HTTPS is Hard

HTTPS is Hard
Steve Workman

View Slide

“We’re a business directory, why
do we need to be secure?”
Me, to Dan Applequist, January 2015
@steveworkman HTTPS is Hard #fstoco

View Slide

“Think about what queries your users put through
that every day, legal counsel, family planning clinics,
as well as the regular plumbers and hairdressers.
They search for it locally, and that is all personally
identifiable.
If I were a hacker intercepting this traffic I could work
out some pretty interesting stuff about you”
Dan Applequist, correcting me, January 2015

View Slide

“Google is pushing hard on this, they made it a
ranking factor to encourage the big guys to change.
If you’re selling this to your boss, that’s what you’ll
major on”
Dan Applequist, selling it, January 2015

View Slide


View Slide

Engineering
Security Operations
Product
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

View Slide


View Slide

http ://www.yell.com
S

View Slide

See what breaks
q Some internal URLs, including the canonical URLs
q All adverts
q Adobe Analytics
q The entire reviews section

View Slide

Fixing things
ü Some internal URLs, including the canonical URLs
q All adverts
q Adobe Analytics

View Slide

Securing Adverts:
• AOL/Yahoo’s Advertising network
• Can easily serve their scripts over HTTPS
• Adverts will then be served over HTTPS
• Or at least they should be
• You can be your own worst enemy here

View Slide

IAB are changing their ways
• 80% of the industry supports HTTPS
• In October 2015, they admitted they messed up
• http://www.iab.com/news/lean/
• Light
• Encrypted
• Ad Choice Supported
• Non-Invasive

View Slide

Advertising
Adtech
Ad Sales
team
Engineering
Security Operations
Product

View Slide

Fixing things
ü All adverts
q Adobe Analytics

View Slide

Third Party 2: Adobe Analytics
• Checked our implementation – no joy
• Contact Adobe
• Enabled first-party domains
• Supply certificates
• Very cautiously updated to the latest version

View Slide

Advertising
Adtech
Ad Sales
team
Engineering
Security Operations
Product
Analytics
Team
Adobe

View Slide

Fixing things
ü All adverts
ü Adobe Analytics

View Slide

“What’s in that shadowy place over
there?”
That’s the reviews system,
you must never go there

View Slide

Fixing things
ü All adverts
ü Adobe Analytics
ü The entire reviews section

View Slide

Acquire Certificates
• Self-signed
• Domain Validated
• Extended Validation

View Slide

Why EV Certificates?
• It’s a mark of trust in the organisation
• It’s not much more expensive than a regular certificate
• It’s the only type of certificate that turns the padlock green in
Edge
• Important for the perception of security

View Slide

EV certification isn’t hard, it takes time
• More levels of scrutiny and manual steps takes the time
• Had to update our domain records due to corporate name
changes
• Took a total of 4 weeks

View Slide

Advertising
Adtech
Ad Sales
team
Engineering
Security Operations
Product
Analytics
Team
Adobe
Legal
Companies
House

View Slide

Other third parties
• Anti-scraping tool
• Costs money to do with EV cert for a private IP
• Video hosting CDN
• Costs money – host didn’t support SNI
• Cross-region agreement means this is still in progress

View Slide

The Business Case
• Capital Expenditure (spending money) isn’t easy for many
developers
• Lots will have never written a business case before
• Depending on your organisation, this may not be trivial and
can take time and effort to push it through

View Slide

Pre-live performance concerns
• Is TLS Fast Yet?
• Yes, it is: www.Istlsfastyet.com
• Monitor our performance with RUM tools
• Terminate the connection at load balancer (closer to user)
• Ensure it is up to date

View Slide

Advertising
Adtech
Ad Sales
team
Engineering
Security Operations
Product
Analytics
Team
Adobe
Legal
Companies
House
Anti-scrape
CDN
CDO
CEO

View Slide

The Big Day
• Sitemaps (~10M links)
• Robots.txt
• Google Search Console
• 301 redirects for HTTP
traffic at the network
edge (the flip)

View Slide

The aftermath

View Slide

Java silently stopped sending requests
• Java only has some standard Root CA certificates by default
• Without these, requests over HTTPS will fail silently
• Upgrading Java wholesale is full of risk, simpler to install
missing CAs
• Pro tip: Always have an internal non-HTTPS route

View Slide

What does HTTPS do to your
Google search ranking?

View Slide

• HTTPS is 1 factor out of 200+ and is a “tie-break” factor
• It correlates +0.04 to ranking - not strong
• https://moz.com/search-ranking-factors/correlations

View Slide

Search ranking can be affected
• Wired chose to use 302 redirects initially, causing drops in
search ranking
• Once they switched to 301 redirects, ranking losses stopped
Source: https://www.wired.com/2016/09/wired-completely-encrypted/

View Slide

Google re-indexing took over 6 months
21/06/2015 21/07/2015 21/08/2015 21/09/2015 21/10/2015 21/11/2015 21/12/2015 21/01/2016
% of pages indexed on Google
%HTTP
% HTTPS

View Slide

TLS Performance
Desktop devices Mobile devices

View Slide

HTTPS is Fast, but it is
not Free
Un-tuned HTTPS will add 100-200ms to your first render time, and more
than that at the extremes of connectivity

View Slide

What’s wrong here?
• Anti-scrape server isn’t as optimised as it could be – Window
Scaling, OCSP stapling, TLS False Start all off
• Together they add 2 round-trips to each handshake
• So, the impact should theoretically be 30-60ms, not 100-
200ms
Anti-scrape Origin

View Slide

“I’ve stopped receiving traffic
from your site”

View Slide

HTTP Referrer
• 99% of our customer’s websites are served over HTTP, and of
that 1%, a quarter of those are Facebook pages.
From / To HTTP HTTPS
HTTP Pass Pass
HTTPS Do not pass Pass

View Slide

Referrer Policy


View Slide

Content Security Policy Level 2

View Slide

We chose to educate our customers instead

View Slide

Advertising
Adtech
Ad Sales
team
Engineering
Security Operations
Product
Analytics
Team
Adobe
Legal
Companies
House
Anti-scrape
CDN
CDO
CEO
Sales
Marketing
Customer
Services
Telesales

View Slide

HTTPS is not a technology
problem, it is a people problem,
and that problem is incentives

View Slide

Good News Everyone!
The internet has listened and is changing
for the better

View Slide

Problem
Certificates aren’t free
There’s a performance impact
CDNs should offer TLS for free
Solution
HTTP/2
Most do for DV certificates

View Slide

The migration cost is too high
Without HTTPS you can’t have
Privileged Features
Geolocation
Webcam
Microphone
Notifications
Device motion & orientation
Progressive Web Apps
Service Worker
AMP

View Slide


View Slide

What’s next for Yell?
• Work with third-party providers to improve TCP performance
• HTTP/2
• HTTP Strict Transport Security (HSTS)
• Create a Content Security Policy (CSP)
• Ensure server Cookies set with httpsOnly flag
• Complete the transition and update our CDN

View Slide

https://observatory.mozilla.org

View Slide

Thank you
Twitter: @steveworkman
Slides: https://speakerdeck.com/steveworkman/https-is-hard
Epic Blog post: https://blog.yell.com/2016/03/https-is-hard/

View Slide

HTTPS is Hard

HTTPS is Hard

Steve Workman

More Decks by Steve Workman

Other Decks in Technology

Featured

Transcript