
Everyone Screws Up HTTPS


From redirects to insecure content to duplicate content, everyone screws up https. Even top-tier developers get this wrong, and the results can be devastating.

Learn how to secure your website without losing your rankings and become more trustworthy in the eyes of your visitors.

Published in: Marketing

Everyone Screws Up HTTPS

  1. PATRICK STOX /in/patrickstox @patrickstox http://www.TheeDesign.com EVERYONE SCREWS UP
  2. WHAT IS HTTPS: A PROTOCOL MADE TO SECURE COMMUNICATIONS BETWEEN YOUR BROWSER AND A WEBSITE BY ENCRYPTING THE DATA, ENSURING THE DATA HAS NOT BEEN MODIFIED, AND AUTHENTICATING THE RECIPIENT.
  3. WHY YOU SHOULD BE SECURE • IDENTITY VERIFICATION • ENCRYPTED COMMUNICATION • HELPS PREVENT TAMPERING AND MAN-IN-THE-MIDDLE ATTACKS • TRUST • NO LOSS OF REFERRAL DATA • GOOGLE RANKINGS BOOST?
  4. GOOGLE USES HTTPS AS A RANKING SIGNAL http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html *MAY STRENGTHEN OVER TIME
  5. GARY ILLYES, GOOGLE WEBMASTER TRENDS ANALYST, SAID: “If you're an SEO and you're recommending against going HTTPS, you're wrong and you should feel bad.” https://twitter.com/methode/status/633541668403310593 MORE RECENTLY, GARY STATED HTTPS IS MORE OF A TIE-BREAKER http://searchengineland.com/googles-gary-illyes-https-may-break-ties-between-two-equal-search-results-230691
  6. REASONS NOT TO GO SECURE • DOES NOT PREVENT HACKS • COST • EXPERTISE/RISKS
  7. HTTPS DOES NOT SECURE YOUR WEBSITE • DOWNGRADE ATTACKS • SSL/TLS VULNERABILITIES: HEARTBLEED, POODLE, LOGJAM, OH MY! • HACKS OF A WEBSITE, SERVER, OR NETWORK • SOFTWARE VULNERABILITIES • BRUTE FORCE ATTACKS • DDOS ATTACKS
  8. SECURING • FORCE STRONG PASSWORDS • KEEP CORE AND PLUGINS UPDATED • SCAN FOR MALWARE • SFTP • FILE PERMISSIONS • STOP BOTNET ATTACKS http://codex.wordpress.org/Hardening_WordPress
  9. COST? THE COST OF A CERTIFICATE DEPENDS ON THE LEVEL OF PROTECTION AND PROVIDER. FREE: https://www.startssl.com/ https://letsencrypt.org/ (ARRIVING Q4 2015)
  10. EXPERTISE: HTTPS AT THE SERVER LEVEL • MOD_SSL NEEDS TO BE ENABLED • PORT 443 OPENED • PROPERLY CONFIGURED VIRTUAL HOST • SPDY (SPEED IMPROVEMENTS) • OCSP STAPLING (CUTS DOWN ON CHECKS) • SO MUCH MORE
  11. EXPERTISE: HTTPS FOR WORDPRESS. SETTINGS » GENERAL: CHANGE WORDPRESS ADDRESS AND SITE ADDRESS TO USE HTTPS. THIS IS NOT ENOUGH, AS IT ALLOWS LOADING OF BOTH HTTP AND HTTPS. PLUGIN: https://wordpress.org/plugins/wordpress-https/
  12. EXPERTISE: COMMON WORDPRESS PROBLEMS • NOT USING RELATIVE URLS • FAILING TO CLEAN UP HARD-CODED LINKS • DUPLICATION (HTTP AND HTTPS) • DEPRECATED FUNCTIONS THAT DON’T WORK WITH HTTPS • MIXED CONTENT (CONTENT LOADED FROM HTTP AND HTTPS) • CANONICAL TAG ISSUES
  13. EXPERTISE: REDIRECTS SHOULD BE DONE AT THE SERVER LEVEL, IN THE SERVER CONFIG FILE HTTPD.CONF https://wiki.apache.org/httpd/RedirectSSL MORE OFTEN THAN NOT, REDIRECTS EITHER DON’T GET DONE OR GET PLACED IN .HTACCESS
  14. EXPERTISE: REDIRECTS IN .HTACCESS https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
      RewriteEngine On
      RewriteCond %{HTTPS} !=on
      RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
      WRONG!!! NOT A 301
  15. EXPERTISE: REDIRECTS IN .HTACCESS, CORRECTED
      # Force HTTPS
      <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{HTTPS} !=on
      RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R=301,L]
      </IfModule>
  16. EXPERTISE: OTHER .HTACCESS ISSUES • APACHE DEFAULTS TO 302 • CODE NOT PROPERLY PLACED • REDIRECT CHAINS • NOT TESTED
  17. RISKS “Moved from HTTP to HTTPS, now SEO is in the ditch.” “switched to the https version...After that the ranking on Google dropped for almost every keyword.” “Huge drop [50%] in traffic after HTTPS move”
  18. BUFFER SAW A 90% DROP
  19. TAKE THESE STORIES WITH A GRAIN OF SALT: THEY LIKELY DIDN’T HAVE THE EXPERTISE TO IMPLEMENT HTTPS AND LIKELY WEREN’T SET UP TO TRACK PROPERLY
  20. EVEN THE BEST OF US FAIL SOMETIMES
  21. TRUST, BUT VERIFY https://chrome.google.com/webstore/detail/redirect-path/aomidfkchockcldhbkggjokdkkebmdll?hl=en
  22. THANKS PATRICK STOX /in/patrickstox @patrickstox
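As an added example (not from the deck), a small Python checker in the spirit of slide 21's "trust, but verify": it walks an HTTP-to-HTTPS redirect chain one hop at a time, without auto-following, and flags the .htaccess mistakes slides 14-16 describe (a 302 where a 301 was intended, redirect chains, a final page that is not HTTPS). The function names `fetch_hop`, `follow` and `audit` are chosen here, and the sample hops are constructed rather than captured from a real site.

```python
"""Audit an HTTP->HTTPS redirect chain for the problems the deck lists."""
import http.client
from urllib.parse import urljoin, urlparse

REDIRECTS = (301, 302, 303, 307, 308)


def fetch_hop(url, timeout=10):
    """One HEAD request that does NOT follow redirects; returns (status, Location)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    conn.request("HEAD", u.path or "/")
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.getheader("Location")


def follow(url, fetch=fetch_hop, max_hops=10):
    """Collect (url, status, location) hops until a non-redirect or the hop cap."""
    hops = []
    for _ in range(max_hops):
        status, location = fetch(url)
        hops.append((url, status, location))
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    return hops


def audit(hops):
    """Return the problems found in a hop list; an empty list means a clean setup."""
    problems = []
    redirects = [h for h in hops if h[1] in REDIRECTS]
    for url, status, _ in redirects:
        if status != 301:  # slide 16: Apache defaults to 302 when no code is given
            problems.append(f"{url}: {status} is not a 301")
    if len(redirects) > 1:  # slide 16: redirect chains; one hop is the goal
        problems.append(f"redirect chain of {len(redirects)} hops")
    final_url, final_status, _ = hops[-1]
    if urlparse(final_url).scheme != "https":
        problems.append(f"final URL {final_url} is not HTTPS")
    if final_status in REDIRECTS:
        problems.append("loop or hop cap reached before a final page")
    return problems


# Constructed sample hops that stand in for live responses (not a real site).
SAMPLE = {
    "http://example.com/": (302, "http://www.example.com/"),
    "http://www.example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (200, None),
}

if __name__ == "__main__":
    for problem in audit(follow("http://example.com/", fetch=lambda u: SAMPLE[u])):
        print(problem)
```

Run it against a live host by calling `follow("http://yourdomain.example/")` with the default fetcher; a clean site yields exactly one 301 hop straight to its HTTPS URL and an empty problem list.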
