Better Safe Than Sorry with HTTPS - SMX East 2016 - Patrick Stox


Transcript of Better Safe Than Sorry with HTTPS - SMX East 2016 - Patrick Stox

Page 1: Better Safe Than Sorry with HTTPS - SMX East 2016 - Patrick Stox

#SMX #24A3 @patrickstox

The Good, the Bad, and the Terrifying

Better Safe Than Sorry With HTTPS

Page 2

You Know You Should Have Switched Right?

Page 3

THE INFORMATION

Page 5

Then There’s This Guy

Page 6

Securing Your Website With HTTPS: https://support.google.com/webmasters/answer/6073543

Google Wrote A Guide To Help

Page 7

HTTP to HTTPS: An SEO’s guide to securing a website: http://searchengineland.com/http-https-seos-guide-securing-website-246940

I Also Wrote A Guide To Help

Page 8

https://plus.google.com/+JohnMueller/posts/PY1xCWbeDVC

John Mueller Wrote An FAQ

Page 9

John Mueller Liked My Guide

Page 10

Why Aren’t People Adopting?

Page 11

Top Ranking Sites Are Adopting

@methode is Google Webmaster Trends Analyst Gary Illyes

Dr. Pete Meyers of Moz ran a test and showed over 30% of first page results were secure in June 2016: https://moz.com/blog/https-tops-30-how-google-is-winning-the-long-war

Page 12

THE GOOD

Page 13

Authentication: this is who I’m supposed to be talking to (the certificate binds the server’s key to its hostname).

Data Integrity: who is messing with my stuff? (Any change to the data in transit is detected.)

Encryption: who is listening? (Nobody on the path can read the traffic.)

What Does TLS Offer?

Page 14

When a visitor follows a link from an HTTPS page to an HTTP page, the browser drops the Referer header. HTTPS > HTTPS, HTTP > HTTP, and HTTP > HTTPS all pass it.

This accounts for a lot of what people call “Dark Traffic” and “Dark Social”. Switching to HTTPS fixes some of these attribution errors.

Without this referral data, the traffic looks like direct traffic in analytics.

This is the browser’s default Referrer-Policy behaviour (no-referrer-when-downgrade in 2016 browsers; current browsers default to strict-origin-when-cross-origin, which also trims cross-origin referrers down to the origin). A site can change what its own outbound links send with a Referrer-Policy header or meta tag.

Referral Data

Referrer passed?    To HTTP    To HTTPS
From HTTP           Yes        Yes
From HTTPS          No         Yes

Page 15

Read any of the guides out there. They make it sound so easy because it can be.

Moving To HTTPS Is A Website Migration

Page 16

Let’s Encrypt: https://letsencrypt.org/

Hosts are offering them

CDNs are offering them

Free Certificates

Page 17

What’s the one thing everyone knows about AMP?

It’s FAST right, but why?

AMP

Page 18

Single connection. Only one connection to the server is used to load a website, and it stays open for as long as the page is open, which cuts the round trips spent setting up multiple TCP (and TLS) connections.

Multiplexing. Multiple requests are in flight at the same time on that one connection. With HTTP/1.1 each connection handles one request at a time, so a slow response blocks everything queued behind it, and browsers work around that by opening several connections per host.

Server push. The server can send additional resources it knows the client will need before the client asks for them.

Browsers only negotiate HTTP/2 over TLS (via the ALPN extension), so HTTPS is the price of admission to all of this.

HTTP/2 – So Much Goodness

Page 19

Prioritization. Requests carry dependency and weight information the server can use to deliver higher priority resources first.

Binary framing. The binary framing layer is more compact, easier for a server to parse and less error-prone than HTTP/1.1’s text framing.

Header compression. HTTP/2 uses HPACK, which removes the overhead of resending the same header values on every request as HTTP/1.1 did; CloudFlare saw a 30% reduction in header size. HPACK exists because the CRIME attack showed that gzip-compressing headers (as SPDY did) leaks secrets such as cookies, so it was designed to compress without that leak.

HTTP/2 – Even More Goodness

Page 20

http://searchengineland.com/everyone-moving-http2-236716

HTTP/2 – Read About It

Page 21

• For every 100ms decrease in homepage load speed, Mobify's customer base saw a 1.11% lift in session-based conversion, amounting to an average annual revenue increase of $376,789.

• For every 100ms decrease in checkout page load speed, Mobify's customers saw a 1.55% lift in session-based conversion, amounting to an average annual revenue increase of $526,147.

• Shoppers browse more on faster mobile websites.

• An increase of one pageview per user results in a 5.17% lift in user-based conversion, i.e. for each additional page viewed per user, Mobify saw their average customer's annual revenue increase by $398,484.

Mobify’s Mobile Test

Page 22

THE BAD

Page 23

What if you’re a website who makes money by sending people from your website to another website? Affiliates, Directories, Niche Magazines.

You need that referral data to prove your value!

Referral Data – Didn’t We Say This Was Good?
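The referral behaviour on the two Referral Data slides, worked through in code. This is an added example, not something from the deck: it models what Referer a browser sends for a link under each Referrer-Policy value (names and semantics as in the W3C Referrer Policy spec), and then shows the affiliate case, where an HTTPS site linking to an HTTP merchant loses attribution under the browser default but keeps its origin under origin-when-cross-origin. The affiliate and merchant URLs are constructed for illustration.

```python
"""Which Referer a browser sends for a link, per Referrer-Policy value.

Added example, not from the slides. Policy names and semantics follow the
W3C Referrer Policy spec; the URLs at the bottom are constructed.
"""
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """Serialized origin with a trailing slash, the way browsers send it."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"


def full_referrer(url: str) -> str:
    """Full URL minus the fragment (browsers also strip userinfo; not modelled)."""
    return urlsplit(url)._replace(fragment="").geturl()


def is_downgrade(src: str, dst: str) -> bool:
    """TLS-protected source to a non-TLS destination."""
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def referrer_for(policy: str, src: str, dst: str):
    """Return the Referer header value, or None when nothing is sent."""
    same_origin = origin(src) == origin(dst)
    downgrade = is_downgrade(src, dst)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":       # 2016 browser default
        return None if downgrade else full_referrer(src)
    if policy == "same-origin":
        return full_referrer(src) if same_origin else None
    if policy == "origin":
        return origin(src)
    if policy == "strict-origin":
        return None if downgrade else origin(src)
    if policy == "origin-when-cross-origin":
        return full_referrer(src) if same_origin else origin(src)
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if same_origin:
            return full_referrer(src)
        return None if downgrade else origin(src)
    if policy == "unsafe-url":
        return full_referrer(src)
    raise ValueError(f"unknown policy {policy!r}")


def attribution(referrer):
    """How analytics on the destination would bucket the visit."""
    if referrer is None:
        return "direct"
    return "referral from " + urlsplit(referrer).netloc


# Constructed scenario: an HTTPS affiliate page links out to a merchant.
AFFILIATE = "https://deals.example/top-10?aff=123#reviews"
MERCHANT_HTTP = "http://merchant.example/product"
MERCHANT_HTTPS = "https://merchant.example/product"

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "origin-when-cross-origin",
                   "strict-origin-when-cross-origin", "unsafe-url"):
        for dst in (MERCHANT_HTTP, MERCHANT_HTTPS):
            ref = referrer_for(policy, AFFILIATE, dst)
            print(f"{policy:32} -> {dst:34} {attribution(ref)}")
```

Running it shows the affiliate's HTTP-only merchants seeing "direct" under the default policy; origin-when-cross-origin restores attribution to deals.example without leaking the path and aff parameter, while unsafe-url leaks the whole URL to every destination, including over plain HTTP.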

Page 24

Hard Mode

Load balancers, CDNs, legacy infrastructure, legacy software, multiple CMS systems, routing, APIs

Moving to HTTPS, a new CMS, bringing in outside domains, new taxonomy, new content, killing old content, redirects, redirects, and more redirects

Moving To HTTPS Is A Website Migration

Page 25

There’s a difference between getting it done and getting it done correctly.

There’s some hard choices that people aren’t willing to make like changing providers, upgrading systems, or just killing off things.

Is It Harder For Bigger Companies?

Page 26

Making The Switch To HTTPS Can Go Wrong, Ask Buffer

Page 28

https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

Google’s announcement that Chrome 56 (January 2017) would start marking HTTP pages that collect passwords or credit card numbers as “Not secure”, with the stated plan of eventually labelling every HTTP page that way.

Chrome

Page 29

They looked at accessibility via HTTP and HTTPS, redirects, and status codes.

• 1 in 10 websites had what they considered a flawless HTTPS setup.

• 60% of the websites tested had no HTTPS whatsoever (over 65% when counting websites with errors in their SSL setup).

• Almost 1 in 4 domains were missing a canonical HTTPS version.

• Almost 1 in 4 domains were using 302 (temporary) redirects instead of 301 (permanent) redirects.

• Even Google can’t be bothered to use permanent redirects and uses temporary redirects (HTTP status code 302) instead.

A correct redirect only helps clients that have already sent the plain-HTTP request; keeping that first request off the wire is what HSTS is for.

LinksSpy Analyzed 10,000 Top Domains
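The checks LinksSpy describes (is there a canonical HTTPS version, are the redirects permanent, does the chain end in a 200) as a small audit routine. This is an added example, not LinksSpy’s tool or anything from the deck; it works on a recorded redirect chain rather than fetching anything, so the hops below are constructed, and a real run would feed it the chain a client such as requests or curl reports.

```python
"""Audit an HTTP -> HTTPS redirect chain against the LinksSpy criteria.

Added example, not LinksSpy's or the speaker's code. A hop is
(requested_url, status_code, location_header_or_None); the chains at the
bottom are constructed, not fetched.
"""
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
PERMANENT = {301, 308}


def audit_chain(hops):
    """Return a list of findings; an empty list means a flawless setup."""
    findings = []
    if not hops:
        return ["no response"]
    final_url, final_status, _ = hops[-1]
    if final_status != 200:
        findings.append(f"final URL {final_url} returned {final_status}")
    if urlsplit(final_url).scheme != "https":
        findings.append(f"no canonical HTTPS version: chain ends on {final_url}")
    for url, status, location in hops[:-1]:
        if status not in REDIRECTS:
            findings.append(f"{url} returned {status} but the chain continued")
            continue
        if status not in PERMANENT:
            findings.append(f"{url} uses temporary redirect {status}, not 301/308")
        if (location and urlsplit(url).scheme == "https"
                and urlsplit(location).scheme == "http"):
            findings.append(f"downgrade: {url} redirects to plain HTTP {location}")
    if len(hops) > 2:
        findings.append(f"{len(hops) - 1} redirect hops; one is enough")
    return findings


def is_flawless(hops):
    return audit_chain(hops) == []


# Constructed chains covering the cases the study counted.
FLAWLESS = [("http://example.com/", 301, "https://example.com/"),
            ("https://example.com/", 200, None)]
TEMPORARY = [("http://example.com/", 302, "https://example.com/"),
             ("https://example.com/", 200, None)]
NO_HTTPS = [("http://example.com/", 200, None)]
DOWNGRADE = [("https://example.com/", 301, "http://example.com/"),
             ("http://example.com/", 200, None)]
LONG = [("http://example.com/", 301, "http://www.example.com/"),
        ("http://www.example.com/", 301, "https://www.example.com/"),
        ("https://www.example.com/", 200, None)]

if __name__ == "__main__":
    for name, chain in (("flawless", FLAWLESS), ("temporary", TEMPORARY),
                        ("no https", NO_HTTPS), ("downgrade", DOWNGRADE),
                        ("long", LONG)):
        print(f"{name:10} {audit_chain(chain) or 'OK'}")
```

The downgrade check is the one worth keeping even after a migration: a stray rule that bounces an HTTPS URL back to HTTP silently undoes the whole move for that path.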

Page 30

THE TERRIFYING

Page 31

Do you want to be de-indexed by Bing and Baidu?

SNI (Server Name Indication) is the TLS extension that lets one IP address serve certificates for many hostnames. A client that does not send it gets the server’s default certificate or a failed handshake, so a crawler without SNI support cannot fetch an SNI-only site. If you rely on a shared-IP host or CDN, check that every crawler you care about can still reach you.

TLS SNI

Page 32

Injection

Happens all the time with hotel chains, airlines and ISPs.

AT&T injecting ads: http://webpolicy.org/2015/08/25/att-hotspots-now-with-advertising-injection/

Comcast blocking VPN traffic: https://blog.wjd.io/comcast-blocks-vpn-traffic

Comcast again injecting ads

Page 33

Headline

Page 34

Think what could happen when a country controls the data, e.g. the Great Firewall.

Injection Is Scary Enough, Censorship Is Terrifying

Page 35

Did you know GitHub was hit by a massive DDoS in March 2015? The attackers intercepted plain-HTTP connections carrying Baidu’s analytics script and replaced it with malicious JavaScript, so every visitor’s browser hammered two GitHub projects focused on Chinese anti-censorship. Had the script been served over HTTPS, the substitution would not have been possible. http://www.infoworld.com/article/2903533/security/github-still-recovering-from-massive-ddos-attacks.html

Or How About Attacks?

Page 36

Many Apps Send Data Over HTTP

They ask for so many permissions and then they do something like this. It’s one of the most terrifying things I’ve seen in my life.

Page 37

But more than likely your data was already stolen in one of the many data breaches:https://haveibeenpwned.com/

Sending Your Data Openly is Scary

Page 38

Router, modem, ISP... what else is between the person and the server or CDN? And if TLS terminates at a CDN or load balancer, the hop from there to your origin is only encrypted if you configure it to be.

Just Because Your Site Shows Secure, Not Everything Is

Page 39

https://www.troyhunt.com/understanding-http-strict-transport/

He takes a WiFi Pineapple along and shows how websites not using HSTS, where the first request is still plain HTTP, can be hijacked by whoever runs the Wi-Fi the visitor is on.

Troy Hunt Is My Hero
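To make the “first request is still HTTP” point concrete, here is an added example (not Troy Hunt’s code and not from the deck) that models a browser’s HSTS cache: it parses the Strict-Transport-Security header as RFC 6797 describes, ignores the header when it arrives over plain HTTP, honours includeSubDomains and expiry, and reports which URL actually goes on the wire for a typed http:// address. The host names and timestamps are constructed.

```python
"""Model a browser's HSTS cache and see which requests leave as plain HTTP.

Added example, not Troy Hunt's or the speaker's code. Header parsing follows
RFC 6797; hosts and timestamps below are constructed.
"""
from urllib.parse import urlsplit


def parse_hsts(header: str):
    """Parse 'max-age=N[; includeSubDomains]' into (max_age, include_subdomains).

    Returns None when there is no valid max-age, which RFC 6797 requires.
    """
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class HstsCache:
    def __init__(self):
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def observe(self, url: str, headers: dict, now: int):
        """Record an HSTS header, but only from an HTTPS response (RFC 6797 s8.1)."""
        if urlsplit(url).scheme != "https":
            return
        header = headers.get("Strict-Transport-Security")
        if header is None:
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = urlsplit(url).hostname
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 removes the entry
        else:
            self._hosts[host] = (now + max_age, include_sub)

    def is_known(self, host: str, now: int) -> bool:
        """Exact host match, or an unexpired parent entry with includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def request_url(self, url: str, now: int) -> str:
        """What goes on the wire: upgraded to https if the host is known."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname, now):
            return p._replace(scheme="https").geturl()
        return url


if __name__ == "__main__":
    cache = HstsCache()
    # First visit: the typed address goes out as cleartext, hijackable on hostile Wi-Fi.
    print("t=0   ", cache.request_url("http://example.com/", 0))
    # The server's HTTPS response sets HSTS for a year, covering subdomains.
    cache.observe("https://example.com/",
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, 0)
    print("t=100 ", cache.request_url("http://example.com/login", 100))
    print("t=100 ", cache.request_url("http://shop.example.com/", 100))
    print("t=1y  ", cache.request_url("http://example.com/", 31536000))
```

The output makes the gap visible: nothing protects the very first request, and protection lapses once max-age expires unless it keeps being refreshed by HTTPS visits. Closing that first-visit gap is what the browsers’ HSTS preload list is for.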

Page 40

THE IMPROVEMENTS

Page 41

https://istlsfastyet.com/

TLS Improvements By Server

Page 42

https://istlsfastyet.com/

TLS Improvements By CDN

Page 43

High Performance Browser Networking by Ilya Grigorik: http://chimera.labs.oreilly.com/books/1230000000545

OpenSSL Cookbook and Bulletproof SSL and TLS by Ivan Ristic:
https://www.feistyduck.com/books/openssl-cookbook/
https://www.feistyduck.com/books/bulletproof-ssl-and-tls/

Mozilla Server Side TLS guide: https://wiki.mozilla.org/Security/Server_Side_TLS

Performance Resources

Page 44

https://www.ssllabs.com/ssltest/

They also have a best practice guide:https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

Test Your Server

Page 45

LEARN MORE: UPCOMING @SMX EVENTS

THANK YOU! SEE YOU AT THE NEXT #SMX