Everyone Screws Up HTTPS

Upload: patrickstox

Posted on 17-Jan-2017

Category: Marketing

TRANSCRIPT

Page 1: Everyone Screws Up HTTPS

PATRICK STOX  /in/patrickstox  @patrickstox

http://www.TheeDesign.com

EVERYONE SCREWS UP

Page 2: Everyone Screws Up HTTPS

WHAT IS HTTPS

A PROTOCOL MADE TO SECURE COMMUNICATIONS BETWEEN YOUR BROWSER AND A WEBSITE BY ENCRYPTING THE DATA, ENSURING THE DATA HAS NOT BEEN MODIFIED IN TRANSIT, AND AUTHENTICATING THE SERVER YOU ARE TALKING TO.

Page 3: Everyone Screws Up HTTPS

WHY YOU SHOULD BE SECURE

• IDENTITY VERIFICATION
• ENCRYPTED COMMUNICATION
• HELPS PREVENT TAMPERING AND MAN-IN-THE-MIDDLE ATTACKS
• TRUST
• NO LOSS OF REFERRAL DATA
• GOOGLE RANKINGS BOOST?

Page 4: Everyone Screws Up HTTPS

USES HTTPS AS A RANKING SIGNAL

http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html

*MAY STRENGTHEN OVER TIME

Page 5: Everyone Screws Up HTTPS

GARY ILLYES, GOOGLE WEBMASTER TRENDS ANALYST SAID:

“If you're an SEO and you're recommending against going HTTPS, you're wrong and you should feel bad.”
https://twitter.com/methode/status/633541668403310593

MORE RECENTLY, GARY STATED HTTPS IS MORE OF A TIE-BREAKER
http://searchengineland.com/googles-gary-illyes-https-may-break-ties-between-two-equal-search-results-230691

Page 6: Everyone Screws Up HTTPS

REASONS NOT TO GO SECURE

• DOES NOT PREVENT HACKS
• COST
• EXPERTISE/RISKS

Page 7: Everyone Screws Up HTTPS

HTTPS DOES NOT SECURE YOUR WEBSITE

• DOWNGRADE ATTACKS
• SSL/TLS VULNERABILITIES (HEARTBLEED, POODLE, LOGJAM, OH MY!)
• HACKS OF A WEBSITE, SERVER, OR NETWORK
• SOFTWARE VULNERABILITIES
• BRUTE FORCE ATTACKS
• DDOS ATTACKS

Page 8: Everyone Screws Up HTTPS

SECURING

• FORCE STRONG PASSWORDS
• KEEP CORE AND PLUGINS UPDATED
• SCAN FOR MALWARE
• SFTP
• FILE PERMISSIONS
• STOP BOTNET ATTACKS

http://codex.wordpress.org/Hardening_WordPress

Page 9: Everyone Screws Up HTTPS

COST?

THE COST OF A CERTIFICATE DEPENDS ON THE LEVEL OF PROTECTION AND PROVIDER

FREE:
https://www.startssl.com/
https://letsencrypt.org/ (Arriving Q4 2015)

Page 10: Everyone Screws Up HTTPS

EXPERTISE: HTTPS AT THE SERVER LEVEL

• MOD_SSL NEEDS TO BE ENABLED
• PORT 443 OPENED
• PROPERLY CONFIGURED VIRTUAL HOST
• SPDY (SPEED IMPROVEMENTS; SINCE SUPERSEDED BY HTTP/2)
• OCSP STAPLING (THE SERVER SENDS THE CERTIFICATE'S REVOCATION STATUS, SO THE BROWSER DOESN'T HAVE TO QUERY THE CA)
• SO MUCH MORE

Page 11: Everyone Screws Up HTTPS

EXPERTISE: HTTPS FOR WORDPRESS

SETTINGS » GENERAL
CHANGE WORDPRESS ADDRESS AND SITE ADDRESS TO USE HTTPS:

THIS IS NOT ENOUGH AS IT ALLOWS LOADING OF BOTH HTTP AND HTTPS

PLUGIN: https://wordpress.org/plugins/wordpress-https/

Page 12: Everyone Screws Up HTTPS

EXPERTISE: COMMON WORDPRESS PROBLEMS

• NOT USING RELATIVE URLS
• FAILING TO CLEAN UP HARD CODED LINKS
• DUPLICATION (HTTP AND HTTPS)
• DEPRECATED FUNCTIONS THAT DON’T WORK WITH HTTPS
• MIXED CONTENT (CONTENT LOADED FROM HTTP AND HTTPS)
• CANONICAL TAG ISSUES

Page 13: Everyone Screws Up HTTPS

EXPERTISE: REDIRECTS

SHOULD BE DONE AT THE SERVER LEVEL IN THE SERVER CONFIG FILE (HTTPD.CONF)
https://wiki.apache.org/httpd/RedirectSSL

MORE OFTEN THAN NOT, REDIRECTS EITHER DON’T GET DONE OR GET PLACED IN .HTACCESS

Page 14: Everyone Screws Up HTTPS

EXPERTISE: REDIRECTS IN .HTACCESS

https://wiki.apache.org/httpd/RewriteHTTPToHTTPS

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

WRONG!!! NOT A 301

Page 15: Everyone Screws Up HTTPS

EXPERTISE: REDIRECTS IN .HTACCESS CORRECTED

# Force HTTPS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R=301,L]
</IfModule>

NOTE: THE <IfModule> WRAPPER MEANS THE RULE SILENTLY DOES NOTHING IF MOD_REWRITE IS NOT LOADED, SO TEST THE REDIRECT AFTER DEPLOYING IT

Page 16: Everyone Screws Up HTTPS

EXPERTISE: OTHER .HTACCESS ISSUES

• APACHE DEFAULTS TO 302 (AN [R] FLAG WITH NO STATUS CODE)
• CODE NOT PROPERLY PLACED
• REDIRECT CHAINS
• NOT TESTED
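The redirect mistakes on slides 13 to 16 (a 302 where a 301 was meant, redirect chains through the bare domain, redirects that were never put in place or never tested) are all visible in the response chain, so they can be checked mechanically. The script below is an added example, not part of the original deck: it follows a URL's redirects and flags each of those mistakes. The SCENARIOS table is constructed data standing in for a real server, the example.com hostnames are placeholders, and fetch_live is only there for pointing the audit at a real host; everything else runs offline.

```python
"""Audit an http:// URL's redirect to HTTPS for the slide-deck mistakes:
not a 301, a redirect chain, a redirect that drops the path, or none at all."""
from urllib.parse import urljoin, urlsplit
import http.client

REDIRECT_CODES = {301, 302, 303, 307, 308}


def fetch_live(url, timeout=10):
    """Real HEAD request; returns (status, Location header or None). Network only."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    conn.request("HEAD", target)
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")


def fake_fetcher(responses):
    """fetch() built from a constructed {url: (status, location)} table.
    Unknown URLs answer 404, so a bad Location surfaces as WRONG_TARGET."""
    return lambda url: responses.get(url, (404, None))


def follow_chain(url, fetch, max_hops=10):
    """Follow redirects from url; returns [(url, status, location), ...].
    Stops at the first non-redirect answer, at a loop, or after max_hops."""
    hops, seen, current = [], set(), url
    while current not in seen and len(hops) < max_hops:
        seen.add(current)
        status, location = fetch(current)
        hops.append((current, status, location))
        if status not in REDIRECT_CODES or not location:
            break
        current = urljoin(current, location)  # Location may be relative
    return hops


def audit(url, canonical_host, fetch):
    """Return [(finding, detail), ...]; an empty list means the redirect is right.
    Right = exactly one 301 from url to the same path on https://canonical_host."""
    hops = follow_chain(url, fetch)
    redirects = [h for h in hops if h[1] in REDIRECT_CODES]
    if not redirects:
        return [("MISSING_REDIRECT", f"{url} answered {hops[0][1]} with no redirect")]
    findings = []
    for hop_url, status, _ in redirects:
        if status != 301:  # [R] with no code gives Apache's default 302 (slide 16)
            findings.append(("NOT_301", f"{hop_url} redirected with {status}"))
    if len(redirects) > 1:
        findings.append(("CHAIN", " -> ".join(h[0] for h in hops)))
    last_url, last_status, _ = hops[-1]
    if last_status in REDIRECT_CODES:  # loop or hop limit: never reached a page
        findings.append(("UNRESOLVED", f"still redirecting at {last_url} ({last_status})"))
        return findings
    parts = urlsplit(url)
    expected = f"https://{canonical_host}{parts.path or '/'}"
    if parts.query:
        expected += f"?{parts.query}"
    if last_url != expected:
        findings.append(("WRONG_TARGET", f"landed on {last_url}, expected {expected}"))
    return findings


# Constructed server behaviours (not captured from any real site), one per mistake.
SCENARIOS = {
    "correct": {
        "http://www.example.com/about/": (301, "https://www.example.com/about/"),
        "https://www.example.com/about/": (200, None),
    },
    "rewrite_R_without_301": {  # the [R,L] rule from slide 14
        "http://www.example.com/about/": (302, "https://www.example.com/about/"),
        "https://www.example.com/about/": (200, None),
    },
    "chain_via_bare_domain": {  # http -> https -> https://www: two hops
        "http://example.com/about/": (301, "https://example.com/about/"),
        "https://example.com/about/": (301, "https://www.example.com/about/"),
        "https://www.example.com/about/": (200, None),
    },
    "path_dropped": {  # everything sent to the homepage
        "http://www.example.com/about/": (301, "https://www.example.com/"),
        "https://www.example.com/": (200, None),
    },
    "never_configured": {"http://www.example.com/about/": (200, None)},
}


def run_all(canonical_host="www.example.com"):
    """Audit each scenario from its http:// URL; returns {name: [finding codes]}."""
    results = {}
    for name, table in SCENARIOS.items():
        start = next(u for u in table if u.startswith("http://"))
        results[name] = [code for code, _ in audit(start, canonical_host, fake_fetcher(table))]
    return results


if __name__ == "__main__":
    for name, codes in run_all().items():
        print(f"{name:24} {codes or 'OK'}")
    # Live check: audit("http://www.yourdomain.com/", "www.yourdomain.com", fetch_live)
```

Run it against a few real URLs (homepage, a deep page, a URL with a query string) rather than just the homepage, since a rule that only matches the document root, or that rewrites to a hard-coded host, passes the first check and fails the others.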

Page 17: Everyone Screws Up HTTPS

RISKS

“Moved from HTTP to HTTPS, now SEO is in the ditch.”

“switched to the https version...After that the ranking on Google dropped for almost every keyword.”

“Huge drop [50%] in traffic after HTTPS move”

Page 18: Everyone Screws Up HTTPS

BUFFER SAW A 90% DROP

Page 19: Everyone Screws Up HTTPS

TAKE THESE STORIES WITH A GRAIN OF SALT

THEY LIKELY DIDN’T HAVE THE EXPERTISE TO IMPLEMENT HTTPS AND LIKELY WEREN’T SET UP TO TRACK PROPERLY

Page 20: Everyone Screws Up HTTPS

EVEN THE BEST OF US FAIL SOMETIMES