NICAR delivering the news over HTTPS

Post on 13-Jan-2017


Transcript of NICAR delivering the news over HTTPS

Delivering the news over HTTPS

Paul Schreiber, paul.schreiber@fivethirtyeight.com, @paulschreiber

15%

http://www.bbc.co.uk/
http://www.bbc.co.uk/persian/

HTTP, 1991–2016

Marking HTTP As Non-Secure

We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015.

The goal of this proposal is to more clearly display to users that HTTP provides no data security.

Deprecating Non-Secure HTTP

Today we are announcing our intent to phase out non-secure HTTP.

There are two broad elements of this plan:
1. Setting a date after which all new features will be available only to secure websites
2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.

The HTTPS-Only Standard

All browsing activity should be considered private and sensitive.

—https.cio.gov

A Call to Action

If you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of 2015 and pledge your support with the hashtag #https2015.

—Eitan Konigsburg, Rajiv Pant and Elena Kvochko, “Embracing HTTPS”, November 13, 2014

HTTP

HTTPS

2008: HTTPS is slow

2015: HTTPS is fast

HTTP 2.0

HTTPS

SHA-1

$ sslmate mkconfig

https://mozilla.github.io/server-side-tls/ssl-config-generator/

HTTPS enabled
HTTPS default
HSTS
HSTS preload

content

content 😕

content 🤔

comments
ads
social
analytics
CDNs
fonts

mixed content

$ mixed-content-scan

mixed content

Content-Security-Policy: upgrade-insecure-requests

mixed content

Content-Security-Policy-Report-Only: default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://myserver.com/log-tool/

No HTTPS? Ask nicely.

SoundCite, placehold.it

mixed content

Akamai: http://hostname.com → https://a248.e.akamai.net/f/12/621/60d/hostname.com

mixed content

<script src="//google.com/…
<script src="https://googl…
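As an added example (not the deck's own code, and not the mixed-content-scan tool it mentions), a small Python scanner that classifies sub-resources on an HTTPS page as active or passive mixed content and rewrites protocol-relative URLs to explicit https:// as the slide above shows; the sample page and its hostnames are constructed placeholders.

```python
# Added example: find mixed content on an HTTPS page. Scripts, stylesheets
# and frames are "active" mixed content (browsers block them); images and
# media are "passive" (loaded, but the page loses its lock). Protocol-relative
# "//host/..." URLs are safe on HTTPS but reported so they can be rewritten.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr, value in attrs.items():
            if not value or (tag, attr) not in ACTIVE | PASSIVE:
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or ""):
                continue  # only stylesheets are fetched; other rels are hints
            if value.startswith("//"):
                self.findings.append(("protocol-relative", tag, value))
                continue
            # Resolve relative URLs against the page; data: URLs keep their scheme
            if urlsplit(urljoin(self.page_url, value)).scheme == "http":
                sev = "active" if (tag, attr) in ACTIVE else "passive"
                self.findings.append((sev, tag, value))

def find_mixed_content(html, page_url):
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    return parser.findings

def upgrade_protocol_relative(html):
    """Rewrite src="//host/..." and href="//host/..." to explicit https://."""
    return re.sub(r'((?:src|href)=["\'])//', lambda m: m.group(1) + "https://", html)

# Constructed sample page; the hosts are placeholders, not real endpoints.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css"><script src="//google.com/analytics.js"></script>
<script src="/local.js"></script></head><body>
<img src="http://placehold.it/350x150"><img src="https://img.example.com/logo.png">
<iframe src="http://soundcite.example.net/embed"></iframe></body></html>"""
```

Run `find_mixed_content(SAMPLE, "https://news.example.com/")` to list the findings, then feed `upgrade_protocol_relative(SAMPLE)` back in to see the protocol-relative entry disappear.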


Many graphics from The Noun Project: Mountains by Chris Cole; Statue of Liberty by John Melven; Tombstone by Jakob Wells; Congress by Martha Ormiston; Shield by Wayne Thayer; Books by Ashley van Dyck; Snail by aLf; carrot by Creative Stall; Geolocation by Alexander Smith; Notification by vijay sekhar; Microphone by Edward Boatman; Video camera by Pham Thi Dieu Linh; Full screen by Garrett Knoll; Rotation by Lemon Liu; speedmeter by Michal Beno; layers by Muhamad Ulum; arrow by Maurizio Pedrazzoli; stick by Blaise Sewell; Server by Yazmin Alanis; SEO by Azis; Money by Nick Levesque; Shopping cart by Patrizia Daidone; Lock with keyhole by Brennan Novak; Scribble by Michael Chanover; Network by Stephen Boak; Hat based on work by Blake Kimmel; Warning by Icomatic; Error by Anas Ramadan.