3. About Me
• Operations Team Lead at
FreshBooks
• Twitter: @blakecrosby
• E-Mail: me@blakecrosby.com
4. Why HTTPS
• August 6, 2014
– Google will rank HTTPS URLs higher in search results [1]
• December 17, 2015
– Google now prefers HTTPS URLs over HTTP [2]
• Prevents eavesdropping (and tampering: an on-path attacker can no longer read or rewrite the page in transit).
• No longer a performance bottleneck [3]. (Or is it?)
1. https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html
2. https://security.googleblog.com/2015/12/indexing-https-pages-by-default.html
3. https://istlsfastyet.com/
12. Keep In Mind:
• Every domain on your page must do TLS negotiation and associated work before its first byte arrives:
– Agree on which cipher to use
– Exchange keys
– Validate the certificate
– Encrypt data and transmit
• Don’t use domain sharding! Splitting static assets across static1, static2, static3 … multiplies the handshakes (plus a DNS lookup and TCP handshake for each host) instead of reusing one connection.
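A quick way to see how many handshakes a page is asking for is to list the distinct hosts its sub-resources come from. The script below is an added example, not code from the original slides: it walks a page for fetched URLs (scripts, stylesheets, images, frames), resolves them against the page URL, and flags hosts that differ only by a trailing digit, which is what domain sharding usually looks like. The HTML and the www.example.com / static1–3 hosts are constructed for the demonstration.

```python
"""List the hosts a page fetches from: each one costs the browser a separate
TLS handshake.

Added example, not from the original slides. The HTML below is constructed;
www.example.com and the static1/static2/static3 hosts are assumptions used
to show what domain sharding looks like to this check.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a resource. <a href> is
# deliberately absent: a link is not fetched until the user clicks it.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "embed": ("src",),
}


class ResourceCollector(HTMLParser):
    """Collect absolute URLs of every sub-resource the page will load."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag, ())
        for name, value in attrs:
            if name in wanted and value:
                # urljoin resolves relative and protocol-relative (//host/...) URLs
                self.urls.append(urljoin(self.base_url, value.strip()))


def resource_hosts(html, base_url):
    """Return the set of hosts that each need their own TLS handshake."""
    collector = ResourceCollector(base_url)
    collector.feed(html)
    collector.close()
    hosts = set()
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.add(parts.hostname.lower())
    return hosts


# staticN.example.com style names: one site deliberately split across hosts.
_SHARD_RE = re.compile(r"^(?P<label>[a-z-]+?)\d+\.(?P<rest>.+)$")


def sharded_groups(hosts):
    """Group hosts that differ only by a trailing number in the first label."""
    groups = {}
    for host in hosts:
        m = _SHARD_RE.match(host)
        if m:
            key = "%sN.%s" % (m.group("label"), m.group("rest"))
            groups.setdefault(key, set()).add(host)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample page (not a real site).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://static1.example.com/css/site.css">
<script src="https://static2.example.com/js/app.js"></script>
<script src="//cdn.analytics-vendor.example/track.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="https://static3.example.com/img/hero.jpg">
<iframe src="https://ads.example.net/frame.html"></iframe>
<a href="https://elsewhere.example.org/">not fetched</a>
</body></html>"""

if __name__ == "__main__":
    hosts = resource_hosts(SAMPLE_HTML, "https://www.example.com/")
    print("%d TLS handshakes needed:" % len(hosts))
    for h in sorted(hosts):
        print("  ", h)
    for key, members in sharded_groups(hosts).items():
        print("domain sharding? %s -> %s" % (key, ", ".join(sorted(members))))
```

Run it against a saved copy of your own page (feed the file contents and the page URL to resource_hosts) to get the real handshake count; the sharding check is a heuristic and only catches the numbered-prefix pattern.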
14. Redirecting HTTP -> HTTPS
• Can use a HTTP Redirect (301)
– Two requests: one to the http:// URL, which answers 301, then one to the https:// URL.
– That first request is still plaintext, so an on-path attacker can answer it instead of your server.
• Use HSTS!
– One request: once the browser has seen the header it rewrites http:// to https:// itself, before anything leaves the machine.
– The very first visit still needs the 301 unless the domain is on the browser preload list.
15. How HSTS Works
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
• Sent as an HTTP response header. Browsers only honour it on an HTTPS response; on plain HTTP it is ignored.
• max-age=31536000: expiry time (1 year), in seconds, counted from the last time the browser saw the header.
• includeSubDomains: apply this to all subdomains.
• preload: allow the domain to be preloaded in browser databases (hstspreload.org requires includeSubDomains and a long max-age before it will accept a submission).
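The request counts from slide 14 and the header directives from slide 15 are easiest to see with a small simulation. The code below is an added example, not from the original slides: FakeServer is a constructed origin that answers http:// with a 301 and sends the slide's Strict-Transport-Security header on https:// responses; Browser keeps an HSTS cache the way RFC 6797 describes (expiry, includeSubDomains, header ignored over plain HTTP, max-age=0 clears the entry) and a preload list is modelled as entries that never expire. Host names are assumptions.

```python
"""Browser-side HSTS cache, simulated.

Added example, not from the original slides. FakeServer is a constructed
origin (http:// -> 301, https:// -> 200 + HSTS header); Browser implements the
client side of RFC 6797 so the number of requests that reach the server can
be compared for "301 only" versus "301 + HSTS" versus "preloaded".
"""
import time
from urllib.parse import urlsplit, urlunsplit

STS_HEADER = "max-age=31536000; includeSubDomains; preload"


def parse_sts(value):
    """Parse a Strict-Transport-Security header value into its three knobs."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def _to_https(url):
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))


class FakeServer:
    """Constructed origin: http:// -> 301 to https://, https:// -> 200 + HSTS."""

    def __init__(self):
        self.requests = []          # every request that actually hit the wire

    def handle(self, url):
        self.requests.append(url)
        if urlsplit(url).scheme == "http":
            return 301, {"Location": _to_https(url)}, b""
        return 200, {"Strict-Transport-Security": STS_HEADER}, b"ok"


class Browser:
    def __init__(self, server, preload_list=(), now=time.time):
        self.server = server
        self.now = now
        # host -> (expiry timestamp, includeSubDomains). Preloaded entries
        # never expire and cover subdomains, as the preload list requires.
        self.hsts = {host: (float("inf"), True) for host in preload_list}

    def _hsts_applies(self, host):
        t = self.now()
        for known, (expires, subs) in self.hsts.items():
            if t >= expires:
                continue
            if host == known or (subs and host.endswith("." + known)):
                return True
        return False

    def _remember(self, url, headers):
        # RFC 6797 section 8.1: only honour the header over a secure transport.
        sts = headers.get("Strict-Transport-Security")
        if not sts or urlsplit(url).scheme != "https":
            return
        policy = parse_sts(sts)
        host = urlsplit(url).hostname
        if policy["max_age"] == 0:
            self.hsts.pop(host, None)           # max-age=0 clears the entry
        elif policy["max_age"]:
            self.hsts[host] = (self.now() + policy["max_age"],
                               policy["include_subdomains"])

    def fetch(self, url):
        parts = urlsplit(url)
        if parts.scheme == "http" and self._hsts_applies(parts.hostname):
            url = _to_https(url)                # rewritten locally: no request sent
        for _ in range(5):                      # bounded redirect following
            status, headers, body = self.server.handle(url)
            if status == 301:
                url = headers["Location"]
                continue
            self._remember(url, headers)
            return status, body
        raise RuntimeError("too many redirects")


def requests_for(urls, preload_list=(), now=time.time):
    """Number of requests that reach the server for a sequence of navigations."""
    server = FakeServer()
    browser = Browser(server, preload_list, now)
    for url in urls:
        browser.fetch(url)
    return len(server.requests)


if __name__ == "__main__":
    print("first http:// visit, 301 only:",
          requests_for(["http://www.example.com/"]))                               # 2
    print("second visit, HSTS cached:    ",
          requests_for(["http://www.example.com/", "http://www.example.com/a"]))  # 3
    print("preloaded, first visit:       ",
          requests_for(["http://www.example.com/"], preload_list=["example.com"]))  # 1
```

The second navigation costs one request because the rewrite happens before the browser opens a socket; with a plain 301 every http:// link the user types or follows would cost two. Pass a fake clock as now to see the entry lapse after max-age seconds.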
18. OCSP Stapling
• Two ways we can check to see if a certificate has been revoked:
– In the client (browser): the browser contacts the CA’s OCSP responder itself, which adds a round trip to a third party on every fresh connection and tells the CA which sites the user visits.
– By the server (and “stapling” the results to the certificate bundle): the server fetches the signed OCSP response ahead of time and sends it inside the TLS handshake, so the client verifies it without an extra connection.
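To confirm a server actually staples, ask it with openssl s_client -status: it prints the decoded OCSP response if one was stapled and "OCSP response: no response sent" if not. The script below is an added example, not from the original slides. stapling_status() runs the real openssl command (needs network and an openssl binary); parse_s_client_status() reads the output and is exercised here against constructed excerpts of openssl output so the parsing part runs offline.

```python
"""Check whether a TLS server staples an OCSP response.

Added example, not from the original slides. stapling_status() drives the
real `openssl s_client -status` command (network access and an openssl binary
required); parse_s_client_status() reads its output and is demonstrated
against constructed sample output below.
"""
import re
import subprocess


def parse_s_client_status(output):
    """Return (stapled, cert_status) from `openssl s_client -status` output.

    openssl prints "OCSP response: no response sent" when the server did not
    staple; otherwise it decodes the response, including "OCSP Response
    Status: successful" and "Cert Status: good|revoked|unknown".
    """
    if "OCSP response: no response sent" in output:
        return False, None
    if "OCSP Response Status: successful" not in output:
        return False, None
    m = re.search(r"Cert Status:\s*(\w+)", output)
    return True, (m.group(1).lower() if m else "unknown")


def stapling_status(host, port=443, timeout=15):
    """Live check: connect with SNI and ask the server to staple."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port),
           "-servername", host, "-status"]
    # Empty stdin makes s_client exit once the handshake output is printed.
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_s_client_status(proc.stdout.decode("utf-8", "replace"))


# Constructed excerpts of openssl output, trimmed to the lines that matter.
STAPLED_SAMPLE = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2016 GMT
    Next Update: Jan  8 00:00:00 2016 GMT
======================================
"""

NOT_STAPLED_SAMPLE = """\
CONNECTED(00000003)
OCSP response: no response sent
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], stapling_status(sys.argv[1]))
    else:
        print("stapled sample:    ", parse_s_client_status(STAPLED_SAMPLE))
        print("not stapled sample:", parse_s_client_status(NOT_STAPLED_SAMPLE))
```

On the server side the feature is a configuration switch: nginx uses ssl_stapling on and ssl_stapling_verify on, Apache uses SSLUseStapling on together with an SSLStaplingCache. Run the check after a restart and again a minute later: the first connection after startup often shows no response because the server has not fetched one yet.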
24. Putting It All Together
• Every third party script (domain) will be served over HTTPS. One http:// script on an https:// page is mixed content: browsers block it, and it would let an on-path attacker inject code into the page anyway.
• Make sure you use a CDN that supports TLS optimizations (OCSP stapling, session resumption).
• Only use TLS from Edge to Origin if necessary. Plaintext between edge and origin is only defensible on a private network you control; across the public Internet it reintroduces the eavesdropping HTTPS was meant to prevent.