peter la fond
At 11:00am on 4/23/2017, Move from HTTP to HTTPS… or Become Irrelevant, presented by Peter La Fond, at the 2017 Wordcamp Conference in Raleigh, NC
Move from HTTP to HTTPS… or Become Irrelevant
Internet isn’t as secure as we wish. CloudBleed, Wikilieaks’ Vault7, Wordfence disclosed home router hack (57,000 homes confirmed). Cisco March 13th advisory noted that there is no workaround, and that anyone could possibly hack any cisco device and that you’ll have to wait until a patch comew out.
Last year, google came out with a 2-prong plan to move everyone to https. Reward SEO mojo to pages having HTTPS, and place a “Site not secure” alert in chrome browsers.
Difference between the two
Http is the protocol of the web. Https is SECURE. Migration requires a SSL/TLS certificate installed on a webserver followed by a series of steps to configure the website.
Http lacks security. It creates a MiTM (man in the middle) setup in which someone monitoring the
traffic can grab the information as it passes through. There are many people who’d love to get your information
Currently over 50% of google SERP is shoiwng HTTPS. Currently a small message appears. Phase 2 will be an information tab AND a message. Soon you’ll receive a phase 3 RED Triangle and message. Many other browsers will be following suit, and firefox already has.
All “ssl” certificates issued today are TLS.
What does it cost?
The real cost is the certificate cost (and possibly other costs) + server / WP installation time + Onsite Correction time + offsite adjustment time with analytics.
This might only takes hours to set up, and then a few weeks to get things set up. Using Let’s Encrypt is a much faster way to build, but the host must work with Let’s Encrypt.
Its only secure if you see the padlock. a little plugin called really simple SSL, and Why no padlock? to track down issues. Hardcoded CSS will not be found.
SSL is another item to manage, it is a certificate which will expire and need to be updated every year. Moving to a new host? Your certificate will also need to migrate
NOt all certs are created equal
Chrome may flag Symantec certs as Untrustworthy. They are considered to be built very sloppily. Let’s encrypt is a great service. Its free, and the host should have a script running which updates the SSL every 90 days.
Don’t be caught flat-footed! It’s time to get migrate to HTTPS. Google Search is actively pushing non-HTTPS websites to the second and third results pages. Additionally, the Google Chrome browser has started to show “Not Secure” notices when a webpage isn’t HTTPS compliant. An overwhelming percentage of WordPress websites are not HTTPS compliant.
This talk will touch upon the hazards of not migrating to HTTPS and the various steps required to get HTTPS up on your WordPress website.