How to Safeguard Your Site from Chrome's New Security Updates
22nd January 2020
Patrick Hathaway (@HathawayP)
In early 2020 Google's Chrome browser is releasing a number of updates that focus on improving security for website visitors.
The imminent updates don't just have user experience implications; in some cases users could be completely blocked from visiting your website.

Find out what is changing, why it's changing, and what you can do about it - in order to protect your website from potentially catastrophic issues.

Slide transcript

1. How to Safeguard Your Site from Chrome's New Security Updates. 22nd January 2020. Patrick Hathaway, @HathawayP.

2. What this presentation covers
   1. What is changing in Chrome and why.
   2. Mixed content - what does it mean?
   3. Insecure TLS - what does it mean?
   4. How to audit security issues.

3. Google care about security
   1. In 2011 they adopted HTTPS.
   2. In 2014 HTTPS became a ranking factor in search.
   3. In 2018 Chrome began marking HTTP sites as ‘not secure’.
   4. In 2020… plenty more to come.

4. Why do they care so much???

5. Because Google need their users (searchers) to TRUST them.

6. Why you should also care about security
   • Visitors might start seeing warnings when they arrive at your site.
   • Your pages might have missing elements.
   • Worst case scenario is that browsers might start blocking your content from displaying at all.

7. Chrome security updates Q1 2020
   1. Chrome will gradually start blocking mixed content by default.
   2. Chrome (and the other major browsers) will stop supporting deprecated TLS protocols.

8. #1 Mixed Content – what is it? When a web page is loaded over HTTPS and some of the page resources load over HTTP. So there is a mix of HTTPS and HTTP, picked up at the URL level.

9. Example – image loaded over HTTP. This page loads over https:// but contains an image that loads over http://.

10. This could be any page resource URL
   • Image
   • Video
   • Audio
   • JavaScript
   • CSS
   • IFrame
   • Etc…

11. Current mixed content warning.

12. Chrome ‘mixed content timeline’
   1. Chrome 80 (February 4th 2020) - mixed audio and video resources will be autoupgraded or blocked if they don’t load over https://.
   2. Chrome 81 (March 17th 2020) - mixed images will be autoupgraded or blocked if they don’t load over https://.

13. What does ‘autoupgrade’ mean? If they find a resource URL on http://, behind the scenes they will just try to load it over https:// instead. The issue is if these resources are not accessible over https://, in which case they simply will not be loaded.

14. Not loaded = not actually on the page. If product images can’t be loaded over https:// they will not be displayed.

15. You’ll still get the padlock. Chrome will show the padlock to say the page is secure, even if some of the content is being blocked. -> You need to audit this stuff.

16. How to audit mixed content. In Sitebulb, navigate to the Security report.

17. List of URLs with mixed content issues. Click Hint Details to dig into each one.

18. HTML highlighter picks out http://. Scroll through HTML to find issues.

19. Or list the insecure resources. Hit the ‘Insecure Resources’ tab for the list.

20. How to fix mixed content issues. You must only use https:// URLs when loading resources on your page. For each URL that loads HTTP resources, update the link references to point to the HTTPS counterparts. Much more important to do for resource types that Chrome will not autoupgrade.

21. If resources are not available on https://
   • Include the resource from a different host, if possible (over HTTPS, obvs).
   • Download and host the content on your site directly, if you are legally allowed to do so.
   • Exclude the resource from your site altogether (which may mean you need to find an alternative solution).

22. #2 TLS – what is it? TLS is the encryption used in order to make HTTPS secure. Any website that uses HTTPS is employing TLS encryption. If the encryption is weak, it is more vulnerable to attack, and this exists at the domain/website level.

23. HTTP is the protocol for data transfer: HTTP request from browser to server; HTTP response from server to browser.

24. HTTPS = (HTTP + an encryption layer)
   • HTTP – data is not encrypted: Password = sandwich1
   • HTTPS – data is encrypted, using TLS: Password = $665fdvzs_/$^*rt5

25. TLS = Transport Layer Security. TLS is the encryption layer that makes the HTTP data transfer secure. However, some versions of TLS are very OLD, and no longer as secure as we need them to be.

26–27. TLS release timeline
   • TLS 1.0 – released 1999
   • TLS 1.1 – released 2006
   • TLS 1.2 – released 2008
   • TLS 1.3 – released 2018
   (Slide 27 repeats the timeline with the old versions highlighted: RED = DEPRECATED = SECURITY RISK.)

28. Chrome ‘TLS timeline’
   1. Chrome 79 (out now!) - Chrome will give sites a "not secure" label if TLS 1.2 is not enabled.
   2. Chrome 81 (March 17th 2020) - Chrome will show a full page warning if TLS 1.2 is not enabled.

29. Full page warning = no content.

30. Full page warning -> Implications
   • Users will most likely bounce.
   • Organic and paid channels will suffer.
   • Googlebot may not be able to access your content.

31. GSC already sending warning emails.

32. All the major browsers are united. All dropping TLS 1.0 & 1.1 in March:
   • Google
   • Microsoft
   • Apple
   • Mozilla

33. Auditing TLS -> Sitebulb Security report.

34. Ok but not perfect example. TLS 1.2 enabled, so no full page Chrome warning, BUT the site is still accessible over TLS 1.0 and TLS 1.1, and therefore not secure.

35. Particularly important for certain sites
   • Ecommerce sites that handle transaction data (the above site would not pass PCI compliance)
   • Websites that handle sensitive data (e.g. medical data)
   • Websites that store personal data (e.g. names and addresses)

36. Perfect example. TLS 1.2 enabled AND TLS 1.1, TLS 1.0 and SSL all DISABLED. This is what you want.

37. How to fix TLS issues. In order to ensure your site has no issues with TLS, you need the following setup:
   • Disable: SSL, TLS 1.0, TLS 1.1.
   • TLS 1.2 should be enabled.
   • TLS 1.3 can optionally also be enabled.

38. This is a job for the ‘server guy’. This is a task for whoever runs your website server:
   • In house developer/SysAdmin
   • 3rd party website hosting company
   • Ecommerce software provider

39. Bonus tip. Hit the ‘Printable PDF’ button in the Sitebulb Security report, to get a PDF report you can forward on.

40. Takeaways -> Take security seriously! If you don’t you could be subject to:
   • Users and search engines unable to access content.
   • Users seeing warnings and losing trust in your site.
   • Important content not being displayed on your web pages.

41. Takeaways -> Action points
   • Regularly audit your website and pay attention to security warnings.
   • Check Google Search Console for existing messages.
   • Make sure you are signed up to GSC email notifications.
   • Start to practice ‘secure as standard.’

42. Sitebulb free 14 day trial: -> sitebulb.com/download/
   Blog post contains full, up to date explanation of these issues: -> bit.ly/security-2020
   Patrick Hathaway @HathawayP
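Slides 8 to 21 describe mixed content as http:// resource references inside an https:// page, and slides 16 to 19 audit it by scanning the HTML for those references. The scanner below is an added example written for this page, not Sitebulb's code and not part of the deck. It uses only the Python standard library; the sample page it parses is constructed for the demo, and the tag/attribute table it inspects and the Chrome behaviour it records (audio, video and images autoupgraded per slide 12, everything else blocked) are assumptions of the example rather than a complete model of the browser.

```python
"""Find mixed content: http:// subresources referenced from an https:// page.

Added example for this page; not Sitebulb's code. The sample HTML below is
constructed for the demo and does not describe a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that fetch a subresource. Assumption: a practical
# subset, not every attribute a browser can load from.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "object": ("data",),
    "embed": ("src",),
}

# <link> only fetches something for these rel values; rel="canonical" or
# rel="alternate" is metadata, so an http:// href there is not mixed content.
SUBRESOURCE_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}

# Slide 12: Chrome 80/81 autoupgrade mixed audio, video and images. Other
# insecure resources (scripts, stylesheets, iframes) are blocked outright.
AUTOUPGRADED_TAGS = {"img", "source", "video", "audio"}


class MixedContentParser(HTMLParser):
    """Collects every http:// resource reference, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & SUBRESOURCE_LINK_RELS:
                return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset looks like "url1 2x, url2 1x": keep the URL of each candidate
            refs = ([c.strip().split()[0] for c in value.split(",") if c.strip()]
                    if attr == "srcset" else [value])
            for ref in refs:
                absolute = urljoin(self.page_url, ref)  # "//host/x" inherits https
                if urlsplit(absolute).scheme == "http":
                    self.findings.append({
                        "tag": tag,
                        "attr": attr,
                        "url": absolute,
                        "chrome_action": "autoupgrade" if tag in AUTOUPGRADED_TAGS else "block",
                    })


def find_mixed_content(page_url, html):
    """Return the insecure resource references found on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # an http:// page cannot have mixed content by definition
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings):
    """Count findings by what Chrome will do with them."""
    counts = {"autoupgrade": 0, "block": 0}
    for finding in findings:
        counts[finding["chrome_action"]] += 1
    return counts


# Constructed sample page (hostnames are placeholders, not real sites).
PAGE_URL = "https://www.example.com/product/1"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/product/1">
<script src="//static.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/p1.jpg"
     srcset="http://images.example.com/p1@2x.jpg 2x, /p1.jpg 1x">
<video src="http://media.example.com/demo.mp4" poster="/poster.jpg"></video>
<iframe src="https://www.example.com/widget"></iframe>
<img src="/logo.png">
</body></html>
"""

if __name__ == "__main__":
    results = find_mixed_content(PAGE_URL, SAMPLE_HTML)
    for item in results:
        print(f"{item['chrome_action']:11} <{item['tag']} {item['attr']}> {item['url']}")
    print(summarize(results))  # {'autoupgrade': 3, 'block': 1}
```

Run against the sample page it reports four insecure references: the stylesheet (which Chrome blocks, so it is the one to fix first, as slide 20 says), plus the two image candidates and the video (which Chrome will try to autoupgrade). The protocol-relative script URL and the canonical link are correctly left alone. Point `find_mixed_content` at a fetched page body to audit a real site, one URL at a time.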
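Slides 34 to 37 set the target server configuration: TLS 1.2 enabled, TLS 1.3 optional, and SSL, TLS 1.0 and TLS 1.1 disabled. The example below is added for this page and is not from the slides or Sitebulb; it expresses that policy for a Python TLS server using the standard `ssl` module and audits a context against it offline, including the slide 34 case (TLS 1.2 on but 1.0/1.1 still accepted). The certificate and key paths are placeholders and are not loaded unless asked, and `permitted_versions` assumes that OpenSSL's unbounded range means SSLv3 at the bottom and TLS 1.3 at the top.

```python
"""Express the slide-37 TLS policy with Python's ssl module and audit against it.

Added example for this page; not from the slides or Sitebulb. Cert and key
paths are placeholders.
"""
import ssl

TLSVersion = ssl.TLSVersion

# Oldest to newest. SSLv2 is not representable in ssl.TLSVersion.
ALL_VERSIONS = [TLSVersion.SSLv3, TLSVersion.TLSv1, TLSVersion.TLSv1_1,
                TLSVersion.TLSv1_2, TLSVersion.TLSv1_3]

# Slide 37: disable SSL, TLS 1.0, TLS 1.1; enable TLS 1.2; TLS 1.3 optional.
FORBIDDEN = {TLSVersion.SSLv3, TLSVersion.TLSv1, TLSVersion.TLSv1_1}
REQUIRED = {TLSVersion.TLSv1_2}


def permitted_versions(minimum, maximum):
    """Versions a context bounded by (minimum, maximum) will negotiate, oldest first.

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels for "whatever OpenSSL
    allows". Assumption: that is SSLv3 at the low end and TLS 1.3 at the top.
    """
    if minimum == TLSVersion.MINIMUM_SUPPORTED:
        minimum = TLSVersion.SSLv3
    if maximum == TLSVersion.MAXIMUM_SUPPORTED:
        maximum = TLSVersion.TLSv1_3
    return [v for v in ALL_VERSIONS if minimum <= v <= maximum]


def policy_violations(minimum, maximum):
    """Human-readable list of problems; an empty list means the policy is met."""
    allowed = set(permitted_versions(minimum, maximum))
    problems = [f"{v.name} is enabled but must be disabled"
                for v in ALL_VERSIONS if v in allowed and v in FORBIDDEN]
    problems += [f"{v.name} must be enabled"
                 for v in ALL_VERSIONS if v in REQUIRED and v not in allowed]
    return problems


def hardened_server_context(certfile="/path/to/fullchain.pem",
                            keyfile="/path/to/privkey.pem", load_cert=False):
    """Server context that refuses SSLv3, TLS 1.0 and TLS 1.1.

    Only the floor is pinned; the ceiling stays at OpenSSL's maximum, which is
    TLS 1.3 on current builds (the "optional" part of slide 37). certfile and
    keyfile are placeholder paths: pass load_cert=True with real files.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = TLSVersion.TLSv1_2
    if load_cert:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Check a live SSLContext against the slide-37 policy."""
    return policy_violations(ctx.minimum_version, ctx.maximum_version)


if __name__ == "__main__":
    ctx = hardened_server_context()
    names = [v.name for v in permitted_versions(ctx.minimum_version, ctx.maximum_version)]
    print("hardened context negotiates:", names, "violations:", audit_context(ctx))
    # Slide 34's "ok but not perfect" server: TLS 1.2 on, TLS 1.0/1.1 still accepted.
    print("slide 34 server:", policy_violations(TLSVersion.TLSv1, TLSVersion.TLSv1_2))
```

`audit_context` only inspects the bounds the process set on its own context; it cannot see what a remote server negotiates, which is the job of a scanner such as the Sitebulb report on slide 33. For Apache, nginx or a hosting panel the same policy is a one-line protocol setting, and slide 38 is right that it belongs to whoever runs the server.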