 I've got to give you this disclaimer up front: I'm an IT nerd, I would say, so if I dive too deeply into talking about this stuff, please just wave your hand. I know it can get very, very boring for people who, I don't know, might not want to get that many technical details, so please give me a note, I might not notice this myself. But, let's start the next hour, 10-15 minutes, maybe 20, let's see how many meters I've got. I want to introduce you to basic principles of HTTPS, why it's useful, and most of all, why you really, really should use it and start right now. If you have questions, there will be Q&A at the end, I believe. If there's something very weird to you on the slide, just also wave your hand and ask a question. So, I hope I get very, very packed up beyond this, but I really try to take care of everyone and get you on the level that's also technical, but not too technical and give you off some high level details to tell it to your customers. Because that's what all about, someone has to pay for the implementation or something else and I want to give you the weapons and also the ammunition to get this running. First of all, HTTPS, what does it complain to? It is some kind of a validation stuff, an authentication stuff, and consists of some levels. It's like there's some basic stuff, there's some fun stuff, and I want to give you an idea of what's all about there. Because HTTPS, sadly, is not like HTTPS, it's very different, you should know about it. From start, there are validation levels. So, what does it mean with validation? What's validated? And that's exactly what's all about. There is a domain validation. Let's have something from the show outside, and buy the certificate, buy something, buy SSL. And the first question you have to ask yourself is what level of validation do I require? If you have to think about it, there is something at the end that's priced. And the levels, I will start here, they are also the increased price that the most top one is very cheap. 
 And at the end, there will be something really, really expensive. If you need something of it, you should know afterwards what you need. The first one is the domain validation. The only question it answers is the domain that it's doing all for is the domain's own controls. You get an email, you click a link, and it's done. That's all the validation that will happen at the domain validation level. So, that's where the logic of that. On the second level, you see it also slices cake there, it's getting neutral. You've got an organization validation. It's not just the domain you have to validate. If you own the domain, that's nice, but that's not enough. You have to have some organization records, so some tax number, you have an address, you have a bank account. You have to prove that stuff. So if you have an organization validation level certificate, then you can also say, okay, that's not just the domain owner, but it's also a corporation or a company or organization that's behind the domain. The last one, it's like a birthday cake. It's the nice and very neat green location bar in the browser when you're visiting your bank website, hopefully. It's not usually the main source of the bank account, just an advice. And the green is because the extended validation, if you want to get an extended validation certificate, it's the same as yes. It costs you time, it costs a lot of money. But at the end, you get a nice green website, you get a nice, validated logo, and you get this nice certificate that says you own the domain, you own the company, you tell them you own, and it really exists. So this is a sign of trust and really is. The real use cases that come up are these ones. At the top level, you can see the most basic and the most important useful feature of SSL and HTTPS is encrypting the data between the browser and the website. So saying this on the left side, you see those nice green checkmarks. It doesn't matter which kind of validation you use. 
 It really doesn't matter. Each certificate is as good as the other one. We'll make sure no one in between the communication line between your browser and your smartphone or whatever, and the website that you're talking to can tap into that connection and with all the data. On the opposite side, if you do not use this encryption level, and you're surfing in a nice Wi-Fi hotspot right here, and you have an unencrypted site, someone who gets into that connection, and that's easy by the way, can read all the data that's transmitted there because it's plain text. All your user data, your passwords, it's plain text. They will just be transmitted really well for everyone. It sounds scary and yes, it is. At low cost, there is the only use case to use something else as a domain validation certificate. It is if you need to know who you're talking to. So I made the example of a bank account. That's just one example. You can account with many more like your health insurance, or wherever you have very, very sensitive data stored, then it is just not enough to ensure the data on the connection, but you also need to know that the data in person you're talking to is the person you think you're talking to. If I say person, are you being a server or organization or whatever? There are no people behind there at all. The organization validation certificate, as you can see, is from my opinion, there might be other ones saying different, it's quite useless right now, because if you really want to make trust, you have to use an extended validation. The organization validation is too easy to fake, and my at some level of trust, obviously, you will need that trust to use an extended validation. Everything else, the domain validation for just 0 to 10 bucks will do the trick. Don't think too much about it. The next slide. This is the same one before. This is a bit technical, so I try to rush through it. 
 HTTPS is not as safe as it might be everywhere, because it depends on how you implement it and how the servers configure it. There are some parameters that you have to turn them on. If you don't understand it, don't get it. It's not bad, just here, turn it on. So, it's a cipher suite. That's the way it's encrypted, so it's like the encryption algorithm. You might have heard of many sets up broken in the last time. Those in both are the encryption cipher suites you can't use, and if you have someone you can figure out that you have to use it. In a perfect way, you've also already done that for you, and you don't have to worry about it. If you have your own server implemented, is that something you should take care of? The second one, the hash algorithm, that's something that the certificate provider, so the company where you're buying the certificate, has to take care of. Before that, you also have to take care of that. The hash algorithm is the right one. Too technical, I understand. The last thing, server configuration, very, very important stuff. It's quite easy to configure. It's just a property in your Apache or anything, so whatever you use, if you host yourself, you have to make sure that those legacy codes, like SSL 3 and TLS 1.0 are disabled. The leaders have to use the enabled methods to circumvent a set of encryption, and it's useless again. The other stuff, they're involved again in good stuff. Last thing, certificate provider. I'm going to have to go now. Search for Honest Achmed and SSL. It's a very, very funny story about how the SSL system is broken. In terms of, it's just there to make money. It is. But, on the other hand, it's very funny to read how to get back on that system. If you need this very scientific model, or there are many other providers who will provide you with certificates, there are some reasonable providers to get certificates. 
 We had also in the last years enough cases where certificate providers, at least there were Dutch companies or other companies that were hacked, the certificates were broken, and they were useless again. So even worse, people could create certificates and sadly, it is happening again, because sometimes they can create certificates for Google.com or other websites that you never would expect if there is a green HTTPS. You're not talking to Google. So make sure you take some responsibility for your certificates. Now back to business part. If you go out and think about HTTPS, the first thing you will get in mind is: oh, I have to pay money for that. The first thing your customer asks is, why should I pay money for that? My website will run even without it. The answer to this is yes. It will run without it. And why should someone buy a HTTPS when it's just that nice green bar in your browser? It's true. As I explained to you earlier, it is encrypted communication. If you use it to go to Starbucks or some public Wi-Fi hotspot, it doesn't matter where you are and there are many people out for it or shopping malls, I don't care. It doesn't matter. Many people on one Wi-Fi network that might also be at home. It doesn't matter. All the traffic runs through the same network and everyone in this network can read it. They can tap into it. It's called Man in the Middle. So it's technically not hard to achieve that situation. The network isn't probably secure. And most of the home or public network, they aren't secure for that. So security, if you want to log in to your WordPress and your credentials are not for the public team just by plaintext with the username and passwords, HTTPS makes real bad. Oh, this is my favorite one for selling people. If people tend to say, oh, my website is so important to my business, HTTPS might get the tip on the Google ranking. Because it's nice. It's a very, very simple to implement and very nice mission to the Google ranking. 
 They do that for some time now to upload those sites to offering HTTP connected. So why not use this as a selling point for customers? Most important for the whole stuff, I believe, is HTTPS is meant to give trust, to make people trust your website, to make people giving data to your website. Because you're talking to business relationships. When you enter your private details into a website that you don't know where it's built, honestly, would you go to some website and enter your address, maybe your birthday, your email address. When it says, just enter all your personal details. Enter password here and you'll get something for free. I believe you've never looked in that process. Grab your password. On the other hand, taking a shop website, HTTPS is one of the factors that add trust. They're showing that here is someone really taking care of your data. Because your data is what matters. Your data, my data. That is what belongs to us and giving that away. Something that requires trust, imagine. Raising trust with HTTPS is something technically spoken, something that we should do to honor those submissions of data to our service. If you see it differently, you should reconsider, but one of those people who wants to take care of their data, same situation in the airport, sending all your personal data to websites that doesn't use HTTPS, everyone can read it. You really want that? I won't. The last point, this is a very, very recent point and it's, in my opinion, making the role as a self-HTTPS story being strong. HTTP 2.0, it is coming. It is arising. It is an RFC by now, so it's standardized and implementation in web servers and browsers is going on. It is coming. And it will be the future of the internet as it makes all the points to a better level, which is the current protocol. Those of you who don't know what HTTP 2.0 is, HTTP, you have seen it in the browser, HTTP colon slash slash. 
 This is the protocol which makes communication between the browser and the server, so it's kind of language. This language, sadly, is some years old now. It has several decades on it and HTTP 2.0 is the way of making better. Better in terms of, it will be faster. It will be more modern by design and it's an approach to get all the stuff out of the way that I'm making in websites, loading times to go up or... Nah, I don't know. Many things take into this program will get better and HTTP is also part of that. Many of us got a lot of attention in WordPress right now. On the main blog, if you're interested in, there are times about what is needed to be done to get WordPress on HTTP 2.0. To be honest, there's nothing that has to be done because it's just building up into the old HTTP and it's breaking nothing, so it's backward-compatible. But, and that's the main point here, the HTTP 2.0 arose from SPDY. I don't know if many know that Google implemented SPDY, a protocol to make it faster. They had a kind of experiment. We know Google do their stuff, they make experiments and they show it away and it was a really great approach but it was only meant to work with HTTPS. Now, HTTP 2.0 was standardized and they said, ah, no, we don't want to make it HTTPS only. So that's the standard, but right now, those major browser vendors we all know and I was personally also shocked that also Microsoft did this approach. They say HTTP 2.0, but only with SSL. So, I guess you get the point. Not having your website on HTTPS in the near future will cut you off on the next step of internet speed. Also, web servers like in the 80s, 80% of the internet right now, they all say HTTP 2.0, yes, but no HTTP 2.0, not without SSL. I guess you get the point here. Now, what to do? Actually, it's quite simple. If I haven't looked at it already, now, the very, very easy and quick steps how to get websites on SSL. It is really easy. The first one, buy HTTPS. Rule of the buy, get a HTTPS. 
 You don't have to buy it anymore. I guess you got the point. The second point, you have to install it. So, it's nothing worthless. This is web server power. You have to have someone that's able to install it to your web server or maybe you have a hosting provider who has a nice interface or a web channel and you have an HTTPS button there or something like that. That's what you have to do first. You have to do this for your main thing and get a client there. That, sadly, won't make WordPress work with HTTPS instantly because WordPress is still HTTP by default and that's something that's luckily very easily changeable right now. So, all you have to do, open your WordPress, open the settings in WordPress, open the general tab, find those two fields, and say, WordPress Address, the Site Address, all you need to do is that necessary. Sounds magically, but isn't. Edit and then press the Save button and you're nearly done. Not completely, but nearly. So, you've done that most of the way done. Now, the nice part of it, what's this called? It's fully done with that. The bad part? Only what's this called? Existing content, blog posts, or whatever. You know, everything that's in a nice big text field it won't be changed automatically because there's unstructured data. There is just a link containing HTTP, and the URL to your site, maybe images or media content and that cannot be changed automatically because, you know, there's no logical relation between protocol change and just this HTTP as in those content. But it doesn't matter. You can also change that. The other thing that you need to take care of on the way to HTTPS is plugins. Plugins seems that you take external content. External content, this case, means the news of Tom Bosson or the jQuery library from jQuery again, or Twitter API, or you name it. Everything that's not on your server. And also, things that are on your server. 
 So if you write this in your site for your plugin and you include resources, and there might be, I don't know, a reason why you don't use it in your scripts, what you should do, by the way, only include sessions to work as a functionality there. Then you might just edit the HTTP because you just don't know how to wait. The other thing, ad networks. We work with some customers who use ad networks to deliver ad works on the websites. Seriously, and I honestly don't understand why. Those networks are in some kind of prehistoric state, and they don't offer HTTPS. I don't know why. It might be a close thing, but they don't have it. There are customers that are here, but I don't understand why. It doesn't make any sense. It's like, I don't know. I don't have anything to compare with that. So make it better. How to make it better? First thing, text, blog posts. You can migrate it. It's not that hard. There are plugins with repositories that are called release search and replace, for example. They move through the database and they search for string replaces. So that could be approach to it. You can also, if you know how to, manually change that. I wouldn't recommend it if you don't know what to agree, but those plugins are also working fine. Search for HTTP with the domain and replace it with HTTPS. The second part, if you have introduced so-called theme plugins, as I mentioned, there are two very easy solutions. If you have an external user, Twitter, Facebook, whatever, just use HTTPS for that. And if you use a plugin that includes something without HTTPS, just use HTTPS or make the plugin authors change it. All the big providers out there, Google, Facebook, Twitter, Instagram, they all have HTTPS support. And it's... It's not gonna hurt if you don't have an HTTPS site and you include HTTPS. But the other way around, if you have an HTTPS site and those content are absolutely new to you, then you get a yellow HTTPS. Because of content, your website includes is not safe. 
 Said in easy terms. If you have a website with HTTPS with content without HTTPS, you can forget the whole security stuff and it's just without it. Why? Because there is one link in the security chain. That's broken. That's broken because of that, and now it seems as if it's important. You don't want to do that. For the internal part, you have to be a little bit more careful. The easiest way would be just use the WordPress core functionality to enqueue scripts and actions that are there. They will handle everything. There is still a reason you don't do that. Just remove the HTTPS from the URL you're including and those imports will automatically select HTTPS dependent on the HTTPS opened and what protocol it is. It is latency. Nothing that networks if you want to and need to use it and they don't have HTTPS, make them or leave them. Forget it. HTTPS should be more important than delivering ads on the website. The provider doesn't really know why it should be important for external users. And honestly, there were enough examples where ad networks were hacked and used to deliver a network. There were fans of such things. So it's that version that includes code or anything else from someone external to trust. I don't trust that approach. In conclusion, what does code has everything to do with it? We are there on the last meters because there are still some things about HTTPS in the bug tracker but they will be fixed and I don't think that will be too long because HTTPS will be on focus. HTTPS has to work. So we are on a good line here. All you have to do is get certificates, install it, name the settings, change the content and it is still speaking about why it should pay money for all those certificates. It shouldn't. Let's conclude. 
 For those of you who haven't heard of it yet, it will be the solution for all this name about money for HTTPS is too hard to install because it is a tool brought to you by Mozilla, and also automatic part of this one great HTTPS anywhere. And what it does is for one, it provides certificates for free. Free. Totally free. Lifetime. No one here and then the pay is free. And it will be on a level that will one meter of metadata be paid certificate with a new one because that is how it works. What do you have to do there? It has to be implemented. So someone of your most someone who knows what it is doing has to submit that on the server and everything else should be run by the server. If you don't know that, there might be a possibility to generate those certificates also on the website. I don't know if they really want to do that but there might be a service service. Anyway, remember I left you fruits and questions I need so yeah I personally have really really big and huge options for them because every discussion, every why should I pay why isn't that for free it will be. I hope that we have at the end of the year a solution that HTTPS is possible for everyone without any limits. If you're still considering moving to HTTPS you can't wait for this one but nevertheless, for example, start to sell offering free facilities right now. You can't start with that and it's not that much of a work to submit but the benefits are great and they are on a level every month of the summer. Yes, I am really eager for that. So go for it if you get right now. Thank you very much. Questions for Jan? I don't quite get it but what about external links that still point to the HTTPS? Backlinks are in their age and this is about external inclusions. If this group needs JavaScript for example Facebook, so the Facebook integration is like us, or if you require some Twitter integration code then you're good to go. 
 Coming back to my question, why is it if somebody links my web page as made to be it will still it doesn't matter? It has nothing to do with external links that are stuck in your website. The tools come from outside to your website. So anybody linking to my website for him it doesn't matter it will get an answer without. Sorry, I got the wrong but it was confusing. What would you recommend for migrating from a site that is running on HTTP to HTTPS in terms of SEO? Do it. I haven't seen many cases where there was a slight drop in terms of traffic. So how would you recommend this move migration here? Yes, good point. Honestly a very good point because you have to take care of 7 points. The easiest solution would be just offer your website HTTPS only. So you configure a redirect from server level if the customer come to the HTTP he will redirect to HTTPS. If you do that with the 301 redirect Google will know. So if you have the breakdown it will usually happen because Google maybe recognized your HTTPS domain as traffic and content. This can happen. But if you always use HTTPS redirect all the traffic that shouldn't be an issue for you because there is no HTTP domain anymore. With the 301 redirects Google will also get notice of all the chain domains from the solution HTTPS only in your level. I'm on the way there, redirect I'll do the one solution. Great. Now you have to get your hand up. That's the last question. So you now say recommend like Let's Encrypt because it's free but why would you still play financial when Let's Encrypt is live? Usually. Now we also said the extended validation that you should basically pay for your money when you start working. Yes, I will. Good point. Let me move back to the beginning. It's all in the beginning. Let's run it all starts. The upper case and encrypting the data Let's Encrypt will be for free. So as I said all validation is used as a typical level because of the weight of money. 
 The domain validation will be provided for free by Let's Encrypt. What they won't provide because they cannot you know, Let's Encrypt automatically. It's true. It's running. They cannot validate if you exist. They can just validate that the domain you create a certificate for is a domain you control because they extend the email to you. That's it. So you pay for the validation and in my opinion it's very fair to pay for that because the company is behind it. You are you. You are at least the one you intend to be. And in this way this is what you still pay for and this is what lets you fill the cover. This is what 99.99% of the people need for the websites and these are the remaining special use cases where you need more. So that's a simple line. Okay? Great.