HTTPS is Hard - Sessions by Pusher

HTTPS is Hard

Steve Workman speaking at Front-End London in March, 2016

About this talk

Making a site work on HTTPS should be easy, but it’s not. The older your website, the harder it is to make the transition, but why? Steve takes you through a nine-month journey of how he moved Yell.com to HTTPS, overcoming a 20-year-old website and its many tiers to get that green padlock, and what actually happens when you make such a breaking change.


Transcript


[00:00:06] My name is Steve. I’m the head of web engineering at Yell, or Yell.com. You may have seen we’ve dumped some pieces of paper on your doorstep recently. Do read them. They’re wonderful. I manage and help to run Yell.com and over the last few years we’ve had a horrible time with changing names and identities and stuff, but we’re getting better. One of the things about getting better is we get the time to occasionally reinvent ourselves. Over the last year or so I think we’ve managed to do that. Anyway, this is about HTTPS, something that should be incredibly easy but really, really isn’t. I’ll start the story at London Web Standards. It’s an event that myself and Dave, in the front, help to run. We’ve been running this for years now, but I was talking to Dan Appelquist, who is the co-chair of the TAG, the Technical Architecture Group of the W3C. He had just given a talk on web security, privileged features, HTTPS. We were in the pub and I was saying, “Hold on, Yell.com is a directory service. We literally mail you all of this information. Why do we actually need to be on HTTPS?” Dan basically told me, “Think about all the queries that your users are actually putting through this website. They’re searching for legal counsel, family planning clinics, as well as regular plumbers, hairdressers, schools – anything. All sorts of private and local identifiable information. If I was a hacker interested in intercepting your traffic, I could find out an awful lot of stuff about you.”

[00:01:47] That’s scary. That’s really scary. That’s what absolutely got me here thinking, “Yes, you’re right. All this stuff is stuff that should be secure. The whole web should be secure.” He carried on saying Google is really pushing on this. It’s now a search engine ranking factor. If I’m selling it to my boss, which I then the next morning went and did, this is what you’ll major on, because obviously around 85% of Yell’s traffic comes from Google, something ridiculously high like that.
Any sort of SEO ranking is really, really important to us. Whose website here is on HTTPS? Two hands. That’s not too bad, actually. How many are moving or are in the process of a transition? Half? How many are just going to stay stubbornly on HTTP because it’s good and everyone can still use it? There’s some people missing. I mean, how hard can this be? This is how I started thinking, “Yes, right, I’m in engineering. I’m going to talk to my product people.” I talk to my product people – they’re very lovely people. I’m going to talk to security and I’m going to talk to operations. You’ll notice at the bottom here there’s a bar starting January. It goes a long way. This is 2015. Okay, so we had to start. You start where you normally think you’d do. Yell.com as an application is 20 years old. It is ever so slightly older than The Guardian. Its first domain name was “IYP”, the Internet Yellow Pages, sorry, “EYP”, Electronic Yellow Pages, which switched to Yell.com in the year 2000. Yes, it’s older than The Guardian, because I was talking to Patrick in the pub as well. It’s always very nice to say that we’ve got HTTPS before The Guardian, even though he moved on.

[00:03:54] It’s a very, very, very old website and there are layers and layers and layers of applications, UIs, servers, load balancers – all sorts of things that you find on a very large production website. When you’re moving to HTTPS you start local, you start at home. You take your development environment that’s sat on my laptop, that very laptop there, and I go, “Okay, I’m going to make a certificate.” I start up OpenSSL and I start to generate myself a self-signed certificate. Okay. That’s not that hard. There are loads of guides on the internet. There are some very, very useful ones about getting the green padlock on OS X, about actually taking some properties and putting them into OpenSSL and then generating that and installing it on Apache.
One of the best ones is the Mozilla SSL Configuration Generator. You quite literally put in: on Apache, it’s kind of old, and I want all these things, and it literally generates you all the different things you’ll need in order to get that green padlock. Then later that day, hooray, it’s working. I’m on HTTPS. It took me a day. Yes, not quite.

[00:05:19] Yes, it’s running locally on HTTPS and it’s secure. Wonderful. Does it work? No. Of course it doesn’t. You then go through and look at what breaks. You’re on HTTPS, you look at what breaks. The first thing we looked at, we looked at Adobe Analytics, which is the analytics provider. You may have heard of Omniture, it’s an older version of it. There are alternatives, Google Analytics. This is one of them. All of our adverts, they broke, and they’re a great loss. People did complain. Our entire review section broke and finally a lot of URLs, connecting URLs, and everything else. Basically, you have a website that doesn’t work but it’s on HTTPS. You’ve got to make sure it’s not HTTPS. It’s not really as easy as just shoehorning the “S” into the URLs. Strangely, that actually solved most of the problems. I went through the entirety of the website and put an “S” into most of the URLs and they worked, because it’s all on the same domain and there are no awkward sub-domains for a lot of things. It just worked and that was great. Except for the following exceptions: our advertising network. For our ad network we use AdTech, AOL’s AdTech service. They can easily serve their scripts over HTTPS. I went and talked to our advertising manager, who’s in the building, very nice guy, and he gave me access to the documentation, which of course is behind a username and password. I don’t know why. Then I dug through that and found that you just change this bit of the request script and then it comes over HTTPS. Yes, great. AdTech is being served over HTTPS. Aren’t adverts being served over HTTPS? No. Of course they’re not.

[00:07:14] Yes.
There’s this problem with the advertising industry and the IAB knows this. Apparently 80% of it supports HTTPS. The major players, DoubleClick, AdTech and lots of the others, they do support it. However, they realised they messed up in iOS 9, when it introduced ad blocking. They quickly issued a statement which is basically, “Guys, you don’t like these adverts, we get it. They are terrible for your web performance and so we’re going to do better. We are going to serve LEAN adverts.” Light, Encrypted, AdChoices support, meaning that they can follow you around but you can tell them not to, and Non-invasive. All these modal pop-overs, these things will go away. That’s a really, really big thing. When we actually first launched HTTPS, occasionally you’d get a blank 300×250 box, because it didn’t work, because that particular advert was not served over HTTPS. Luckily for us, Yell’s revenue is not from that. Take major publishers, the Guardian and such, this is a much bigger problem for them because that’s where their revenue comes from. They can’t just shut even 20% out. Lucky for us we could continue. However, I’ve had to talk to all of these people. This is growing. It is now the middle of February.

[00:08:54] The next one I talked to was Adobe Analytics. Google Analytics just works. They’ve supported HTTPS for a very long time. So have Adobe, of course, but obviously we didn’t have it configured that way. Why would we? We were on HTTP. We made it work with HTTP. We had to contact Adobe and to do that I had to find out who in the company was an Adobe administrator, which wasn’t me or anyone in my department or anyone in this country, actually. I had to find who they were and I had to get on to Adobe support and then I had to send them an email. They sent me back a request and they enabled first-party domains for us after we’d sent them a certificate, which was very nice of them.
We also at the same time very, very cautiously updated to the latest version of their tracking script. Now, people who have Google Analytics, this is not a problem for them, but with Omniture, Adobe Analytics, you host the script and therefore you are responsible for updating it. Ours was two or three years out of date. Considering that this is where all of the value actually is, because what Yell does is we supply adverts and we tell the small businesses of this world how well their advert is doing. This is the core. It actually took me until the start of April to get this through, after very cautiously, as I said, updating to the latest version of Omniture.

[00:10:32] Also, we had a few other little benefits out of that. I think I shaved about 100 milliseconds off each request. That was rather nice. Once again, time has gone. I started out over here and I’m still not finished. I’ve not even gotten through the majority of the problems yet. It’s now April and time has just disappeared. Then of course, there’s this other system. In 2010 we bought a company called “Trusted Places.” Anyone ever heard of Trusted Places? One. You used to use it? Do you use Yell reviews? There we go. Don’t worry, no one else does. We have a Java stack. The review system is written in PHP; we don’t have any PHP developers. How does that work? In December we actually replaced the entire system with a fast one, which means your reviews actually got published in 30 seconds. We replaced a lot of legacy. I had to do a lot of duplication. It’s one of those things, every system is going to have one of those things. This one component that is completely unloved and that you just can’t update, or you don’t know how to update, or it hasn’t been deployed for years. Now I don’t have a deployment script for it, what on earth happened? Everyone has one of those. You have to live with it. There’s no easy way. There is no easy way to do HTTPS with such a large website, except, unless you keep going.
I kept going.

[00:12:25] I’ve only currently gotten a local certificate, which is a self-signed certificate. If you try and visit that in a web browser, you basically get that and that of course is no good. No one is going to trust that. You get a big message on your screen. There are plenty of other types of certificates. There is what’s called a DV certificate, or Domain Validated. They look like that, which is on MS Edge. That’s just a padlock; it’s a green padlock on other browsers. These are certificates which you can get relatively cheaply. Let’s Encrypt, they do free DV certificates. StartSSL, they also do free DV certificates; the Let’s Encrypt ones are much easier to get, though you have to renew them every four months. The thing with the DV certs is – actually, there’s nothing wrong with them. There actually isn’t anything wrong with them, but you can go a level higher, which is Extended Validation certificates. Now, if you’re using Chrome, Firefox, and you see a browser with one of these in it you will see that is an EV certificate. Basically, you’ve gone through a whole other level of validation to actually just say, “Yes, this is definitely me.” This is the mark of trust. You’ll notice this is our old company name. Actually, it’s the name of the company we used to trade under. In order to get our EV certificate, I actually had to talk to my security team again, who talked to our legal team, and had to talk to Companies House and adjust the names of our domain name registrar records to then make sure that the Yell.com one matched exactly what was in Companies House. Otherwise, EV certs don’t work. Thankfully, I didn’t have to do this.

[00:14:28] That’s what the certificates look like. You see what certificate is there. That’s what it kind of looks like. It’s just a whole bunch of stuff. It’s just there. That’s actually my self-signed one, which is why it’s up on the screen, obviously.
Yes, it isn’t hard, it just takes time, and the only reason why it’s actually worth it is on Edge. It’s the only one that actually makes the browser bar go green. On Edge it’s not actually a green, yes, I’m exactly who I say I am. We spent the extra time doing it. Now I’ve talked to all these people and it is the middle of May. Time obviously keeps passing. There are other third parties which I’m going to briefly skim over; although, I will probably come back to one of them. We have an anti-scraping tool, so Yell’s value is in its data. We have 2.7 million businesses that are in the UK listed. We get scraped all the time, so we have an anti-scraping tool. They sit in front of us and to actually get an EV cert for them we had to spend some money for a private IP address. It’s worth it. It’s just one of those things that we had to do, but also, then again, more people to talk to. We also have a CDN for hosting videos. If you’ve ever looked really closely, Yell.com isn’t actually hosted on a CDN or in the cloud, it’s actually in a data centre. Imagine those. Who’s got a data centre these days? The CDN is of course on a global contract which we don’t control; therefore, we haven’t actually been able to update it. It costs money so we have to make change requests, because it’s actually run by the U.S. We still haven’t got there.

[00:16:28] If you look at cdn.yell.com it does run on HTTPS. We still have not got there. Nearly 16 months after I’ve started this. We’re nearly there for this one but not quite. Also, that particular host doesn’t support SNI. SNI is a technology that stands for Server Name Identification, which means you don’t have to have a unique IP address for a certificate in order to use HTTPS. If you use Windows XP – who uses Windows XP? Awesome. No! At work, okay, fine. We’ll let you off. You would not be able to see this website because it’s on HTTPS and Windows XP does not do this. That was a surprise. I really didn’t think anyone would say yes.
Not everyone supports it, even though SNI is a technology which is almost a decade old. I’ve talked to quite a few people now and it’s now June, but of course to actually get the money for all of this, because on this last slide I’ve now spent some money. My title is Head of Web Engineering. Actually, my title of Head of Web Engineering changed here. Nothing really happened until here, so I don’t have any sort of budget or anything like that. I have to write a business case. Who here has written a business case? That’s a small number of people. Mostly the older people in the audience as well. It’s not easy. Who knows how to write a business case? Or even where to start. Google. Yes, they’re shit. Honestly, there’s not really good stuff about how to write a business case. One of my friends from a management consultancy I used to work at literally had to dig around and find me some really old government guidelines on how to write a business case. There’s really not that much out there. Certainly nothing for software devs or for these kinds of projects. This is quite hard.

[00:18:38] A lot of people will say, “I’ve got to spend some money. I have to ask my boss.” Is it important for your boss? If it’s not, they probably won’t waste their time. That’s where you get stuck. This took months. We’ll just leave it at that. It took months. It had to get signed off. It had to go to the investors, of all things. Madness. Absolute madness. We’re now nearly live. Okay? We’re now nearly there. It is the middle of July and now people have suddenly thought, “Hold on. This is actually going to happen. Steve’s not just mad. He’s not just on this little crusade on his own. He’s actually going to do this.” People said, “We have some concerns about performance. Is TLS fast yet?” Yes, of course it is. It is fast. It has an entire website about it. Go and read that if you need any kind of evidence about it.
We agreed to terminate the connection as close to the edge of the network as possible. Now, I’ve already described our anti-scraping, that’s a man in the middle, it literally sits in front of us. Now, I wasn’t willing to say, “Okay, we have a data centre, we have a man in the middle which is in a different data centre, the traffic between those two would have to go over a public network.” That wasn’t something I wanted to do. We terminate the network connection twice. Once at our anti-scrape and then it re-encrypts it and then it comes back to us and then we decrypt it again. There’s a performance penalty for that and I’ll show you exactly what that is, but there is a performance penalty anyway. We’ll get to it.

[00:20:17] Of course, we have our load balancer so we had to make sure that was up to date. This actually happened in March. We flipped the switch to put that live in early July because our load balancer being 20 years old, it’s a Citrix NetScaler if you’re really interested. We were on 9.5, we updated to 10.5. I thought, “Look, there’s a button there that says speedy, tick it.” Everything fails. Untick it quite quickly. We made sure everything was up to date and that modern stuff, if you are doing HTTPS you’ve got to be [Inaudible 00:20:58] OpenSSL and its performance for decrypting, especially the stronger elliptic curve ciphers, you’ve really got to have a modern version of 1.0.1 or 1.0.2 in order to actually get enough performance for it not actually to be a problem for you. Of course people said, “Well, we’ll have to wait and see.” Okay, we’ll see. We’ll exactly see. We used SOASTA’s mPulse tool to monitor real user measurement timings and we said, “Okay, we’ll monitor it and we’ll see and we’ll make performance tweaks afterwards.” Before the button push, I’ve talked to all of these people and it’s July. We finally reached the big day. The 31st of July, 2015.
You press the button, but on that big day we had to do all the following things because they don’t work on HTTPS and HTTP. We have to update our sitemap, 10 million links; our robots.txt file, much smaller; Google Search Console, or Webmaster Tools as it used to be. You have to make sure you register the property and that you’re tracking everything, otherwise how on earth do you know what on earth is going on. Then actually set up a redirect.

[00:22:11] If you have HTTP and HTTPS, and we did actually have them running side-by-side for a couple of weeks, unless you’re actually redirecting people to HTTPS, no one is going to go there. Google had 80 million search results for us and those were all HTTP, so we had to update them somehow and Google will get there. I’ll show you a graph in a minute. You have to redirect and you have to do what’s known as an HTTP 301 redirect, which is a permanent redirect. Literally, we have gone from HTTP to HTTPS. You have to do this for every URL, every single one of them. If you do a 302, which is a normal redirect, if you’re doing a PHP or server-side redirect or any of that, that will normally do a temporary redirect, which is a 302. That isn’t good enough, you have to do a 301. You have to configure the NetScaler. I had to learn all the NetScaler rules. Anyway, I pressed the button and no one died! Thankfully. No one died. It’s August. What do you think was the actual benefit of doing this? What did we actually gain? Any bets on search engine average placement ranking? Any bets? No? No one even wants to hazard a guess? No, not further down, but some did go down. 0.2 places. So worth it. 0.2 places over – there was this crazy thing where Google updated their algorithm and then we did a massive re-launch literally 14 days later. We only have like a week’s worth of data we could actually save. This is exactly what HTTPS did.
It was only 0.2 places for the URLs that got updated during that week, which are our most popular URLs, so that’s okay.

[00:24:29] Anyway, that translates into less than 2% click-through, but 2% is actually quite good. That’s the thing, right? This HTTPS ranking, Google has made so much about this SEO ranking that it’s got blown out of all proportion. It’s described as a tie-break. A tie-break. What this means is if all else is equal and you’re on HTTPS and the other guy isn’t, we’ll put you above it. That’s it. The correlation factor between ranking and HTTPS is 0.04. For anyone who does maths, that’s like that, maybe. It’s not a direct correlation, which is 1; 0 is about there, that, nothing. Absolutely nothing. We did it anyway. This is, over time, how Google indexed us as a percentage of the total number of pages. That is the 7th of February this year, 2016. That is when we launched, the first week of August. Google is still indexing us after all this time, still going, because there’s so much. To take a large site over this journey, it does take a long time. That 0.2 is literally there on that many pages. That was still ranking there. What else went wrong? I suppose is the question. As I said earlier, Java is our stack. We have a slightly older version of Java than we’d like to have. It occasionally just stops sending requests. The next Monday I got in and someone said, “Steve, no one can make this prodigal premium listing anymore. It just doesn’t work.” Okay, great. How’s that my problem? There’s a request to HTTP in Java. Java doesn’t have – Trustwave is our certificate provider – it doesn’t have Trustwave’s root certificate in its keystore. These words mean nothing to most of you, but literally the request just failed completely silently until someone noticed because they couldn’t do stuff.
[00:27:00] Java did include this in version 7-ish, but upgrading Java wholesale will take just as long as this project, if not more, and it will take the entire engineering team to do it, not just me. It’s basically simpler to install all the missing CAs; however, a massive pro tip: always keep a non-HTTPS internal virtual IP. Always keep one around because someone or something will need it. Something will just say, “No, I don’t do HTTPS.” It will fail. Always keep one around and make sure you can do something with it.

[00:27:46] Now, on to performance. We could measure this instantly, right? We can measure exactly how long the TCP requests and the SSL handshake take; the Navigation Timing API version 2, which is supported by basically Chrome and a few others now, actually gives you this at a network level and reports it back to our RUM tool. Any guesses on how much time at the median, so for 50% of our traffic, how much time it added? 200, any further advances on 200? 2? No, in fact, it was only 100 milliseconds at the median, but this is the graph. This is the 50th percentile, the median; this is the 95th. 5% of our users, the slowest 5%, are there. That’s on desktop browsers because we are able to at least segment them. What about smartphones? I’m not going to let you guess on this one. It’s fucking awful. 2 seconds. 2 seconds at the 95th percentile and a good 250 milliseconds at the 50%, and I bet that’s pretty much everyone on Wi-Fi, rather than on mobile networks. HTTPS is fast. It is not free. It can add a lot to your initial render time. Now, I made the post yesterday and Ilya Grigorik, who wrote High Performance Browser Networking, which is what I then went away and took the book off my shelf and I sat down with the NetScaler documentation and I went through it and I tried to update it and tried to get things right.
He then basically in about ten minutes posted a forensic examination of Yell.com’s TCP infrastructure and pointed out all the different things we were doing wrong. Read the blog post, it’s incredible.

[00:29:53] Unfortunately, our problem here actually is the anti-scrape because we’re behind them, we’re beholden to what they are doing. We’re working on this directly with them and I’ve got a call tomorrow, talking with them about this. We’re trying to improve it but things like OCSP stapling, which also once again means nothing to people. That allows you, with EV certificates, to staple requests together, so there’s only one round trip to the server rather than two. That really matters, especially when you’re doing two hops. There’s a lot more detail in the blog post. I’m not going to go into any more than that. It is not free. Absolutely, guaranteed not free. This is not the biggest problem I’ve faced. It’s taken me an eternity to get here. End of August, one of my sales managers comes over to me and says, “Steve, our customers’ traffic has dropped off the face of the earth at about the time you did that flip to HTTPS. Anything you’d like to tell me?” Shit. What am I going to do? What the fuck am I going to do? Literally. We have many larger customers and obviously they use Google Analytics to – they don’t use all the data that we give them, that I spent ages getting to work to make sure we gave them. They use Google Analytics because we’re not their only supplier of advertising, obviously. Yell as a referrer dropped off. Now, there’s a very good reason why this happened.

[00:31:41] If you haven’t studied HTTP before: if you are on HTTP and you go to another HTTP website you pass a referrer, basically where you came from; if you go to HTTPS you pass it again; but if you, the source, are on HTTPS you do not pass it to HTTP websites because you are secure and they are not. Shit.
99% of our customers’ websites are served over HTTP, and of that 1%, a quarter are Facebook pages. I haven’t actually gone back and looked at what that stat is now. I don’t really want to know. Shit. Right, how do I do this? There are options. The W3C obviously has options about how to solve this. There is a referrer policy spec, where basically in a meta tag on every page, which would be very easy for us to do, you can add a referrer and set content to unsafe and it will pass the referrer to wherever the hell you want it to go. The browser support for this is that, and this is a great feature which, put against our traffic, is 70%. We could send 70% of it back. No. That’s not it. Suddenly – imagine the sales call next year, “Hey, we dropped 30% traffic. I’m not renewing.” Okay, right, so we can’t do that. What else can we do? Content Security Policy. Level two also has this; however, that browser support is approximately 40%. This is, in fact, how Twitter’s t.co service passes referrer information, because that’s on HTTPS and obviously that’s passing through to HTTP sites all the time. That sets a content security policy. Instead, we went and did things the old-fashioned way and I made a video. I literally went and made a feature which helped users use Google Analytics campaign tags, and that’s the best thing we came up with, and then we applied it to everyone. Literally, we send more campaign tags than anything else to our websites. The video is there if you want to cringe.

[00:34:06] That’s it. That is how many people I actually had to talk to in order to make this happen. I finally stopped talking to people about this about December, after I’d written this article. This article has changed a lot. Yes, it’s a massive amount of time for 0.2 places in SEO, for security. The problem with HTTPS is not technology. We can overcome that. The problem is the incentives; previously that said perseverance, but the problem is actually incentives.
Is there any incentive to carry on and do this? Maybe. Maybe. We can make this easier but there’s no real incentive at the moment. If we can get rid of the cost of DV certificates, Let’s Encrypt is fantastic, I absolutely love it. Do use it if you want a free certificate. You just have to renew every four months but otherwise it’s fine. CDNs, software as a service providers, they need to be HTTPS by default, they need to encourage that this is the way, that this is the only way. We need to provide more incentives to people. There’s a spec that used to be called “Powerful Features”; it’s now called “Privileged Contexts”, which means that features like Service Worker, geolocation, camera usage, that kind of thing, will only run on HTTPS domains. Service Worker already does, but geolocation, that’s happening soon. It’s already been deprecated as of Chrome 43. If you use geolocation on an HTTP website, you’ll get a warning in your browser console. I saw a couple of nights ago when I was looking into it a bit further, the commits have been made to completely remove it from insecure domains. Things are happening here. Chrome is being the aggressor. Great. Brilliant. Well done. Firefox is not far behind. It needs this push, not just to developers, to say, “Okay, we need to do this now. You can’t do this unless you have this.” Now, there are actually some really good reasons why Service Worker has to be HTTPS; there’s a massively long thread if you’re interested, which I linked to from the article. You can’t do HTTP/2 without it. We can’t do HTTP/2 because our man in the middle doesn’t support it, nor does our NetScaler right now, but it will do if we upgrade it again. Since it has, of course, over this period of time had a major relaunch.

[00:36:54] HTTP/2 is fantastic. The performance gains you get out of it, we’re predicting about 30% performance improvement, which will take us from a median of about 2 seconds to 1.6.
That kind of improvement just from HTTP/2 is fantastic and if you’re looking at performance, that’s the killer. However, it does need more support. The CDNs don’t all support it right now. It’s coming but it’s not quite there yet. Search engines need to make it a stronger signal. Some business people get the performance argument, some business people get the security argument, but they don’t really. What they get is, “Hey, you’ll get more business from it because Google will send more people your way.” That needs to be stronger; 0.2 places is bullshit. It needs to go up. Browsers need to warn against HTTP. If you were at the Chrome Dev Summit at the end of last year, Emily Stark stood up in front of everyone and said, “In 2016, we intend to basically put that red cross through HTTP at some point.” That is going to be amazing. It’s scary as, yes. It’s scary because Firefox is going to do it as well. No one else among the browser manufacturers has said anything about it, but they said they’re going to do it this year. It’s going to take a lot of time. Everyone is going to be warned but they want it to happen. It needs to be a massive incentive because if you went to an HTTPS website and you saw the red cross through it, that’s going to send you running. If you went to an HTTP website, it would send you running.

[00:38:53] People need to be educated about this. Google have just launched a migrating to HTTPS guide, that Matt Gaunt helped to write, and hopefully through talks like this everyone will understand more what big orgs have to go through in order to do this and why a lot of the internet isn’t on it. Smaller orgs, great. Put a cert on your server. Do Let’s Encrypt, done. The Yell blog that we wrote in order to do this, I did a Let’s Encrypt cert, it took five minutes. That’s how it should be. It isn’t and that’s the web. There is a TAG document on moving to HTTPS as well. Finally, what’s next?
We’re going to improve TCP performance, we’re going to go to HTTP/2, we will then be able to take a look at HTTP Strict Transport Security, which is another way of doing the 301s. Basically, the browser, if it knows about it, will attempt to automatically upgrade HTTP connections to HTTPS if it can and if it knows about the header, which is a really useful way of catching the remainder. We can’t do it at the moment because our CDN doesn’t work and then all our videos on Yell.com will break. Then we’ll do Content Security Policy. You can also set cookies to be HTTPS only; whereas, at the moment, they’re set to be HTTP only, so some of the cookies don’t quite work. I only found out about that yesterday. Still, you learn something new every day. We’ll get our CDN done.

[00:40:31] Thank you. I hope you’ve learned… what have you learned? I hope you’ve learned that HTTPS is hard. It is. It is worth it. In the end, it is absolutely worth it and it certainly will be more worth it by the end of the year. If you want to do Service Worker, you’ve got to go for it. There are barriers. They can be overcome, all of them. Doing so, you will probably be in a much better place for it. Thank you for listening. Thank you. I’m on Twitter, the slides are up, and there is an epic blog post there if you do want to read it. Thanks.
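The cut-over mechanics the talk runs through, as an added example written for this page and not Yell.com's code, NetScaler configuration or the speaker's own: the 301 from every http:// URL to its https:// twin, the HTTP Strict Transport Security header and Secure cookies mentioned under "what's next", the Referer header that an HTTPS page stops sending to HTTP destinations, and the campaign-tag workaround. Hostnames, the cookie name and the utm_ values are assumptions chosen for illustration. `referrerFor` follows the Referrer Policy spec's rules for the five policies it names; `no-referrer-when-downgrade` was the browser default at the time of the talk and is what caused the referrer drop, while current browsers default to `strict-origin-when-cross-origin`, which also withholds the referrer on a downgrade.

```javascript
// Added example for this page: the HTTP-to-HTTPS cut-over rules from the
// talk, modelled as pure functions so they can be checked offline with
// `node`. Not Yell.com's code. Hostnames, cookie names and campaign values
// below are assumptions chosen for illustration.

// 1. Redirect every http:// URL to its https:// twin with a 301.
//    A 301 is permanent, so search engines replace the indexed URL;
//    a 302 is temporary and leaves the http:// URLs in the index.
function httpsRedirect(requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol === 'https:') return null; // already secure: serve the page
  if (u.protocol !== 'http:') throw new Error(`not a web URL: ${requestUrl}`);
  u.protocol = 'https:';                    // host, path and query are kept as-is
  return { status: 301, headers: { Location: u.href } };
}

// 2. HSTS: a browser that has seen this header goes straight to https://
//    next time, so the 301 is only needed for first-time visitors.
//    Only add includeSubDomains once every subdomain (e.g. a CDN host)
//    serves HTTPS; otherwise those subdomains stop loading.
function hstsHeader(maxAgeSeconds, includeSubDomains = false) {
  let value = `max-age=${maxAgeSeconds}`;
  if (includeSubDomains) value += '; includeSubDomains';
  return value;
}

// 3. Secure and HttpOnly are independent attributes: Secure stops the
//    cookie being sent over http://, HttpOnly hides it from script.
function secureCookie(name, value, path = '/') {
  return `${name}=${encodeURIComponent(value)}; Path=${path}; Secure; HttpOnly`;
}

// 4. The Referer a browser sends when a link on `fromUrl` leads to `toUrl`,
//    for the listed Referrer Policy values. A "downgrade" is https:// to
//    http://; under the 2016 default (no-referrer-when-downgrade) nothing is
//    sent in that case, so HTTP-only sites lose the HTTPS site as a referrer.
function referrerFor(fromUrl, toUrl, policy = 'no-referrer-when-downgrade') {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  const sameOrigin = from.origin === to.origin;
  const full = () => {
    const r = new URL(from.href);
    r.hash = ''; r.username = ''; r.password = ''; // never sent in a Referer
    return r.href;
  };
  const originOnly = () => `${from.origin}/`;
  switch (policy) {
    case 'no-referrer':                return null;
    case 'no-referrer-when-downgrade': return downgrade ? null : full();
    case 'origin':                     return originOnly();
    case 'strict-origin-when-cross-origin':
      return downgrade ? null : (sameOrigin ? full() : originOnly());
    case 'unsafe-url':                 return full();
    default: throw new Error(`unsupported referrer policy: ${policy}`);
  }
}

// 5. The fallback the talk describes: since the Referer cannot be relied
//    on, tag outbound links with Google Analytics campaign parameters so the
//    destination's analytics still attribute the visit.
function withCampaignTags(toUrl, { source, medium, campaign }) {
  const u = new URL(toUrl);
  u.searchParams.append('utm_source', source);
  u.searchParams.append('utm_medium', medium);
  u.searchParams.append('utm_campaign', campaign);
  return u.href;
}

// Stand-alone demo of the downgrade case described in the talk.
function demo() {
  const listing = 'https://www.yell.com/biz/acme-plumbers-london-123/'; // assumed URL
  console.log(referrerFor(listing, 'http://www.example.com/'));               // null
  console.log(referrerFor(listing, 'http://www.example.com/', 'unsafe-url'));
  console.log(withCampaignTags('http://www.example.com/',
    { source: 'yell', medium: 'referral', campaign: 'listing' }));
}
demo();
```

Two practical caveats the functions encode: a 302 would leave the http:// URLs in search indexes, so the redirect is hard-wired to 301; and `includeSubDomains` is off by default because HSTS with that flag makes the browser refuse plain http:// for every subdomain, which is exactly the CDN-host problem the talk mentions. Note also that Secure and HttpOnly are different things: the cookie line sets both.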