Post on 14-Apr-2017
HTTPS: Why Your Website Should Use HTTPS and How
Seattle WordPress Meetup, March 15, 2016
Speaker: Joe Fletcher
@merchantguru
HTTPS: // Overview
- HTTPS vs HTTP
- Why and Why Now?
- Implementation Overview
- Resources
HTTPS vs HTTP: What's the diff?

HTTPS (Secure from Bad Guys):
- Encrypted (SSL/TLS)
- Not easily manipulated
- Verifies ownership

HTTP (Easily Read & Manipulated):
- Plain text and easily read
- Easily manipulated
- History tracked and profiled
HTTPS: // 2 Main Types
- Domain Validation (DV)
- Extended Validation (EV)
HTTPS: // Examples
[Screenshots of the address bar in IE 11, Edge, Safari, Firefox and Chrome]
- Domain Validation: padlock
- Extended Validation: padlock, organization name... and more green
HTTPS: // Why?
- SEO
- Speed
- Trust & Branding
- Browser Warnings
- HTML5 (geolocation, etc.)
- ISP/Carrier Manipulation
- Credit Card Processing
- Security & Privacy
- Peace of Mind
HTTPS: // Why Now?
- BTW, WordPress logins & dashboards are not secure without https! And browsers are stepping up their warnings
- Google Ranks HTTPS Higher: improve your SEO
- HTTP/2 Speed Increase 50%+: requires HTTPS
- Free, Automated Certificates: Let's Encrypt; Symantec (soon)
- HTTPS Everywhere: green/padlock becoming the standard; surveillance concerns; U.S. Federal website requirement
Implementation Overview
Four steps: BUY, INSTALL, UPDATE, TEST (the deck walks through them in that order)
[Slide: logos of major SSL certificate brands]
SSL Certificate Sources
- Free Services & DNS: CloudFlare, AWS Certificate Manager
- Do It Yourself ($7-$1000+): thesslstore.com, ssls.com, gogetssl.com, GoDaddy, Comodo, CertSimple (EV)
- Free Do It Yourself: Comodo (90 days), Let's Encrypt (90 days), Symantec (coming soon via web hosts)
- Managed WP Hosting: WP Engine ($49/yr, installed + https configured); Liquid Web (free, installed for you); SiteGround (free, install via cPanel); DreamHost (free, install via control panel)
Installing an SSL Certificate
Follow Instructions from Your SSL Vendor & Web Host
[Slide diagram with two columns, "SSL Vendor" and "Your Host": Generate CSR (your host) -> Buy SSL (the CSR goes to the vendor) -> Verification (vendor) -> Install SSL (the vendor returns the SSL certificate to your host)]
Update Old HTTP References
For example: jQuery, Google Fonts, CDN assets. Protocol-relative URLs are no longer recommended.

Do:    <script src="https://www.everyasset.com/myasset.js"></script>
Don't: <script src="http://www.everyasset.com/myasset.js"></script>
Don't: <script src="//www.everyasset.com/myasset.js"></script>

URLs should use only: https://
Use CDNs with an HTTPS option. SEO: best to use a subdomain: https://cdn.yourdomain.com/
- KeyCDN & AWS Certificate Manager: free & easy options
Update WordPress References
- WordPress Database: Settings & Content (Settings, Plugin Options, Content Editor): images, CSS, JS, iframes, forms
- WordPress Theme Files
- WordPress Plugins: may need to override; contact the plugin developer
- Tools (one is marked BEST TO USE on the slide): Search & Replace plugin, WP Migrate DB plugin, WP CLI
Force HTTPS Everywhere
- Redirect HTTP to HTTPS: .htaccess or nginx redirect rules (301 redirect)
- Plugins: Really Simple SSL plugin + WP Force SSL plugin

Use HTTPS Everywhere From Now On:
- Google Search Console (add a new profile: https://support.google.com/webmasters/answer/6033049)
- Google Analytics
- Sitemap
- Robots.txt
- Canonical tags
- Social media
- Ads
- Directory listings
- Email templates
- Forms (MailChimp, etc.)
Test, Especially for Mixed Content
Mixed content may "break your site", cause warnings, or prevent the green / padlock.
[Screenshot: a mixed-content example showing an http:// reference and what it should be]

Test Tools
- www.whynopadlock.com
- Chrome Dev Tools
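The Do / Don't rule from "Update Old HTTP References" and the mixed-content test above, as an added example that is not part of the deck: a small scanner that walks a page's HTML and reports every asset reference that would still be fetched over plain HTTP (or is protocol-relative) on an HTTPS site. The sample page it scans is constructed here.

```python
# Added example (not from the deck): scan HTML for asset references that would
# be mixed content on an HTTPS page, applying the deck's rule that asset URLs
# start with https://, never http:// or protocol-relative //.
from html.parser import HTMLParser

# Tag/attribute pairs that fetch or submit to a URL (the deck's checklist:
# images, CSS, JS, iframes, forms).
URL_ATTRS = {"script": "src", "img": "src", "link": "href",
             "iframe": "src", "form": "action"}

def classify(url):
    """Return why a URL is a problem, or None if it is fine on an HTTPS page."""
    u = url.strip().lower()
    if u.startswith("http://"):
        return "plain http:// reference"
    if u.startswith("//"):
        return "protocol-relative URL (no longer recommended)"
    return None  # https://, relative paths and data: URIs are all fine

class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url, problem) for every non-https reference."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            problem = classify(value) if name == wanted and value else None
            if problem:
                self.findings.append((tag, name, value, problem))

def scan_html(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: the deck's three script tags plus an http://
# stylesheet, a relative image (fine) and an http:// form action.
SAMPLE = """<html><head>
<script src="https://www.everyasset.com/myasset.js"></script>
<script src="http://www.everyasset.com/myasset.js"></script>
<script src="//www.everyasset.com/myasset.js"></script>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Lato">
</head><body><img src="/wp-content/uploads/logo.png">
<form action="http://www.example.com/subscribe"></form></body></html>"""

if __name__ == "__main__":
    for tag, attr, url, problem in scan_html(SAMPLE):
        print(f'<{tag} {attr}="{url}">: {problem}')
```

Run it against saved page source (or a theme template) before switching the site over; the Chrome Dev Tools console will report the same references as mixed content once the site is on HTTPS.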
Recommended Reading
- A few practical, real-world examples of why HTTPS is important: https://certsimple.com/blog/ssl-why-do-i-need-it
- Great how-to resources:
  - https://www.keycdn.com/blog/http-to-https/
  - https://developers.google.com/web/fundamentals/security/
  - https://support.google.com/webmasters/answer/6073543
  - https://https.cio.gov/ ... especially ... https://https.cio.gov/mixed-content/
- Use a custom domain with AWS CloudFront: https://deliciousbrains.com/custom-domain-https-cloudfront/
- TLS performance checklist for server admins: http://chimera.labs.oreilly.com/books/1230000000545/ch04.html#_performance_checklist_2
- What developers should know about SSL but probably don't: https://certsimple.com/blog/obsolete-cipher-suite-and-things-web-developers-should-know-about-ssl
- Deep dive videos: Part I: https://youtu.be/d2GmcPYWm5k & Part II: https://youtu.be/rnM2qAfEG-M
Thank You!
Seattle WordPress Meetup, March 15, 2016
Speaker: Joe Fletcher
@merchantguru
merchantguru.com/https
Appendix
Advanced: Force HTTPS Across Your Site

.htaccess:
<IfModule mod_rewrite.c>
    RewriteEngine On
    # %{HTTPS} is "on" only for requests that reached Apache over TLS. Behind a
    # TLS-terminating proxy or CDN (e.g. CloudFlare) it stays off and this rule
    # would redirect forever; check the proxy's X-Forwarded-Proto header instead.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

nginx:
server {
    listen 80;
    server_name yoursite.com;
    # permanent redirect of every plain-HTTP request to the same path over HTTPS
    return 301 https://$server_name$request_uri;
}

plugins: Really Simple SSL plugin + WP Force SSL plugin
2 recommended plugins, but didn't work on my test nginx hosted site: Easy HTTPS Redirection, SSL Insecure Content Fixer
HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from http:// to https:// URLs. Header name: Strict-Transport-Security
When a browser knows that a domain has enabled HSTS, it does two things:
- Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol.
- Removes the ability for users to click through warnings about invalid certificates.
Advanced: Strict Transport Security Header

.htaccess:
<IfModule mod_headers.c>
    # Browsers only honour HSTS received over HTTPS, so this belongs on the HTTPS vhost
    Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains; preload"
</IfModule>

nginx (inside the server block that listens on 443 with ssl):
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

plugins: Really Simple SSL plugin
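As an added check that is not part of the deck, a small parser for the header values above: it splits the directives per RFC 6797 (names are case-insensitive, which is why the nginx snippet's "includeSubdomains" spelling is fine) and flags a "preload" token whose max-age is below the preload-list minimum, assumed here to be one year (31536000 seconds), so the .htaccess example's 16070400 would be reported.

```python
# Added example (not from the deck): parse a Strict-Transport-Security value
# and check it against RFC 6797 basics and the assumed hstspreload.org minimums
# for the "preload" token (max-age of at least one year plus includeSubDomains).
PRELOAD_MIN_MAX_AGE = 31536000  # assumption: one year, the preload-list minimum

def parse_hsts(value):
    """Return {name_lower: value_or_None}; directive names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives

def check_hsts(value):
    """Return a list of problems; an empty list means the header looks sound."""
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        return ["max-age missing or not a non-negative integer"]
    max_age = int(max_age)
    problems = []
    if max_age == 0:
        problems.append("max-age=0 tells browsers to drop the HSTS policy")
    if "preload" in d:
        if max_age < PRELOAD_MIN_MAX_AGE:
            problems.append(f"preload needs max-age >= {PRELOAD_MIN_MAX_AGE}, got {max_age}")
        if "includesubdomains" not in d:
            problems.append("preload needs includeSubDomains")
    return problems

# The two header values used in the deck's .htaccess and nginx snippets.
HTACCESS_VALUE = "max-age=16070400; includeSubDomains; preload"
NGINX_VALUE = "max-age=31536000; includeSubdomains; preload"

if __name__ == "__main__":
    for label, value in (("htaccess", HTACCESS_VALUE), ("nginx", NGINX_VALUE)):
        print(label, check_hsts(value) or "OK")
```

Because browsers cache the policy for the full max-age, roll HSTS out with a short max-age first and only raise it (and add preload) once every subdomain serves HTTPS cleanly.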
Misc
- Chrome Mobile: DV looks the same as EV
- No More Warning [screenshot]
- IE6 no longer supported (TLS 1.0+)
- IE6-8 on Windows XP, and the Android 2.3 browser, are not supported unless a dedicated IP address is used (SNI)
Installing an SSL Certificate
Buy an SSL Certificate:
1. Generate a "Certificate Signing Request" (CSR) on your server
2. Give the CSR to the SSL certificate vendor
3. Vendor verifies you own the domain
4. Vendor provides the SSL certificate
Install Certificate (options):
- Upload/paste it via the SSL Certificates area of your control panel
- Open a support ticket with your web host
Generally, follow the instructions from your SSL certificate vendor
CDNs with Free Custom SSL Certificates
For subdomains, i.e., https://cdn.yoursite.com
- KeyCDN*
- CDN77*
- CloudFlare
- AWS CloudFront
* Capitalize on HTTP/2 for increased speed

Referral Links
- KeyCDN: https://www.keycdn.com/?a=8580
- WP Engine: https://www.merchantguru.com/go/wpengine/