Reliable and Fast Web Hosting
HTTPS for static sites to ?
This came at the right time…working on network connection on my first application.
This was a great talk. If you are a SEO, Webmaster or site owner you need to watch this.
http://www.scoop.it/t/freedomoftheinternet/p/4023831508/2014/06/30/google-i-o-2014-https-everywhere-youtube #granniegram broadcast iwth thX @Sigmund Joseph Solares
One of the most helpful and informative IO14 sessions..must watch for every web app developer..
Isn't anyone concerned about that Qualys Lab Tool and how it displays the "worst scoring" websites publicly? That sounds like a major security risk in itself.
Actually, you can get unlimited wildcard certificates from StartSSL. All it takes is paying $49 for a personal validation, and if commerciel paying $49 more for a company validation. Both keep for a year, and in that period, any number of wildcard certificates can be assigned for free.
Long time coming! Excellent!
And who are these Certificate Authorities that issue certificates? How much validation do they do of applicants, how secure are they? I have multiple personal domains, hosted locally and remotely, all with their own HTTPS certs and HSTS but it's nothing more than theatre and pretence. There is no trust model when the entities issuing certs are nameless companies staffed by people I don't know. Google should not be perpetuating the sham which is HTTPS, stop skimping on the fix and do it properly by backing the CA system with a proper PKI. People are trying, keybase.io etc…
aha, he says 'Good luck' towards the end.
at 7:20, can a hacker redirect a front-end only site?
Thank-you for saying / doing so! … It's amazing how many "security experts" miss this one. Google taking the lead yet again!
Google, you failed to supply a name and address to send the invoice of the cost of upgrading the web to https
This might affect your Adsense Revenue. According to Adsense:
The SSL-compatible ad code is designed for publishers who already have existing HTTPS-enabled sites. We don’t recommend that publishers with HTTP sites convert their sites to HTTPS unless they have a strong reason to do so. Unless you're a publisher who needs to protect important user information like credit card details, passwords, or medical records etc., you probably don't need change your site to HTTPS.
HTTPS-enabled sites require that all content on the page, including the ads, be SSL-compliant. As such, AdSense will remove all non-SSL compliant ads from competing in the auction on these pages. If you do decide to convert your HTTP site to HTTPS, please be aware that because we remove non-SSL compliant ads from the auction, thereby reducing auction pressure, ads on your HTTPS pages might earn less than those on your HTTP pages.
I do 301 redirects for any thing without www at the server config level. Do I still need to verify those in webmaster tools? There should be no actual working links on those urls.
@Ilya Grigorik Could somebody answer me about authentication in https. I cant be sure i am reaching example.com, cause i have several trusted root CA in my system. If one of them compromised (FBI/NSA) then i can't be sure: They placing MITM with valid, but not original cert, and i have no warning on browser. (Look at SSH host key change).
And if we lose one of statements, then we lose all. I cant be sure that data not changed(integrity), and not listened(encryption). So https useless. 2:20
For example cloudflare.com legaly 'hijacking" https connection even if i have my cert. Both have valid path(and different CA), and same domain name. User even dont know about my cert, he viewing only cloudflare. And i tested, i could switch them on live, and i had no notification about 'origin change'. Browser assume that cert change its OK. Its vulnerability.
Looking forward to the "Lets Encrypt" project. Totally agree with https everywhere – currently there are some problems with monetization with google ads, my revenues dropped 30% after switching but should eventually recover. Also not sure how this changes your backlink profile and whether 100% of your page rank / link juice will transfer over if you 301 redirect http to https and keep the non-https links.
A potential obstacle for those wishing to share the same IP for multiple domains/services may be the lack of SNI support for Android 2.3.7, IE running on XP, and Java6u45.
Question for @John Mueller or @Pierre Far, I just migrated my site from HTTP to HTTPS and verified the new version within WMT. This video recommends adding all 4 versions (non-www of HTTP and HTTPS) to WMT but is that really best practice if those non-www versions never were created therefore never indexed or internally linked? I can't upload the HTML verification file to the non-www version of my site unless I manually switch it over just to verify, then switch back. That seems counter intuitive. Can you confirm?
Any recommendations for a single domain SSL certification (DV) for the reasonable price? I found one for $5/year (https://www.ssls.com/comodo-ssl-certificates/positivessl.html) I see this has a 40% trusted ranking. I have a simple site showing off my web and graphic designs… is this good enough for me?
Can i get some good music on my phone please
Great information, and fun to watch because Pierre reminds me of the Rock Biter from Never Ending Story.
Awesome Idea, Security is an issue. I like to think that one could prevent lots of hacking issues, by funneling all data through say a cell phone with a thumb print scanner. Cant hack my bio-metrics. 10/10 work
awesome idea, i really appreciated this innovation and hope you will keep up going to improme more.
Most websites have absolutely no necessity in being secured via SSL.. why are they being penalized? For example, a blog (most of the content on the web) never exchanges data other than maybe an email address for a mailing list.. penalizing them for not spending the extra money for an uneccessary level of security is practically extortion… makes me wonder when you are going to start selling certs, since there is an obvious motive here..
Okay Google. You say HTTPS Everywhere, BUT you can't do that when I click Youtube Link in Google, it throws me to HTTP. So when I try to post comment web page reloads. Is it conveniently In your opinion????
security is very very important so that people will not get into people's email.
A difference than any other You tube published since I know. Wonderful. Excitant, Perfect, and good.
My Blog has been taken off of google which describes the crimes that is happening in the world today my followers would be able to to "The truth for all eyes to see" now when I go to it it doesn't appear what do I do..
Its help full Good
acount nt error noting erro
23:36 They recommend protocol relative URI's. According to Paul Irish this is actually not the best pattern anymore. Really the best pattern is to use HTTPS is the assets allows it … always. So, instead of src="//path/to/script.js" it should be src="https://path/to/script.js".
I bet if Google also offered free SSL certificates a lot more sites would switch. It would certainly make the "secure browsing" mission more sincere.
По истине все чрезвычайно много всяких условий и настроек.
These are great blogs
Roses are red as you'll read the spread I tell u think because blue is 6 ft in deep sink
I find ironic that you gave a 45 minute talk about using HTTPS everywhere, and yet in the final slide the page about the talk starts with http:// !
Slides can be found here: https://docs.google.com/presentation/d/15H8Sj-Zol1tcum0CSylhmXns5r7cvNFtzYrcwAzkTjM/
No json add words which he didnt now am live all webs 👀 am a one man on global
гугол как и америка навязывает сови правила в мире. Это плачевно сука кончится, как обычно.
I'd get a cert, but don't want to pay for it. There are free certs but GoDaddy is not having any of that currently.
It's time for Google to go….
The problem here is that HTTPS only works properly on sites which are single data sources. On sites that use third party data such as adverts, it:DOES NOT provide authentication, because the certificates of the advertisers appear nowhere in the browser. DOES NOT prevent data being modified. The recent cryptojacking scandal underlines that.DOES NOT prevent MITM eavesdropping, because an advertiser can inject a keylogger into the browser.
-and if it does these things for SOME of the data, but not the rest, what the heck use is that?
The risk of an advertiser or other third party being a malicious actor is statistically far greater than that of a data carrier being such.Thus when deployed on sites with third party content, HTTPS is not fit for the described purpose of protecting user data from infiltrators.
The issue with the present situation, created to allow the use of HTTPS on general websites, is that if my bank's website has content injected from a potentially malicious third party, the browser WON'T warn me of this. THIS IS BAD.
HTTPS should be reconfigured to display, "This site is NOT secure" unless ALL OF the data comes from the indicated source. Otherwise, it is lying to the user.
dude you're amazing i love this!
This is a fascist move by Google. Why would I need to move my blog to https, since:1- It is a blogger blog with a custom address;2- It doesn't require authentication, but if you need to leave a comment, authenticated (you have the option to leave anonymous), you are redirected to Google authentication.
My blog is only an example, but many other websites don't need https. For instance, a company's page that doesn't have a login option (most don't have). This is, perhaps, a move and a hype to make webmasters pay for an SSL certification (guess, by Google). They are promoting Lighthouse at the same time they do this.
ssl …two months free………..http://carandas.ru/nan.php
For a school project, our group made a tool where you can input a URL and check if the site has an SSL or not before visiting.
Your email address will not be published. Required fields are marked *
Save my name, email, and website in this browser for the next time I comment.