HTTPS Migrations: The Hard Parts

You’ve decided to move your website to HTTPS. What now? In this session, you will learn how to manage the difficult aspects of an HTTPS migration using techniques that work for small to large sites. We will focus on practical, actionable tasks to ensure that your site is properly configured for a secure HTTPS delivery.

Zack Tollman

July 09, 2016

Transcript

  1. HTTPS Migrations:

    The Hard Parts
    Zack Tollman @tollmanz

  2. Credit: Mike Licht (https://flic.kr/p/apNRjZ); Creative Commons 2.0 (https://creativecommons.org/licenses/by/2.0/)

  3. Credit: Mike Licht (https://flic.kr/p/apRx6y); Creative Commons 2.0 (https://creativecommons.org/licenses/by/2.0/)

  4. Mozilla: https://dxr.mozilla.org/mozilla-central/raw/browser/themes/shared/identity-block/

  5. Confidentiality

  6. There are ways to attack
    HTTPS

  7. Let’s focus on what you
    control

  8. HTTPS Everywhere

  9. Mixed Content Issues

  10. Serving insecure content
    in a secure context

  11. An HTTPS HTML document
    loads an HTTP image

  12. Passive - images, video,
    etc.

  13. Active - JS, iFrame, etc.

  14. One insecure asset may
    render your whole site
    insecure

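Slides 10 to 14 describe the problem without showing how to find it. The following scanner is an added example written for this page (it is not from the talk, nor from the WordPress tooling linked at the end): it parses an HTML document served over HTTPS, resolves every subresource reference, and reports those that still resolve to http://, split into the passive and active classes the slides use. The tag-to-class table, the hostnames and the sample HTML are constructed for the example.

```python
"""Added example (not from the talk): find http:// subresources in an HTTPS
page and split them into the passive and active classes the slides describe."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed for this example: which attribute of which tag fetches a
# subresource, and whether that subresource is passive (images, media) or
# active (scripts, frames, stylesheets) in the sense of slides 12 and 13.
SUBRESOURCE_ATTRS = {
    "img": ("src", "passive"),
    "video": ("src", "passive"),
    "audio": ("src", "passive"),
    "source": ("src", "passive"),
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link": ("href", "active"),   # only rel="stylesheet" is counted below
    "object": ("data", "active"),
}


class MixedContentScanner(HTMLParser):
    """Collects every subresource URL that resolves to http://."""

    def __init__(self, document_url):
        super().__init__()
        self.document_url = document_url
        self.findings = []  # (kind, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        spec = SUBRESOURCE_ATTRS.get(tag)
        if spec is None:
            return
        attr_name, kind = spec
        attrs = dict(attrs)
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        value = attrs.get(attr_name)
        if not value:
            return
        # Relative and protocol-relative (//host/...) URLs inherit the
        # document's https: scheme, so only absolute http:// URLs are mixed content.
        absolute = urljoin(self.document_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def scan_mixed_content(document_url, html):
    """Return (passive_urls, active_urls) for the given HTTPS document."""
    scanner = MixedContentScanner(document_url)
    scanner.feed(html)
    scanner.close()
    passive = [url for kind, _, url in scanner.findings if kind == "passive"]
    active = [url for kind, _, url in scanner.findings if kind == "active"]
    return passive, active


# Constructed sample: an old post with a mix of absolute, relative and
# protocol-relative references.
SAMPLE_URL = "https://www.example.test/2012/old-post/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://ssl.google-analytics.com/ga.js"></script>
</head><body>
<img src="http://picsite.example.test/photo.jpg">
<img src="/uploads/2012/photo.jpg">
<img src="//cdn.example.test/logo.png">
<iframe src="http://video.example.test/embed/1"></iframe>
</body></html>"""

if __name__ == "__main__":
    passive, active = scan_mixed_content(SAMPLE_URL, SAMPLE_HTML)
    print("passive mixed content:", passive)
    print("active mixed content: ", active)
```

Run this over rendered pages (old posts especially, see slide 34) before switching the site over. The two lists matter differently: browsers block active mixed content outright, so those references break the page; passive mixed content still loads but costs the page its secure indicator, which is the "one insecure asset" of slide 14.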

  15. Handling Mixed
    Content

  16. Content Security Policy

  17. Define subresource rules
    for a protected resource

  18. [Diagram: Protected Resource -> Subresource]

  19. default-src 'self';
    script-src https://ssl.google-analytics.com

  20. CSP to disallow all
    mixed content

  21. default-src https:;
    img-src https: data:

  22. CSP to upgrade all
    mixed content

  23. default-src https:;
    img-src https: data:;
    upgrade-insecure-requests

  24. CSP to report all mixed
    content

  25. default-src https:;
    img-src https: data:;
    upgrade-insecure-requests;
    report-uri https://collector.com

  26. "body": {
        "csp-report": {
          "document-uri": "https://www.wired.com",
          "referrer": "",
          "violated-directive": "img-src https: data:",
          "effective-directive": "img-src",
          "original-policy": "…",
          "blocked-uri": "http://picsite.com",
          "status-code": 200
        }
      }

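The three header values on slides 21, 23 and 25 and the report body on slide 26, worked through as an added Python example (written for this page, not code from the talk): csp_policy() assembles each header value, classify_report() reads the JSON a browser POSTs to the report-uri endpoint and decides whether it is a mixed-content violation (https: document, http: subresource) rather than some other CSP violation, and summarize() counts mixed-content hits per directive and host, which is the raw material for charts like the ones on the following slides. The sample reports, hostnames and collector URL are constructed.

```python
"""Added example (not from the talk): build the CSP header values from the
slides and classify the violation reports a browser sends to report-uri."""
import json
from collections import Counter
from urllib.parse import urlsplit


def csp_policy(mode, report_uri=None):
    """Return a Content-Security-Policy header value.

    mode "block":   disallow every http: subresource (slide 21)
    mode "upgrade": additionally ask the browser to rewrite http: requests
                    to https: before sending them (slide 23)
    report_uri:     when set, browsers POST a JSON report for each violation
                    to this URL (slide 25)
    """
    if mode not in ("block", "upgrade"):
        raise ValueError("mode must be 'block' or 'upgrade'")
    directives = ["default-src https:", "img-src https: data:"]
    if mode == "upgrade":
        directives.append("upgrade-insecure-requests")
    if report_uri:
        directives.append(f"report-uri {report_uri}")
    return "; ".join(directives)


def classify_report(body):
    """Parse one report body (the JSON shown on slide 26) and decide whether
    it is a mixed-content violation: an https: document fetching an http: URL.

    Returns a dict with the effective directive, the blocked host and a flag.
    """
    report = json.loads(body)["csp-report"]
    document = urlsplit(report.get("document-uri", ""))
    blocked = urlsplit(report.get("blocked-uri", ""))
    # Some browsers omit effective-directive; fall back to the first token
    # of violated-directive ("img-src https: data:" -> "img-src").
    directive = (report.get("effective-directive")
                 or report.get("violated-directive", "").split(" ")[0])
    return {
        "directive": directive,
        "blocked_host": blocked.netloc,
        # blocked-uri values such as "inline" or "data" carry no scheme; they
        # are CSP violations of another kind, not mixed content.
        "mixed_content": document.scheme == "https" and blocked.scheme == "http",
    }


def summarize(bodies):
    """Count mixed-content violations per (directive, host); other violations are dropped."""
    counts = Counter()
    for body in bodies:
        result = classify_report(body)
        if result["mixed_content"]:
            counts[(result["directive"], result["blocked_host"])] += 1
    return dict(counts)


def _report(document_uri, violated, effective, blocked_uri):
    """Build one constructed report body shaped like the one on slide 26."""
    return json.dumps({"csp-report": {
        "document-uri": document_uri,
        "referrer": "",
        "violated-directive": violated,
        "effective-directive": effective,
        "original-policy": "(policy elided)",
        "blocked-uri": blocked_uri,
        "status-code": 200,
    }})


# Constructed sample reports: three mixed-content hits and one inline-script
# violation that the same policy also produces but which is not mixed content.
SAMPLE_REPORTS = [
    _report("https://www.example.test/2012/old-post/", "img-src https: data:",
            "img-src", "http://picsite.example.test/photo.jpg"),
    _report("https://www.example.test/2013/another-post/", "img-src https: data:",
            "img-src", "http://picsite.example.test/banner.gif"),
    _report("https://www.example.test/", "default-src https:",
            "script-src", "http://old-cdn.example.test/jquery.js"),
    _report("https://www.example.test/", "default-src https:",
            "script-src", "inline"),
]

if __name__ == "__main__":
    for mode in ("block", "upgrade"):
        print(f"Content-Security-Policy: {csp_policy(mode, 'https://collector.example.test')}")
    for (directive, host), count in sorted(summarize(SAMPLE_REPORTS).items()):
        print(f"{directive:<12} {host:<28} {count}")
```

The upgrade variant is the one to prefer once the site is ready: the browser rewrites the request itself, so a stale http:// image in a 2012 post is fetched over HTTPS instead of being blocked, and the report-uri still tells you which hosts and directives keep tripping the policy so the old content can be fixed at the source.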

  27. Report URI

    https://report-uri.io

  28. “To measure is to know”

    “If you cannot measure it
    you cannot improve it.”

    - Lord Kelvin

  29. [Chart: violation report volume, May to July; y axis 100 k to 400 k]

  30. [Pie chart: share of reports by browser (Webkit, Chrome, Firefox, Edge, Other); slices of 76%, 14%, 5%, 4%, 2%]

  31. [Chart: events (left axis, up to 300 M) and violations (right axis, up to 200 K) by browser: Mobile Safari, Safari, Chrome, Firefox, Facebook, IE]

  32. WordPress Concerns

  33. WP is good about mixed
    content

  34. Migrating old content is
    tricky

  35. https://github.com/ryanmarkel/https-all-the-things/

  36. https://speakerdeck.com/tollmanz/https-migrations-the-hard-parts
    @tollmanz