HTTPS - this time it is not optional!
by Arne Jørgensen
Slide 1: HTTPS — this time it is not optional! Drupal Camp Aarhus 2017

Slide 2: Arne Jørgensen
Senior Developer, Systems Architect, Partner
Reload! A/S, https://reload.dk

Slide 3: HTTPS — what is it?

Slide 4: HTTPS marked explicitly “Secure”

Slide 5: What happened? https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/

Slide 6: Secure or purse? https://twitter.com/__apf__/status/843809511441743873

Slide 7: Secure or Not secure? That is the question!

Slide 8: Warnings on login and credit cards

Slide 9: Warnings on login and credit cards

Slide 10: Future warnings / “Not Secure”
- Incognito mode
- Pages containing downloads
- Everything HTTP (http://)

Slide 11: Future browser features available only over HTTPS
- Geolocation
- Device motion / orientation
- Encrypted Media Extensions (EME)
- getUserMedia
- AppCache
- Notifications
https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins

Slide 12: HTTPS — this time it is not optional!

Slide 13: Oh … and better SEO! ‘nuff said?

Slide 14: Misconceptions about HTTPS
- My page is HTTP but the form posts to HTTPS
- My page is HTTP but the form is in an HTTPS iframe

Slide 15: HTTP but the form posts to HTTPS

Slide 16: HTTP but the form is in an HTTPS iframe

Slide 17: Certificates expire

Slide 18: Free, short-lived certificates
- Let’s Encrypt
- Free
- Only lasts 3 months
- Automated
- Open standard

Slide 19: Drupal & HTTPS: Usual Suspects
- Mixed content — images, CSS, JavaScript, etc. via HTTP:
  - Developers
  - Editors
- Drupal behind a proxy thinks it is running HTTP
- Cron jobs think the site is running HTTP
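Mixed content is the first "usual suspect" on the slide above, and the quickest way to find it before a browser does is to scan the rendered HTML for subresources that still point at plain http:// URLs. The following is an added example written for this page, not code from the talk or from Drupal: a small scanner built on the standard-library HTMLParser that resolves relative and protocol-relative URLs against the page URL and reports only the references that end up on http://. The page URL, the sample HTML and the hostnames in it are constructed for the demonstration.

```python
"""Find mixed content in an HTML page that is served over HTTPS.

Added example for the "Drupal & HTTPS: Usual Suspects" slide; not code from
the talk or from Drupal. Scans the tags browsers load as subresources and
reports the ones that resolve to plain http:// URLs.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes per tag that reference something the browser will fetch.
# A form action is not a subresource, but an http:// action on an HTTPS page
# sends the submitted data in the clear, so it is reported as well.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),
}


def _split_srcset(value):
    """srcset holds comma-separated 'url [descriptor]' candidates; keep the URLs."""
    return [cand.strip().split()[0] for cand in value.split(",") if cand.strip()]


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            urls = _split_srcset(value) if name == "srcset" else [value]
            for url in urls:
                # Relative ("/files/x.png") and protocol-relative ("//cdn/x.js")
                # references inherit the page scheme and are therefore fine.
                absolute = urljoin(self.page_url, url.strip())
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))


def find_mixed_content(page_url, html):
    """Return (tag, attribute, url) for every http:// reference on an HTTPS page.

    A page that is itself served over HTTP has no mixed content in the browser
    sense (everything is insecure), so the scanner returns [] for it.
    """
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a Drupal-like page with three http:// references.
SAMPLE_PAGE_URL = "https://www.example.org/node/1"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://www.example.org/sites/default/files/css/styles.css">
<script src="//cdn.example.net/jquery.js"></script>
</head><body>
<img src="/sites/default/files/logo.png" srcset="http://cdn.example.net/logo@2x.png 2x">
<iframe src="https://player.example.net/embed/1"></iframe>
<form action="http://www.example.org/user/login" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> {url}")
```

Running this over the sample reports the stylesheet, the 2x image candidate and the login form action; the protocol-relative script and the root-relative image are not reported because they follow the page's own scheme, which is also why fixing editor-entered and developer-hardcoded absolute http:// URLs (or rewriting them to protocol-relative or https) clears the warnings.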
Slide 20: Connoisseur
- Extended Validation (EV) certificates
- HSTS
- Browser preloading
- DNS CAA and TLSA records
- ...
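HSTS and browser preloading from the slide above are both driven by one response header, Strict-Transport-Security, and whether a site qualifies for the preload list depends on exactly what that header says. The following is an added example written for this page, not code from the talk: a parser for the header's directives (RFC 6797 syntax) and a check that reports what is missing for preloading. The thresholds are assumptions taken from the hstspreload.org submission requirements at the time of writing (max-age of at least one year, includeSubDomains and preload present); the sample header values are constructed.

```python
"""Parse a Strict-Transport-Security header and check it for preloading.

Added example for the "Connoisseur" slide (HSTS, browser preloading); not
code from the talk. The preload requirements are assumptions based on the
hstspreload.org submission criteria at the time of writing.
"""

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds (assumed requirement)


def parse_hsts(header):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict.

    Directive names are case-insensitive (RFC 6797), so they are lower-cased.
    A quoted max-age value is accepted. Returns None when max-age is missing
    or not a non-negative integer, since the header is then invalid.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    directives["max-age"] = int(max_age)
    return directives


def check_hsts(header):
    """Return a list of problems; an empty list means the header is preload-ready."""
    parsed = parse_hsts(header) if header else None
    if parsed is None:
        return ["no valid Strict-Transport-Security header (max-age is required)"]
    problems = []
    if parsed["max-age"] == 0:
        problems.append("max-age=0 tells browsers to forget the policy")
    elif parsed["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(
            f"max-age {parsed['max-age']} is below the {PRELOAD_MIN_MAX_AGE} required for preloading"
        )
    if "includesubdomains" not in parsed:
        problems.append("includeSubDomains missing (required for preloading)")
    if "preload" not in parsed:
        problems.append("preload directive missing")
    return problems


# Constructed sample headers: a cautious first deployment and a preload-ready one.
WEAK_HEADER = "max-age=300"
STRONG_HEADER = "max-age=63072000; includeSubDomains; preload"

if __name__ == "__main__":
    for header in (WEAK_HEADER, STRONG_HEADER, ""):
        print(repr(header), "->", check_hsts(header) or "preload-ready")
```

The header is only honoured when received over HTTPS and only protects visitors after their first secure visit; preloading closes that first-visit gap, which is why it requires includeSubDomains and a long max-age. Starting with a short max-age, as in the weak sample, is deliberate practice while checking that every subdomain really serves HTTPS, because a long policy with includeSubDomains cannot be withdrawn from browsers that have already cached it.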
Slide 21: HTTPS — this time it is not optional! Questions? Comments?