Console (add a new profile: https://support.google.com/webmasters/answer/6033049)
- Google Analytics
- Sitemap
- Robots.txt
- Canonical tags
- Social media
- Ads
- Directory listings
- Email templates
- Forms (MailChimp, etc.)

Page 15: Why Your Website Should Use HTTPS and How

Test, Especially for Mixed Content

Mixed content may "break your site", cause warnings, or prevent the green / padlock. Any http:// reference on an https:// page should be https://.
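A scanner for the mixed-content problem covered by the "Update Old HTTP References" and "Test for Mixed Content" steps, added here as an example; it is not code from the slides. It assumes the constructed sample markup below (example.com hosts and a made-up YouTube embed id) stands in for a WordPress page served over https://, and it classifies references the way browsers do: active content (scripts, stylesheets, iframes, form targets) fetched over http:// is blocked, passive content (images, media) loads but costs the padlock. Protocol-relative URLs are reported separately because the deck advises against them even though they resolve to https:// on an https:// page.

```python
# Added example; not code from the slides. SAMPLE_PAGE is constructed test input.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sub-resource attributes and how a browser treats them when an https:// page
# fetches them over http://: "active" content is blocked outright; "passive"
# content loads but removes the padlock and logs a console warning.
CHECKS = {
    ("script", "src"): "active",
    ("link", "href"): "active",   # only counted for rel="stylesheet", see below
    ("iframe", "src"): "active",
    ("form", "action"): "active",
    ("object", "data"): "active",
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}

# Constructed sample page (hosts and embed id are made up for this example).
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans">
<link rel="canonical" href="http://www.example.com/post/">
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.12.0/jquery.min.js"></script>
<script src="https://www.example.com/wp-includes/js/wp-embed.min.js"></script>
</head><body>
<img src="http://cdn.example.com/uploads/hero.jpg" alt="">
<img src="/wp-content/uploads/logo.png" alt="">
<iframe src="http://www.youtube.com/embed/abc123"></iframe>
<form action="http://www.example.com/contact/" method="post"></form>
</body></html>
"""


class MixedContentScanner(HTMLParser):
    """Collects every sub-resource reference that is http:// or protocol-relative."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            # <link rel="canonical"> and friends fetch nothing, so they are not
            # mixed content; update them for SEO, not for the padlock.
            return
        for (t, a), severity in CHECKS.items():
            if t == tag and a in attrs:
                self._classify(severity, tag, a, attrs[a].strip())

    def _classify(self, severity, tag, attr, url):
        if url.startswith("//"):
            kind = "protocol-relative"  # resolves to https here, but the deck says stop using it
        elif urlsplit(url).scheme.lower() == "http":
            kind = "http"               # genuine mixed content
        else:
            return
        self.findings.append({"severity": severity, "tag": tag, "attr": attr, "url": url, "kind": kind})


def scan(html):
    """Return the list of findings, in document order."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


_URL_ATTR = re.compile(r'\b(src|href|action)=(["\'])(?:http:)?//', re.IGNORECASE)


def upgrade_to_https(html):
    """Rewrite http:// and protocol-relative src/href/action URLs to https://.
    Only do this for hosts you have confirmed serve HTTPS; an https:// URL to a
    host without a certificate simply fails to load."""
    return _URL_ATTR.sub(r"\1=\2https://", html)


if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE):
        print(f"{f['severity']:7} {f['kind']:18} <{f['tag']} {f['attr']}=\"{f['url']}\">")
    # After the rewrite the same page scans clean.
    assert scan(upgrade_to_https(SAMPLE_PAGE)) == []
```

Run it against a saved copy of a page (view-source, or `curl` output) before and after the search-and-replace step; the blocked "active" findings are the ones that break layout and scripts, the "passive" ones are what whynopadlock.com and the Chrome console complain about.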

Page 16: Why Your Website Should Use HTTPS and How

Test Tools

- www.whynopadlock.com
- Chrome Dev Tools

Page 17: Why Your Website Should Use HTTPS and How

Recommended Reading

A few practical, real-world examples of why HTTPS is important:
- https://certsimple.com/blog/ssl-why-do-i-need-it

Great how-to resources:
- https://www.keycdn.com/blog/http-to-https/
- https://developers.google.com/web/fundamentals/security/
- https://support.google.com/webmasters/answer/6073543
- https://https.cio.gov/ ... especially https://https.cio.gov/mixed-content/

Use a custom domain with AWS CloudFront:
- https://deliciousbrains.com/custom-domain-https-cloudfront/

TLS performance checklist for server admins:
- http://chimera.labs.oreilly.com/books/1230000000545/ch04.html#_performance_checklist_2

What developers should know about SSL but probably don't:
- https://certsimple.com/blog/obsolete-cipher-suite-and-things-web-developers-should-know-about-ssl

Deep dive videos:
- Part I: https://youtu.be/d2GmcPYWm5k
- Part II: https://youtu.be/rnM2qAfEG-M

Page 18: Why Your Website Should Use HTTPS and How

Thank You! Seattle WordPress Meetup

March 15, 2016

Speaker: Joe Fletcher

@merchantguru

merchantguru.com/https

Page 19: Why Your Website Should Use HTTPS and How

Appendix

Page 20: Why Your Website Should Use HTTPS and How

Advanced: Force HTTPS Across Your Site

.htaccess:

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    </IfModule>

nginx:

    server {
        listen 80;
        server_name yoursite.com;
        return 301 https://$server_name$request_uri;
    }

Behind a TLS-terminating proxy or CDN such as CloudFlare the origin server receives plain HTTP, so %{HTTPS} is never "on" and the Apache rule above redirects forever; in that setup test the proxy's forwarded-protocol header (X-Forwarded-Proto) instead.

plugins: Really Simple SSL plugin + WP Force SSL plugin

Two other recommended plugins, but they didn't work on my test nginx-hosted site: Easy HTTPS Redirection, SSL Insecure Content Fixer

Page 21: Why Your Website Should Use HTTPS and How

HTTP Strict Transport Security (HSTS)

Header name: Strict-Transport-Security

HTTP Strict Transport Security (HSTS) is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from http:// to https:// URLs.

When a browser knows that a domain has enabled HSTS, it does two things:
- Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol.
- Removes the ability for users to click through warnings about invalid certificates.

Page 22: Why Your Website Should Use HTTPS and How

Advanced: Strict Transport Security Header

.htaccess:

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains; preload"
    </IfModule>

nginx:

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

plugins: Really Simple SSL plugin

Caveats: browsers only honor this header on an HTTPS response, so the HTTP-to-HTTPS redirect stays in place for a visitor's first request. max-age=16070400 is about 186 days; the browser preload list currently requires a max-age of at least one year (31536000) together with includeSubDomains and preload. includeSubDomains commits every subdomain, including ones not yet on HTTPS, and a preloaded entry is hard to undo, so roll out with a short max-age first and raise it (and add preload) only once everything works.
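A small model of the HSTS behaviour described on the two slides above, added here as an example and not code from the deck. It parses a Strict-Transport-Security value, reports why a policy would fail preload submission, and simulates the browser-side policy cache that turns later http:// requests into https://; the hostnames and timestamps in it are made up, and the one-year preload minimum is the current hstspreload.org requirement, not something the slides state.

```python
# Added example; not code from the slides. Hostnames and timestamps are made up.
from urllib.parse import urlsplit

# hstspreload.org currently requires at least one year; the deck's .htaccess
# value of 16070400 (186 days) is below that and would be rejected.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header):
    """Parse a header value into a policy dict. Directive names are
    case-insensitive (RFC 6797), so includeSubdomains and includeSubDomains are equal."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def preload_problems(policy):
    """Return the reasons a policy would fail preload submission (empty list = eligible)."""
    problems = []
    if policy["max_age"] is None:
        problems.append("max-age missing")
    elif policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy['max_age']} is below {PRELOAD_MIN_MAX_AGE} (1 year)")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload token missing")
    return problems


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry, includeSubDomains)."""

    def __init__(self):
        self.entries = {}

    def observe(self, host, header, now, over_https=True):
        """Record the policy carried by a response. Browsers ignore the header
        on plain http:// responses, which is why the redirect must stay."""
        if not over_https:
            return
        policy = parse_hsts(header)
        if policy["max_age"] is None:
            return
        host = host.lower()
        if policy["max_age"] == 0:
            self.entries.pop(host, None)   # max-age=0 is how a site withdraws its policy
            return
        self.entries[host] = (now + policy["max_age"], policy["include_subdomains"])

    def rewrite(self, url, now):
        """Return the https:// form of an http:// URL if a live policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue              # expired entries are treated as absent
            if i == 0 or include_subdomains:
                return parts._replace(scheme="https").geturl()
        return url


if __name__ == "__main__":
    for value in ("max-age=16070400;includeSubDomains;preload",
                  "max-age=31536000; includeSubdomains; preload"):
        print(value, "->", preload_problems(parse_hsts(value)) or "preload-eligible")
    cache = HstsCache()
    cache.observe("yoursite.com", "max-age=31536000; includeSubDomains", now=0)
    print(cache.rewrite("http://cdn.yoursite.com/style.css", now=60))
```

The cache walk from the full hostname up through its parent domains is what makes includeSubDomains bite: once yoursite.com sends it, cdn.yoursite.com and any other subdomain are forced to https:// on the next visit whether or not they have a certificate yet.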

Page 23: Why Your Website Should Use HTTPS and How

Misc

Chrome Mobile: DV looks the same as EV.

No more warning.

Page 24: Why Your Website Should Use HTTPS and How

Misc

IE6 is no longer supported (TLS 1.0+ only). IE6-8 on Windows XP and the Android 2.3 browser do not support SNI, so they can only reach the site if it has a dedicated IP address.

Page 25: Why Your Website Should Use HTTPS and How

Installing an SSL Certificate

Buy an SSL certificate:
1. Generate a "Certificate Signing Request" (CSR) on your server
2. Give the CSR to the SSL certificate vendor
3. Vendor verifies you own the domain
4. Vendor provides the SSL certificate

Install the certificate (options):
- Upload/paste it via the SSL Certificates area of your control panel
- Open a support ticket with your web host

Generally, follow the instructions from your SSL certificate vendor. The private key created alongside the CSR stays on your server; only the CSR goes to the vendor.

Page 26: Why Your Website Should Use HTTPS and How

CDNs with Free Custom SSL Certificates (for subdomains, i.e., https://cdn.yoursite.com)

- KeyCDN*
- CDN77*
- CloudFlare
- AWS CloudFront

* Capitalize on HTTP/2 for increased speed

Page 27: Why Your Website Should Use HTTPS and How

Referral Links

- KeyCDN: https://www.keycdn.com/?a=8580
- WP Engine: https://www.merchantguru.com/go/wpengine/