Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Put an "S" on it: Moving a Large Publishing Site to HTTPS

Zack Tollman
February 07, 2017
Technology
1
110

Put an "S" on it: Moving a Large Publishing Site to HTTPS

The internet is abuzz HTTPS everywhere. Unfortunately, getting there is major undertaking. Join me as I discuss the process of implementing HTTPS by default on wired.com. I will walk through selling the idea internally, preparing the site for HTTPS, and monitoring it after the launch. I will outline an approach for an HTTPS transition that anyone can use.

Zack Tollman

February 07, 2017
Tweet

More Decks by Zack Tollman

See All by Zack Tollman
Defining Fast: The Hardest Problem in Performance Engineering
tollmanz
0
73
Defining Fast: The Hardest Problem in Performance Engineering
tollmanz
0
99
ReWIRED: Moving WIRED.com from WordPress to Node
tollmanz
0
190
Building Custom User Experiences from the Edge
tollmanz
0
94
HTTPS Migrations: The Hard Parts
tollmanz
0
220
HTTPS is Coming: Are You Prepared? (Velocity 2016)
tollmanz
0
160
Understanding HTTPS and TLS
tollmanz
0
180
HTTPS Is Coming - WP SFO
tollmanz
0
92
The Many Challenges of Object Caching in WordPress
tollmanz
0
94

Other Decks in Technology

See All in Technology
検証を通して見えてきたTiDBの性能特性
lycorptech_jp
PRO
6
3.7k
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
2
440
アクセス制御にまつわる改善 / Improving access control
itkq
0
510
エンジニア候補者向け資料2024.04.24.pdf
macloud
0
3.3k
開発パフォーマンスを最大化するための開発体制
ham0215
2
180
Google Cloud Next '24でブログを10本書いた方法と勉強会を沸かせた方法
yasumuusan
0
290
Vertex AI を中心に 生成AIのアップデートを共有します
kaz1437
0
290
web-application-security
matsuihidetoshi
0
140
開発生産性大幅アップ!Postman VS Code拡張機能
nagix
2
360
ユーザーストーリーのレビューを自動化したみたの
bun913
1
410
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
1
270
データベース02: データベースの概念
trycycle
0
150

Featured

See All Featured
The Cost Of JavaScript in 2023
addyosmani
16
3.8k
Designing with Data
zakiwarfel
96
4.8k
GraphQLとの向き合い方2022年版
quramy
32
12k
Bash Introduction
62gerente
604
210k
How to name files
jennybc
65
93k
VelocityConf: Rendering Performance Case Studies
addyosmani
320
23k
The Cult of Friendly URLs
andyhume
74
5.7k
It's Worth the Effort
3n
180
27k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
25
2.3k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
659
120k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
14
1.5k
The Art of Programming - Codeland 2020
erikaheidi
42
12k

Transcript

  1. PUT AN “S” on it Zack Tollman @tollmanz

  2. I set up HTTPS in 15 minutes “

  3. SSL is easy to use but also very easy to

    use incorrectly Ivan Ristic (https://www.ssllabs.com/projects/ssl-threat-model/) “

  4. MIXED CONTENT

  5. PASSIVE aka display

  6. ACTIVE

  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None

  14. STRATEGY for a migration

  15. HTTPS EVERYWHERE

  16. HTTPS SOMEWHERE

  17. HTTPS WITH HTTP

  18. RISK SECURITY HTTPS EVERYWHERE HTTPS SOMEWHERE HTTPS WITH HTTP

  19. Assess Risk

  20. HTTPS SOMEWHERE

  21. Ad Risk

  22. SEO Risk

  23. APPLICATION preparation

  24. s/http:/https:/

  25. None
  26. None

  27. HTTP

  28. HTTPS HTTP

  29. HTTP

  30. HTTP HTTPS

  31. HTTPS EVERYWHERE

  32. 301

  33. Sitemaps

  34. OLD NEW https://support.google.com/webmasters/answer/6033049#https-faqs

  35. CONTENT POLICY SECURITY

  36. Location

  37. script-src: ‘self’ https:;

  38. Type

  39. frame-src: ‘none’

  40. Loading Behavior

  41. block-all-mixed-content

  42. Tame The Locks

  43. default-src: https:; upgrade-insecure-requests

  44. Reporting

  45. default-src: https:; upgrade-insecure-requests report-uri https:// report-domain.com/receive

  46. { "csp-report": { "document-uri": "https://www.wired.com/ 2016/10/geeks-guide-westworld/", "referrer": "https://www.wired.com/", "violated-directive": "media-src

    https:", "effective-directive": "media-src", "original-policy": …, "blocked-uri": "http://www.wired.com", "status-code": 0 } }

  47. https://www.podtrac.com/pts/ redirect.mp3/www.wired.com/wp- content/uploads/2016/09/ geeksguide223final.mp3

  48. http://www.wired.com/wp- content/uploads/2016/09/ geeksguide223final.mp3

  49. None

  50. Webkit

  51. HTTPS is Hard

  52. Chase the Green

  53. Monitor Progress

  54. https://speakerdeck.com/tollmanz