|brotherhood of LAN|
| 3:27 am on Aug 9, 2014 (gmt 0)|
I don't see anyone getting angry, bemused maybe... but it's the same old chestnut of whether we want to play the ranking game or not.
>Google says jump and we say how high
Hehe... true isn't it.
FWIW, I've already noticed a well-known CDN-type service that is providing free SSL in the coming months. Anyone behind those kind of gateways would only need SSL enabled between the client and the gateway which wouldn't require any further action on your own server.
| 3:35 am on Aug 9, 2014 (gmt 0)|
|Instead of getting angry because Google is encouraging HTTPS by making it a "lightweight" ranking factor, site owners who are aware of the announcement should be counting their blessings |
As one who works directly with a number of small businesses, I can tell you they are not jumping for joy by being blindsided with this expense. Many of these businesses are service providers and accept no online payments whatsoever. Despite logic, the vast majority of these business owners believe that if Google says something then it must be done. Therefore they are spending money on Certs, getting dedicated IPs if they don't already have them and some are taking this opportunity to upgrade their hosting to VPS or dedicated servers.
I'm not complaining because our workload just dramatically increased. How these expenses are received are in the eyes of the beholder. And many believe that encouraging SSL should have been publicly debated instead of forcibly pushed out with absolutely no notice. I'm in that camp as well.
Our staff was reduced after Google nuked a lot of small businesses. Now our staffing level is not at par to address the demand and work needed to accommodate/test SSL upgrades. If there were some notice, then design agencies and SEOs may have been better prepared to address the demand. Out of consideration to the webmaster and SEO community, Google should have set a target date for when it would be introduced as an algorithmic ranking factor. But just like Google does in most other cases, there is no consideration given to anyone but themselves. Maybe this lack of consideration is a simple oversight or an arrogant monopoly flexing their muscles. Once again, how this is perceived is in the eyes of the beholder.
| 6:35 am on Aug 9, 2014 (gmt 0)|
I was reluctant to share the link, but, as people asked, here is ONE site selling cheap certificates:
If you click the "features" tab you will see that they have 2048 bit keys.
I agree that increasing demand for IP addresses is a problem, but by the time Google increases the importance of this signal Windows XP will have declined further. Even now, lots of sites will be getting very little traffic from IE on XP, so this may be a good time to drop support - in which case you do not need a separate IP, just use SNI.
Even if you must support IE on XP, if you have multiple sites of your own, you can use one IP for the lot and use a multi-domain certificate: last time I shopped around they started from about $30/year.
| 9:31 am on Aug 9, 2014 (gmt 0)|
There's a lot of unnecessary panicking going on, IMO.
The whole purpose of an SSL certificate is to protect data transmitted between a website and a visitor. If there is no data to protect then a certificate is worse than useless.
I have no doubt that Google's message is aimed at those sites that ask visitors to input data into a form but who do not protect that data with encryption. For other sites, that simply provide information, encryption is completely superfluous and since Google are well aware of this the benefit of installing SSL on such a site will be at best zero and possibly even negative.
Unless I'm missing something, the majority of people who will now rush out for SSL certs will be wasting their time and money.
| 10:21 am on Aug 9, 2014 (gmt 0)|
Does anyone know if you need to get the certificates from your current hosting company or can you buy ones from say namescheap and still use okay? My current host is like £160yr per domain.. : /
| 12:21 pm on Aug 9, 2014 (gmt 0)|
|Does anyone know if you need to get the certificates from your current hosting company or can you buy ones from say namescheap and still use okay? My current host is like £160yr per domain.. : / |
You can do it yourself - if you're able to. It isn't easy. I installed my first one more than a decade ago but I get the hosts to do it now. It can take a lot of time and patience if you're not familiar with it.
| 12:30 pm on Aug 9, 2014 (gmt 0)|
> ...many of the lessons taught by Heartbleed persist
The lesson I took from Heartbleed was that sites implementing SSL were, in the main, less secure than those with no encryption at all.
| 12:34 pm on Aug 9, 2014 (gmt 0)|
You probably should ask your host if they are okay (and if you have sufficient access) with installing a 3rd party certificate.
|I have no doubt that Google's message is aimed at those sites that ask visitors to input data into a form but who do not protect that data with encryption |
No, they mean everyone. They were quite clear on that. [thesempost.com...]
|Out of consideration to the webmaster and SEO community, Google should have set a target date for when it would be introduced as an algorithmic ranking factor. |
They more or less did by saying it's a very minor factor at this time. Google doesn't give target dates, you must realize that by now. So tell your clients to hold off for a few months and see how it all shakes out. Unlikely they're going to suddenly tank big time just for lack of an SSL certificate, if all their other signals are good. Plus who knows, the cost and ease of implementation might come down.
Don't rush into anything; I'm not. All the ecommerce sites under my purview already had SSL certificates, though not all of them are fully HTTPS. My event sites can wait; I'm not going to leap into anything (and I sure don't want to give up all the social shares I've garnered over the years, which number in the hundreds of thousands in some cases).
There's no fire here. Yet.
| 2:16 pm on Aug 9, 2014 (gmt 0)|
|FWIW, I've already noticed a well-known CDN-type service that is providing free SSL in the coming months. Anyone behind those kind of gateways would only need SSL enabled between the client and the gateway which wouldn't require any further action on your own server. |
I've got the "pro plan" version of that service, and it took me about five minutes to implement SSL on our secondary site. (I'll see how things go on that site before making the change on our main site.)
An SSL testing tool gave the secondary site a grade of "A," so apparently the "CDN-type service" knows what it's doing.
| 3:38 pm on Aug 9, 2014 (gmt 0)|
|No, they mean everyone. They were quite clear on that. [thesempost.com...] |
Maybe. Maybe not. You can never tell with Google. I shall watch what the big brands over here are doing, they usually know a bit more about the algos than we little people, for some reason. Right now they are securing payment and contact pages, but nothing else. If that changes, then it's time to panic. Until then there are other priorities.
| 4:19 pm on Aug 9, 2014 (gmt 0)|
|netmeg wrote: |
Don't rush into anything
That's good advice.
I'm not going to do this for my sites anyway, but for those that are considering it, this is the type of thing that needs careful thought. Doing it solely because of Google isn't sufficient reason, but for some kinds of sites there could be other reasons.
Also, as netmeg suggested, during the next few months the costs might come down and providers might make it easier to implement.
| 4:28 pm on Aug 9, 2014 (gmt 0)|
|as netmeg suggested, during the next few months the costs might come down and providers might make it easier to implement. |
They already are, and Google's announcement will accelerate the process.
| 10:16 pm on Aug 9, 2014 (gmt 0)|
* If it's appropriate for a site to be secure in Google's estimation - either it is or it isn't... and a percentage bump is either applied if it's secure - or not (and possibly a percentage dump) if it isn't secure.
* If there is no good reason for the site to be secure in Google's estimation - this aspect of the algorithm obviously doesn't apply to that site.
| 2:50 am on Aug 10, 2014 (gmt 0)|
Basically, Google keeps essentially saying "Don't manipulate things." But with it's announcement, it's basically dictating webmasters/site-owners to manipulate things. For the betterment of the web, of course.
Oh, the contradictions in what Google says in one place v. what it says in others.
I could go on and on about how nearly everything Google says/announces contradicts it's own guidelines, but I'm sure there are some prominent posters who will disagree and support "manipulation" of the algo, as long as that manipulation is how Google says to do it, even though Google essentially says not to do it within it's guidelines, so better for me to not bring up too much reality.
A Few Quick Examples Focusing On "If Search Engines Did Not Exist?"
Would most people:
Nofollow links? Nope
Refuse to join a webring? Nope
Quit publishing press releases? Nope
Quit submitting to directories? Nope
Refuse to give reciprocal links? Nope
Remove ads from above the fold? Nope
Create a disavow file? Nope
Switch to https? Nope
Have stopped doing *anything* or started doing *anything* other than what the web was built on -- Meaning *stopped* creating links and entrances, rather than *started* spending time disawoving or justifying links to search engines? Nope
How is it those who refuse to do the preceding or change what they're doing today, even though they likely would do those things if search engines did not exist, yet change due to Google's algo and announcements, are *not* violating the guideline from Google I cited by kissing search engines a** and doing what the major search engine says could/can "manipulate" it's rankings for a site to [hopefully] rank higher?
| 4:11 am on Aug 10, 2014 (gmt 0)|
I just upgraded a few sites to SSL - right before hearing about Google's announcement. I had other reasons for the upgrade, but the potential rankings boost was a nice plus.
One thing that should be cleared up is that you do NOT need a dedicated IP for each site on SSL. There are basically two approaches for multiple SSL sites per IP. Either you use SNI/TLS and then use one cert per site, or you use a single certificate that can support multiple host names. There are some significant downsides to SNI/TLS - basically it should only be considered in shared hosting environments where multiple organizations share one IP - and then you have to realize that browser support isn't as good as it should be, so it shouldn't be used on "important" websites - but they're not likely to be on shared hosting in the first place.
The other approach is certificates that support multiple "host names". Wildcard certificates that support any subdomain in a domain are the type most people know about. But there's another type as well - UC SAN certificates. With those you can have any host name from any domain - they can even include the equivalent of wildcard certs. Functionally they work and, are installed, just like a wildcard cert.
UC and wildcard certificates can be installed (simultaneously) on multiple servers, multiple IPs and even multiple NamedVirtualHosts on the same IP (something my host thought was impossible until I pushed them to actually do it).
Basically you should change your thinking about certificates and stop thinking about them in terms of one IP / one cert per site and start thinking in terms of one cert per organization. Because all the host names are visible when you load a UC cert, this means Google can see common ownership (or management) of sites that use a common UC cert.
The bottom line for me is that my company can now use fewer IP addresses and have more sites protected by SSL - the opposite of common wisdom.
In terms of cost I'll say I just paid $1185 for an 11 host name x 3 year cert. So about $36/year/hostname. I can modify which host names are in the cert at any point, and add new host names for $20/year/host. So it's all completely flexible. UC certs do have a high upfront cost (the first three or so host names are far more expensive than a regular cert), but the more host names you add the cheaper they get (per site).
| 7:14 am on Aug 10, 2014 (gmt 0)|
As I said earlier, browser support of SNI is everything other than IE on XP, which is a combination that is in steep decline. People using an unsupported browser (IE8 is the latest version that runs on XP) on an unsupported OS (OK, a few big organisations have custom support, but that is not most XP users) are going to have to change soon.
| 9:13 am on Aug 10, 2014 (gmt 0)|
2000s - "build sites with your users in mind, nothing else."
2010s - "oh, we forgot to say, WE are your users, omglolz!"
2020s - "erm, we don't think these three Asimov laws apply to us really, we're going to add a fourth sort of all-encompassing one."
|Martin Ice Web|
| 1:17 pm on Aug 10, 2014 (gmt 0)|
Isn't it that cookies with secure flag set are not readable outsite of this https connection? This will be hard for user tracking fron other ad companies and retargeting ads on websites.
And again google has an adavatage seeling ads.
| 1:21 pm on Aug 10, 2014 (gmt 0)|
|I sure don't want to give up all the social shares I've garnered over the years, which number in the hundreds of thousands in some cases |
You don't lose the social shares if everything is done right (I mean 301 redirect). I've done that twice this year and every time (in some time frame) all the shares were transfered to the new domains (in one case it was just www to non-www and the other one was totally new domain).
Some say, that there is no point of going https for, say, info sites. But how about all that NSA stuff and privacy in general? Aren't your users concerned about eavesdropping from many sites that they visit and then the bad guys making their profiles of some soft and then using that information for God knows what for?
| 1:37 pm on Aug 10, 2014 (gmt 0)|
|Quit submitting to directories? |
The real question is would they quit publishing to directories that get no traffic to get page rank? Yes.
|Quit publishing press releases? |
Lots of people publish press releases. The only ones you have stopped are those who were doing it just for page rank. Another Yes.
Yes. I am not going to rush into doing it because of Google, but I think all sites will be https eventually anyway.
| 2:59 pm on Aug 10, 2014 (gmt 0)|
|Yes. I am not going to rush into doing it because of Google, but I think all sites will be https eventually anyway. |
Exactly. Google didn't invent HTTPS, and Google isn't forcing anyone to use it. Google is merely signaling its intentions, just as it did when it said that site speed was a new ranking factor, that paid links should be nofollowed to avoid penalties, etc. Some people may feel that ignorance is bliss, while others will be happy to have the "heads up."
| 3:07 pm on Aug 10, 2014 (gmt 0)|
A few questions for you guys...
Does this mean all internal links to all pages of my site should be https, or just that https should be available?
|Use relative URLs for resources that reside on the same secure domain |
So, on https pages, link to other https pages without specifying the protocol explicitly? Are there other implications?
|Use protocol relative URLs for all other domains |
Change all outbound links to protocol relative? Shouldn't that depend on the site being linked to?
| 5:31 pm on Aug 10, 2014 (gmt 0)|
I think the rankings boost question is a distraction from the actual message put out - which was that all sites should be using HTTPS for their content and that "for now" it would only be a minor rankings boost "while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web."
Google's article is here: [googlewebmastercentral.blogspot.com...] I haven't even considered it until this showed up, so I hope they'll give us lots of time.
| 7:12 am on Aug 11, 2014 (gmt 0)|
|Use protocol relative URLs for all other domains |
So they want me to change very single outgoing link on my site? What if the other site does not support https?
This seems to be an attempt to get us to "punish" those who have invalid https certificates, by linking in a way that scares off visitors. If I have existing http:// links the site I am linking to can easily redirect it if they wish.
|Use relative URLs for resources that reside on the same secure domain |
Why not absolute links to the https version? That way you cans serve content on both, but everyone ends up on the https version on the next click.
| 11:34 am on Aug 11, 2014 (gmt 0)|
As far as serving content on both but "everyone ends up on the https version on the next click"… That creates a duplicate content issue - technically the https and http versions of a site are two different sites. Google will only treat them as one site after examining the contents of both and finding no difference. Second, you missed their point - they're not talking about links, they're talking about asset URLs. With asset URLs that are served from the same host, a relative URL makes sense. However, many larger sites will put assets on a separate host/subdomain that can be served by a CDN.
| 12:38 pm on Aug 11, 2014 (gmt 0)|
We migrated a couple of websites to full HTTP two weeks ago and the results so far are promising with 13% increase in traffic and SERP positions . In short Google are pretty serious (and generous) about websites that migrated towards full https.
| 12:47 pm on Aug 11, 2014 (gmt 0)|
@jay5r, ah, I have been stupid enough to rely on a summary instead of the original article.
| 1:57 pm on Aug 11, 2014 (gmt 0)|
|We migrated a couple of websites to full HTTP two weeks ago and the results so far are promising with 13% increase in traffic and SERP positions . In short Google are pretty serious (and generous) about websites that migrated towards full https. |
I migrated a major site to EVHSSL two years ago. It was a page 3-4 site then, and it still is now. I would consider other possible factors before assuming that the HTTPS move was responsible for a traffic increase - there are several hundred of them according to G.
[edited by: superclown2 at 2:19 pm (utc) on Aug 11, 2014]
| 2:15 pm on Aug 11, 2014 (gmt 0)|
What we have to remember is that, even apart from the naïve people who believe everything that Google tells them, there are vested interests out there. Hosting companies are more than happy to sell new and higher priced services to us and HTTPS certificate issuers will be salivating at the prospect of a deluge of new clients.
Google has stated that there are a plethora of ranking signals, and this will be just one more. Getting an installation just right is not a job for a beginner and an imperfect job can have disastrous consequences as I first found out for myself more than a decade ago.
My advice for what it's worth; remember that Google stated than around 1% of global queries will be affected which means that for 99% of us it will not be relevant. So, if you must go down this route, tread very carefully unless you are one of the minority who know what you are doing.
| 1:39 am on Aug 12, 2014 (gmt 0)|
|The real question is would they quit publishing to directories that get no traffic to get page rank? Yes |
Ask Yahoo!, DMOZ, BOTW, JoeAnt [and others] how their directories are doing.
|The only ones you have stopped are those who were doing it just for page rank. |
I haven't stopped almost anyone from doing anything.
Of course, only having someone try to pick-apart 2 out of 8 points I made is way less "heat" than I expected.
| 12:45 pm on Aug 12, 2014 (gmt 0)|
|I wonder if this has ANYTHING to do with fighting spam? Surely spammers wont buy certificates for their churn and burn sites? |
There are a few providers giving free trials of SSL certs for 90 days. For most churn-and-burn sites 90 days is good enough time period to start and then if the site survives in SERPs beyond 90 days, one can always upgrade to a paid cert for 1 year or more. So churn-and-burn crowd may not be losing their sleep over this move.
Assuming fighting spam is the real motive behind this move, I suspect people using cheapest SSL certs that do only the domain validation may not benefit much. More expensive SSL certs that do organization validation may help in rankings for the obvious reasons. But google has not clarified what kind of certs they would like people to use.
So I'm tempted to wait for more details to emerge in near future or should I just get cracking and buy a bunch of cheap SSL certs? That is the dilemma.
| This 188 message thread spans 7 pages: < < 188 ( 1 2  4 5 6 7 ) > > |