everyone screws up https
Post on 17-Jan-2017
8.682 Views
Preview:
TRANSCRIPT
PATRICK STOX/in/patrickstox@patrickstox
http://www.TheeDesign.com
EVERYONE SCREWS UP
WHAT IS HTTPSA PROTOCOL MADE TO SECURE COMMUNICATIONS BETWEEN YOUR BROWSER AND A WEBSITE BY ENCRYPTING THE DATA, ENSURING THE DATA HAS NOT BEEN MODIFIED, AND AUTHENTICATING THE RECIPIENT.
WHY YOU SHOULD BE SECURE•IDENTITY VERIFICATION•ENCRYPTED COMMUNICATION•HELPS PREVENT TAMPERING AND MAN-IN-THE-MIDDLE ATTACKS•TRUST•NO LOSS OF REFERRAL DATA•GOOGLE RANKINGS BOOST?
USES HTTPS AS A RANKING SIGNAL
http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html
*MAY STRENGTHEN OVER TIME
GARY ILLYES, GOOGLE WEBMASTER TRENDS ANALYST SAID:
“If you're an SEO and you're recommending against going HTTPS, you're wrong and you should feel bad.”https://twitter.com/methode/status/633541668403310593
MORE RECENTLY, GARY STATED HTTPS IS MORE OF A TIE-BREAKERhttp://searchengineland.com/googles-gary-illyes-https-may-break-ties-between-two-equal-search-results-230691
REASONS NOT TO GO SECURE•DOES NOT PREVENT HACKS•COST•EXPERTISE/RISKS
HTTPS DOES NOT SECURE YOUR WEBSITE
•DOWNGRADE ATTACKS•SSL/TLS VULNERABILITIES
HEARTBLEED, POODLE, LOGJAM, OH MY!•HACKS OF A WEBSITE, SERVER, OR NETWORK•SOFTWARE VULNERABILITIES•BRUTE FORCE ATTACKS•DDOS ATTACKS
SECURING
•FORCE STRONG PASSWORDS•KEEP CORE AND PLUGINS UPDATED•SCAN FOR MALWARE•SFTP•FILE PERMISSIONS•STOP BOTNET ATTACKS
http://codex.wordpress.org/Hardening_WordPress
COST?THE COST OF A CERTIFICATE DEPENDS ON THE LEVEL OF PROTECTION AND PROVIDER
FREE:https://www.startssl.com/https://letsencrypt.org/ Arriving Q4 2015
EXPERTISE: HTTPS AT THE SERVER LEVEL
•MOD_SSL NEEDS TO BE ENABLED•PORT 443 OPENED•PROPERLY CONFIGURED VIRTUAL HOST•SPDY (SPEED IMPROVEMENTS)•OCSP STAPLING (CUTS DOWN ON CHECKS)•SO MUCH MORE
EXPERTISE: HTTPS FOR WORDPRESS
SETTINGS » GENERALCHANGE WORDPRESS ADDRESS AND SITE ADDRESS TO USE HTTPS:
THIS IS NOT ENOUGH AS IT ALLOWS LOADING OF BOTH HTTP AND HTTPS
PLUGIN:https://wordpress.org/plugins/wordpress-https/
EXPERTISE: COMMON WORDPRESS PROBLEMS
•NOT USING RELATIVE URLS•FAILING TO CLEAN UP HARD CODED LINKS•DUPLICATION (HTTP AND HTTPS)•DEPRECATED FUNCTIONS THAT DON’T WORK WITH HTTPS•MIXED CONTENT (CONTENT LOADED FROM HTTP AND HTTPS)•CANONICAL TAG ISSUES
EXPERTISE: REDIRECTS
SHOULD BE DONE AT THE SERVER LEVEL IN THE SERVER CONFIG FILE HTTPD.CONFhttps://wiki.apache.org/httpd/RedirectSSL
MORE OFTEN THAN NOT REDIRECTS EITHER DON’T GET DONE OR GETPLACED IN .HTACCESS
EXPERTISE: REDIRECTS IN .HTACCESS
https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
RewriteEngine OnRewriteCond %{HTTPS} !=onRewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
WRONG!!! NOT A 301
EXPERTISE: REDIRECTS IN .HTACCESS CORRECTED# Force HTTPS<IfModule mod_rewrite.c>RewriteEngine OnRewriteCond %{HTTPS} !=onRewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R=301,L]</IfModule>
EXPERTISE: OTHER .HTACCESS ISSUES
•APACHE DEFAULTS TO 302•CODE NOT PROPERLY PLACED•REDIRECT CHAINS•NOT TESTED
RISKS
“Moved from HTTP to HTTPS, now SEO is in the ditch.”
“switched to the https version...After that the ranking on Google dropped for almost every keyword.”
“Huge drop [50%] in traffic after HTTPS move”
BUFFER SAW A 90% DROP
TAKE THESE STORIES WITH A GRAIN OF SALT
THEY LIKELY DIDN’T HAVE THE EXPERTISE TO IMPLEMENT HTTPS AND LIKELY WEREN’T SETUP TO TRACK PROPERLY
EVEN THE BEST OF US FAIL SOMETIMES
TRUST, BUT VERIFY
https://chrome.google.com/webstore/detail/redirect-path/aomidfkchockcldhbkggjokdkkebmdll?hl=en
THANKS
PATRICK STOX/in/patrickstox@patrickstox
top related