HTTPS - this time it is not optional!

Transcript

1. HTTPS — this time it is not optional! Drupal Camp

   Aarhus 2017

2. Arne Jørgensen Senior Developer, Systems Architect, Partner Reload! A/S https://reload.dk

3. HTTPS — what is it?

4. HTTPS marked explicitly “Secure”

5. What happend? https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/

6. Secure or purse? https://twitter.com/__apf__/status/843809511441743873

7. Secure or Not secure? That is the question!

8. Warnings on login and credit cards

9. Warnings on login and credit cards

10. Future warnings / “Not Secure” - Incognito mode - Pages

    containing downloads - Everything HTTP http://

11. Future browser features only HTTPS - Geolocation - Device motion

    / orientation - Encrypted Media Extensions (EME) - getUserMedia - AppCache - Notifications https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins

12. HTTPS — this time it is not optional!

13. Oh … and better SEO! ‘nuff said?

14. Misconceptions about HTTPS - My page is HTTP but the

    form posts to HTTPS - My page is HTTP but the form is in a HTTPS iframe

15. HTTP but the form posts to HTTPS

16. HTTP but form is a HTTPS iframe

17. Certificates expire

18. Free, short lived certificates - Let’s Encrypt - Free -

    Only lasts 3 months - Automated - Open Standard

19. Drupal & HTTPS: Usual Suspects - Mixed content — images,

    CSS, javascript, etc. via HTTP: - Developers - Editors - Drupal behind a proxy thinks it is running HTTP - Cronjobs think it is running HTTP

20. Connoisseur - Extended Validation (EV) certificates - HSTS - Browser

    preloading - DNS CAA and TLSA records - ...

21. HTTPS — this time it is not optional! Questions? Comments?