nicar delivering the news over https

Delivering the news over HTTPS

Paul [email protected] @paulschreiber

http://www.bbc.co.uk/ http://www.bbc.co.uk/persian/

✔

HTTP1991–2016

Marking HTTP As Non-SecureWe, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015.

The goal of this proposal is to more clearly display to users that HTTP provides no data security.

Deprecating Non-Secure HTTPToday we are announcing our intent to phase out non-secure HTTP.

There are two broad elements of this plan: 1. Setting a date after which all new features will be

available only to secure websites 2. Gradually phasing out access to browser

features for non-secure websites, especially features that pose risks to users’ security and privacy.

The HTTPS-Only StandardAll browsing activity should be considered private and sensitive.

—https.cio.gov

A Call to ActionIf you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of 2015 and pledge your support with the hashtag #https2015.

—Eitan Konigsburg, Rajiv Pant and Elena Kvochko “Embracing HTTPS” November 13, 2014

HTT

P

HTT

PS

2008 HTTPS is slow

2008 HTTPS is slow2015 HTTPS is fast

HTTP 2.0

$sslmatemkconfig

https://mozilla.github.io/server-side-tls/

ssl-config-generator/

HTTPS enabled

HTTPS enabledHTTPS default

HTTPS enabledHTTPS defaultHSTS

HTTPS enabledHTTPS defaultHSTSHSTS preload

cont

ent

cont

ent

😕

cont

ent

🤔

com

men

ts

soci

al

anal

ytic

s

CD

Ns

font

s

mix

ed c

onte

nt

mix

ed c

onte

nt

$mixed-content-scan

mix

ed c

onte

nt

Content-Security-Policy:upgrade-insecure-requests

mix

ed c

onte

nt Content-Security-Policy-Report-Only:default-srchttps:data:'self''unsafe-inline''unsafe-eval';report-uri:https://myserver.com/log-tool/

No

HTT

PS?

ask nicely.

No

HTT

PS?

SoundCiteplacehold.it

mix

ed c

onte

nt

Akamai http://hostname.com→https://a248.e.akamai.net/f/12/621/60d/hostname.com

<scriptsrc="//google.com/…<scriptsrc="https://googl…

mix

ed c

onte

nt

mix

ed c

onte

nt

Many graphics from The Noun ProjectMountains by Chris Cole; Statue of Liberty by John Melven; Tombstone by Jakob Wells; Congress by Martha Ormiston; Shield by Wayne Thayer; Books by Ashley van Dyck; Snail by aLf; carrot by Creative Stall; Geolocation by Alexander Smith; Notification by vijay sekhar; Microphone by Edward Boatman; Video camera by Pham Thi Dieu Linh; Full screen by Garrett Knoll; Rotation by Lemon Liu; speedmeter by Michal Beno; layers by Muhamad Ulum; arrow by Maurizio Pedrazzoli; stick by Blaise Sewell; Server by Yazmin Alanis; SEO by Azis; Money by Nick Levesque; Shopping cart by Patrizia Daidone; Lock with keyhole by Brennan Novak; Scribble by Michael Chanover; Network by Stephen Boak; Hat based on work by Blake Kimmel. ; Warning by Icomatic; Error by Anas Ramadan.

nicar delivering the news over https

Technology