the_title();
HTTPSEVERYWHERE
@tiffanyakuchta
I’M TIFFANY @tiffanyakuchta
the_content();
Are you ready to reroute the encryption?
WARNING: There will be several references to popular culture from the 80s, 90s and early 2000s in this talk...also dragons. I apologize in advance for the self-indulgence.
These developers are using stand up desks in a coworking space.
WHY YOU SHOULD CARE
Security
Future facing
And, of course...
REASONS WE DIDN’T JUST ALWAYS SSL
Speed
Complexity
IPv4 & lack of SNI support
Human error
“Please turn your monitor in a direction where only you can see it.”
NEW WORDPRESS PROJECTS
Implement a dev strategy that accounts for SSL.
Be mindful of SSL in code and content.
EXISTING WORDPRESS PROJECTS
Our focus today.
Transitioning a self-hosted WordPress install to HTTPS.
BEGIN AT THE BEGINNING
You’ll need a certificate.
Through your host, or maybe through Let’s Encrypt.
STEP 1: ADMIN CHANGES
define('FORCE_SSL_ADMIN', true);
STEP 2: CHECK THE FRONTEND
Low user impact.
You can do this without forcing SSL.
Working title for this talk------------------->
Fixing mixed content.
FIXING MIXED CONTENT
You’ll see images, javascript, fonts, AJAX calls.
//example.com/image.jpg || https://example.com/image.jpg
//PROTOCOL.RELATIVE/URLS?
FIXING CONTENT: POSTS & META
Database
Code: Plugins & Filters
UPDATE wp_posts SET post_content = replace(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
/* not applicable in all situations */
UPDATE wp_posts SET guid = replace(guid, 'http://yourdomain.com', 'https://yourdomain.com');
Backup 1st!
PLUGINS FOR FIXING MIXED CONTENT
https://wordpress.org/plugins/search.php?q=mixed+content
More later
FIXING CODE: THEMES & PLUGINS
grep -RIin "src='http://" wp-content/themes/your-theme
grep -RIin "src=\"http://" wp-content/themes/your-theme
SETTINGS > GENERAL
FORCE SSL
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
“Roads? Where we’re going, we don’t need roads.” To be clear, we’re going to October 21st of last year, but this sorta just happened.
NEW CONTENT
After content entry: filter on content.
During content entry: build a plugin to warn users in real time when they’re creating mixed content.
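One way to do the “filter on content” part, as an added example that is not code from the talk: a must-use plugin that rewrites this site’s own http:// asset URLs on output and shows editors which third-party http:// sub-resources still need fixing by hand. It assumes home_url() already returns the https address (Settings > General) and that is_ssl() is reliable on this host.

```php
<?php
/*
 * Plugin Name: Mixed Content Guard (added example, not from the talk)
 * Drop into wp-content/mu-plugins/. Rewrites same-host http:// asset URLs
 * in post content to https:// and shows editors which http:// sub-resources
 * remain (third-party images, scripts, fonts) so they can fix them by hand.
 */

// Rewrite http://<this site's host> to https://<host>. Third-party URLs are
// left alone on purpose: forcing https on a host that does not serve it
// just swaps a mixed-content warning for a broken resource.
function mcg_rewrite_same_host( $content ) {
    $host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( ! $host ) {
        return $content;
    }
    $pattern = '#\bhttp://' . preg_quote( $host, '#' ) . '(?=[/"\'\s>]|$)#i';
    return preg_replace( $pattern, 'https://' . $host, $content );
}

// Collect http:// values in attributes that load sub-resources, plus CSS url().
// <a href="http://..."> is a navigation link, not mixed content, so it is ignored.
function mcg_find_insecure_resources( $content ) {
    $found = array();
    preg_match_all( '#\b(?:src|srcset|poster|data-src)\s*=\s*["\'](http://[^"\']+)#i', $content, $attr );
    preg_match_all( '#url\(\s*["\']?(http://[^"\')\s]+)#i', $content, $css );
    foreach ( array_merge( $attr[1], $css[1] ) as $url ) {
        $found[ $url ] = true; // de-duplicate
    }
    return array_keys( $found );
}

// the_content filter: fix what can be fixed automatically, then warn editors
// (only editors, only over HTTPS) about anything that still needs attention.
function mcg_filter_content( $content ) {
    $content = mcg_rewrite_same_host( $content );
    if ( is_ssl() && current_user_can( 'edit_posts' ) ) {
        $left = mcg_find_insecure_resources( $content );
        if ( $left ) {
            $content = '<p class="mcg-warning">Mixed content still present: '
                . esc_html( implode( ', ', $left ) ) . '</p>' . $content;
        }
    }
    return $content;
}
add_filter( 'the_content', 'mcg_filter_content', 20 );
```

Because this runs at render time it leaves the database untouched, so it is a safe complement to (not a replacement for) the SQL replace above.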
Idea!
NEW/UPDATED PLUGINS
Wrapper for wp_head();
Automation to notify an admin of mixed content in recently upgraded plugins. (Complex, and probably not worth the effort in the evolving landscape.)
And the Trogdor comes in the niiiiiiiiiiiiiight!
BEWARE, DRAGONS
Load balancers, Reverse Proxy & CDN
is_ssl();
BEWARE, DRAGONS
WTF!? Errors.
Deprecated cipher suite, bad certificate chain.
https://www.ssllabs.com/ssltest/analyze.html
BEWARE, DRAGONS
Don’t forget to renew!
You are a human. Be less human...or automate.
BEWARE, DRAGONS
Webmaster tools will also need to be updated.
Working title for this talk------------------->
Yep. Still.
MOAR DRAGONS
You’re probably going to want to make provisions for dev.
And for fallbacks.
EVEN MOAR DRAGONS
Once you visit the site behind SSL, Chrome will do everything in its power to push you to the SSL version of the site on future visits.
Be aware while testing.
Questions?
THANKS! I’M STILL TIFFANY @tiffanyakuchta
CREDITS
Trogdor images from hrwiki.org
Regex humor from xkcd.com
Scenes from the epic 1995 film, Hackers, from imdb.com
Assorted gifs from giphy.com
All logos (Apple, Google, Chrome, Let’s Encrypt) property of their respective owners.