Could using a CDN's SSL hurt rankings (and engagement)?

     
9:13 pm on Dec 14, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member planet13 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:June 16, 2010
posts: 3823
votes: 29


Just realized that since my e-commerce site is hosted by a well-known CDN, it uses the CDN's SSL (not my common name SSL) when serving up secure pages.

The problem is that neither Chrome nor Opera will recognize Subject Alternative Names and give a Green Padlock in the URL bar (or some other visual indication that the connection is secure).

In fact, Opera goes so far as to say that the connection is not protected and gives me a little marketing ad to try and get me to sign up for a VPN service (that might be Opera's doing, it might be my virus protection that is pimping the VPN service).

I know it is probably conjecture at best. Is there anything out there saying this might directly (or indirectly) affect rankings?

I am sure it must be affecting traffic / conversions :-(
9:47 pm on Dec 14, 2015 (gmt 0)

Full Member

5+ Year Member

joined:Aug 16, 2010
posts:240
votes: 18


Subject Alt Names is supported by Chrome. Otherwise you get a big error message and the page is not loaded by default.

I think the problem is that you have a http link or http form on the page. I have the same problem with one of my HTTPS pages which includes a HTTP form. If I remove the form I have a green sign in the URL bar; now it is just white.
10:11 pm on Dec 14, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member planet13 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:June 16, 2010
posts: 3823
votes: 29


>> I think the problem is that you have a http link or http form on the page.


Well... there are over 30 links on that page with href="http:" instead of href="https"

Are you saying I need to change them all to href="https:" ?
10:19 pm on Dec 14, 2015 (gmt 0)

Full Member

5+ Year Member

joined:Aug 16, 2010
posts:240
votes: 18


Why not create a test page without any links or forms and see if you have a green sign on the url bar?
11:55 pm on Dec 14, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member planet13 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:June 16, 2010
posts: 3823
votes: 29


>> Why not create a test page without any links or forms and see if you have a green sign on the url bar?


I just tried that and no, I did NOT get a green bar / padlock. Just a "page" logo.

When I click on the page icon (at the start of the URL bar) I get this message:

"This site uses a weak security configuration - SHA-1 signatures blah blah blah..."

I tried using an "ssl labs site analyzer" and it said that I got an "A" grade for all four servers for my site.

So I am baffled.
12:08 am on Dec 15, 2015 (gmt 0)

Full Member

5+ Year Member

joined:Aug 16, 2010
posts:240
votes: 18


SHA1 is an old encryption algo

That's why Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome's user interface.


[googleonlinesecurity.blogspot.com...]
12:57 am on Dec 15, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member planet13 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:June 16, 2010
posts: 3823
votes: 29


>> SHA1 is an old encryption algo


Ok, I guess I just don't know why the CDN is using SHA1...

I just put in a support request with them that I am hopeful they might answer.
9:09 am on Dec 15, 2015 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator robert_charlton is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2000
posts:11902
votes: 294


Just to respond to this question, which may not be the issue....
>> Well... there are over 30 links on that page with href="http:" instead of href="https"
>>
>> Are you saying I need to change them all to href="https:" ?

On a completely secure site, or on https pages....

HREF urls that link to offsite http documents should not create problems.

Incorrect "SRC" urls that add insecure content to a page (via images, scripts, or iframes) will create problems.
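
Added example (not part of the thread and not any poster's code): a small Python scanner for the distinction drawn in the post above, where http href links are navigation but http URLs that the page itself loads are insecure content. It also reports http form targets, which an earlier reply describes as affecting the padlock. The tag list, function names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# tag -> attribute whose URL the browser fetches into the page (illustrative list)
SUBRESOURCE = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
               "audio": "src", "video": "src", "source": "src", "object": "data"}
LOADED_LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rels that trigger a fetch

class MixedContentScanner(HTMLParser):
    """Collect URLs that an HTTPS page would load or submit over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def _check(self, kind, tag, value):
        # urljoin resolves relative and protocol-relative ("//host/x") URLs
        # against the page URL, so on an https page both stay https.
        resolved = urljoin(self.page_url, value)
        if urlparse(resolved).scheme == "http":
            self.findings.append((kind, tag, resolved))

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v}
        if SUBRESOURCE.get(tag) in attrs:
            self._check("subresource", tag, attrs[SUBRESOURCE[tag]])
        elif tag == "link" and "href" in attrs:
            if set(attrs.get("rel", "").lower().split()) & LOADED_LINK_RELS:
                self._check("subresource", tag, attrs["href"])
        elif tag == "form" and "action" in attrs:
            self._check("form-action", tag, attrs["action"])
        # <a href> is deliberately ignored: a link is navigation, not page content.

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page for illustration (not from the thread).
SAMPLE = """
<a href="http://other.example/page">offsite link</a>
<a href="/cart">relative link</a>
<img src="//cdn.example/logo.png">
<img src="http://cdn.example/pixel.gif">
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://shop.example/">
<form action="http://shop.example/search"></form>
"""
```

Calling `scan("https://shop.example/", SAMPLE)` reports the http image, the http stylesheet and the http form target; the two anchors, the protocol-relative image and the canonical link are not reported.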
2:03 pm on Dec 15, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3225
votes: 228


>> Are you saying I need to change them all to href="https:" ?

I don't understand this. Wouldn't you be changing them to different URLs that might not be valid and thus turn them into broken links?
5:12 am on Dec 16, 2015 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Oct 29, 2012
posts:411
votes: 50


Is the page calling any non-https resources like images or scripts? It may be a missed typo somewhere. The green pad breaks with just 1 single non-https pixel.

And isn't it good practice to set the entire site on https and switch all internal linking infrastructure, something about affecting the loading speed and better security? This is a question that I am wondering myself and not rhetorical.
3:15 pm on Dec 16, 2015 (gmt 0)

Full Member

5+ Year Member

joined:Apr 26, 2012
posts:328
votes: 8


frankleeceo, if internal links are relative, there is no issue because they'll always follow the protocol being used.
9:47 pm on Dec 17, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member planet13 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:June 16, 2010
posts: 3823
votes: 29


Just to follow up...

In my particular case (and I am trying to keep this general enough so that it benefits ALL visitors to WebmasterWorld), it might be a problem with Windows 7, Google Chrome, and SHA 2 (meaning, it might be that my copy of Win 7 is missing some updates from Microsoft).

So without trying to derail things further, I will try and find out if something is wrong with my box first, and then look at other issues.

Thanks again.
5:45 pm on Dec 18, 2015 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8510
votes: 228


>> if internal links are relative

They actually don't even need to be relative. They can be "protocoless" as in href="//example.com/some-page"

[en.wikipedia.org...]
Assuming that you do have a mix, in theory if you install HSTS, your server sends the header and conforming UAs (all major browsers at this point) will transform all http links to https to prevent "protocol downgrade" attacks.

Obviously, none of the above helps with the fact that your CDN is still using an SHA-1 cypher.

SHA-1 has been deprecated for certificate signing since 2011, but few people did anything. Since late 2014, Google and Microsoft have been upping the ante and after January 1 it's going to get harder and harder to use those certs (browser warnings, etc).

If your CDN doesn't have an upgrade path/plan, it would be hard for me to take them seriously. They must have something in place.

Why?....

Microsoft revoked 20 root certs *today*
[zdnet.com...]

Back on Dec 1, they revoked Dell's certificate
[zdnet.com...]

More reading...
[blog.chromium.org...]
[symantec.com...]
[groups.google.com...]
[schneier.com...]