This talk will focus on the factors that are driving HTTPS adoption across the web and why it’s a good idea to secure every project. We will go over how SSL became an SEO rank factor, how it opens doors to performance optimizations through the new HTTP/2 protocol, and how it is now much more accessible with the free SSL certificates provided by the Let’s Encrypt initiative.
11. Client / Server (SSL handshake diagram)
• Server holds the private and public keys; client holds RNc
• Client hello, SSL session request, RNc
• Server hello, sends over SSL cert, Public Key, RNs
• PMSc, encrypted with the Public Key
• Each side calculates the MS, starts using it for secure communication
13. HTTP2
• Need SSL to run http2
• Faster site performance (multiplexing, header compression, server push)
• Easy implementation when web host supports it
https = http over SSL/TLS, encrypted web connection
yes, please = something you say after awesome things
will talk about encryption and the latest benefits for projects
Kiril Hristov, PM at SiteGround
What I do at SiteGround
Personal story
Encryption in all 3 circles
UX - privacy, speed
Tech - how it works, basic implementation in a Joomla! site
Business - higher search ranking
How the industry views encryption
SSL absolutely necessary on left side of spectrum
Skepticism at the right side of spectrum
Purpose of the talk - Secure by Default because of added benefits
Several reasons to use SSL
Privacy is first, it’s Scary, so it’s a great Motivator
Freely downloadable software that can sniff networks (Debookee for Mac)
Connected to the same network
Scan and get a list of all the devices connected
Target any device on the network and monitor its http traffic
Unencrypted - see all websites a person visits (scary), pick up session cookies, log in to sites as them (even scarier)
Joomla! admin example
Encrypted - only see the domain
Skepticism - requires being connected to the same wifi; those networks have passwords, so they’re secure
We use networks that don’t have passwords (especially out of town)
Passwords are crackable
SSL fixes these issues (we saw in the demo). Everything between client and server is encrypted.
User data and privacy
Your own admin data
See these in buildings, why?
As Site owners we have responsibility to protect user privacy
Even if it’s just what they are reading, that info may be revealing
If we have users logging in and interacting, responsibility is even bigger
Show how/why SSL is secure (Technology)
A useful way to convince yourself or others is to know how something works
Privacy - UX circle on the user side, Business circle
Technology - how ssl works
Done with traditional application of SSL, not much new
Now we get into the added benefits
Need SSL - browsers only run http2 w/ SSL
Concerns that SSL slowed down sites
The web has evolved, handshake and encryption are not resource intensive
HTTP2 actually makes sites faster, mainly multiplexing
Super easy to start using it when web host supports (just need SSL)
What better way than to see it
How do I know I am running http2?
Network tab shows protocol
Browser extension - HTTP/2 and SPDY indicator
About a year ago Google announced it
How much of a ranking factor?
Not a major one
There are 200 other factors
Rule of thumb - What’s good for users will be good for rankings
One more thing to add to your SEO best practices
And why not when it’s now free?
- Relatively new, open certificate authority, provides free SSL certificates
2,000,000 certificates
adopted by many hosts with easy installation ~75
Dedicated IP - on the whole no longer needed with SSL; many hosts integrate Let’s Encrypt this way, so no added cost here
90 day auto renewable certs
Get free or buy SSL
Config should be taken care of by host (most cases)
Forces SSL across the site.
Can be done with .htaccess and configuration.php files
Extra setting of the login form to use SSL for credentials
Set to NO by default even after forcing SSL on site
Have not tested if it continues sending in plain text, maybe address this during Make it Happen
- Very detailed SSL checker
Mixed content when migrating http -> https
Due to http requests to resources (.css), http links to other pages on the site, http content on pages (e.g. images)
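One way to find the three kinds of leftover http references listed above before switching a site to https, as an added example that is not from the talk. The scanner, its names and the example.org sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# (tag, attribute) pairs that trigger a fetch, grouped by the causes in the notes.
RESOURCE = {("script", "src"), ("iframe", "src"), ("link", "href")}
CONTENT = {("img", "src"), ("video", "src"), ("audio", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    """Collect http:// references left over after an http -> https migration."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (kind, tag, url, line number)

    def _same_site(self, url):
        host = (urlparse(url).hostname or "").lower()
        return host == self.site_host or host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower().split()
        for name, value in attrs:
            url = (value or "").strip()
            if not url.lower().startswith("http://"):
                continue
            if (tag, name) in RESOURCE and (tag != "link" or "stylesheet" in rel):
                kind = "resource"       # <link rel="canonical"> is not fetched
            elif (tag, name) in CONTENT:
                kind = "content"
            elif tag == "a" and name == "href" and self._same_site(url):
                kind = "internal-link"  # links to other sites are not flagged
            else:
                continue
            self.findings.append((kind, tag, url, self.getpos()[0]))

def scan(html, site_host):
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page for a hypothetical site, example.org.
SAMPLE = """<link rel="stylesheet" href="http://example.org/templates/site.css">
<link rel="canonical" href="http://example.org/">
<img src="http://cdn.example.net/banner.png" alt="">
<a href="http://example.org/contact">Contact</a>
<a href="http://other.example.com/">Elsewhere</a>"""

if __name__ == "__main__":
    print(*scan(SAMPLE, "example.org"), sep="\n")
```

Each finding is a (kind, tag, url, line) tuple, so the output can be sorted by kind to fix stylesheets and scripts first, then images, then internal links.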
Recap before the Q & A
The image - privacy, traditional SSL application
Added benefits
Speed
Search engine rankings
Now free and easy to get SSL through LE