Slide 1

HTTPS — this time it is not optional!
Drupal Camp Aarhus 2017

Slide 2

Arne Jørgensen
Senior Developer, Systems Architect, Partner
Reload! A/S
https://reload.dk

Slide 3

HTTPS — what is it?

Slide 4

HTTPS marked explicitly “Secure”

Slide 5

What happened? https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/

Slide 6

Secure or purse? https://twitter.com/__apf__/status/843809511441743873

Slide 7

Secure or Not secure? That is the question!

Slide 8

Warnings on login and credit cards

Slide 9

Warnings on login and credit cards

Slide 10

Future warnings / “Not Secure”
- Incognito mode
- Pages containing downloads
- Everything HTTP (http://)

Slide 11

Future browser features only over HTTPS
- Geolocation
- Device motion / orientation
- Encrypted Media Extensions (EME)
- getUserMedia
- AppCache
- Notifications
https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins

Slide 12

HTTPS — this time it is not optional!

Slide 13

Oh … and better SEO! ‘nuff said?

Slide 14

Misconceptions about HTTPS
- My page is HTTP, but the form posts to HTTPS
- My page is HTTP, but the form is in an HTTPS iframe

Slide 15

HTTP but the form posts to HTTPS

Slide 16

HTTP, but the form is in an HTTPS iframe

Slide 17

Certificates expire

Slide 18

Free, short-lived certificates
- Let’s Encrypt
  - Free
  - Only lasts 3 months
  - Automated
  - Open standard

Slide 19

Drupal & HTTPS: Usual Suspects
- Mixed content — images, CSS, JavaScript, etc. loaded via HTTP, introduced by:
  - Developers
  - Editors
- Drupal behind a proxy thinks it is running HTTP
- Cronjobs think it is running HTTP
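As an added example (not code from the slides), a small Python scanner for the mixed-content case on this slide: it reads a page's HTML and lists sub-resources still referenced over http://, separating the active content browsers block (scripts, stylesheets, frames) from the passive content they only warn about (images, media). The sample markup and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that fetch a sub-resource, and the attribute(s) carrying its URL.
URL_ATTRS = {
    "script": ("src",), "iframe": ("src",), "object": ("data",), "embed": ("src",),
    "link": ("href",), "img": ("src",), "source": ("src",), "audio": ("src",),
    "video": ("src", "poster"),
}
# Browsers block active mixed content outright; passive mixed content only
# downgrades the indicator from "Secure" to "Not secure".
ACTIVE = {"script", "iframe", "object", "embed", "link"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.active, self.passive = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> fetches only for rel=stylesheet; rel=canonical/alternate load nothing.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for attr in URL_ATTRS.get(tag, ()):
            url = (attrs.get(attr) or "").strip()
            # Only an explicit http:// scheme is mixed; https:// and "//host/x" are fine.
            if urlsplit(url).scheme == "http":
                (self.active if tag in ACTIVE else self.passive).append((tag, url))

def scan_mixed_content(html):
    """Return (active, passive): lists of (tag, url) still loaded over plain http://."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.active, scanner.passive

# Constructed sample: a theme with a hard-coded http:// script (the "developers"
# case) and an http:// image pasted into a node body (the "editors" case).
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://cdn.example/theme.css">
<link rel="canonical" href="http://www.example/node/1">
<script src="http://cdn.example/old-jquery.js"></script>
</head><body>
<img src="//static.example/logo.png">
<img src="http://static.example/editor-upload.jpg">
</body></html>"""

if __name__ == "__main__":
    active, passive = scan_mixed_content(SAMPLE)
    print("blocked:", active, "\nwarning only:", passive)
```

Run it against the rendered HTML of a Drupal page (for example saved with curl) to find the http:// references before the browser's console does.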

Slide 20

Connoisseur
- Extended Validation (EV) certificates
- HSTS
- Browser preloading
- DNS CAA and TLSA records
- ...

Slide 21

HTTPS — this time it is not optional! Questions? Comments?