HTTPS All The Things!

What should you walk away with?

  • HTTPS is a good thing to do
  • Everybody is doing it
  • It's really easy
  • What tools there are

About me

  • Local boy (Windesheim)
  • Head of Mobile Tech @ Marktplaats
  • Systems Architecture background
  • Security at Marktplaats
  • Local SSL/TLS guru

About HTTPS

  • Invented in 1995 by Netscape
  • Protect data in transit
  • Way too easy to sniff traffic
  • Remember firesheep?

Low adoption early years

  • Encryption is costly
  • Certificate hell
  • Virtual Hosts
  • Mixed Content warnings
  • Third Parties
  • Too small for SSL

Encryption is costly:

Certificate hell:

Virtual Hosts:

Mixed content warnings:

Too small for SSL:

Industry says it's time

We were trailing behind!

Marktplaats

Nerd stuff

  • 6-7 Gb/s
  • 4500 requests/sec
  • Dual DC, private cloud
  • Microservices: Thrift, Scala/Java
  • Ubuntu, MySQL, Cassandra, Kafka, Consul
  • Ask me for more detail

HTTPS @ Marktplaats

1999-2010: no HTTPS

  • "Only for banks"
  • Fair amount of investment required
  • External content would have kicked our ass

2010-2012: HTTPS for login pages

  • Firesheep
  • Pentests
  • Public shaming
  • Wild west days are over
  • No longer in-line login

2012-2017: HTTPS for sensitive data

  • Mijn Marktplaats
  • Plaats Advertentie
  • If it's POST, it's secured
  • Banners holding us back
  • Double cookie auth (secure and non-secure)

2017: HTTPS all the things!

  • Goal: End of Q1 main website 100% HTTPS
  • End of Q2 everything 100% HTTPS

But how?

Application

  • Rewrite our stack... in 2012
  • Everything protocol agnostic
  • src="//i.marktplaats.com/image.gif"
  • HTTPS on local envs

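The "protocol agnostic" step in practice: find every subresource a page still loads over http:// (the mixed content that breaks a page the moment it is served over HTTPS) and rewrite it. This is an added example for this deck, not Marktplaats code; the sample page and the cdn.example host are constructed. It offers both rewrite strategies, the protocol-relative `//host/path` form the slide shows and an explicit `https://`; once everything is HTTPS the explicit form is the safer choice, because a `//` URL on a page that is still reached over http loads the asset over http too.

```python
"""Find and rewrite http:// subresource references in HTML.

Added example, not code from the deck. SAMPLE_PAGE is constructed; the hosts
in it (i.marktplaats.com, cdn.example) are assumptions for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch something. An http:// value in one
# of these on an https:// page is mixed content: scripts, styles and frames
# are blocked outright by modern browsers, images only produce a warning.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class MixedContentScanner(HTMLParser):
    """Collect every http:// subresource as (tag, attribute, url)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr in SUBRESOURCE_ATTRS.get(tag, ()) and value:
                # urlsplit("//host/x").scheme is "" so protocol-relative
                # and data: URLs are not reported.
                if urlsplit(value).scheme == "http":
                    self.findings.append((tag, attr, value))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def make_scheme_agnostic(url):
    """http://host/path?q -> //host/path?q (the form used on the slide)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    rebuilt = "//" + parts.netloc + parts.path
    if parts.query:
        rebuilt += "?" + parts.query
    if parts.fragment:
        rebuilt += "#" + parts.fragment
    return rebuilt


def make_https(url):
    """http://... -> https://... ; preferred once the whole site is HTTPS."""
    if urlsplit(url).scheme == "http":
        return "https:" + url[len("http:"):]
    return url


def rewrite(html, strategy=make_https):
    """Replace each flagged URL in the document with strategy(url)."""
    for _tag, _attr, url in find_mixed_content(html):
        html = html.replace(url, strategy(url))
    return html


# Constructed sample: two insecure subresources, one already protocol-relative,
# one navigation link (not a subresource) and one data: URL.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//i.marktplaats.com/app.js"></script>
</head><body>
<img src="http://i.marktplaats.com/image.gif">
<a href="http://www.marktplaats.nl/">link</a>
<img src="data:image/gif;base64,R0lGODlh">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print("mixed content: <%s %s=%s>" % (tag, attr, url))
    print(rewrite(SAMPLE_PAGE))
```

Run it over rendered pages from your local HTTPS environment rather than templates alone: assets injected by third-party tags only show up in the rendered output.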
Power!

  • Hardware!
  • Software!
  • Glorious Fabio

Third Parties

  • Wait patiently
  • Media partner negotiation
  • Review all tags
  • Content Security Policy

Test the shit out of it

  • A/B test on homepage
  • Revenue impact (DFP, Google Analytics)
  • Performance impact (Graphite / Pingdom)
  • Customers
  • CSP Report-URI

CSP Report-URI

  • Report violations back
  • Could build our own solution, but there is report-uri.io

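What the Content Security Policy and report-uri bullets amount to: ship the policy in Report-Only mode first, so nothing is blocked but every http:// load on an https:// page is posted back, then aggregate the reports to see which tags and partners are not ready. This is an added example for this deck, not Marktplaats code and not report-uri.io's; the collector path and the sample reports are constructed. The policy here is a mixed-content-finding policy ('unsafe-inline' and 'unsafe-eval' stay allowed), not a script-injection-hardening one.

```python
"""CSP for finding non-HTTPS content, plus a summariser for the violation
reports browsers POST to report-uri. Added example, not the deck's code.
REPORT_ENDPOINT and SAMPLE_REPORTS are constructed for illustration."""
import json
from collections import Counter
from urllib.parse import urlsplit

REPORT_ENDPOINT = "/csp-report"   # assumed path of your own collector


def build_policy(report_only=True, endpoint=REPORT_ENDPOINT):
    """Return (header name, header value).

    Report-Only: nothing is blocked, every http:// fetch from an https://
    page is reported. Flip report_only=False once the reports go quiet and
    the browser will block what is left."""
    value = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; report-uri " + endpoint
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, value


def parse_report(body):
    """Parse one application/csp-report POST body.

    Returns the fields we act on, or None if the body is not a CSP report
    (collectors receive plenty of junk; never trust the endpoint's input)."""
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    blocked = report.get("blocked-uri", "")
    # blocked-uri is a URL for fetches but a keyword ("inline", "eval",
    # "self") for inline violations; keep keywords as they are.
    blocked_host = urlsplit(blocked).netloc if "://" in blocked else blocked
    return {
        "document": report.get("document-uri", ""),
        "directive": report.get("effective-directive") or report.get("violated-directive", ""),
        "blocked": blocked,
        "blocked_host": blocked_host,
        "source": report.get("source-file", ""),
    }


def summarise(bodies):
    """Count reports per (effective directive, blocked host)."""
    counts = Counter()
    for body in bodies:
        parsed = parse_report(body)
        if parsed is not None:
            counts[(parsed["directive"], parsed["blocked_host"])] += 1
    return counts


def top_offenders(bodies, n=3):
    """The partners/tags to chase first: most-reported (directive, host) pairs."""
    return summarise(bodies).most_common(n)


# Constructed sample bodies, in the shape browsers send (report-uri format).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://www.marktplaats.nl/",
        "violated-directive": "default-src https: data: 'unsafe-inline' 'unsafe-eval'",
        "effective-directive": "img-src",
        "blocked-uri": "http://banner.example/ad.gif"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.marktplaats.nl/",
        "effective-directive": "script-src",
        "blocked-uri": "http://tags.example/tag.js",
        "source-file": "https://www.marktplaats.nl/"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.marktplaats.nl/a",
        "effective-directive": "img-src",
        "blocked-uri": "http://banner.example/other.gif"}}),
    "not json at all",
]

if __name__ == "__main__":
    print(": ".join(build_policy()))
    for (directive, host), count in top_offenders(SAMPLE_REPORTS):
        print("%5d  %-12s %s" % (count, directive, host))
```

Rate-limit and size-limit the collector: a Report-Only policy on a high-traffic site generates a lot of POSTs, and anyone can send you arbitrary bodies at that path.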
Rollout

Fast or slow?

  • Media wants slow (because: revenue)
  • SEO wants slow (because: duplicate content)
  • Solution: move search bots separately

Rollout

  • Homepage 10% for 1 hour
  • Fix
  • Evaluate revenue

Rollout

  • Homepage 10% for 1 day
  • Fix
  • Evaluate revenue

Rollout

  • Homepage 100%
  • Fix
  • Evaluate revenue

Rollout

  • Enable site-wide
  • Evaluate revenue
  • Fix
  • Allow bots in

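The staged rollout above (homepage at 10%, homepage at 100%, site-wide, then the search bots) needs a per-request decision that is sticky per visitor, so nobody flaps between http and https (and between the secure and non-secure cookies) while the percentage is below 100, and that keeps crawlers out until SEO is ready for the move. The following is an added example showing one way to do that, not Marktplaats code; the cookie name, the bot list and the request shape are assumptions.

```python
"""Per-request http -> https upgrade decision for a percentage rollout.
Added example, not the deck's code. BUCKET_COOKIE, KNOWN_BOTS and the
request dict layout are assumptions made for this illustration."""
import hashlib

KNOWN_BOTS = ("googlebot", "bingbot", "duckduckbot", "yandexbot")
BUCKET_COOKIE = "mp_ab"   # assumed: a stable per-visitor identifier cookie


def is_search_bot(user_agent):
    ua = (user_agent or "").lower()
    return any(bot in ua for bot in KNOWN_BOTS)


def bucket(visitor_id):
    """Map a visitor id to 0..99 deterministically: the same visitor always
    lands in the same bucket, so a 10% rollout is 10% of visitors, not 10%
    of page views with everyone bouncing between protocols."""
    digest = hashlib.sha256(visitor_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % 100


def should_upgrade(request, percent, bots_enabled=False, paths=("/",)):
    """True if this http request should be redirected to https.

    request: {"path": str, "scheme": str, "headers": {lowercase: value},
              "cookies": {name: value}}"""
    if request["scheme"] == "https":
        return False                      # already there
    if request["path"] not in paths and "*" not in paths:
        return False                      # stage gate: homepage first, then site-wide
    if is_search_bot(request["headers"].get("user-agent")):
        return bots_enabled               # crawlers stay on http until SEO says go
    visitor = request["cookies"].get(BUCKET_COOKIE)
    if visitor is None:
        return percent >= 100             # no sticky id yet: only once fully on
    return bucket(visitor) < percent


# The deck's sequence: homepage 10% (first an hour, then a day), homepage
# 100%, everything, then let the bots in.
STAGES = [
    {"paths": ("/",), "percent": 10, "bots_enabled": False},
    {"paths": ("/",), "percent": 100, "bots_enabled": False},
    {"paths": ("*",), "percent": 100, "bots_enabled": False},
    {"paths": ("*",), "percent": 100, "bots_enabled": True},
]


def make_request(path, scheme="http", user_agent="Mozilla/5.0", visitor=None):
    """Constructed request for demonstration purposes."""
    return {"path": path, "scheme": scheme,
            "headers": {"user-agent": user_agent},
            "cookies": {BUCKET_COOKIE: visitor} if visitor else {}}


if __name__ == "__main__":
    bot = make_request("/", user_agent="Mozilla/5.0 (compatible; Googlebot/2.1)")
    user = make_request("/", visitor="visitor-42")
    for i, stage in enumerate(STAGES):
        print("stage %d: user=%s bot=%s" % (i, should_upgrade(user, **stage),
                                            should_upgrade(bot, **stage)))
```

The visitor id should be a random, non-guessable value set by you, not anything an attacker can pick to land in a chosen bucket; the bucketing also keeps the A/B revenue comparison honest, since each visitor is counted in exactly one arm.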
Rollout

  • Kibana for missed pages
  • Fix

Rollout

  • Single-DC test
  • Fix

Rollout

  • Now
  • Party?

What's next?

  • HTTP Strict Transport Security (HSTS)
  • HTTP/2
  • CSP improvement
  • TLS 1.0 deprecation
  • TLS 1.3 adoption (0-RTT!!, with the caveat that 0-RTT data is replayable, so only for idempotent requests)

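HSTS, first on the list above, is a one-way door: once a browser has cached a long max-age, any page or subdomain still on http is unreachable for that browser until the policy expires, and includeSubDomains covers every subdomain, internal ones included. Added here as an example, not Marktplaats code, is a parser and sanity check for the Strict-Transport-Security header together with a staged max-age ramp (minutes, then a day, a week, a month, a year); the preload requirements encoded are the hstspreload.org ones (max-age of at least one year, includeSubDomains, preload token) and the stage values are a suggested ramp, not the deck's.

```python
"""Parse, check and stage a Strict-Transport-Security header.
Added example, not the deck's code. MAX_AGE_STAGES is a suggested ramp."""

ONE_YEAR = 31536000
PRELOAD_MIN_AGE = ONE_YEAR   # hstspreload.org requires at least one year


def parse_hsts(header):
    """Return {'max-age': int or None, 'includeSubDomains': bool, 'preload': bool}.

    Directive names are case-insensitive (RFC 6797); max-age may be quoted;
    unknown directives are ignored, as a browser would."""
    result = {"max-age": None, "includeSubDomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max-age"] = int(value.strip().strip('"'))
            except ValueError:
                pass                      # malformed: treated as absent
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_hsts(header):
    """Return a list of problems; an empty list means the header is sane."""
    policy = parse_hsts(header)
    problems = []
    if policy["max-age"] is None:
        problems.append("missing max-age")
    elif policy["max-age"] == 0:
        problems.append("max-age=0 removes the policy")
    if policy["preload"]:
        if not policy["includeSubDomains"]:
            problems.append("preload requires includeSubDomains")
        if policy["max-age"] is None or policy["max-age"] < PRELOAD_MIN_AGE:
            problems.append("preload requires max-age >= %d" % PRELOAD_MIN_AGE)
    return problems


# Suggested ramp: 5 minutes, 1 day, 1 week, 30 days, 1 year. Move up a stage
# only when the previous one has caused no lock-outs; every stage is a
# promise to browsers for that long.
MAX_AGE_STAGES = [300, 86400, 604800, 2592000, ONE_YEAR]


def rollout_header(stage, include_subdomains=False, preload=False):
    """Header value for a given rollout stage. Only add includeSubDomains
    once every subdomain serves HTTPS, and preload last of all: it is
    hard-coded into browsers and takes months to undo."""
    value = "max-age=%d" % MAX_AGE_STAGES[stage]
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return value


if __name__ == "__main__":
    for stage in range(len(MAX_AGE_STAGES)):
        print(rollout_header(stage))
    for header in ("max-age=300; preload", rollout_header(4, True, True)):
        print(header, "->", check_hsts(header) or "ok")
```

The header must be served on the https:// response only (browsers ignore it over http), and the http to https redirect should already be in place and stable before the first stage.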
What are you walking away with?

  • HTTPS is a good thing to do
  • Everybody is doing it
  • It's really easy
  • What tools you have

That's it