HTTPS — this time it is not optional! Drupal Camp Aarhus 2017 

Arne Jørgensen Senior Developer, Systems Architect, Partner Reload! A/S https://reload.dk 

HTTPS — what is it? 

HTTPS marked explicitly “Secure” 

What happend? https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/ 

Secure or purse? https://twitter.com/__apf__/status/843809511441743873 

Secure or Not secure? That is the question! 

Warnings on login and credit cards 

Warnings on login and credit cards 

Future warnings / “Not Secure” - Incognito mode - Pages containing downloads - Everything HTTP http:// 

Future browser features only HTTPS - Geolocation - Device motion / orientation - Encrypted Media Extensions (EME) - getUserMedia - AppCache - Notifications https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins 

HTTPS — this time it is not optional! 

Oh … and better SEO! ‘nuff said? 

Misconceptions about HTTPS - My page is HTTP but the form posts to HTTPS - My page is HTTP but the form is in a HTTPS iframe 

HTTP but the form posts to HTTPS 

HTTP but form is a HTTPS iframe 

Certificates expire 

Free, short lived certificates - Let’s Encrypt - Free - Only lasts 3 months - Automated - Open Standard 

Drupal & HTTPS: Usual Suspects - Mixed content — images, CSS, javascript, etc. via HTTP: - Developers - Editors - Drupal behind a proxy thinks it is running HTTP - Cronjobs think it is running HTTP 

Connoisseur - Extended Validation (EV) certificates - HSTS - Browser preloading - DNS CAA and TLSA records - ... 

HTTPS — this time it is not optional! Questions? Comments?