Many websites — from Wikipedia to Reddit to the Washington Post — are encrypting all of their web traffic to protect their readers' privacy by using SSL certificates are directing their traffic over HTTPS. Besides the obvious security advantages, webmasters have another reason: Google is using HTTPS as a ranking signal. At this meetup, we'll talk about what this all means (benefits, downsides) and problems encountered moving to HTTPS (and how they solved them).

1. Moving your site
to HTTPS

2. Paul Schreiberpaulschreiber@gmail.com
@paulschreiber

15. 15%

21. http://www.bbc.co.uk/
http://www.bbc.co.uk/persian/
✔

23. HTTP1991–2016

25. Marking HTTP As Non-Secure
We, the Chrome Security Team, propose that user
agents (UAs) gradually change their UX to
display non-secure origins as affirmatively
non-secure. We intend to devise and begin
deploying a transition plan for Chrome in 2015.
The goal of this proposal is to more clearly display
to users that HTTP provides no data security.

27. Deprecating Non-Secure HTTP
Today we are announcing our intent to phase out
non-secure HTTP.
There are two broad elements of this plan:
1. Setting a date after which all new features will be
available only to secure websites
2. Gradually phasing out access to browser
features for non-secure websites, especially
features that pose risks to users’ security and
privacy.

29. The HTTPS-Only Standard
All browsing activity should be considered
private and sensitive.
—https.cio.gov

40. HTTPS

43. HTTP

44. HTTPS

48. 2008 HTTPS is slow
2016 HTTPS is fast

59. HTTP 2.0

60. HTTPS

66. SHA-1

71. $ sslmate mkconfig

72. https://mozilla.github.io/
server-side-tls/
ssl-config-generator/

73. https://wordpress.org/
plugins/wp-encrypt/

77. HTTPS enabled
HTTPS default
HSTS
HSTS preload

79. content

80. content

81. comments

82. ads

83. social

84. analytics

85. CDNs

86. fonts

94. $ mixed-content-scan

95. Content-Security-Policy:
upgrade-insecure-requests

96. Content-Security-Policy-
Report-Only: default-src
https: data: 'self'
'unsafe-inline' 'unsafe-
eval'; report-uri:
https://myserver.com/log-
tool/

97. <script src="//google.com/…
<script src="https://googl…

98. NoHTTPS?
ask
nicely.

99. NoHTTPS?
SoundCite
placehold.it

100. mixedcontent
Akamai
http://hostname.com →
https://a248.e.akamai.net/f/
12/621/60d/hostname.com

102. moarTLS
Analyzer

103. HTTPS
Everywhere

105. Chrome

111. ssllabs.com/
ssltest/

112. observatory.
mozilla.org

113. hstspreload.
appspot.com

114. badssl.com

115. securityheaders.io

116. report-uri.io

117. cspisawesome.com

118. httpswatch.com

119. google.com/
transparencyreport/
https/grid/

121. Many graphics from The Noun Project
Mountains by Chris Cole; Statue of Liberty by John Melven; Tombstone by Jakob
Wells; Congress by Martha Ormiston; Shield by Wayne Thayer; Books by Ashley
van Dyck; Snail by aLf; carrot by Creative Stall; Geolocation by Alexander Smith;
Notification by vijay sekhar; Microphone by Edward Boatman; Video camera by
Pham Thi Dieu Linh; Full screen by Garrett Knoll; Rotation by Lemon Liu;
speedmeter by Michal Beno; layers by Muhamad Ulum; arrow by Maurizio
Pedrazzoli; stick by Blaise Sewell; Server by Yazmin Alanis; SEO by Azis; Money
by Nick Levesque; Shopping cart by Patrizia Daidone; Lock with keyhole by
Brennan Novak; Scribble by Michael Chanover; Network by Stephen Boak; Hat
based on work by Blake Kimmel. ; Warning by Icomatic; Error by Anas Ramadan.