Moving from HTTP to HTTPS
TRANSCRIPT
Why HTTPS
• August 6, 2014 – Google starts using HTTPS as a ranking signal, ranking HTTPS URLs higher in search results [1]
• December 17, 2015 – Google now indexes the HTTPS version of a page in preference to the HTTP one [2]
• Prevents eavesdropping (and tampering) on the path between browser and server.
• No longer a performance bottleneck [3]. (Or is it?)
1. https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html
2. https://security.googleblog.com/2015/12/indexing-https-pages-by-default.html
3. https://istlsfastyet.com/
Keep In Mind:
• Every domain on your page must do its own TLS negotiation and the associated work:
– Agree on which cipher suite to use
– Exchange keys
– Validate the certificate chain
– Encrypt data and transmit
• Don’t use domain sharding! Spreading assets across img1, img2, … hostnames multiplies the handshakes above.
How HSTS Works
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
HTTP response header. Browsers only honour it when it arrives over HTTPS, so send it on every HTTPS response (it is ignored on the plain-HTTP redirect).
– max-age=31536000: expiry time in seconds (1 year). Until then the browser rewrites every http:// request for this host to https:// before it leaves the machine.
– includeSubDomains: apply this to all subdomains.
– preload: allow the domain to be submitted to the browser preload databases (hstspreload.org), which removes the unprotected first visit.
OCSP Stapling
• Two ways we can check to see if a certificate has been revoked:
– In the client (browser), which has to contact the CA’s OCSP responder itself on each new connection.
– By the server, which fetches the OCSP response and “staples” it to the certificate bundle in the TLS handshake, saving the client a round trip (and keeping the CA from seeing who visits the site).
Regular OCSP (no staple sent; the client must query the responder):
openssl s_client -connect blakecrosby.freshbooks.com:443 -status
CONNECTED(00000003)
OCSP response: no response sent
OCSP Stapling:
openssl s_client -connect www.freshbooks.com:443 -status
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 61D76CA33B92B93A461053EF6CE06633503EB3E0
    Produced At: Mar 15 15:57:17 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 0C9E4D9C3DEDEF84D891E972C7CF8406BC197B07
      Issuer Key Hash: 96DE61F1BD1C1629531CC0CC7D3B830040E61A7C
      Serial Number: 11218BFF0DF887065B1C2B2F6E284415D8A7
    Cert Status: good
    This Update: Mar 15 15:57:17 2016 GMT
    Next Update: Mar 19 15:57:17 2016 GMT
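A stapled response is only useful while it is still valid: a server that keeps re-serving a cached response past its Next Update is effectively not stapling. The following is an added example, not code from the original slides: it parses the text that the openssl s_client -status command shown above prints, and reports whether a staple was sent, what the certificate status is and how long the response remains valid. The field names it looks for ("no response sent", "OCSP Response Status", "Cert Status", "Next Update") are the ones visible in the output above; check_host is a live check that needs network access and an openssl binary, while parse_staple and staple_ok work on captured output. The sample output and the SAMPLE_CAPTURED_AT timestamp are constructed from the www.freshbooks.com excerpt above.

```python
"""Check whether a TLS server staples a fresh, 'good' OCSP response.

Added example, not from the original slides. Parses `openssl s_client -status`
text output; the sample below is constructed from the excerpt on the slide.
"""
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Optional

# Time format OpenSSL uses in its -status output, e.g. "Mar 19 15:57:17 2016 GMT"
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def _field(text: str, name: str) -> Optional[str]:
    """Return the value after 'name:' on the first line that starts with it."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(name + ":"):
            return stripped[len(name) + 1:].strip()
    return None


def parse_staple(output: str, now: Optional[datetime] = None) -> dict:
    """Summarise s_client -status output.

    stapled   - the server sent a usable OCSP response
    status    - 'good', 'revoked' or 'unknown' (None if nothing stapled)
    fresh     - Next Update still lies in the future
    remaining - time until Next Update (negative once the staple is stale)
    """
    now = now or datetime.now(timezone.utc)
    result = {"stapled": False, "status": None, "fresh": False, "remaining": None}
    if "no response sent" in output or "OCSP Response Status: successful" not in output:
        return result
    result["stapled"] = True
    result["status"] = _field(output, "Cert Status")
    next_update = _field(output, "Next Update")
    if next_update:
        expiry = datetime.strptime(next_update, OPENSSL_TIME).replace(tzinfo=timezone.utc)
        result["remaining"] = expiry - now
        result["fresh"] = expiry > now
    return result


def staple_ok(output: str, now: Optional[datetime] = None,
              min_margin: timedelta = timedelta(hours=12)) -> bool:
    """True only for a stapled, 'good', unexpired response with some margin left.

    The margin catches the failure mode of a server re-serving a cached
    response until it expires; clients then either fall back to their own
    OCSP query (the round trip stapling was meant to save) or, with
    must-staple, refuse the connection.
    """
    r = parse_staple(output, now)
    return bool(r["stapled"] and r["status"] == "good" and r["fresh"]
                and r["remaining"] >= min_margin)


def check_host(host: str, port: int = 443, timeout: int = 10) -> dict:
    """Live check: run openssl s_client -status against host (needs network)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"],
        input=b"", capture_output=True, timeout=timeout)
    return parse_staple(proc.stdout.decode(errors="replace"))


# Constructed samples modelled on the two outputs shown above.
SAMPLE_NONE = "CONNECTED(00000003)\nOCSP response: no response sent\n"
SAMPLE_STAPLED = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Mar 15 15:57:17 2016 GMT
    Next Update: Mar 19 15:57:17 2016 GMT
"""
# Roughly when the sample was captured (assumed); evaluating it against
# today's clock instead shows how a stale staple is reported.
SAMPLE_CAPTURED_AT = datetime(2016, 3, 15, 16, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_host(sys.argv[1]))
    else:
        print("at capture time:", parse_staple(SAMPLE_STAPLED, SAMPLE_CAPTURED_AT))
        print("today:          ", parse_staple(SAMPLE_STAPLED))
```

Run with a hostname argument to test a live server; with no argument it evaluates the constructed sample at its capture time (fresh) and against the current clock (stale), which is exactly the case a monitoring check should alarm on.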
Putting It All Together
• Every third-party script (domain) must be served over HTTPS: a script loaded over HTTP into an HTTPS page is mixed content, and browsers block it.
• Make sure you use a CDN that supports TLS optimizations (e.g. session resumption and OCSP stapling).
• Only use TLS from edge to origin if necessary, keeping in mind that a plaintext edge-to-origin leg leaves that traffic readable on the network between the CDN and your servers.
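Two of the points on this page, the per-domain handshake cost under Keep In Mind and the rule that every third-party domain must be HTTPS, can be checked from the page's HTML before the switch. The following is an added example, not code from the original slides: it collects the hosts that scripts, stylesheets, images and frames are loaded from (each distinct host means a separate TLS handshake, modulo HTTP/2 connection coalescing), groups sharded hostnames such as img1/img2/img3.example.com, and lists resources still referenced over plain http://. The HTML, the hostnames and the function names are constructed for this demonstration.

```python
"""Count the TLS handshakes a page implies and flag sharding and mixed content.

Added example, not from the original slides. Standard library only; the
sample HTML below is constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute naming a sub-resource the browser will fetch.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "video": "src", "audio": "src", "source": "src", "link": "href"}
# <link> elements that actually trigger a fetch (rel=canonical etc. do not).
LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "manifest"}
# Sharded hosts look like <prefix><digits>.<parent>, e.g. img2.example.com
SHARD_RE = re.compile(r"^([a-z-]+?)\d+\.(.+)$", re.IGNORECASE)


class ResourceCollector(HTMLParser):
    """Collect absolute URLs of the sub-resources a page references."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link":
            rels = set((a.get("rel") or "").lower().split())
            if not rels & LINK_RELS:
                return
        if a.get(attr):
            # urljoin resolves /relative and //protocol-relative references
            # against the page URL, so scheme and host are always present.
            self.urls.append(urljoin(self.page_url, a[attr]))


def audit(html, page_url):
    """Return handshake count, hosts, sharded host groups and insecure URLs."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    hosts = {urlsplit(page_url).hostname}  # the document itself costs one handshake
    insecure = []
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme == "http":
            insecure.append(url)  # mixed content once the page is HTTPS
        if parts.hostname:
            hosts.add(parts.hostname)
    groups = {}
    for host in hosts:
        m = SHARD_RE.match(host)
        if m:
            groups.setdefault(f"{m.group(1)}N.{m.group(2)}", []).append(host)
    return {
        "handshakes": len(hosts),
        "hosts": sorted(hosts),
        "sharded": {k: sorted(v) for k, v in groups.items() if len(v) > 1},
        "insecure": sorted(insecure),
    }


# Constructed page: one sharded image host set and one script still on http://.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="https://www.example.com/">
<script src="https://cdn.example.com/app.js"></script>
<script src="//www.google-analytics.com/analytics.js"></script>
</head><body>
<img src="https://img1.example.com/a.png">
<img src="https://img2.example.com/b.png">
<img src="https://img3.example.com/c.png">
<script src="http://ads.example.net/tag.js"></script>
</body></html>"""

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_HTML, "https://www.example.com/"), indent=2))
```

For the sample page the report counts seven handshakes, groups the three imgN.example.com hosts as sharding that could collapse into one host, and singles out the ads.example.net script as the one reference that will break when the page moves to HTTPS.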