SSL/HTTPS What, When and How!
Chris Burgess – Melbourne WordPress Meetup 2017
@chrisburgess chrisburgess.com.au
Overview
• What is SSL?
• SSL growth
• When should you use SSL?
• Cost of an SSL certificate
• Enabling SSL in WordPress
• Common pitfalls
• Benefits
• SSL tools
• Further reading
https://wptavern.com/more-than-50-of-web-traffic-is-now-encrypted
HTTP Requests 2011-2017
http://httparchive.org/
SSL by Default 2016-2017
https://trends.builtwith.com
What is SSL? (via Wikipedia)
• HTTPS (also called HTTP over TLS,[1][2] HTTP over SSL,[3] and HTTP Secure[4][5]) is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security, or its predecessor, Secure Sockets Layer. The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data.
The Difference Between HTTP and HTTPS Traffic
http://stackoverflow.com/questions/33934408/intercept-html-form-post-data
When Should You Use SSL?
• Ecommerce sites
• Whenever dealing with sensitive data
• When user trust matters
Enabling SSL
• In theory, changing your home and site URL in WordPress should be enough:
// wp-config.php: point both URLs at the https:// scheme
define('WP_HOME','https://example.com');
define('WP_SITEURL','https://example.com');
• In practice, we sometimes need some extra help
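Forcing SSL for Logins
// Force SSL for WordPress logins and the admin area (wp-config.php)
// FORCE_SSL_LOGIN was deprecated in WordPress 4.0; FORCE_SSL_ADMIN also covers logins
define( 'FORCE_SSL_LOGIN', true );
define( 'FORCE_SSL_ADMIN', true );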
Mixed Content
WooCommerce
cPanel SSL Management
Cost of an SSL Certificate
• $10 to $10,000
• Average cost $50 - $150 for single domain
• Wildcard (for multiple subdomains) can cost a little more
• Let’s Encrypt is free!
WP Force SSL
Easy HTTPS Redirection
Really Simple SSL
Mixed Content Report @ WhyNoPadlock
https://www.whynopadlock.com/
SSL Checker @ SSLShopper
https://www.sslshopper.com/ssl-checker.html/
SSL Server Test @ Qualys SSL Labs
https://www.ssllabs.com/ssltest/
Mozilla SSL Configuration Generator
https://mozilla.github.io/server-side-tls/ssl-config-generator/
OpenSSL Testing
• You can also use OpenSSL for testing, example:
> openssl s_client -connect example.com.au:443 -servername example.com.au -status
Let’s Encrypt
https://letsencrypt.org/
Ranking Boost (2014)
http://searchengineland.com/google-starts-giving-ranking-boost-secure-httpsssl-sites-199446
A Basic SEO-friendly SSL Migration Checklist
• Add https variants in Google Search Console
• Check and fix any hardcoded resources that would cause mixed content warnings, ideally use relative rather than absolute URLs
• Update internal links to https variant
• Ensure 301 redirects are in place for all http URLs
• Update sitemap links (but do not replace old sitemap until 301s are indexed) and robots.txt (if used)
• Test all URLs are accessible, fetch and render with Googlebot
• Configure the web server to send SSL headers (optional)
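Added example (not from the original slides): a small Python scanner for the "hardcoded resources" item in the checklist above. It lists http:// subresources that would trigger mixed content warnings on an HTTPS page while ignoring ordinary links. The tag lists, the scan() helper and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tags whose URL attribute triggers a subresource fetch. Plain <a href> links
# are navigation, not mixed content, so they are deliberately absent.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}
# <link> only loads a subresource for these rel values (canonical does not).
LOADING_RELS = {"stylesheet", "icon", "preload", "manifest"}

class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, url) for http:// subresources in a page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":  # data posted to http:// leaves in clear text
            self._check("form-action", tag, attrs.get("action", ""))
        elif tag in ACTIVE:
            rels = set(attrs.get("rel", "").lower().split())
            if tag == "link" and not rels & LOADING_RELS:
                return
            self._check("active", tag, attrs.get(ACTIVE[tag], ""))
        elif tag in PASSIVE:
            self._check("passive", tag, attrs.get(PASSIVE[tag], ""))

    def _check(self, kind, tag, url):
        # Relative and protocol-relative (//host/x) URLs inherit https.
        url = url.strip()
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample: a page as it might look right after the site URL switch.
SAMPLE = """<head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<script src="//example.com/wp-includes/js/jquery.js"></script>
</head><body>
<a href="http://example.com/about/">About</a>
<img src="http://example.com/wp-content/uploads/logo.png">
<form action="http://example.com/contact/"></form>
</body>"""

for kind, tag, url in scan(SAMPLE):
    print(f"{kind:12} <{tag}> {url}")
```

Active findings (scripts, stylesheets, iframes) are the ones browsers block outright, so fix those first; passive ones such as images usually load but remove the padlock.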
Further Reading
https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
Further Reading
• https://wptavern.com/more-than-50-of-web-traffic-is-now-encrypted
• http://www.wpbeginner.com/wp-tutorials/how-to-add-ssl-and-https-in-wordpress/
• https://moz.com/blog/seo-tips-https-ssl
• https://chrislanauze.com/design-development/wordpress-meetup/how-to-configure-https-on-wordpress-683/
Thanks!
Chris Burgess – Melbourne WordPress Meetup 2017