Migrating to HTTPS
For now, a collection of relevant links. More to come.
Tools and Demos
Articles of interest
Migrations in the News
Deprecations and Removals
As a part of the plan to require secure contexts (HTTPS) for Powerful features, Chrome and other browsers are deprecating or removing use of certain powerful features over HTTP connections.
- HTML5 Geolocation was disabled on HTTP sites in Chrome 50
- HTML5 Notifications will be blocked on HTTP sites
- Support TLS 1.2 or later.
- Prefer an ECDHE + AEAD cipher suite. For most sites, this will be ECDHE_RSA_WITH_AES_128_GCM_SHA256. (ECDSA, AES_256_GCM, and CHACHA20_POLY1305 are good too). Supporting legacy cipher suites is reasonable for compatibility with older clients, but for modern clients, this is the only acceptable family of suites.
- Don't use SHA-1 certificates
- Do not support Export ciphers
- Sending a proper certificate chains, including intermediates
Can I use compression? Should I worry about the BREACH attack?
It is only a concern when secret information and information from the request is contained in a single resource. So static information is fine, so are resources with secret data but no request-derived data, and so are resources that don't contain secret data.
Ivan Ristic's post on BREACH is a good summary of the mitigations against breach. Same-Site cookies are one interesting approach, although they're not supported broadly enough yet.