Put an "S" on it: Moving a Large Publishing Site to HTTPS

The internet is abuzz with "HTTPS everywhere". Unfortunately, getting there is a major undertaking. Join me as I discuss the process of implementing HTTPS by default on wired.com. I will walk through selling the idea internally, preparing the site for HTTPS, and monitoring it after the launch. I will outline an approach for an HTTPS transition that anyone can use.

Zack Tollman

February 07, 2017

Transcript

  1. PUT AN “S”
    on it
    Zack Tollman @tollmanz

  2. I set up HTTPS in 15
    minutes

  3. SSL is easy to use but
    also very easy to use
    incorrectly
    Ivan Ristic (https://www.ssllabs.com/projects/ssl-threat-model/)

  4. MIXED
    CONTENT

  5. PASSIVE
    aka display

  6. ACTIVE


  14. STRATEGY
    for a migration

  15. HTTPS
    EVERYWHERE

  16. HTTPS
    SOMEWHERE

  17. HTTPS
    WITH HTTP

  18. RISK vs. SECURITY (diagram): HTTPS EVERYWHERE, HTTPS SOMEWHERE, HTTPS WITH HTTP

  19. Assess Risk

  20. HTTPS
    SOMEWHERE

  21. Ad Risk

  22. SEO Risk

  23. APPLICATION
    preparation

  24. s/http:/https:/


  27. HTTP

  28. HTTPS
    HTTP

  29. HTTP

  30. HTTP HTTPS

  31. HTTPS
    EVERYWHERE

  32. 301

  33. Sitemaps

  34. OLD NEW
    https://support.google.com/webmasters/answer/6033049#https-faqs

  35. CONTENT
    POLICY
    SECURITY

  36. Location

  37. script-src 'self' https:;

  38. Type

  39. frame-src 'none';

  40. Loading
    Behavior

  41. block-all-mixed-content

  42. Tame
    The Locks

  43. default-src https:;
    upgrade-insecure-requests;

  44. Reporting

  45. default-src https:;
    upgrade-insecure-requests;
    report-uri https://report-domain.com/receive;

  46. {
      "csp-report": {
        "document-uri": "https://www.wired.com/2016/10/geeks-guide-westworld/",
        "referrer": "https://www.wired.com/",
        "violated-directive": "media-src https:",
        "effective-directive": "media-src",
        "original-policy": …,
        "blocked-uri": "http://www.wired.com",
        "status-code": 0
      }
    }

  47. https://www.podtrac.com/pts/redirect.mp3/www.wired.com/wp-content/uploads/2016/09/geeksguide223final.mp3

  48. http://www.wired.com/wp-content/uploads/2016/09/geeksguide223final.mp3
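The report on slide 46 is what the report-uri endpoint receives, and the podtrac redirect on slides 47 and 48 is why its blocked-uri is only an http origin. As an added example that is not part of the talk, here is a small Python triage routine for such reports: it parses the posted JSON, flags mixed-content violations, and treats an origin-only http blocked-uri as the signature of a redirect chain ending on http, since browsers report only the origin of a blocked URI that was reached through a redirect. The sample payloads and the example hostnames are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample payloads modelled on the report shown on the slides (not real traffic).
SAMPLE_REPORTS = [json.dumps({"csp-report": r}) for r in (
    {"document-uri": "https://www.wired.com/2016/10/geeks-guide-westworld/",
     "violated-directive": "media-src https:", "effective-directive": "media-src",
     "blocked-uri": "http://www.wired.com", "status-code": 0},
    {"document-uri": "https://www.wired.com/2016/10/some-story/",
     "violated-directive": "img-src https:", "effective-directive": "img-src",
     "blocked-uri": "http://cdn.example.net/legacy/banner.gif", "status-code": 0},
    {"document-uri": "https://www.wired.com/",
     "violated-directive": "script-src 'self' https:", "effective-directive": "script-src",
     "blocked-uri": "https://third-party.example.org/widget.js", "status-code": 200},
)] + ["{not json"]   # a garbage POST the report endpoint must tolerate

def parse_report(raw):
    """Return the inner csp-report dict, or None if the payload is not a CSP report."""
    try:
        body = json.loads(raw)
    except ValueError:
        return None
    report = body.get("csp-report") if isinstance(body, dict) else None
    return report if isinstance(report, dict) else None

def classify(report):
    """Label one report: mixed content, redirect-masked mixed content, or other."""
    parts = urlsplit(report.get("blocked-uri", ""))
    if parts.scheme != "http":
        return "other"  # e.g. an https host the policy does not list, or 'inline'
    # Browsers report only the origin of a blocked URI reached through a redirect, so an
    # http origin with no path points at a redirect chain ending on http (the podtrac case).
    if parts.path in ("", "/") and not parts.query:
        return "mixed-content-via-redirect"
    return "mixed-content"

def triage(raw_reports):
    """Count reports by (effective-directive, blocked host, class) for follow-up."""
    counts = Counter()
    for raw in raw_reports:
        report = parse_report(raw)
        if report is None:
            counts[("invalid", "", "")] += 1
            continue
        host = urlsplit(report.get("blocked-uri", "")).hostname or ""
        counts[(report.get("effective-directive", "?"), host, classify(report))] += 1
    return counts
```

Running triage(SAMPLE_REPORTS) groups the podtrac-style report under media-src / www.wired.com / mixed-content-via-redirect, which tells you to look for a redirect chain rather than a plain http URL in the page source.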

  50. Webkit

  51. HTTPS is
    Hard

  52. Chase the
    Green

  53. Monitor
    Progress

  54. https://speakerdeck.com/tollmanz
