HTTPS is Hard

I mean, how hard can it be?

Implementing HTTPS

The process

Who I thought I would have to talk to to make HTTPS happen at the start of the process

Adtech

Who I had to talk to after resolving the Adtech issues

Adobe Analytics

Who I had to talk to after resolving the Adobe Analytics issues

Obtaining certificates

  • An Extended Validation (EV) certificate is a mark of trust in the organisation: the CA verifies the legal entity behind the domain, not just control of the domain
  • It’s not much more expensive than a regular certificate
  • It’s the only type of certificate that turns the padlock green in Microsoft’s Edge web browser, and it gets a larger green indicator in other browsers, which is important for the perception of security (major browsers have since dropped the distinct EV indicator, so this advantage has not lasted)
Who I had to talk to after I had obtained certificates

Other technology providers

Who I had to talk to to successfully get a business case through

Go-live

  • Our sitemaps, and every URL inside them (> 10M links)
  • Robots.txt file, pointing to the updated HTTPS sitemaps
  • Canonical URLs for every page, with HTTPS links
  • Register Google Search Console for HTTPS and all of the sub-properties, so we can monitor the transition
  • 301 redirects to HTTPS for HTTP traffic
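The checklist above is easy to get subtly wrong at 10M URLs: one sitemap still carrying http links, a canonical that points back at the http page, or a redirect that is a 302 or drops the path. The script below is an added example (not code from the original article or from Yell) that audits those four artefacts against constructed sample data (example.com hostnames, not real Yell data) so it runs offline; in practice you would feed it the real sitemaps, robots.txt, fetched pages and the status/Location pairs observed when requesting the old http URLs.

```python
"""Pre-go-live audit for an HTTP-to-HTTPS migration.

Added example (not code from the original article or from Yell). It checks
the go-live artefacts listed above against constructed sample data, so it runs
offline: sitemap <loc> entries, Sitemap: lines in robots.txt, <link
rel="canonical"> targets, and the observed HTTP -> HTTPS redirects.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"
LINK_TAG_RE = re.compile(r"<link\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']([^"\']*)["\']')


def is_https(url):
    return url.lower().startswith("https://")


def insecure_sitemap_urls(sitemap_xml):
    """Every <loc> in a sitemap or sitemap index that is not https."""
    root = ET.fromstring(sitemap_xml)
    locs = [(loc.text or "").strip() for loc in root.iter(SITEMAP_NS + "loc")]
    return [u for u in locs if not is_https(u)]


def insecure_robots_sitemaps(robots_txt):
    """Sitemap: directives in robots.txt that still point at http."""
    bad = []
    for line in robots_txt.splitlines():
        m = re.match(r"^\s*sitemap:\s*(\S+)", line, re.IGNORECASE)
        if m and not is_https(m.group(1)):
            bad.append(m.group(1))
    return bad


def canonical_href(html):
    """href of the first <link rel="canonical"> in the page, or None."""
    for tag in LINK_TAG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("rel", "").lower() == "canonical":
            return attrs.get("href")
    return None


def expected_https_location(http_url):
    """Location a 301 from an http URL should carry: same host, path and query."""
    parts = urlsplit(http_url)
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))


def redirect_is_correct(http_url, status, location):
    """Permanent (301), and to the https twin rather than e.g. the home page."""
    return status == 301 and location == expected_https_location(http_url)


def audit(sitemap_xml, robots_txt, pages, redirects):
    """Collect everything that would keep http alive after the switch.

    pages: {url: html}; redirects: {http_url: (status, location)} as observed.
    """
    return {
        "sitemap": insecure_sitemap_urls(sitemap_xml),
        "robots": insecure_robots_sitemaps(robots_txt),
        "canonical": [u for u, html in pages.items()
                      if not is_https(canonical_href(html) or "")],
        "redirect": [u for u, (status, loc) in redirects.items()
                     if not redirect_is_correct(u, status, loc)],
    }


# Constructed sample inputs (example.com, not real Yell data).
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.com/</loc></url>
  <url><loc>https://www.example.com/biz/plumbers</loc></url>
  <url><loc>http://www.example.com/biz/electricians</loc></url>
</urlset>"""
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Sitemap: http://www.example.com/sitemap.xml
Sitemap: https://www.example.com/sitemap-biz.xml
"""
SAMPLE_PAGES = {
    "https://www.example.com/biz/plumbers":
        '<html><head><link href="http://www.example.com/biz/plumbers" rel="canonical"></head></html>',
    "https://www.example.com/":
        '<html><head><link rel="canonical" href="https://www.example.com/"></head></html>',
}
SAMPLE_REDIRECTS = {
    "http://www.example.com/biz/plumbers?page=2": (301, "https://www.example.com/biz/plumbers?page=2"),
    "http://www.example.com/search": (302, "https://www.example.com/search"),      # temporary, not 301
    "http://www.example.com/biz/electricians": (301, "https://www.example.com/"),  # loses the path
}

if __name__ == "__main__":
    for area, problems in audit(SAMPLE_SITEMAP, SAMPLE_ROBOTS, SAMPLE_PAGES, SAMPLE_REDIRECTS).items():
        print(f"{area}: {len(problems)} problem(s)", *problems, sep="\n  ")
```

The redirect check deliberately insists on a 301 to the same path and query: a 302 tells search engines the move is temporary, and a redirect to the home page throws away the ranking of every deep URL you spent the sitemap work preserving.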

The aftermath

Java

TLS Performance

Smartphone TCP Connection time at the point of redirecting traffic to HTTPS
Desktop TCP connection time at the point of redirecting traffic to HTTPS

HTTP Referrer

The final list of everyone I had to talk to to make HTTPS succeed at Yell

HTTPS is Hard

How can we make HTTPS easier

  • Eliminate the cost of standard certificates. Let’s Encrypt is showing how this can be made easy and free, Dreamhost is undercutting its own paid certificates, and Amazon Web Services is providing free certificates in its US East region. These companies are setting the trend that others need to follow.
  • Reduce the cost of setup: a dedicated IP address per certificate is costly, and this step needs to get cheaper (or become free) for HTTPS to succeed. The alternative, SNI (Server Name Indication, where the client names the host it wants at the start of the TLS handshake so one IP address can serve many certificates), is not broadly available from service providers at the moment.
  • Google, Bing and Yahoo need to make HTTPS a stronger ranking factor. Having it as a tiebreaker is nice, but it doesn’t have as big an effect as it could. If Google really wants the web to go HTTPS, it needs to send a stronger signal.
  • Improve education on what HTTPS will actually do for you, especially with regard to referrers (browsers drop the Referer header when a user follows a link from an HTTPS page to an HTTP one, so partners still on HTTP lose attribution), performance and certificate issues. Google has recently published HTTPS transition guidelines and its HTTPS transparency report, but there is currently not a lot of information out there.
  • Implement the secure contexts spec for developers: there are plans to restrict geolocation, user media and other powerful features to HTTPS, and service workers are HTTPS-only. The spec was originally called “privileged contexts” (now “Secure Contexts”), and the features it gates are more commonly called “powerful features”. Deprecating features may not be enough, and it is only viable once the first few items in this list have succeeded; otherwise it may have the opposite effect. I look forward to this advancing more in the near future.
  • Finally, browser makers need to send strong signals to the public, and to online companies, that HTTP is insecure. Both Google and Mozilla have plans to do this in 2016, though to what extent is still unknown.
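The SNI point in the second item above is the crux of the dedicated-IP cost: before the handshake is encrypted, the client has to tell a shared-IP server which hostname it wants, or the server can only hand back its default certificate. The following is an added example (not code from the original article or from Yell) that builds a minimal TLS ClientHello with the server_name extension (constructed bytes, not a capture), parses the hostname back out the way a TLS front end does, and uses it to choose between certificates for two hosts on one address. The certificate labels and hostnames are made up for the example.

```python
"""How SNI lets one IP address serve many HTTPS hostnames.

Added example, not code from the original article or from Yell. It builds a
minimal TLS ClientHello (constructed bytes, not a capture), extracts the
server_name extension the way a TLS front end does, and uses it to pick which
certificate to present. Note that the name travels in clear text: SNI is sent
before any encryption is negotiated.
"""
import os
import struct

EXT_SERVER_NAME = 0x0000   # extension type for server_name (RFC 6066)
HOST_NAME_TYPE = 0x00      # the only defined NameType: host_name


def build_client_hello(hostname=None):
    """Return a TLS record holding a ClientHello, with SNI if hostname is given."""
    body = b"\x03\x03"                      # legacy_version: TLS 1.2
    body += os.urandom(32)                  # client random
    body += b"\x00"                         # empty session_id
    suites = b"\x13\x01\x13\x02"            # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                     # one compression method: null
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake


def parse_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or None.

    Raises ValueError for anything that is not a well-formed ClientHello record.
    """
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                        # skip version and random
        pos += 1 + body[pos]                                # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
        if pos == len(body):
            return None                                     # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + length]
            pos += length
            if ext_type == EXT_SERVER_NAME:
                list_len = struct.unpack("!H", data[:2])[0]
                p = 2
                while p + 3 <= 2 + list_len:
                    name_type, name_len = struct.unpack("!BH", data[p:p + 3])
                    p += 3
                    if name_type == HOST_NAME_TYPE:
                        return data[p:p + name_len].decode("ascii")
                    p += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


def select_certificate(record, certs_by_name, default_name):
    """Name of the certificate a shared-IP front end would present.

    Without SNI (or for an unknown name) the server only knows the IP it was
    reached on, so all it can send is its default certificate. That is why a
    pre-SNI deployment needed a dedicated IP address per certificate.
    """
    host = parse_sni(record)
    if host is None or host.lower() not in certs_by_name:
        return default_name
    return host.lower()


# Constructed labels standing in for certificate files on one shared IP.
CERTS = {
    "www.example.com": "example-ev.pem",
    "static.example.net": "static-dv.pem",
}

if __name__ == "__main__":
    for host in ("www.example.com", "static.example.net", "other.example.org", None):
        chosen = select_certificate(build_client_hello(host), CERTS, "www.example.com")
        print(f"SNI={host!r:>22} -> certificate for {chosen}")
```

Run as a script it shows the three outcomes that matter operationally: a known name gets its own certificate, an unknown name and a ClientHello with no SNI both fall back to the default, which is exactly the name-mismatch warning old clients without SNI support see on a shared IP.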

Steve Workman
London Web Standards Organiser, Occasional speaker, and Head of Web Engineering @Yell