Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Put an "S" on it: Moving a Large Publishing Site to HTTPS

Zack Tollman
February 07, 2017
Technology
1
96

Put an "S" on it: Moving a Large Publishing Site to HTTPS

The internet is abuzz HTTPS everywhere. Unfortunately, getting there is major undertaking. Join me as I discuss the process of implementing HTTPS by default on wired.com. I will walk through selling the idea internally, preparing the site for HTTPS, and monitoring it after the launch. I will outline an approach for an HTTPS transition that anyone can use.

Zack Tollman

February 07, 2017
Tweet

More Decks by Zack Tollman

See All by Zack Tollman
Defining Fast: The Hardest Problem in Performance Engineering
tollmanz
0
64
Defining Fast: The Hardest Problem in Performance Engineering
tollmanz
0
92
ReWIRED: Moving WIRED.com from WordPress to Node
tollmanz
0
160
Building Custom User Experiences from the Edge
tollmanz
0
84
HTTPS Migrations: The Hard Parts
tollmanz
0
170
HTTPS is Coming: Are You Prepared? (Velocity 2016)
tollmanz
0
160
Understanding HTTPS and TLS
tollmanz
0
170
HTTPS Is Coming - WP SFO
tollmanz
0
85
The Many Challenges of Object Caching in WordPress
tollmanz
0
90

Other Decks in Technology

See All in Technology
ChatGPTを前に頭が真っ白を乗り越え人が答えることが困難な認知負荷MAXなタフクエスチョンをどんどん回答させてプロダクト価値を爆速探求するぞ/cognitive_load_question_and_chatgpt
moriyuya
2
370
SREの組織類型におけるリーダーシップの考察
kenta_hi
3
270
Fivetranでデータ移動を自動化する
hankehly
0
150
dbt_ベストプラクティス_完全に理解した.pdf
dach
2
120
DMM.com プラットフォーム事業本部 採用案内資料 /PF Business Division Recruitment
pf_businessdivision
0
160
ログから学ぶgo build
nasa_desu
2
390
マネージャーのためのスクラムマスターのパフォーマンスを高めるTips集
kawagoi
0
310
那些年我們做過的 DevOps Pipeline @ DevOpsDays Taipei 2023
cheng_wei_chen
1
110
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、 PDCAサイクルを回してみた
coconala_engineer
0
130
よりよいペアローテーションを求めて
nakasho
0
260
上流工程に挑戦!「俺の考えた最強サーバレス構成」が一瞬で敗北した件
kentosuzuki
2
140
TechNight#71 - Oracle Database 23c 新機能#1 JSON関連新機能
oracle4engineer
PRO
0
160

Featured

See All Featured
Designing for humans not robots
tammielis
246
24k
From Idea to $5000 a Month in 5 Months
shpigford
376
45k
Intergalactic Javascript Robots from Outer Space
tanoku
263
26k
The Web Native Designer (August 2011)
paulrobertlloyd
78
2.6k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
Web development in the modern age
philhawksworth
200
9.8k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
20k
How GitHub Uses GitHub to Build GitHub
holman
467
280k
A Tale of Four Properties
chriscoyier
150
21k
Pencils Down: Stop Designing & Start Developing
hursman
115
10k
Raft: Consensus for Rubyists
vanstee
130
5.9k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
351
28k

Transcript

  1. PUT AN “S”
    on it
    Zack Tollman @tollmanz

    View Slide

  2. I set up HTTPS in 15
    minutes

    View Slide

  3. SSL is easy to use but
    also very easy to use
    incorrectly
    Ivan Ristic (https://www.ssllabs.com/projects/ssl-threat-model/)

    View Slide

  4. MIXED
    CONTENT

    View Slide

  5. PASSIVE
    aka display

    View Slide

  6. ACTIVE

    View Slide

  7. View Slide

  8. View Slide

  9. View Slide

  10. View Slide

  11. View Slide

  12. View Slide

  13. View Slide

  14. STRATEGY
    for a migration

    View Slide

  15. HTTPS
    EVERYWHERE

    View Slide

  16. HTTPS
    SOMEWHERE

    View Slide

  17. HTTPS
    WITH HTTP

    View Slide

  18. RISK
    SECURITY
    HTTPS
    EVERYWHERE
    HTTPS
    SOMEWHERE
    HTTPS
    WITH HTTP

    View Slide

  19. Assess Risk

    View Slide

  20. HTTPS
    SOMEWHERE

    View Slide

  21. Ad Risk

    View Slide

  22. SEO Risk

    View Slide

  23. APPLICATION
    preparation

    View Slide

  24. s/http:/https:/

    View Slide

  25. View Slide

  26. View Slide

  27. HTTP

    View Slide

  28. HTTPS
    HTTP

    View Slide

  29. HTTP

    View Slide

  30. HTTP HTTPS

    View Slide

  31. HTTPS
    EVERYWHERE

    View Slide

  32. 301

    View Slide

  33. Sitemaps

    View Slide

  34. OLD NEW
    https://support.google.com/webmasters/answer/6033049#https-faqs

    View Slide

  35. CONTENT
    POLICY
    SECURITY

    View Slide

  36. Location

    View Slide

  37. script-src:
    ‘self’ https:;

    View Slide

  38. Type

    View Slide

  39. frame-src: ‘none’

    View Slide

  40. Loading
    Behavior

    View Slide

  41. block-all-mixed-content

    View Slide

  42. Tame
    The Locks

    View Slide

  43. default-src: https:;
    upgrade-insecure-requests

    View Slide

  44. Reporting

    View Slide

  45. default-src: https:;
    upgrade-insecure-requests
    report-uri https://
    report-domain.com/receive

    View Slide

  46. {
    "csp-report": {
    "document-uri": "https://www.wired.com/
    2016/10/geeks-guide-westworld/",
    "referrer": "https://www.wired.com/",
    "violated-directive": "media-src https:",
    "effective-directive": "media-src",
    "original-policy": …,
    "blocked-uri": "http://www.wired.com",
    "status-code": 0
    }
    }

    View Slide

  47. https://www.podtrac.com/pts/
    redirect.mp3/www.wired.com/wp-
    content/uploads/2016/09/
    geeksguide223final.mp3

    View Slide

  48. http://www.wired.com/wp-
    content/uploads/2016/09/
    geeksguide223final.mp3

    View Slide

  49. View Slide

  50. Webkit

    View Slide

  51. HTTPS is
    Hard

    View Slide

  52. Chase the
    Green

    View Slide

  53. Monitor
    Progress

    View Slide

  54. https://speakerdeck.com/tollmanz

    View Slide