Put an "S" on it: Moving a Large Publishing Site to HTTPS

The internet is abuzz with HTTPS everywhere. Unfortunately, getting there is a major undertaking. Join me as I discuss the process of implementing HTTPS by default on wired.com. I will walk through selling the idea internally, preparing the site for HTTPS, and monitoring it after the launch. I will outline an approach for an HTTPS transition that anyone can use.

Zack Tollman

February 07, 2017

Transcript

  1. PUT AN “S” on it Zack Tollman @tollmanz

  2. “I set up HTTPS in 15 minutes”

  3. “SSL is easy to use but also very easy to use incorrectly” Ivan Ristic (https://www.ssllabs.com/projects/ssl-threat-model/)

  4. MIXED CONTENT

  5. PASSIVE aka display

  6. ACTIVE

  14. STRATEGY for a migration

  15. HTTPS EVERYWHERE

  16. HTTPS SOMEWHERE

  17. HTTPS WITH HTTP

  18. RISK SECURITY HTTPS EVERYWHERE HTTPS SOMEWHERE HTTPS WITH HTTP

  19. Assess Risk

  20. HTTPS SOMEWHERE

  21. Ad Risk

  22. SEO Risk

  23. APPLICATION preparation

  24. s/http:/https:/

  27. HTTP

  28. HTTPS HTTP

  29. HTTP

  30. HTTP HTTPS

  31. HTTPS EVERYWHERE

  32. 301

  33. Sitemaps

  34. OLD NEW https://support.google.com/webmasters/answer/6033049#https-faqs

  35. CONTENT SECURITY POLICY

  36. Location

  37. script-src 'self' https:;

  38. Type

  39. frame-src 'none'

  40. Loading Behavior

  41. block-all-mixed-content

  42. Tame The Locks

  43. default-src https:; upgrade-insecure-requests

  44. Reporting

  45. default-src https:; upgrade-insecure-requests; report-uri https://report-domain.com/receive

  46. { "csp-report": { "document-uri": "https://www.wired.com/2016/10/geeks-guide-westworld/", "referrer": "https://www.wired.com/", "violated-directive": "media-src https:", "effective-directive": "media-src", "original-policy": …, "blocked-uri": "http://www.wired.com", "status-code": 0 } }

  47. https://www.podtrac.com/pts/redirect.mp3/www.wired.com/wp-content/uploads/2016/09/geeksguide223final.mp3

  48. http://www.wired.com/wp-content/uploads/2016/09/geeksguide223final.mp3

  50. Webkit

  51. HTTPS is Hard

  52. Chase the Green

  53. Monitor Progress

  54. https://speakerdeck.com/tollmanz
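
Slides 44 to 48 show a `report-uri` endpoint receiving a violation whose blocked origin is plain HTTP. As an added example (not code from the talk), the Python below triages such report bodies by directive and blocked origin, so that one insecure source, like the redirect on slides 47 and 48, shows up as a single counted line. The function names and every sample report except the first are assumptions constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed report bodies shaped like the one on slide 46; "original-policy"
# is omitted because the slide elides its value.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://www.wired.com/2016/10/geeks-guide-westworld/",'
    ' "referrer": "https://www.wired.com/", "violated-directive": "media-src https:",'
    ' "effective-directive": "media-src", "blocked-uri": "http://www.wired.com", "status-code": 0}}',
    # Constructed: a report without "effective-directive".
    '{"csp-report": {"document-uri": "https://www.wired.com/",'
    ' "violated-directive": "img-src https:", "blocked-uri": "http://images.example.test/a.png"}}',
    # Constructed: a violation that is not mixed content (keyword, not a URL).
    '{"csp-report": {"document-uri": "https://www.wired.com/",'
    ' "effective-directive": "script-src", "blocked-uri": "inline"}}',
    "not json",  # the endpoint is public, so junk bodies will arrive
]

def classify(raw):
    """Return (directive, blocked_origin, is_mixed), or None for an unusable body."""
    try:
        report = json.loads(raw)["csp-report"]
        doc = urlsplit(str(report.get("document-uri", "")))
        blocked_raw = str(report.get("blocked-uri", ""))
        blocked = urlsplit(blocked_raw)
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    violated = str(report.get("violated-directive", "")).split()
    directive = str(report.get("effective-directive") or (violated[0] if violated else "unknown"))
    # Group by origin only: paths and query strings would fragment the counts.
    origin = f"{blocked.scheme}://{blocked.netloc}" if blocked.netloc else (blocked_raw or "unknown")
    is_mixed = doc.scheme == "https" and blocked.scheme == "http" and bool(blocked.netloc)
    return directive, origin, is_mixed

def summarize(raw_reports):
    """Count violations per (directive, blocked origin), mixed content kept separate."""
    mixed, other, rejected = Counter(), Counter(), 0
    for raw in raw_reports:
        result = classify(raw)
        if result is None:
            rejected += 1
        else:
            directive, origin, is_mixed = result
            (mixed if is_mixed else other)[(directive, origin)] += 1
    return mixed, other, rejected

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORTS))
```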