Keeping communication between your visitors and your website secure and confidential has never been more important. Data can be vulnerable to theft as it’s transferred to and from your website. One simple solution to this security threat is to encrypt your traffic with SSL (Secure Sockets Layer).
SSL encryption ensures the data transferred between your visitors and your site is safe from data theft, and having SSL enabled can also boost your Google search rankings.
CloudFlare has made it simple and easy to add SSL to your site: you don’t have to purchase a separate certificate or install anything. In this webinar CloudFlare’s solution engineer Peter Griffin explains the key features of SSL, and walks you through the simple process of getting SSL running on your site.
4. CloudFlare Overview
● Global: 28 locations, and growing
● Anycast Routing: BGP routes to CloudFlare IP ranges are
announced from each location, traffic is handled regionally
● Robust: Each node performs all tasks: DNS requests,
security checks, performance transformations, and caching
● Reliable: Built-in redundancy, load balancing, and high
availability.
● Intelligence: over 1 million sites using CloudFlare,
unparalleled view into “Layer 7” / HTTP-based attacks
● Capacity: CloudFlare has mitigated the largest disclosed
DDoS attacks to-date
5. How CloudFlare protection works
● Protected hostname resolves to
CloudFlare IPs via DNS
● Back-end IP address hidden,
locked-down to allow only
CloudFlare IPs
● HTTP/S requests, UDP attack
traffic goes first to CloudFlare
● CloudFlare only proxies valid,
acceptable HTTP requests.
Everything else is dropped
7. What is SSL / HTTPS? (briefly)
1. HTTP over encrypted SSL/TLS session
2. Uses public key cryptography
3. Verifies identity (of websites)
4. Encrypts communications
8. Google looking at HTTPS for ranking
“...over the past few months we’ve been running tests taking into
account whether sites use secure, encrypted connections as a
signal in our search ranking algorithms. We've seen positive
results, so we're starting to use HTTPS as a ranking signal. For
now it's only a very lightweight signal — affecting fewer than 1% of
global queries, and carrying less weight than other signals such as
high-quality content — while we give webmasters time to switch to
HTTPS. But over time, we may decide to strengthen it, because
we’d like to encourage all website owners to switch from HTTP
to HTTPS to keep everyone safe on the web.”
http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-
signal.html
11. SSL Provisioning Options
Upload your own key pair
● CloudFlare can present your existing SSL cert to your users
● Keys are never stored on-disc, only decrypted on demand
● Uploaded via web interface
Have CloudFlare provide a GlobalSign SSL cert
● Valid for *.example.com, and the root (example.com)
● *.*.example.com (subdomain of subdomain) NOT supported
● Ownership of your domain must be verified by GlobalSign
before they will provision the certificate.
12. GlobalSign domain verification
GlobalSign needs to know you own the domain!
Verify via HTML <meta/> tag
● HTML <meta/> tag provided by CloudFlare must be placed within
the <head/> section of the landing page at either your root, or your
www.
● GlobalSign will check that verification code is valid, and add *.
example.com and example.com on the SSL certificate
Verify via proxying
● Cert provisioned once CloudFlare-proxying is observed on either
the root domain, or the www. subdomain
● 10 to 15 minutes of SSL browser warnings until the presented
cert is updated
15. Switching to HTTPS:// URLs!
CloudFlare “Always Use HTTPS” Page Rule
● Automatically redirects requests for all subdomains AND the
root to the corresponding HTTPS URL
16. Switching to HTTPS:// URLs!
Stop using HTTP:// in your HTML!
● Search engines will follow the links it finds -- you don’t want the
search engine crawlers dealing with redirects for every page
they read on your site!
● Relative URLs are good!
17. Switching to HTTPS:// URLs!
Google’s webmaster guidelines
● Google has good resources and HOWTOs, and making
sure that the Google Bot can crawl+index your HTTPS
site: http://www.google.com/webmasters/
Recommended viewing!
● “Google I/O 2014: HTTPS Everywhere” -- goes into
much more https://www.youtube.com/watch?
v=cBhZ6S0PFCY