Progressive Web App Roadshow HTTPS

PWA Roadshow Seoul - HTTPS



HTTPS ?

Address bar: Secure https://www.google.com

¯\_(ツ)_/¯

Man-in-the-Middle Attacks

HTTP

HTTPS

APIs that require HTTPS (secure origins)

• Service Workers
• getUserMedia
• Push Notifications
• App Cache
• Encrypted Media Extensions
• Geolocation
• HTTP/2

For more information, see: https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features
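The rule behind that list is the browser's notion of a "secure context". The following is an added example, not code from the slides: it reimplements the W3C Secure Contexts test for a "potentially trustworthy" origin (https:, wss: and file: schemes, plus the localhost loopback addresses, which is why local development works without a certificate) so the decision can be run and tested in Node, and shows the feature-detection a page should do before calling one of the gated APIs. The service worker path /sw.js and the fake window objects are assumptions.

```javascript
// Added example (not from the slides). Pure re-implementation of the
// Secure Contexts "potentially trustworthy origin" rule, for illustration;
// a real page reads window.isSecureContext instead.
const LOOPBACK_V4 = /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;

function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparsable input is never trusted
  }
  // Transport-secured (or local file) schemes qualify whatever the host is.
  if (url.protocol === 'https:' || url.protocol === 'wss:' || url.protocol === 'file:') {
    return true;
  }
  // Loopback hosts qualify even over plain http:. The URL parser has already
  // lower-cased the hostname; an IPv6 literal keeps its brackets ("[::1]").
  const host = url.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '[::1]') return true;
  if (LOOPBACK_V4.test(host)) return true;
  return false; // plain http:// on a routable host: Service Workers, Push, etc. are unavailable
}

// Browser-side gating. `win` is the window object (passed in so the function can
// be exercised with a fake in Node). Assumes the service worker lives at /sw.js.
function registerServiceWorker(win) {
  if (!win.isSecureContext || !('serviceWorker' in win.navigator)) {
    // Not a secure context (or an old browser): fall back to the non-PWA experience
    // instead of letting register() throw.
    return Promise.resolve(null);
  }
  return win.navigator.serviceWorker.register('/sw.js');
}

// Constructed sample input: the cases the rule has to distinguish.
const SAMPLE_URLS = [
  'https://example.com/app',   // trustworthy
  'http://example.com/app',    // not trustworthy
  'http://localhost:8080/',    // trustworthy (loopback)
  'http://127.0.0.1/',         // trustworthy (loopback)
  'http://[::1]:3000/',        // trustworthy (loopback)
  'ws://example.com/',         // not trustworthy (plain WebSocket)
];

function classifySamples() {
  return SAMPLE_URLS.map((u) => [u, isPotentiallyTrustworthy(u)]);
}
```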

HTTPS

¯\_(ツ)_/¯

HTTPS (first visit): redirect, then a full TLS handshake

Client                                     Server
  |  GET / HTTP/1.1                           |
  | ----------------------------------------> |
  |  HTTP/1.1 301 Moved Permanently           |
  |  Location: https://bob-site.com           |
  | <---------------------------------------- |
  |  Client Hello                             | \
  | ----------------------------------------> |  |
  |  Server Hello, Certificate                |  |
  | <---------------------------------------- |  | TLS Handshake
  |  Client Finished                          |  |
  | ----------------------------------------> |  |
  |  Server Finished                          |  |
  | <---------------------------------------- | /
  |  GET / HTTP/1.1 (secure connection)       |
  | ----------------------------------------> |

HTTP Strict Transport Security (HSTS)

Strict-Transport-Security: max-age=2592000; includeSubDomains

max-age is in seconds (2592000 = 30 days). Browsers honor the header only on responses received over HTTPS; once it is stored, the browser rewrites http:// URLs for that host (and, with includeSubDomains, its subdomains) to https:// before sending anything, so the insecure request and the 301 round trip above disappear. Getting onto the HSTS preload list additionally requires a max-age of at least 31536000 (one year), includeSubDomains and the preload directive.
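To make the browser side of HSTS concrete, here is an added example (not code from the slides) that models, in Node, how a user agent stores and applies the policy per RFC 6797: the header is ignored on plain-HTTP responses, max-age=0 clears a stored policy, includeSubDomains extends it to subdomains, and an expired policy falls back to sending http:// again. The class name HstsCache, the host names and the timestamps are constructed; header keys are assumed lower-cased, as Node's http module delivers them.

```javascript
// Added example (not from the slides): a browser-side model of HSTS (RFC 6797).

// Parse the header value. Directive names are case-insensitive, max-age is
// mandatory, unknown directives are ignored.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [rawName, rawVal] = part.split('=');
    const name = rawName.trim().toLowerCase();
    if (name === 'max-age') {
      const n = Number((rawVal || '').trim().replace(/^"|"$/g, ''));
      if (Number.isInteger(n) && n >= 0) policy.maxAge = n;
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
  }
  return policy.maxAge === null ? null : policy;
}

class HstsCache {
  constructor() { this.hosts = new Map(); } // host -> { expires (ms), includeSubDomains }

  // Called for every response the browser receives. Returns true if the policy changed.
  noteResponse(url, headers, now) {
    const u = new URL(url);
    // RFC 6797 section 8.1: ignore the header on responses received over plain
    // HTTP, otherwise an on-path attacker could plant or clear a policy.
    if (u.protocol !== 'https:') return false;
    const raw = headers['strict-transport-security'];
    if (!raw) return false;
    const policy = parseHsts(raw);
    if (!policy) return false;
    if (policy.maxAge === 0) { this.hosts.delete(u.hostname); return true; } // max-age=0 clears
    this.hosts.set(u.hostname, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Is `host` covered by a stored, unexpired policy (its own or a parent's
  // with includeSubDomains)?
  isKnown(host, now) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) { this.hosts.delete(candidate); continue; } // expired
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite a navigation before any bytes go on the wire.
  upgrade(url, now) {
    const u = new URL(url);
    if (u.protocol !== 'http:' || !this.isKnown(u.hostname, now)) return url;
    u.protocol = 'https:';
    return u.toString();
  }
}

// The exchange from the slides, with HSTS: the first visit pays for the 301,
// later visits are upgraded locally. Returns the URLs the browser would fetch.
function walkthrough() {
  const cache = new HstsCache();
  const t0 = Date.parse('2017-01-01T00:00:00Z'); // constructed clock
  const day = 86400 * 1000;
  const trace = [];
  // 1. First navigation: nothing cached, so the http:// request really goes out.
  trace.push(cache.upgrade('http://bob-site.com/', t0));
  // 2. The server 301s to https; the https response carries the HSTS header.
  cache.noteResponse('https://bob-site.com/',
    { 'strict-transport-security': 'max-age=2592000; includeSubDomains' }, t0);
  // 3. Next day: rewritten to https before any request is sent.
  trace.push(cache.upgrade('http://bob-site.com/login', t0 + day));
  // 4. Subdomains are covered too, thanks to includeSubDomains.
  trace.push(cache.upgrade('http://api.bob-site.com/v1', t0 + day));
  // 5. After 30 days the policy has expired and http:// goes out again.
  trace.push(cache.upgrade('http://bob-site.com/', t0 + 2592000 * 1000));
  return trace;
}
```

Step 5 is the reason production deployments use a max-age of a year or more and keep serving the header on every HTTPS response: the policy only lasts as long as its most recent refresh.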

TLS session resumption (Client Hello carries a session id)

Client                                     Server
  |  GET / HTTP/1.1                           |
  | ----------------------------------------> |
  |  HTTP/1.1 301 Moved Permanently           |
  |  Location: https://bob-site.com           |
  | <---------------------------------------- |
  |  Client Hello (with session id)           | \
  | ----------------------------------------> |  |
  |  Server Hello, Finished                   |  | TLS Handshake
  | <---------------------------------------- |  | (abbreviated)
  |  Client Finished                          |  |
  | ----------------------------------------> | /
  |  GET / HTTP/1.1 (secure connection)       |
  | ----------------------------------------> |

The server recognizes the session id and skips the Certificate and key exchange, so the handshake costs one round trip instead of two.

TLS False Start

Client                                     Server
  |  GET / HTTP/1.1                           |
  | ----------------------------------------> |
  |  HTTP/1.1 301 Moved Permanently           |
  |  Location: https://bob-site.com           |
  | <---------------------------------------- |
  |  Client Hello                             | \
  | ----------------------------------------> |  |
  |  Server Hello, Certificate                |  |
  | <---------------------------------------- |  | TLS Handshake
  |  Client Finished                          |  |
  |  + GET / HTTP/1.1 (secure connection)     |  |
  | ----------------------------------------> |  |
  |  Server Finished                          |  |
  | <---------------------------------------- | /

With False Start the client sends its request right after its own Finished message instead of waiting for Server Finished, saving one round trip. Browsers only allow it when the negotiated cipher suite provides forward secrecy and the server advertises HTTP/2 or similar via ALPN/NPN.

HTTP/2 and HTTPS

Browsers negotiate HTTP/2 only over TLS (via ALPN), so HTTP/2's performance gains are another reason to move to HTTPS.

- weather.com

¯\_(ツ)_/¯

HTTPS

😧😱😨

Migrating to HTTPS: redirect and canonical URL

GET / HTTP/1.1
HTTP/1.1 301 Moved Permanently
Location: https://charlieschats.com

GET / HTTP/1.1
<link rel="canonical" href="https://charlieschats.com">

For more information, see: https://developers.google.com/web/fundamentals/security/encrypt-in-transit/migration-concerns
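The server side of that migration, as an added example (not code from the slides or from any project): request handlers for Node's built-in http/https modules that 301 every plain-HTTP request to the same path on HTTPS, send the HSTS header only on the HTTPS side (where browsers accept it), collapse www onto one canonical origin, and emit the canonical link. The host name charlieschats.com, the 30-day max-age and the handler names are assumptions; the Host header is checked against an allowlist rather than echoed into Location, because it is attacker-controlled.

```javascript
// Added example (not from the slides): HTTP -> HTTPS migration handlers for Node.
const CANONICAL_HOST = 'charlieschats.com'; // assumed site
// Hosts this server answers for; anything else gets a 400 instead of being
// reflected into a Location header (prevents Host-header-driven redirects).
const KNOWN_HOSTS = new Set([CANONICAL_HOST, 'www.' + CANONICAL_HOST]);
const HSTS = 'max-age=2592000; includeSubDomains'; // 30 days, as on the slide

function hostOf(hostHeader) {
  return (hostHeader || '').split(':')[0].toLowerCase(); // drop :port
}

// Only ever redirect to the fixed canonical host; keep path + query so deep
// links survive the move.
function redirectToCanonical(path, extraHeaders) {
  const safePath = path.startsWith('/') ? path : '/';
  return {
    status: 301,
    headers: Object.assign({ Location: 'https://' + CANONICAL_HOST + safePath }, extraHeaders),
    body: '',
  };
}

// Plain-HTTP listener: every request becomes a 301 to https://.
function planInsecureResponse(hostHeader, path) {
  if (!KNOWN_HOSTS.has(hostOf(hostHeader))) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'Unknown host' };
  }
  return redirectToCanonical(path, {}); // no HSTS here: browsers ignore it over HTTP
}

// Escape a value for use inside a double-quoted HTML attribute.
function attr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// HTTPS listener: HSTS on every response, www folded onto the apex, and the
// canonical link pointing search engines at the https:// URL.
function planSecureResponse(hostHeader, path) {
  const host = hostOf(hostHeader);
  if (!KNOWN_HOSTS.has(host)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'Unknown host' };
  }
  if (host !== CANONICAL_HOST) {
    // www.charlieschats.com -> charlieschats.com; the HSTS header on this
    // redirect protects the www host too.
    return redirectToCanonical(path, { 'Strict-Transport-Security': HSTS });
  }
  const safePath = path.startsWith('/') ? path : '/';
  const canonical = 'https://' + CANONICAL_HOST + safePath;
  return {
    status: 200,
    headers: {
      'Strict-Transport-Security': HSTS,
      'Content-Type': 'text/html; charset=utf-8',
    },
    body: '<!doctype html><html><head><link rel="canonical" href="' + attr(canonical) +
      '"></head><body>ok</body></html>',
  };
}

// Adapter from a plan function to a Node request listener. Wiring, not started
// here, would be:
//   http.createServer(toNodeHandler(planInsecureResponse)).listen(80);
//   https.createServer({ key, cert }, toNodeHandler(planSecureResponse)).listen(443);
function toNodeHandler(plan) {
  return (req, res) => {
    const p = plan(req.headers.host, req.url);
    res.writeHead(p.status, p.headers);
    res.end(p.body);
  };
}
```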

¯\_(ツ)_/¯

80% HTTPS

- IAB (Interactive Advertising Bureau), 2013, "Adopting Encryption: The Need for HTTPS"

Third parties: Referrers

By default a browser sends no Referer header when following a link from an HTTPS page to an HTTP page, so third parties that have not moved to HTTPS lose referrer data once your site does.

Chrome and HTTPS

For more information, see:

• Encryption in transit: https://developers.google.com/web/fundamentals/security/encrypt-in-transit/
• Content Security Policy (CSP): https://developers.google.com/web/fundamentals/security/csp/
• Preventing mixed content: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/