Moving your website to HTTPS / SSL: tips & tricks


In 2014, we decided to switch over to the (now) commonly-used HTTPS to encrypt sensitive data that’s being sent across our website. This post describes some useful tips based on our own experiences that might come in handy if you’re considering switching. 


A little backstory

Back in 2014 HTTPS became a hot topic after the Heartbleed bug became public. Heartbleed was a flaw in OpenSSL's TLS heartbeat extension that let anyone read chunks of a vulnerable server's memory, which could contain session cookies, passwords and even the server's private key; with that key an attacker could impersonate the site or decrypt its traffic. The bug was patched quickly after its discovery, but the incident was a wake-up call: properly encrypting user information over the internet is a necessity, not an optional extra, and the software doing the encrypting has to be kept up to date.

To emphasize the importance of encrypting sensitive data, Google Chrome (since version 56, released in January 2017) shows a "Not secure" label next to the address bar whenever you visit a page that collects potentially sensitive data, such as a password or credit card form, over plain HTTP.

How do I switch?

Because it’s important that your data is safe, we took steps in 2014 to ensure that we have SSL-certificates across our own websites. If you decide to switch (you really should!), there are a few things that you need to take into account to ensure your website fully works as intended once you’re done.

  • You need to change all your internal links. This also means updating links to assets (where necessary). Make sure to go through your theme and alter references to CSS, images and JavaScript files: any asset that is still loaded over http:// on an https:// page is "mixed content", which browsers warn about or block outright. During the transition you can change links to start with // instead of https://, which results in protocol-relative URLs that follow the scheme of the page they are on; once the site is served over HTTPS only, prefer explicit https:// so nothing is ever requested over HTTP.
  • Ensure your CDN supports SSL as well. We make use of MaxCDN, which allows you to easily set up SSL on your CDN subdomain.
  • There are various levels of SSL that you can choose from, each with their own pros and cons. You will find more information about that later on.
  • Make sure the canonical link in the <head> section of every page points at the https:// URL, so search engines treat that as the preferred version. A canonical link does not redirect anything; the actual redirect from http:// to https:// is configured on the server, as described in "Redirecting URLs" below.

Google also published a handy guide on how to move to HTTPS without massively impacting your ranking; it is worth reading before you start.

How does this influence my rankings?

As stated in the previous section, moving from HTTP to HTTPS can influence your rankings slightly if you don't plan accordingly. After you switch over, however, your rankings will recover and can improve over time: in August 2014 Google announced that serving a site over HTTPS is used as a (lightweight) ranking signal, so it's worth the investment.

To make sure Googlebot can re-index your website more rapidly after the move, make sure you migrate to https:// during low-traffic hours. This way Googlebot can use more of your server’s resources. Just take into account that a medium-sized website might take a while to regain rankings. Have a sitemap? Then Googlebot might be able to recalculate and re-index your website even faster.

Setting up HTTPS & SSL on your server

Generally speaking, hosting providers have a service to allow you to enable HTTPS/order a certificate. There are a few types of certificates you can choose from, which differ in a few ways. Every variant also has their own price tag, so before purchasing one, make sure that you go with a certificate that fits your needs and budget!

If you’re a bit strapped for cash and tech-savvy, go take a look at Let’s Encrypt to acquire a free(!) certificate.

If you run and manage your own web server, there are a few things that you’ll have to enable in your server configuration before being able to use SSL certificates. This tutorial explains what steps to take to get a certificate running on your server.

OCSP stapling

Before trusting a certificate, a browser may ask the certificate authority's OCSP responder whether the certificate has been revoked. That is an extra round trip to a third party on every new connection, so it costs loading speed, and it tells the CA which sites your visitors are opening. OCSP stapling fixes both: the server itself periodically fetches the CA's signed, time-stamped OCSP response and "staples" it to the TLS handshake. The browser verifies the CA's signature on the stapled response and skips its own lookup. Because the response is signed by the CA and only valid for a limited window, the server cannot forge a "good" status; it can only pass along what the CA said.

Apache

Before enabling OCSP stapling on your Apache server, check that you're running version 2.3.3 or newer by running apache2 -v (or httpd -v) on your server; older versions do not support this feature. The stapling cache configured below also needs the mod_socache_shmcb module (on Debian and Ubuntu: a2enmod socache_shmcb).

If you went through the process of setting up HTTPS on your server as described in the ‘Setting up HTTPS & SSL on your server’ section, then you should have come into contact with a VirtualHost configuration specifically made for usage with HTTPS/SSL.

In that file, take the following steps:

  1. Inside the <VirtualHost></VirtualHost> section for the HTTPS site, add SSLUseStapling on.
  2. Outside any <VirtualHost></VirtualHost> section (the cache is a server-wide setting and is rejected inside a virtual host), add SSLStaplingCache shmcb:/tmp/stapling_cache(128000). If you would rather have a failed OCSP lookup result in no stapled response instead of an error being stapled, also add SSLStaplingReturnResponderErrors off.
  3. Check that the configuration is still valid by running apachectl -t. If so, reload Apache by running service apache2 reload.

Nginx

Nginx also supports OCSP stapling. Before editing the server configuration, please check that you’re running version 1.3.7+ of Nginx by running the command nginx -v on your server. Lower versions of Nginx do not support this feature.

If you went through the process of setting up HTTPS on your server as described in the ‘Setting up HTTPS & SSL on your server’ section, then you should have come into contact with an Nginx configuration specifically made for usage with HTTPS/SSL.

In that file, add the following lines in the server {} section:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;

The last line points at a PEM file containing the certificate chain of the CA that issued your certificate (intermediate and root). Nginx uses it to verify the signature on the OCSP response it fetched, which ssl_stapling_verify on requires; it has nothing to do with client certificates. Nginx also needs a resolver directive in the same section so it can look up the OCSP responder's hostname; without one, stapling silently does nothing. Note that Nginx fetches the response lazily, so the very first connection after a restart is served without a stapled response.

After adding these lines to the file, check that the configuration is still valid by running nginx -t (service nginx configtest on Debian-style init scripts). If so, reload Nginx by running service nginx reload.


Strict Transport Security header

The Strict-Transport-Security header (HSTS, RFC 6797) tells a browser that, for the next max-age seconds, it must only talk to your host over HTTPS: any http:// link or typed address is rewritten to https:// before a request leaves the browser, and certificate errors can no longer be clicked through. That closes the gap in which the first plain-HTTP request (the one your redirect would answer) could be intercepted. Browsers only honour the header when it arrives over HTTPS, so it belongs in the HTTPS virtual host, not on the redirect. Start with a short max-age while testing, because a mistaken policy stays cached in visitors' browsers until it expires, and only add includeSubDomains once every subdomain, internal ones included, is served over HTTPS. Enabling the feature itself is relatively painless.

Apache

If you’re running Apache, first enable the Apache Headers module by running a2enmod headers. After this, it’s only a matter of adding the following line to your VirtualHost configuration (in the <VirtualHost></VirtualHost> section) that you set up earlier for HTTPS:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Reload the Apache service and you’re good to go!

Nginx

Nginx requires you to add the following line in the server{} section of your HTTPS server configuration (quote the value, because it contains a semicolon, and use always so the header is also sent on error responses):

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Note that add_header is only inherited from the enclosing level when a block defines no add_header of its own, so if a location{} block sets any header, repeat this line there.

Testing

To see if your certificate and configuration are working properly, head over to SSL Labs' server test, fill in your domain name and see what kind of score you get; the report also shows whether OCSP stapling is active, whether HSTS was seen and which protocols and cipher suites are enabled. From the command line, openssl s_client -connect your-site.com:443 -status prints "OCSP Response Status: successful" when a response is stapled, and curl -I https://your-site.com/ lets you confirm that the Strict-Transport-Security header is present on the HTTPS response.

Redirecting URLs

To ensure requests are properly redirected to the HTTPS URL, you need to add an extra rule to your configuration. This way, traffic that tries to visit your website over HTTP will automatically be redirected to HTTPS. Use a permanent (301) redirect so browsers and search engines remember the new URL, and preserve the path and query string so deep links keep working.

Apache

In your default VirtualHost configuration (the one that serves HTTP requests), add the following to ensure URLs get properly redirected (this needs mod_rewrite; on Debian and Ubuntu enable it with a2enmod rewrite). If you know your canonical hostname, you can write it literally instead of %{HTTP_HOST}, which echoes whatever Host header the client sent:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

As with the other changes we made before, don’t forget to reload Apache!

Nginx

In Nginx, change the default configuration file that was used for HTTP requests and alter it as such:

server {
    listen 80;
    server_name your-site.com www.your-site.com;
    return 301 https://your-site.com$request_uri;
}

Don’t forget to reload Nginx before testing these changes.
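The two checks most worth automating after these changes, as an added example that is not from the original post, cover the Strict-Transport-Security header from the earlier section and the http:// to https:// redirect configured above. It runs offline against constructed responses (a few hand-written status/header pairs, labelled as such in the code) using only Python's standard library; the thresholds (one-year max-age, includeSubDomains required) and the sample responses are assumptions chosen to match the server snippets on this page. In practice you would feed it the real status and headers captured with curl -I.

```python
# Added example (not from the original post): offline checks for the two
# migration pieces above, the Strict-Transport-Security header and the
# http:// -> https:// redirect. Inputs are constructed HTTP responses; only
# the standard library is used. The policy thresholds are assumptions.
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the value both server snippets above use


def parse_hsts(value):
    """Parse an STS header value into {directive: value} (RFC 6797 section 6.1).

    Directive names are case-insensitive and a value may be quoted. A missing
    or non-numeric max-age, or a repeated directive, makes the whole header
    invalid and browsers then ignore it, so we raise rather than guess.
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, has_value, raw = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = raw.strip().strip('"') if has_value else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    return directives


def check_hsts(value, min_age=ONE_YEAR, require_subdomains=True):
    """Return a list of findings for an STS header; an empty list means it passes."""
    try:
        d = parse_hsts(value)
    except ValueError as err:
        return [f"malformed header, browsers will ignore it: {err}"]
    findings = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 disables HSTS and clears the cached policy")
    elif max_age < min_age:
        findings.append(f"max-age {max_age} is below the policy minimum {min_age}")
    if require_subdomains and "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains stay reachable over http://")
    if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload listed but the preload list requires max-age >= 1 year "
                        "and includeSubDomains")
    return findings


def check_redirect(request_url, status, headers):
    """Check the response a plain-http request received.

    `headers` is a dict of response headers. A correct answer is a permanent
    redirect to https:// that keeps the original path and query string.
    """
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 308):
        findings.append(f"status {status}: expected a permanent redirect (301 or 308)")
    if "strict-transport-security" in lower:
        findings.append("HSTS header sent over plain http is ignored by browsers "
                        "(RFC 6797 section 8.1); send it on https responses")
    location = lower.get("location")
    if location is None:
        return findings + ["no Location header: request is not redirected"]
    src, dst = urlsplit(request_url), urlsplit(location)
    if dst.scheme != "https":
        findings.append(f"Location scheme is {dst.scheme!r}, not https")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        findings.append(f"redirect drops path/query: {request_url} -> {location}")
    if dst.hostname != src.hostname:
        findings.append("redirect changes host (fine for www canonicalisation, but the "
                        "HSTS preload list requires the http->https hop on the same host)")
    return findings


def run_examples():
    """Run both checks over constructed inputs; returns {case: findings}."""
    return {
        "hsts_ok": check_hsts("max-age=31536000; includeSubDomains"),
        "hsts_short_no_subdomains": check_hsts("max-age=300"),
        "hsts_duplicate": check_hsts("max-age=31536000; max-age=0"),
        "redirect_ok": check_redirect(
            "http://your-site.com/blog/?p=1", 301,
            {"Location": "https://your-site.com/blog/?p=1"}),
        "redirect_to_root": check_redirect(
            "http://your-site.com/blog/?p=1", 302,
            {"Location": "https://your-site.com/"}),
    }


if __name__ == "__main__":
    for case, findings in run_examples().items():
        print(case, "OK" if not findings else findings)
```

The checks deliberately treat a malformed header as a failure rather than salvaging a max-age from it, because that is what browsers do: a duplicated or unparsable directive means no policy gets stored, so a typo in the header silently leaves the site unprotected. The redirect check flags a temporary (302) redirect and a redirect to the root, both common mistakes that keep old http:// deep links from landing on the right page.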

Conclusion

“Should I switch over to HTTPS?” Short answer: Yes. Using HTTPS ensures that private (user) information is being sent across the web in a more secure manner. Especially if you’re dealing with monetary transactions, HTTPS is a must.

What type of certificate you end up going with, depends on your specific use case and budget. Make sure to properly research your options beforehand.

Read more: ‘WordPress security in a few easy steps’ »

July 12th 2017 security

Europe eyeing direct access to cloud services for police data requests


In the wake of a spate of terror attacks across Europe, regional interior ministers have been talking tough on tech. Encryption is one technology that’s been under fire from certain quarters. There has also been renewed discussion about ways to speed up how law enforcement agencies request data from tech companies — so called e-evidence. Read More

June 10th 2017 security

Sources: Yahoo CISO Bob Lord out after AOL-Yahoo merger


 According to our sources, Yahoo’s chief information security officer, Bob Lord, is losing out to AOL’s Chris Nims for the security chief’s chair of new umbrella entity, Oath. Read More

June 10th 2017 security, yahoo

Dabbling in Home Automation and The Internet of Things


Now that I own my own house, and some of the technologies involved are a bit more stable, I’ve gotten into the idea of home automation a bit more. Here’s a quick run down of my current configuration.

At the center of most things, I have a wink hub (first generation). I configure as much as possible through that, since it simplifies interacting with them if they’re all available in one place.


From there, I have 2 Schlage Connect deadbolts (house and garage doors), which are both programmed with the same set of user codes (has to be done manually). It’s nice to be able to control codes from within the wink app, vs using the on-pad controls.


To control lights, we have 3 rooms converted over to Lutron Caseta light switches (so far, I’d like to do a few more). This makes it easy to control an entire circuit (all 3 rooms are controlling either 3 or 6 bulbs, so they’d be expensive to convert using individual smart bulbs). They’re super easy to install, and you don’t need their hub thing if you have the wink, which is compatible. I also have 3 iHome Smartplugs, which plug into an outlet, and then let you plug in any standard lamp/appliance, and control it. I don’t love the Smartplugs, and have had some trouble with them dropping their connections, but when they work they’re fine.

Separately, I also have 2 LIFX bulbs, which can be controlled directly, so they are in a couple of lamps that could otherwise be controlled via Smartplugs (I got these bulbs from their Kickstarter way back).

To control all of the above, I actually have everything configured in both an Amazon Echo, and a Google Home. Redundancy FTW, and it’s fun to experiment with each platform.

Technically, also connected to the wink hub, we have some Nest Outdoor security cameras, which have been really fun to play with. I’ve even hooked up a system to automatically take snapshots, which is interesting for comparing seasonal shade profiles for gardening purposes.

Apart from those power/control/security devices, we’ve also currently got an Apple TV, a Chromecast (integrates really nicely with the Google Home), and I use Automatic in my truck.

I’ve played around a bit with configuring shortcuts and “robots” (automations), but really haven’t found many that are that useful to be honest. Probably the best one is one that just turns on our kitchen light when we open the back door (which opens basically into the kitchen). I think one of the biggest problems is that I don’t have a great system for handling “presence”, which needs to take me and Erika into account. Without that, anything I automate based on my presence is likely to just be an annoyance for her if she happens to be at home when I’m not (or vice versa).

Areas that I’d be curious to look into automating would be thermostat control (long story as to why I haven’t done this already), external temperature/precipitation, combined with irrigation, and possibly window coverings.

April 13th 2017 personal, security

Trump signs resolution nullifying privacy requirements for internet providers


 It’s official: the president has signed a resolution reversing rules passed last year that would have, among other things, provided strong protections against internet providers collecting and selling your browsing history. Read More

April 4th 2017 security

WikiLeaks will give tech giants CIA zero-day exploits after they meet mystery demands


 WikiLeaks doesn’t ever make things easy. When it became clear that the organization possessed documents that detail exploits affecting a handful of major tech companies, it looked like Julian Assange would play nice. Now, a week has passed since Assange said he would disclose information about those vulnerabilities to the companies affected — standard practice for the discovery… Read More

March 18th 2017 security

How to secure your data after the Cloudflare leak


Cloudflare revealed yesterday that a bug in its code caused sensitive data to leak from some of the major websites that use its performance enhancement and security services. Uber, Fitbit, OkCupid and 1Password are among Cloudflare’s millions of clients, and it’s possible that personal data such as passwords and cookies leaked from many client websites during the five months… Read More

February 25th 2017 Google, security

Why a cybersecurity solution for driverless cars may be found under the hood


Autonomous vehicles were one of the most talked about technologies in 2016. Ever since Tesla, Google and Uber put these vehicles on the consumer trend map, I’ve been daydreaming of the day I might own one. Unfortunately for me, and the auto industry, that day might not be coming too soon — if they can’t keep the cars and their drivers safe, I’ll never have one sitting in… Read More

February 19th 2017 security

California congressman proposes an investigation into Trump’s unsecured Android phone


(Photo caption: Republican presidential candidate Donald Trump talks on the phone while making a stop for lunch between campaign events at Fratello's Italian Tavern in North Charleston, SC, on Thursday, Feb. 18, 2016. Photo by Jabin Botsford/The Washington Post via Getty Images)
Remember the unsecured Android handset that newly minted President Trump gave up, but then apparently didn’t actually give up? Things had seemingly gone silent on that front as the world took some time out to focus on the rest of the deluge of insanity that is politics in 2017.
Today, however, the story is rearing its head yet again, as California Congressman Ted Lieu has proposed an… Read More

February 18th 2017 Android, security

Attack of the apps


Mobile surveillance by ad-sponsored smartphone apps is intrusive and creepy — and it can easily compromise your enterprise’s data. Read More

February 12th 2017 security