WordCamp US: Delivering the news over HTTPS

Delivering the news over HTTPS

Paul Schreiber@paulschreiber

HTTP1991–2015

Marking HTTP As Non-SecureWe, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015.

The goal of this proposal is to more clearly display to users that HTTP provides no data security.

Deprecating Non-Secure HTTPToday we are announcing our intent to phase out non-secure HTTP.

There are two broad elements of this plan: 1. Setting a date after which all new features will be

available only to secure websites 2. Gradually phasing out access to browser

features for non-secure websites, especially features that pose risks to users’ security and privacy.

The HTTPS-Only StandardAll browsing activity should be considered private and sensitive.

—https.cio.gov

A Call to ActionIf you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of 2015 and pledge your support with the hashtag #https2015.

—Eitan Konigsburg, Rajiv Pant and Elena Kvochko “Embracing HTTPS” November 13, 2014

HTT

P

HTT

PS

example.com

sing

le

example.com greeneggsham.info wordpressfan.bizSA

N

example.com beta.example.com shoebox.example.comw

ildca

rd

domain validation

organization validation

extended validation

Selected DV Certificates

Comodo PositiveSSL

Comodo SSL

Thawte SSL123

0 32 64 96 128 160

149

99

49

PositiveSSL DV Certificates

SSLs.com

SSLMate

Comodo

0 32 64 96 128 160

49

15.95

8.95

Selected CertificatesLet’s Encrypt

PositiveSSL (SSLs.com)

GeoTrust QuickSSL Premium

Thawte SSL123

GeoTrust True BusinessID

Symantec Secure Site

Symantec Secure Site Pro EV0 300 600 900 1200 1500

1400

399

199

149

99.98

8.95

0

$sslmatemkconfig

https://mozilla.github.io/server-side-tls/

ssl-config-generator/

https://github.com/tollmanz/lets-encrypt-wp

$wpcertnew

HTTPS enabled

HTTPS enabledHTTPS default

HTTPS enabledHTTPS defaultHSTS

HTTPS enabledHTTPS defaultHSTSHSTS preload

SHA1 vs

SHA2

cont

ent

cont

ent

😕

com

men

ts

soci

al

anal

ytic

s

CD

Ns

font

s

2008 HTTPS is slow

2008 HTTPS is slow2015 HTTPS is fast

HTTP 2.0

1.88Xper http2.loadimpact.com

mix

ed c

onte

nt

mix

ed c

onte

nt

$mixed-content-scan

mix

ed c

onte

nt

Content-Security-Policy:upgrade-insecure-requests

mix

ed c

onte

nt Content-Security-Policy-Report-Only:default-srchttps:data:'self''unsafe-inline''unsafe-eval';report-uri:https://myserver.com/log-tool/

No

HTT

PS?

ask nicely.

No

HTT

PS?

SoundCiteplacehold.it

mix

ed c

onte

nt

Akamai http://hostname.com→https://a248.e.akamai.net/f/12/621/60d/hostname.com

<scriptsrc="//google.com/…<scriptsrc="https://googl…

mix

ed c

onte

nt

mix

ed c

onte

nt

Many graphics from The Noun ProjectTombstone by Jakob Wells. Congress by Martha Ormiston. Shield by Wayne Thayer. Snail by aLf. Server by Yazmin Alanis. SEO by Azis. Money by Nick Levesque. Warning by Icomatic. Shopping cart by Patrizia Daidone. Lock with keyhole by Brennan Novak. Scribble by Michael Chanover. Calendar by Mani Amini. Error by Anas Ramadan. Network by Stephen Boak. Hat based on work by Blake Kimmel.

WordCamp US: Delivering the news over HTTPS

Technology

Transcript of WordCamp US: Delivering the news over HTTPS