WordCamp US: Delivering the news over HTTPS

Post on 15-Apr-2017


Transcript of WordCamp US: Delivering the news over HTTPS

Delivering the news over HTTPS

Paul Schreiber@paulschreiber

HTTP 1991–2015

Marking HTTP As Non-Secure

We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015.

The goal of this proposal is to more clearly display to users that HTTP provides no data security.

Deprecating Non-Secure HTTP

Today we are announcing our intent to phase out non-secure HTTP.

There are two broad elements of this plan:

1. Setting a date after which all new features will be available only to secure websites
2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.

The HTTPS-Only Standard

All browsing activity should be considered private and sensitive.

—https.cio.gov

A Call to Action

If you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of 2015 and pledge your support with the hashtag #https2015.

—Eitan Konigsburg, Rajiv Pant and Elena Kvochko “Embracing HTTPS” November 13, 2014

HTTP

HTTPS

Certificate types:

single: example.com

SAN: example.com, greeneggsham.info, wordpressfan.biz

wildcard: example.com, beta.example.com, shoebox.example.com

SGC

domain validation

organization validation

extended validation

[Chart: Selected DV Certificates (price)]

Comodo PositiveSSL: 49
Comodo SSL: 99
Thawte SSL123: 149

[Chart: PositiveSSL DV Certificates (price by reseller)]

SSLs.com: 8.95
SSLMate: 15.95
Comodo: 49

[Chart: Selected Certificates (price)]

Let’s Encrypt: 0
PositiveSSL (SSLs.com): 8.95
GeoTrust QuickSSL Premium: 99.98
Thawte SSL123: 149
GeoTrust True BusinessID: 199
Symantec Secure Site: 399
Symantec Secure Site Pro EV: 1400

$ sslmate mkconfig

https://mozilla.github.io/server-side-tls/ssl-config-generator/

https://github.com/tollmanz/lets-encrypt-wp

$ wp cert new

HTTPS enabled → HTTPS default → HSTS → HSTS preload

SNI

SHA1 vs SHA2

content 😕

comments, ads, social, analytics, CDNs, fonts

2008: HTTPS is slow

2015: HTTPS is fast

HTTP 2.0 (HTTPS): 1.88X, per http2.loadimpact.com

mixed content

$ mixed-content-scan

Content-Security-Policy: upgrade-insecure-requests

Content-Security-Policy-Report-Only: default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://myserver.com/log-tool/

No HTTPS? ask nicely.

No HTTPS? SoundCite, placehold.it

Akamai: http://hostname.com → https://a248.e.akamai.net/f/12/621/60d/hostname.com

<script src="//google.com/… → <script src="https://googl…
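A small scanner and rewriter in the spirit of the mixed-content-scan and upgrade-insecure-requests slides above, added here as an example (not code from the talk or from that tool): it reports every subresource an HTTPS page would load over http:// (active vs. passive) or scheme-relatively, and rewrites those URLs to https:// as the `//google.com` → `https://googl…` slide suggests. The tag table, function names and the sample page are the example's own assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Subresource-loading tags and their URL attributes. Scripts, stylesheets, frames and
# plugins are "active" mixed content (browsers block them); images and media are
# "passive" (loaded with a warning, but the padlock is still lost).
URL_ATTRS = {"script": ("src",), "link": ("href",), "iframe": ("src",), "object": ("data",),
             "img": ("src",), "video": ("src",), "audio": ("src",)}
ACTIVE_TAGS = {"script", "link", "iframe", "object"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) for each subresource not loaded over https

    def handle_starttag(self, tag, attrs):
        for name, url in attrs:
            if name not in URL_ATTRS.get(tag, ()) or not url:
                continue
            scheme = urlsplit(url).scheme
            if scheme == "http":
                kind = "active" if tag in ACTIVE_TAGS else "passive"
            elif scheme == "" and url.startswith("//"):
                kind = "scheme-relative"  # fine on an https page; explicit https is clearer
            else:
                continue
            self.findings.append((kind, tag, url))

def scan_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Only URL attributes on subresource tags are rewritten; <a href> links are left alone.
_INSECURE_SUBRESOURCE = re.compile(
    r'(<(?:script|link|iframe|object|img|video|audio)\b[^>]*?'
    r'\b(?:src|href|data)=["\'])(?:http:)?//', re.IGNORECASE)

def upgrade_insecure_urls(html):
    # Server-side equivalent of upgrade-insecure-requests: http:// and // become https://.
    return _INSECURE_SUBRESOURCE.sub(r"\1https://", html)

# Constructed sample page (not from the talk) mixing http://, //, https:// and a plain link.
SAMPLE = """<html><head><link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//google.com/analytics.js"></script></head>
<body><img src="http://images.example.com/logo.png">
<a href="http://example.com/story">story</a>
<iframe src="https://player.example.com/embed"></iframe></body></html>"""
```

The rewrite only helps where the third party actually serves HTTPS, which is what the "No HTTPS? ask nicely" slide is about; run `scan_mixed_content` on the rewritten page and then check the report-uri logs for anything that still fails.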

Many graphics from The Noun Project. Tombstone by Jakob Wells. Congress by Martha Ormiston. Shield by Wayne Thayer. Snail by aLf. Server by Yazmin Alanis. SEO by Azis. Money by Nick Levesque. Warning by Icomatic. Shopping cart by Patrizia Daidone. Lock with keyhole by Brennan Novak. Scribble by Michael Chanover. Calendar by Mani Amini. Error by Anas Ramadan. Network by Stephen Boak. Hat based on work by Blake Kimmel.