HTTPS Migrations: The Hard Parts

You’ve decided to move your website to HTTPS. What now? In this session, you will learn how to manage the difficult aspects of an HTTPS migration using techniques that work for small to large sites. We will focus on practical, actionable tasks to ensure that your site is properly configured for a secure HTTPS delivery.

Zack Tollman

July 09, 2016

Transcript

  1. HTTPS Migrations: The Hard Parts Zack Tollman @tollmanz

  2. Credit: Mike Licht (https://flic.kr/p/apNRjZ); Creative Commons 2.0 (https://creativecommons.org/licenses/by/2.0/)

  3. Credit: Mike Licht (https://flic.kr/p/apRx6y); Creative Commons 2.0 (https://creativecommons.org/licenses/by/2.0/)

  4. Mozilla: https://dxr.mozilla.org/mozilla-central/raw/browser/themes/shared/identity-block/

  5. Protections

  6. Identity

  7. Integrity

  8. Confidentiality

  9. There are ways to attack HTTPS

  10. Let’s focus on what you control

  11. DO NOT

  12. SERVE

  13. HTTP

  14. CONTENT

  15. HTTPS Everywhere

  16. Mixed Content Issues

  17. Serving insecure content in a secure context

  18. An HTTPS HTML document loads an HTTP image

  23. Passive - images, video, etc.

  26. Active - JS, iFrame, etc.

  27. One insecure asset may render your whole site insecure

  28. Handling Mixed Content

  29. Content Security Policy

  30. Define subresource rules for a protected resource

  31. Protected Resource Subresource

  32. default-src 'self'; script-src https://ssl.google-analytics.com

  33. CSP to disallow all mixed content

  34. default-src https:; img-src https: data:

  35. CSP to upgrade all mixed content

  36. default-src https:; img-src https: data:; upgrade-insecure-requests

  37. CSP to report all mixed content

  38. default-src https:; img-src https: data:; upgrade-insecure-requests; report-uri https://collector.com

  39. "body": {
        "csp-report": {
          "document-uri": "https://www.wired.com",
          "referrer": "",
          "violated-directive": "img-src https: data:",
          "effective-directive": "img-src",
          "original-policy": "…",
          "blocked-uri": "http://picsite.com",
          "status-code": 200
        }
      }
  40. Report URI https://report-uri.io
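
The csp-report body on slide 39 is what a report-uri collector receives. As an added example that is not from the talk, the following Python parses such bodies and tallies the ones that are actually mixed content (an https document pulling an http subresource), using the passive/active split from slides 23 and 26. The sample bodies are constructed; cdn.example and other.example are made-up hosts.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed sample report bodies modelled on the csp-report payload on the
# slide; cdn.example and other.example are made-up hosts for this example.
SAMPLE_BODIES = [
    '{"csp-report": {"document-uri": "https://www.wired.com", "referrer": "",'
    ' "violated-directive": "img-src https: data:", "effective-directive": "img-src",'
    ' "blocked-uri": "http://picsite.com", "status-code": 200}}',
    '{"csp-report": {"document-uri": "https://www.wired.com",'
    ' "effective-directive": "script-src", "blocked-uri": "http://cdn.example/app.js"}}',
    # Inline script violation: a CSP problem, but not mixed content.
    '{"csp-report": {"document-uri": "https://www.wired.com",'
    ' "effective-directive": "script-src", "blocked-uri": "inline"}}',
    # Blocked https resource (origin not allow-listed): also not mixed content.
    '{"csp-report": {"document-uri": "https://www.wired.com",'
    ' "effective-directive": "img-src", "blocked-uri": "https://other.example/x.png"}}',
]

# Passive vs active split follows the talk: media is passive, code-carrying is active.
PASSIVE = {"img-src", "media-src"}
ACTIVE = {"script-src", "style-src", "frame-src", "child-src", "object-src",
          "connect-src", "font-src", "worker-src"}

def classify(report):
    """Return (kind, host) for a mixed-content csp-report, else None."""
    page = urlparse(report.get("document-uri", ""))
    blocked = report.get("blocked-uri", "")
    if "://" not in blocked:          # 'inline', 'eval', 'data', '' are not URLs
        return None
    res = urlparse(blocked)
    if page.scheme != "https" or res.scheme != "http":
        return None                   # only https page + http subresource counts
    directive = report.get("effective-directive")
    if not directive:                 # older reports only carry violated-directive
        directive = (report.get("violated-directive", "").split() or [""])[0]
    kind = "passive" if directive in PASSIVE else "active" if directive in ACTIVE else "other"
    return kind, res.hostname

def summarize(bodies):
    """Tally mixed-content violations by (kind, host) from raw JSON report bodies."""
    counts = Counter()
    for raw in bodies:
        report = json.loads(raw).get("csp-report", {})
        hit = classify(report)
        if hit:
            counts[hit] += 1
    return counts
```

Sorting the resulting counter by active hits first gives the fix list for a migration: active hosts break the page, passive ones only downgrade the lock icon.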

  41. "To measure is to know." "If you cannot measure it, you cannot improve it." - Lord Kelvin
  42. [Chart: CSP violation counts over time, May to July; y-axis 100 k to 400 k]

  43. [Chart: share of violations by browser engine: Webkit, Chrome, Firefox, Edge, Other; values 76%, 14%, 5%, 4%, 2%]

  44. [Chart: events (left axis, 150 M to 300 M) and violations (right axis, 100 K to 200 K) by browser: Mobile Safari, Safari, Chrome, Firefox, Facebook, IE]
  45. WordPress Concerns

  46. WP is good about mixed content

  47. Migrating old content is tricky

  48. https://github.com/ryanmarkel/https-all-the-things/

  49. DO NOT

  50. SERVE

  51. HTTP

  52. CONTENT

  53. https://speakerdeck.com/tollmanz/https-migrations-the-hard-parts @tollmanz