Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HTTPS Migrations: The Hard Parts

Zack Tollman
July 09, 2016
Technology
0
220

HTTPS Migrations: The Hard Parts

You’ve decided to move your website to HTTPS. What now? In this session, you will learn how to manage the difficult aspects of an HTTPS migration using techniques that work for small to large sites. We will focus on practical, actionable tasks to ensure that your site is properly configured for a secure HTTPS delivery.

Zack Tollman

July 09, 2016
Tweet

More Decks by Zack Tollman

See All by Zack Tollman
Defining Fast: The Hardest Problem in Performance Engineering
tollmanz
0
73
Defining Fast: The Hardest Problem in Performance Engineering
tollmanz
0
99
ReWIRED: Moving WIRED.com from WordPress to Node
tollmanz
0
190
Put an "S" on it: Moving a Large Publishing Site to HTTPS
tollmanz
1
120
Building Custom User Experiences from the Edge
tollmanz
0
95
HTTPS is Coming: Are You Prepared? (Velocity 2016)
tollmanz
0
160
Understanding HTTPS and TLS
tollmanz
0
180
HTTPS Is Coming - WP SFO
tollmanz
0
93
The Many Challenges of Object Caching in WordPress
tollmanz
0
94

Other Decks in Technology

See All in Technology
Building Dashboards as a Hobby
egmc
0
360
EM完全に理解した と思ったけど、 やっぱり何も分からなかった話 / EM Night Fukuoka #1
hirutas
0
280
一生覚えておきたい「システム開発=コミュニケーション」〜初めての実務案件振り返りLT〜
maimyyym
2
250
IPUT App Dev. Co. -Overview 2024/4
iputapp
0
120
On Your Data を超えていく!
hirotomotaguchi
2
750
20分で完全に理解するGrafanaダッシュボード
hamadakoji
5
890
非同期推論システムによるコスト削減と信頼性向上
koki_nishihara
1
360
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
4
18k
データベース02: データベースの概念
trycycle
0
180
【SORACOM UG 東海】あらゆるモノがつながる社会へ、IoT と SORACOM
soracom
PRO
1
140
Rustで「プリズモイダル法」を利用して「土量計算」をガチでやる
nokonoko1203
1
270
LangSmith入門―トレース/評価/プロンプト管理などを担うLLMアプリ開発プラットフォーム
os1ma
5
690

Featured

See All Featured
Clear Off the Table
cherdarchuk
85
310k
Debugging Ruby Performance
tmm1
70
11k
Testing 201, or: Great Expectations
jmmastey
29
6.4k
Rebuilding a faster, lazier Slack
samanthasiow
74
8.2k
Web development in the modern age
philhawksworth
203
10k
The Invisible Customer
myddelton
114
12k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Music & Morning Musume
bryan
41
5.6k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
21
1.4k
Building Better People: How to give real-time feedback that sticks.
wjessup
356
18k
GraphQLの誤解/rethinking-graphql
sonatard
55
9.3k

Transcript

  1. HTTPS Migrations: The Hard Parts Zack Tollman @tollmanz

  2. Credit: Mike Licht (https://flic.kr/p/apNRjZ); Creative Commons 2.0 (https://creativecommons.org/licenses/by/2.0/)

  3. Credit: Mike Licht (https://flic.kr/p/apRx6y); Creative Commons 2.0 (https://creativecommons.org/licenses/by/2.0/)

  4. Mozilla: https://dxr.mozilla.org/mozilla-central/raw/browser/themes/shared/identity-block/

  5. Protections

  6. Identity

  7. Integrity

  8. Confidentiality

  9. There are ways to attack HTTPS

  10. Let’s focus on what you control

  11. DO NOT

  12. SERVE

  13. HTTP

  14. CONTENT

  15. HTTPS Everywhere

  16. Mixed Content Issues

  17. Serving insecure content in a secure context

  18. HTTPS HTML document load HTTP image

  19. None
  20. None
  21. None
  22. None

  23. Passive - images, video, etc.

  24. None
  25. None

  26. Active - JS, iFrame, etc.

  27. One insecure asset may render your whole site insecure

  28. Handling Mixed Content

  29. Content Security Policy

  30. Define subresource rules for a protected resource

  31. Protected Resource Subresource

  32. default-src ‘self’; script-src https://ssl.google- analytics.com

  33. CSP to disallow all mixed content

  34. default-src https:; img-src https: data:

  35. CSP to upgrade all mixed content

  36. default-src https:; img-src https: data:; upgrade-insecure-requests

  37. CSP to report all mixed content

  38. default-src https:; img-src https: data:; upgrade-insecure-requests; report-uri https:// collector.com

  39. "body": { "csp-report": { "document-uri": “https://www.wired.com”, "referrer": "", "violated-directive": "img-src

    https: data:”, "effective-directive": "img-src", "original-policy": “…”, "blocked-uri": “http://picsite.com", "status-code": 200 } }

  40. Report URI https://report-uri.io

  41. “To measure is to know” “If you cannot measure it

    you cannot improve it.” - Lord Kelvin

  42. May July 400 k 300 k 100 k 200 k

  43. 5% 2% 4% 14% 76% Webkit Chrome Firefox Edge Other

  44. Mobile Safari Safari Chrome Firefox Facebook IE Events (left axis)

    Violations (right axis) 300 M 150 M 200 K 100 K

  45. WordPress Concerns

  46. WP is good about mixed content

  47. Migrating old content is tricky

  48. https://github.com/ryanmarkel/https- all-the-things/

  49. DO NOT

  50. SERVE

  51. HTTP

  52. CONTENT

  53. https://speakerdeck.com/tollmanz/ https-migrations-the-hard-parts @tollmanz