Could using a CDN's SSL hurt rankings (and engagement)?

         

Planet13

9:13 pm on Dec 14, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Just realized that, since my e-commerce site is hosted by a well-known CDN, it uses the CDN's SSL (not my common name SSL) when serving up secure pages.

The problem is that neither Chrome nor Opera will recognize Subject Alternative Names and give a Green Padlock in the URL bar (or some other visual indication that the connection is secure).

In fact, Opera goes so far as to say that the connection is not protected and gives me a little marketing ad to try and get me to sign up for a VPN service (that might be Opera's doing, it might be my virus protection that is pimping the VPN service).

I know it is probably conjecture at best. Is there anything out there saying this might directly (or indirectly) affect rankings?

I am sure it must be affecting traffic / conversions :-(

bhukkel

9:47 pm on Dec 14, 2015 (gmt 0)

10+ Year Member



Subject Alt Names is supported by Chrome. Otherwise you get a big error message and the page is not loaded by default.

I think the problem is that you have a http link or http form on the page. I have the same problem with one of my HTTPS pages which includes a HTTP form. If I remove the form I have a green sign in the URL bar; now it is just white.

Planet13

10:11 pm on Dec 14, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



>> I think the problem is that you have a http link or http form on the page.


Well... there are over 30 links on that page with href="http:" instead of href="https"

Are you saying I need to change them all to href="https:" ?

bhukkel

10:19 pm on Dec 14, 2015 (gmt 0)

10+ Year Member



Why not create a test page without any links or forms and see if you have a green sign on the url bar?

Planet13

11:55 pm on Dec 14, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



>> Why not create a test page without any links or forms and see if you have a green sign on the url bar?


I just tried that and no, I did NOT get a green bar / padlock. Just a "page" logo.

When I click on the page icon (at the start of the URL bar) I get this message:

"This site uses a weak security configuration - SHA-1 signatures blah blah blah..."

I tried using an "ssl labs site analyzer" and it said that I got an "A" grade for all four servers for my site.

So I am baffled.

bhukkel

12:08 am on Dec 15, 2015 (gmt 0)

10+ Year Member



SHA1 is an old encryption algo

That’s why Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.


[googleonlinesecurity.blogspot.com...]

Planet13

12:57 am on Dec 15, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



>> SHA1 is an old encryption algo


Ok, I guess I just don't know why the CDN is using SHA1...

I just put in a support request with them that I am hopeful they might answer.

Robert Charlton

9:09 am on Dec 15, 2015 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Just to respond to this question, which may not be the issue....

>> Well... there are over 30 links on that page with href="http:" instead of href="https"
>>
>> Are you saying I need to change them all to href="https:" ?

On a completely secure site, or on https pages....

HREF urls that link to offsite http documents should not create problems.

Incorrect "SRC" urls that add insecure content to a page (via images, scripts, or iframes) will create problems.
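The href/SRC distinction above can be checked mechanically. An added example (not part of the thread) that scans a page for `http://` URLs and separates plain links from content loaded into the page; the sample HTML and hostnames are constructed, and the "form" category reflects the HTTP form reported earlier in the thread:

```python
from html.parser import HTMLParser

class MixedContentScanner(HTMLParser):
    """Collect (category, tag, url) for every http:// URL found in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for name, category in self._url_attrs(tag, a):
            url = (a.get(name) or "").strip()
            # Relative and protocol-relative ("//host/path") URLs inherit https.
            if url.lower().startswith("http://"):
                self.findings.append((category, tag, url))

    @staticmethod
    def _url_attrs(tag, a):
        if "src" in a:                        # img, script, iframe, ...
            yield "src", "subresource"
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            yield "href", "subresource"
        if tag == "form":
            yield "action", "form"
        if tag == "a":                        # ordinary link, nothing is loaded
            yield "href", "navigation"

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

def padlock_risks(findings):
    """Findings that load or submit over http, as opposed to plain links."""
    return [f for f in findings if f[0] in ("subresource", "form")]

# Constructed sample page
SAMPLE = """
<a href="http://partner.example/page">offsite link</a>
<a href="/cart">relative link</a>
<a href="//example.com/some-page">protocol-relative link</a>
<img src="http://img.example/pixel.gif">
<script src="https://cdn.example/app.js"></script>
<link rel="stylesheet" href="http://static.example/site.css">
<form action="http://shop.example/search"><input name="q"></form>
"""
```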

aristotle

2:03 pm on Dec 15, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



>> Are you saying I need to change them all to href="https:" ?

I don't understand this. Wouldn't you be changing them to different URLs that might not be valid and thus turn them into broken links?

frankleeceo

5:12 am on Dec 16, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



Is the page calling any non-https resources like images or scripts? It may be a missed typo somewhere. The green pad breaks with just 1 single non-https pixel.

And isn't it good practice to set the entire site on https and switch all internal linking infrastructure, something about affecting the loading speed and better security? This is a question that I am wondering myself and not rhetorical.

Dymero

3:15 pm on Dec 16, 2015 (gmt 0)

10+ Year Member



frankleeceo, if internal links are relative, there is no issue because they'll always follow the protocol being used.

Planet13

9:47 pm on Dec 17, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Just to follow up...

In my particular case (and I am trying to keep this general enough so that it benefits ALL visitors to WebmasterWorld), it might be a problem with Windows 7, Google Chrome, and SHA 2 (meaning, it might be that my copy of Win 7 is missing some updates from Microsoft).

So without trying to derail things further, I will try and find out if something is wrong with my box first, and then look at other issues.

Thanks again.

ergophobe

5:45 pm on Dec 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



>> if internal links are relative

They actually don't even need to be relative. They can be "protocoless" as in href="//example.com/some-page"

[en.wikipedia.org...]

Assuming that you do have a mix, in theory, if you install HSTS on your server, it sends the header and conforming UAs (all major browsers at this point) will transform all http links to https to prevent "protocol downgrade" attacks.

Obviously, none of the above helps with the fact that your CDN is still using an SHA-1 cypher.

SHA-1 has been deprecated for certificate signing since 2011, but few people did anything. Since late 2014, Google and Microsoft have been upping the ante and after January 1 it's going to get harder and harder to use those certs (browser warnings, etc).

If your CDN doesn't have an upgrade path/plan, it would be hard for me to take them seriously. They must have something in place.

Why?....

Microsoft revoked 20 root certs *today*
[zdnet.com...]

Back on Dec 1, they revoked Dell's certificate
[zdnet.com...]

More reading...
[blog.chromium.org...]
[symantec.com...]
[groups.google.com...]
[schneier.com...]