8. Future
All HTTP sites will be
specifically marked as insecure!
Marking HTTP As Non-Secure
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
9. The new normal
“Google estimates 25% of sites now use secure
connections. Google will work with some of the
non-secure top 100 sites on the web to help them
migrate to HTTPS.” -- March 2016
http://marketingland.com/google-estimates-25-sites-now-use-
secure-connections-168763
10.
11. • 301 redirects must be done right
• Dedicated IP means small hosting cost bump
• HTTPS over HTTP/1.1 is marginally slower
• One more thing to set up and pay for / screw up
12. HTTPS migrations lose PageRank (?)
301 redirects result in around a 15% loss of PageRank
No PageRank loss redirect HTTP -> HTTPS
301 Redirects Rules Change: WhatYou Need to Know for SEO, Moz Blog, 1 August 2016.
https://moz.com/blog/301-redirection-rules-for-seo
13.
14. Set up your dev environment for certs
One time setup
sudo a2enmod ssl
sudo a2enmod headers
sudo vim /etc/apache2/apache2.conf
And add NameVirtualHost *:443 near the bottom.
sudo service apache2 restart
sudo mkdir /etc/apache2/ssl
15. Self-signed certs
Create a cert
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -
keyout /etc/apache2/ssl/[newsite].key -out
/etc/apache2/ssl/[newsite].crt
[note fill common name in with the domain]
cd /etc/apache2/sites-available
sudo vim [newsite]
Duplicate the entireVirtualHost block and label as <VirtualHost *:443>
Put this at the bottom
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/[newsite].crt
SSLCertificateKeyFile /etc/apache2/ssl/[newsite].key
19. Phase 1
Search for http:// //
Check canonical links have full https:// url
Check your sitemap and robots.txt
New property in Google Search Console
21. UseTLS 1.0 / 1.1 / 1.2 only:
Test your setup
https://www.ssllabs.com/ssltest/index.html
How to disable SSL:
https://www.digicert.com/ssl-support/apache-
disabling-ssl-v3.htm
23. HTTP HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
. is a regular expression, but we just want to match anything
L flag: stop processing further rules
R flag: redirect
24. If you already have domain name redirects….
RewriteEngine On
# Redirect to canonical
RewriteCond %{HTTP_HOST} ^domain.com$ [NC]
RewriteRule . https://canonical.com%{REQUEST_URI} [L,R=301]
# Redirect to HTTPS
RewriteCond %{HTTPS} off
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
NC flag: case-insensitive
25. Secure your cookies:
<ifModule mod_headers.c>
Header always edit Set-Cookie (.*)
"$1; HTTPOnly; Secure"
</ifModule>
HTTPOnly option locks out JavaScript.
Secure refuses cookie over HTTP
26. HTTPS link to HTTP loses referrer by default
<meta name="referrer" content="origin-when-crossorigin">
The Meta ReferrerTag: An Advancement for SEO and the Internet.
https://moz.com/blog/meta-referrer-tag
29. HSTS -- not done lightly!
<ifModule mod_headers.c>
Header set Strict-Transport-Security "max-
age=31536000; includeSubDomains" env=HTTPS
</ifModule>
30. • https://www.httpvshttps.com/
• HTTPS unlocks HTTP/2
• 70% of websites using HTTP/2 are served via CloudFlare
• https://www.cloudflare.com/http2/
• Why Everyone Should Be MovingTo HTTP/2
http://searchengineland.com/everyone-
moving-http2-236716
32. If you have https redirects, don’t use flexible!
33. HTTP/1.1 optimisations you don’t need anymore
• Domain sharding
• Image sprites
• Combined CSS and JS files
34. What aboutTTFB?
“I heard that the HTTP/2 TTFB (Time to First Byte) which is a measured metric in SEO and
FEO, is sometimes see higher than HTTP/1.1. What can be done to again have the TTFB
measure be seen as on-par with HTTP/1.1?”
CatchpointAMA on HTTP/2 with staff from Google,Akamai, CloudFlare, Catchpoint
http://pages.catchpoint.com/HTTP2-AMA-Registration.html
“I think that's a very good and important point. TTFB is important as a metric. If
you can make it faster, do so. That's just a good thing to optimize. You're right in
that just watching the TTFB is not indicative of when the content is painted to the
screen, which is ultimately what the user cares about. Not when they receive the
first byte, but when is the text showing up on the screen? I can show you plenty
of traces where I can see that, even if I compare the unencrypted version with
encrypted over HTTP/2, the time to first byte may be slower, but the page renders
faster, because we're able to leverage other features in HTTP/2 to fetch other
things faster, maybe using server push, so we don't have to do extra round trips.
One metric regresses, but the metric that you care about actually improves.”
-- Ilya Grigorik, Google
35. IsTLS FastYet?
https://istlsfastyet.com/
Mythbusting HTTPS: Squashing security’s urban legends - Google I/O 2016
https://www.youtube.com/watch?v=YMfW1bfyGSY
Mozilla SSL Configuration Generator
Mozilla SSL ConfigurationGenerator
https://mozilla.github.io/server-side-tls/ssl-config-generator/
evelopers
HTTP/2 ForWeb Developers
https://blog.cloudflare.com/http-2-for-web-developers/
7Tips for Faster HTTP/2 Performance
https://www.nginx.com/blog/7-tips-for-faster-http2-performance/
Secure browsing by default
https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-
default/10151590414803920/
Websites Must Use HSTS in Order to Be Secure
https://www.eff.org/deeplinks/2014/02/websites-hsts