HTTPS & HTTP/2
Matthew Walker
August 2016
HTTPS and HTTP/2
Identity confirmation
Confidentiality
Integrity
Unlock new browser features
Small PageRank boost
HTTP/2
Geolocation
HTTP/2
getUserMedia()
Push notifications
Device motion / orientation
Encrypted media extensions
AppCache
Deprecating Non-Secure HTTP, Mozilla Security Blog, 20 April 2015.
https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
Deprecating Powerful Features on Insecure Origins, The Chromium Projects
https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins
Past
• Hard to set up
• Expensive
• Only for ecommerce



Present
• Relatively easy to set up
• Certs start at $0
• All websites, all pages



Future
All HTTP sites will be
specifically marked as insecure!
Marking HTTP As Non-Secure
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
The new normal
“Google estimates 25% of sites now use secure
connections. Google will work with some of the
non-secure top 100 sites on the web to help them
migrate to HTTPS.” -- March 2016
http://marketingland.com/google-estimates-25-sites-now-use-secure-connections-168763
• 301 redirects must be done right
• Dedicated IP means small hosting cost bump
• HTTPS over HTTP/1.1 is marginally slower
• One more thing to set up and pay for / screw up
HTTPS migrations lose PageRank (?)
301 redirects result in around a 15% loss of PageRank
No PageRank loss redirect HTTP -> HTTPS
301 Redirects Rules Change: What You Need to Know for SEO, Moz Blog, 1 August 2016.
https://moz.com/blog/301-redirection-rules-for-seo


Set up your dev environment for certs
One time setup
sudo a2enmod ssl
sudo a2enmod headers
sudo vim /etc/apache2/apache2.conf
And add NameVirtualHost *:443 near the bottom.
sudo service apache2 restart
sudo mkdir /etc/apache2/ssl
Self-signed certs
Create a cert
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/[newsite].key -out /etc/apache2/ssl/[newsite].crt
[Note: fill in the common name with the domain]
cd /etc/apache2/sites-available
sudo vim [newsite]
Duplicate the entire VirtualHost block and label as <VirtualHost *:443>
Put this at the bottom
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/[newsite].crt
SSLCertificateKeyFile /etc/apache2/ssl/[newsite].key
Free certs
https://letsencrypt.org/
https://www.startssl.com/
Secure all the things.
Every page. Every resource.
Phase 1
• Search for http:// -> //
• Check canonical links have full https:// url
• Check your sitemap and robots.txt
• New property in Google Search Console
robots.txt
Sitemap: https://domain.com/sitemap.xml
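An added example, not part of the original slides: a Python sketch of the Phase 1 checks that flags http:// subresources (mixed content) and canonical links that are not full https:// URLs. The sample HTML and the names Phase1Audit and audit_html are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "object": "data",
}
# <link rel> values that load a resource; other rels are only references.
LOADING_RELS = {"stylesheet", "icon", "preload", "manifest"}


def is_plain_http(url):
    return url.strip().lower().startswith("http://")


class Phase1Audit(HTMLParser):
    """Collects (kind, tag, url) findings from one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "link":
            rels = set(a.get("rel", "").lower().split())
            href = a.get("href", "")
            if "canonical" in rels:
                # Canonical must be a full https:// URL: relative and
                # protocol-relative (//host/path) values are flagged too.
                if urlsplit(href).scheme.lower() != "https":
                    self.findings.append(("canonical-not-https", tag, href))
            elif rels & LOADING_RELS and is_plain_http(href):
                self.findings.append(("mixed-content", tag, href))
        elif tag == "form":
            # A form posting to http:// sends its fields in the clear.
            if is_plain_http(a.get("action", "")):
                self.findings.append(("insecure-form-action", tag, a["action"]))
        elif tag in SUBRESOURCE_ATTRS:
            url = a.get(SUBRESOURCE_ATTRS[tag], "")
            if is_plain_http(url):
                self.findings.append(("mixed-content", tag, url))
        # <a href="http://..."> is a navigation, not a subresource: not flagged.


def audit_html(html):
    parser = Phase1Audit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, not taken from a real site.
SAMPLE_HTML = """
<html><head>
<link rel="canonical" href="//domain.com/page">
<link rel="stylesheet" href="http://domain.com/site.css">
<script src="//cdn.example/lib.js"></script>
</head><body>
<img src="http://domain.com/logo.png">
<img src="/img/ok.png">
<a href="http://other.example/">outbound link</a>
<form action="http://domain.com/search"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in audit_html(SAMPLE_HTML):
        print(f"{kind:22} <{tag}> {url}")
```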
Use TLS 1.0 / 1.1 / 1.2 only:
Test your setup
https://www.ssllabs.com/ssltest/index.html
How to disable SSL:
https://www.digicert.com/ssl-support/apache-disabling-ssl-v3.htm
Phase 2
• 301 redirects http -> https
HTTP -> HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
. is a regular expression, but we just want to match anything
L flag: stop processing further rules
R flag: redirect
If you already have domain name redirects….
RewriteEngine On
# Redirect to canonical
RewriteCond %{HTTP_HOST} ^domain.com$ [NC]
RewriteRule . https://canonical.com%{REQUEST_URI} [L,R=301]
# Redirect to HTTPS
RewriteCond %{HTTPS} off
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
NC flag: case-insensitive
Secure your cookies:
<ifModule mod_headers.c>
Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
</ifModule>
HTTPOnly stops JavaScript from reading the cookie.
Secure stops the browser from sending the cookie over plain HTTP.
HTTPS link to HTTP loses referrer by default
<meta name="referrer" content="origin-when-crossorigin">
The Meta Referrer Tag: An Advancement for SEO and the Internet.
https://moz.com/blog/meta-referrer-tag
Phase 3
• HSTS saves a round trip
• HTTP/2 via a CDN
HSTS -- not done lightly!
<ifModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</ifModule>
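An added example, not part of the original slides: a Python check of the Phase 2 and Phase 3 outcomes (301 to HTTPS, cookie flags, HSTS) run against response headers. The sample responses are constructed, and the function names are this example's own.

```python
from urllib.parse import urlsplit


def parse_response(raw):
    """Split a raw HTTP/1.1 response head into (status, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def values(headers, name):
    return [v for n, v in headers if n == name]


def check_redirect(request_url, status, headers, canonical_host=None):
    """Phase 2: a plain-HTTP request must 301 to https, keeping path and query."""
    req = urlsplit(request_url)
    loc = urlsplit((values(headers, "location") or [""])[0])
    problems = []
    if status != 301:
        problems.append(f"expected 301, got {status}")
    if loc.scheme != "https":
        problems.append("Location is not https")
    if loc.hostname != (canonical_host or req.hostname):
        problems.append("redirect goes to an unexpected host")
    if (loc.path, loc.query) != (req.path, req.query):
        problems.append("redirect drops the path or query")
    return problems


def check_cookies(headers):
    """Every Set-Cookie needs both the Secure and HttpOnly attributes."""
    problems = []
    for cookie in values(headers, "set-cookie"):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for required in ("secure", "httponly"):
            if required not in attrs:
                problems.append(f"cookie {name}: missing {required}")
    return problems


def check_hsts(headers, over_https, min_age=31536000):
    """Phase 3: HSTS only counts over HTTPS; min_age is the slide's max-age."""
    sts = values(headers, "strict-transport-security")
    if not over_https:
        return ["HSTS sent over plain HTTP (browsers ignore it)"] if sts else []
    if not sts:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for part in sts[0].split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip('"')
    age = directives.get("max-age", "")
    if not age.isdigit():
        return ["max-age missing or not a number"]
    if int(age) < min_age:
        return [f"max-age {age} is below {min_age}"]
    return []


def audit(request_url, raw, canonical_host=None):
    status, headers = parse_response(raw)
    if urlsplit(request_url).scheme == "https":
        return check_cookies(headers) + check_hsts(headers, True)
    return (check_redirect(request_url, status, headers, canonical_host)
            + check_hsts(headers, False))


# Constructed sample responses, not captured from a real server.
HTTP_REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://domain.com/page?id=1
"""
HTTP_BAD_REDIRECT = """HTTP/1.1 302 Found
Location: http://domain.com/
"""
HTTPS_GOOD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=abc123; path=/; HTTPOnly; Secure
"""
HTTPS_BAD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Set-Cookie: session=abc123; path=/
Set-Cookie: prefs=dark; Secure
"""

if __name__ == "__main__":
    print(audit("http://domain.com/page", HTTP_BAD_REDIRECT))
    print(audit("https://domain.com/page", HTTPS_BAD))
```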
• https://www.httpvshttps.com/
• HTTPS unlocks HTTP/2
• 70% of websites using HTTP/2 are served via CloudFlare
• https://www.cloudflare.com/http2/
• Why Everyone Should Be Moving To HTTP/2
http://searchengineland.com/everyone-moving-http2-236716
CloudFlare
If you have https redirects, don’t use flexible!
HTTP/1.1 optimisations you don’t need anymore
• Domain sharding
• Image sprites
• Combined CSS and JS files
What about TTFB?
“I heard that the HTTP/2 TTFB (Time to First Byte) which is a measured metric in SEO and
FEO, is sometimes seen higher than HTTP/1.1. What can be done to again have the TTFB
measure be seen as on-par with HTTP/1.1?”
Catchpoint AMA on HTTP/2 with staff from Google, Akamai, CloudFlare, Catchpoint
http://pages.catchpoint.com/HTTP2-AMA-Registration.html
“I think that's a very good and important point. TTFB is important as a metric. If
you can make it faster, do so. That's just a good thing to optimize. You're right in
that just watching the TTFB is not indicative of when the content is painted to the
screen, which is ultimately what the user cares about. Not when they receive the
first byte, but when is the text showing up on the screen? I can show you plenty
of traces where I can see that, even if I compare the unencrypted version with
encrypted over HTTP/2, the time to first byte may be slower, but the page renders
faster, because we're able to leverage other features in HTTP/2 to fetch other
things faster, maybe using server push, so we don't have to do extra round trips.
One metric regresses, but the metric that you care about actually improves.”
-- Ilya Grigorik, Google
Is TLS Fast Yet?
https://istlsfastyet.com/
Mythbusting HTTPS: Squashing security’s urban legends - Google I/O 2016
https://www.youtube.com/watch?v=YMfW1bfyGSY
Mozilla SSL Configuration Generator
https://mozilla.github.io/server-side-tls/ssl-config-generator/
HTTP/2 For Web Developers
https://blog.cloudflare.com/http-2-for-web-developers/
7 Tips for Faster HTTP/2 Performance
https://www.nginx.com/blog/7-tips-for-faster-http2-performance/
Secure browsing by default
https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920/
Websites Must Use HSTS in Order to Be Secure
https://www.eff.org/deeplinks/2014/02/websites-hsts