
HTTPS Migrations: The Hard Parts

You’ve decided to move your website to HTTPS. What now? In this session, you will learn how to manage the difficult aspects of an HTTPS migration using techniques that work for small to large sites. We will focus on practical, actionable tasks to ensure that your site is properly configured for secure HTTPS delivery.

Zack Tollman

July 09, 2016

Transcript

  1. HTTPS Migrations: The Hard Parts. Zack Tollman, @tollmanz

  2. Credit: Mike Licht (https://flic.kr/p/apNRjZ); Creative Commons 2.0 (https://creativecommons.org/licenses/by/2.0/)

  3. Credit: Mike Licht (https://flic.kr/p/apRx6y); Creative Commons 2.0 (https://creativecommons.org/licenses/by/2.0/)

  4. Mozilla: https://dxr.mozilla.org/mozilla-central/raw/browser/themes/shared/identity-block/

  5. Protections

  6. Identity

  7. Integrity

  8. Confidentiality

  9. There are ways to attack HTTPS

  10. Let’s focus on what you control

  11. DO NOT

  12. SERVE

  13. HTTP

  14. CONTENT

  15. HTTPS Everywhere

  16. Mixed Content Issues

  17. Serving insecure content in a secure context

  18. HTTPS HTML document loads HTTP image

  23. Passive: images, video, etc.

  26. Active: JS, iframes, etc.

  27. One insecure asset may render your whole site insecure

  28. Handling Mixed Content

  29. Content Security Policy

  30. Define subresource rules for a protected resource

  31. Protected Resource / Subresource (diagram)

  32. default-src 'self'; script-src https://ssl.google-analytics.com

  33. CSP to disallow all mixed content

  34. default-src https:; img-src https: data:

  35. CSP to upgrade all mixed content

  36. default-src https:; img-src https: data:; upgrade-insecure-requests

  37. CSP to report all mixed content

  38. default-src https:; img-src https: data:; upgrade-insecure-requests; report-uri https://collector.com

  39. "body": {
        "csp-report": {
          "document-uri": "https://www.wired.com",
          "referrer": "",
          "violated-directive": "img-src https: data:",
          "effective-directive": "img-src",
          "original-policy": "…",
          "blocked-uri": "http://picsite.com",
          "status-code": 200
        }
      }
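The policies on slides 34, 36 and 38 and the report on slide 39 fit together as one small workflow: emit a policy, then triage what the browsers send back. The following is an added example, not code from the talk or from any collector service; it builds the three policy variants and classifies each csp-report as passive or active mixed content (the distinction from slides 23 and 26). The sample reports are constructed, the hostnames are placeholders, and the passive/active grouping of directives is this example's own assumption.

```python
"""Build the mixed-content CSP variants from the talk and triage the
csp-report JSON that browsers POST to the report-uri.  Added example;
not the talk's code.  Sample reports below are constructed."""
import json
from urllib.parse import urlparse

# Directives whose violations are "passive" mixed content (slide 23);
# everything else is treated as "active" (slide 26).  This grouping is
# an assumption of the example, not something the talk states.
PASSIVE_DIRECTIVES = {"img-src", "media-src"}


def mixed_content_policy(mode, report_uri=None):
    """Return a Content-Security-Policy header value.

    mode "block"   -> slide 34: only https: subresources allowed
    mode "upgrade" -> slide 36: additionally rewrite http:// fetches
    report_uri     -> slide 38: append a report-uri directive
    """
    parts = ["default-src https:", "img-src https: data:"]
    if mode == "upgrade":
        parts.append("upgrade-insecure-requests")
    elif mode != "block":
        raise ValueError("mode must be 'block' or 'upgrade'")
    if report_uri:
        parts.append("report-uri " + report_uri)
    return "; ".join(parts)


def triage_report(body):
    """Parse one csp-report body and classify the violation."""
    report = json.loads(body)["csp-report"]
    doc_scheme = urlparse(report.get("document-uri", "")).scheme
    raw_blocked = report.get("blocked-uri", "")
    # Some browsers send only a scheme ("http") or a keyword ("inline")
    # instead of a URL, so fall back to the raw value.
    blocked_scheme = urlparse(raw_blocked).scheme or raw_blocked.lower()
    directive = report.get("effective-directive") or (
        report.get("violated-directive", "").split() or ["unknown"])[0]
    # Mixed content = https document fetching an http subresource.
    is_mixed = doc_scheme == "https" and blocked_scheme == "http"
    if not is_mixed:
        kind = "not-mixed"        # e.g. an https host outside the allowlist
    elif directive in PASSIVE_DIRECTIVES:
        kind = "passive"
    else:
        kind = "active"
    return {"document-uri": report.get("document-uri", ""),
            "blocked-uri": raw_blocked, "directive": directive,
            "mixed": is_mixed, "kind": kind}


def summarize(bodies):
    """Count report kinds: the "measure" half of slide 41."""
    counts = {"active": 0, "passive": 0, "not-mixed": 0}
    for body in bodies:
        counts[triage_report(body)["kind"]] += 1
    return counts


def _report(document_uri, blocked_uri, violated, effective=None):
    """Constructed csp-report body in the shape shown on slide 39."""
    rep = {"document-uri": document_uri, "referrer": "",
           "violated-directive": violated, "blocked-uri": blocked_uri,
           "status-code": 200}
    if effective:
        rep["effective-directive"] = effective
    return json.dumps({"csp-report": rep})


# Constructed sample reports (placeholder hosts).
SAMPLE_REPORTS = [
    _report("https://www.example.com", "http://picsite.example",
            "img-src https: data:", "img-src"),           # passive
    _report("https://www.example.com", "http://cdn.example/lib.js",
            "default-src https:", "script-src"),          # active
    _report("https://www.example.com", "https://other.example",
            "img-src https: data:", "img-src"),           # not mixed
    _report("https://www.example.com", "http",
            "frame-src https:"),                          # active, no effective-directive
]

if __name__ == "__main__":
    print(mixed_content_policy("upgrade", "https://collector.example/csp"))
    for body in SAMPLE_REPORTS:
        print(triage_report(body))
    print(summarize(SAMPLE_REPORTS))
```

Reports classified as "not-mixed" are allowlist violations rather than migration leftovers; keeping them separate stops them from inflating the mixed-content count you are trying to drive to zero.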

  40. Report URI: https://report-uri.io

  41. “To measure is to know.” “If you cannot measure it you cannot improve it.” (Lord Kelvin)

  42. [Chart: report volume per month, May to July; y-axis 100 k to 400 k]

  43. [Pie chart: reports by browser; labels Webkit, Chrome, Firefox, Edge, Other; shares 76%, 14%, 5%, 4%, 2%]

  44. [Chart: Events (left axis, up to 300 M) and Violations (right axis, up to 200 K) by browser: Mobile Safari, Safari, Chrome, Firefox, Facebook, IE]

  45. WordPress Concerns

  46. WP is good about mixed content

  47. Migrating old content is tricky

  48. https://github.com/ryanmarkel/https-all-the-things/
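Old posts are where hard-coded http:// asset URLs live. The following is an added example of the kind of content rewrite the previous slides point at; it is not code from the linked plugin or from the talk. It rewrites src and href attributes only for hosts on an allowlist (constructed here) that are known to serve HTTPS, and reports every other http:// host for manual review, because rewriting a host that has no TLS just trades a mixed-content warning for a broken asset. The sample post HTML and hostnames are constructed.

```python
"""Rewrite hard-coded http:// asset URLs in stored HTML to https://,
but only for hosts known to serve HTTPS.  Added example, not the
plugin's code.  Allowlist and sample post below are constructed."""
import re

# Constructed allowlist: hosts already verified to answer on HTTPS.
HTTPS_CAPABLE_HOSTS = {"www.example.com", "cdn.example.com"}

# src="http://host/path" or href='http://host/path' (either quote style).
HTTP_ATTR_RE = re.compile(
    r"""(?P<attr>\b(?:src|href)=)(?P<q>["'])http://(?P<host>[^/"'\s]+)(?P<rest>[^"']*)(?P=q)""",
    re.IGNORECASE,
)


def rewrite_http_assets(html, https_hosts=HTTPS_CAPABLE_HOSTS):
    """Return (new_html, number_rewritten, set_of_hosts_left_as_http)."""
    rewritten = []
    leftover = set()

    def replace(match):
        host = match.group("host")
        # Compare without any :port suffix against the allowlist.
        if host.split(":")[0].lower() in https_hosts:
            rewritten.append(host)
            return "{attr}{q}https://{host}{rest}{q}".format(
                attr=match.group("attr"), q=match.group("q"),
                host=host, rest=match.group("rest"))
        # Unknown host: leave untouched and flag it for review.
        leftover.add(host)
        return match.group(0)

    new_html = HTTP_ATTR_RE.sub(replace, html)
    return new_html, len(rewritten), leftover


# Constructed sample of an old post's stored HTML.
SAMPLE_POST = (
    "<p>Old post</p>"
    '<img src="http://www.example.com/img/one.png">'
    '<script src="http://cdn.example.com/lib.js"></script>'
    "<img src='http://legacy-host.example/two.png'>"
    '<a href="https://www.example.com/already">ok</a>'
)

if __name__ == "__main__":
    new_html, count, leftover = rewrite_http_assets(SAMPLE_POST)
    print(new_html)
    print("rewritten:", count, "needs review:", sorted(leftover))
```

Run it over each post's content before saving it back; the leftover set is the list of third-party hosts you still have to check (or replace) by hand.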

  49. DO NOT

  50. SERVE

  51. HTTP

  52. CONTENT

  53. https://speakerdeck.com/tollmanz/https-migrations-the-hard-parts @tollmanz