Play by Play is a series in which top technologists work through a problem in real time, unrehearsed and unscripted. In this course, Play by Play: What You Need to Know About HTTPS Today, Troy Hunt and Lars Klint cover how securing web traffic over HTTPS is rapidly becoming a critical component of today's web. Learn how websites are increasingly being compelled to go secure as browsers warn users about insecure sites, allow performance features only over secure connections, and tighten content security policies. By the end of this course, you'll have a clear understanding of the importance of securing web traffic over HTTPS.
Troy Hunt is a Microsoft Regional Director and MVP for Developer Security. He's a regular conference speaker, frequent blogger at troyhunt.com and is the creator of the data breach notification service known as “Have I Been Pwned”.
Lars is an author, trainer, Microsoft MVP, community leader, authority on all things Windows Platform, and part-time crocodile wrangler. He is heavily involved in the space of HoloLens and mixed reality, as well as a published Pluralsight author, freelance solution architect, and writer for numerous
Course Overview
Hi everyone! This is Troy Hunt. And I'm Lars Klint. And welcome to our Play By Play on What You Need to Know About HTTPS Today. I'm a Microsoft Regional Director and Most Valuable Professional for Developer Security. And I have a passion for security. I've written many, many other Pluralsight courses on the topic. Plus I'm also the creator of the data breach notification service known as Have I Been Pwned? And I'm a freelance solution architect at larsklint.com, Microsoft's Most Valuable Professional for Windows Development, speaker, and expert in mixed reality development. I'm also an Australian Outback internet specialist. Yes, really. I've been building software systems from tiny websites to massive telecommunications systems for the past 20 years. In this course, we will discuss why HTTPS is becoming such an essential part of the internet. What's driving its growth? How is it overcoming the barriers to adoption? And, indeed, why do we even need it in the first place? Learn how the value propositions of confidentiality, integrity, and authenticity are a big deal and how they can be abused if not used correctly. We're going to debunk myths around HTTPS such as it being slow or hard to implement or expensive. They're just simply not issues anymore. This course will help you learn how to take advantage of modern services that make development for the secure web a lot easier and much more approachable too. But it doesn't end there. This course includes real-life examples of where things went wrong and how it can be so easily avoided today. We'll look at some best practices for using HTTPS and show the tools and methods needed to build a web for the future. To complete the course, all you need is a passion for building more secure web apps, an understanding of the internet, and the next hour or so to watch this course.
I hope you will join us on this journey to learn how to manage HTTPS for your web development with the What You Need to Know About HTTPS Today Play By Play at Pluralsight.
HTTPS Introduction
Hi! I'm Lars Klint, and I'm here with Troy Hunt, and today we're going to have a discussion around HTTPS, which provides people, I guess, secure internets. But do you want to kind of tell us more about what we're going to look at today? Yes, so like we said, we're going to introduce some HTTPS stuff, and we're going to have, I guess, a high-level chat about why we need HTTPS. Why it's growing so quickly. Some of the things it does that I think a lot of people are not aware of because everyone sort of looks at it, and they sort of see the padlock, and they go, Oh, Secure, and that's kind of the end of the discussion, right? Yes. There's a whole bunch of other stuff it does, and I guess what sort of the big thing to think about before we even begin is this is becoming no longer optional. You don't get to go, Do I have HTTPS or not? You basically have to have it. Yeah, right. And if not today, then very, very soon and possibly even before this recording comes out. Yeah, true. And then there are a lot of other things where really the direction we're heading is HTTPS everything by default.
Why Do You Need HTTPS?
When people see this and particularly when they see the padlock, the thing they think about most---and, in fact, I'm going to ask you because we'll see if it aligns, what do you think about most when you see the padlock? What do I think about most? Well, when you see the padlock and see the thing that says Secure, what does that mean to you--- To me? ---as a technical person? As a technical person. That means that the transmission of data between my browser and the server it's on is secure. Okay, but what does that give you? So what is the upside? What does it give me? The upside is that, say there was a man-in-the-middle attack, someone, we don't know who that would be, would have a device that I would connect to invariably, and it would--- Some people get this. ---I've heard, and they can then get my data if it wasn't secure because they could see all the traffic on it. So you just said, They could get my data if it wasn't secure. So you're going down the confidentiality aspect of HTTPS, which is when we have the padlock, and let's say you log in and your passwords and things go over an HTTPS connection, you're saying other people can't see your passwords. When you go to your bank account, and you load your data, other people can't see your bank account number and your balances and things like that.
This Is Not Your Grandfather's HTTPS
So now we've looked at the---well, we've talked about authentication, and we talked about integrity, and we talked about confidentiality. What are some of the other upsides that we have? One of the interesting things---and also we spoke about upsides like there are certain features which are deprecated for nonsecure origins in the browser. There are a couple of other things that are really significant in terms of the upsides you get from HTTPS. And one of them is you can get things like Brotli compression. Now here's our mate, Scott, again. He's written about Brotli here. And Brotli is a really interesting compression algorithm that, as you can see here, Google announced back in 2015. You do get much better compression out of it. They claim 20-26%, and in Scott's findings, he found a little bit less than that. But the bottom line is that they do manage to compress the traffic further. The relevance to HTTPS is that Brotli is only supported over HTTPS. Or certainly browsers that implement Brotli compression are only supporting it over HTTPS. You've still got to have a server that can do Brotli compression as well. But this is just like one more of those things of I can actually get an upside by doing this. And I like this because this is saying if you go and get HTTPS, not only do you get the security things, you can also get some performance things as well. So when you're trying to sort of sell this, as if all the other stuff, like not having sort of warnings in the browser, isn't enough, you can go, Hey, we get upsides here too.