
Forum Moderators: Robert Charlton & goodroi


How does Google treat Shared SSLs?

11:17 pm on Nov 17, 2016 (gmt 0)

Junior Member

joined:Jan 13, 2014
posts:115
votes: 23


When Cloudflare first launched, it found some sites were adversely affected by shared IPs by Google. So much so that those sites sharing an IP with a bad neighbour within Cloudflare found their site got penalised. Cloudflare dealt with this issue by isolating the bad domains to separate IPs. However, and I am sure I am not alone in this, I often use the free SSL service from Cloudflare. What I am wondering is: if you share your SSL with a bad neighbour, could this adversely affect your search positions in the same way it happened with IPs? Be interested in people's thoughts.
11:43 am on Nov 18, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member bwnbwn is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 25, 2005
posts:3595
votes: 50


As cheap as SSLs are, why are you going free and then worrying about a shared SSL? I would never share an SSL; to me it makes no sense other than being cheap.
12:32 pm on Nov 18, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Nov 13, 2016
posts:1194
votes: 285


To me, 1 IP = 1 Site = 1 SSL.

You can get free SSL with Let's Encrypt, or with NameCheap this should be less than $10 / year.

About dedicated IP, if you rent a dedicated server (which can be as low as $10 / mo), you'll get a dedicated IP, and some hosts are proposing extra IP for additional costs (at my host, I guess I don't have the right to name it, extra IP are just a one time $3 set up fee). Or you can rent a VPS (with dedicated IP) and use it as reverse proxy.

I think that from the moment you are at a minimum concerned about how search engines are perceiving your site, these are mandatory (cheap) expenses.
4:09 pm on Nov 18, 2016 (gmt 0)

Senior Member from NL 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
posts: 2955
votes: 35


@Dimitri:
With CloudFlare you can't get a dedicated IP. That's the way the cloud works and it is actually one of the strengths of the cloud. Using multiple IP addresses to distribute the sites enhances redundancy and reliability. But because of this you will have to use an SSL encryption scheme which matches that setup. Let's Encrypt and NameCheap are not among those options.

@3zero:
CloudFlare offers a free shared SSL certificate for the average site, and dedicated certificates for those who want to pay more for their encryption. What I remember is that CloudFlare SSL pricing for dedicated certificates is quite reasonable compared to some other cloud providers and you may want to look at their price list to decide if that is worth the investment. Headaches about bad neighborhoods also cost money in terms of time investigating and managing.
10:47 am on Nov 20, 2016 (gmt 0)

Junior Member from AU 

10+ Year Member Top Contributors Of The Month

joined:June 28, 2003
posts: 178
votes: 24


The cost isn't the SSL - it's managing a distributed CDN on multiple IP addresses with an SSL.

I ran an SSL via Amazon CloudFront, using SNI, for nothing - and this worked relatively well.

I've since shifted to a shared SSL with CloudFront (a proper one, not an SNI one). I've had significantly increased traffic as a result. It turns out that there are far too many proxies and other things which don't cope well with an SNI SSL.

You can spend $300 on a dedicated SSL with Amazon CloudFront, and a similar cost with CloudFront. That's not chicken-feed, and the benefits will be slight.
2:43 am on Nov 23, 2016 (gmt 0)

Junior Member from GB 

10+ Year Member Top Contributors Of The Month

joined:Oct 16, 2002
posts: 182
votes: 3


@Dimitri, one IP per SSL site is a thing of the past. SNI or Server Name Identification is well supported by browsers going back some way (e.g. Firefox 2, IE7) so no reason not to use it. This needed sorting as IPv4 addresses have been scarce for some time. The Apache wiki gives a good overview of the technology:

[wiki.apache.org...]

Just read your post, @james007: what's a "proper" shared SSL?
4:24 am on Nov 23, 2016 (gmt 0)

Junior Member from AU 

10+ Year Member Top Contributors Of The Month

joined:June 28, 2003
posts: 178
votes: 24


A proper SSL is one that isn't SNI.

My experience with an SNI isn't good. Many corporates might use a compatible browser, but don't use a compatible proxy server. I had many people who couldn't understand why they couldn't see my site at work, or in a library, or wherever. Or why their RSS reader didn't work. Even Microsoft's Webmaster Tools didn't deal with an SNI for some time - it only was fixed earlier this year.

When shifting away from SNI and to a proper SSL connection, my traffic increased substantially.

I would highly recommend against an SNI SSL solution, however tempting it might appear.
2:22 pm on Nov 23, 2016 (gmt 0)

Junior Member from GB 

10+ Year Member Top Contributors Of The Month

joined:Oct 16, 2002
posts: 182
votes: 3


Thanks. That's good to know. I had no idea there were such issues. I've been looking at it recently and was planning to start using it for client sites in general.
8:50 pm on Nov 23, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


I choose to use a free (but not shared) Let's Encrypt cert instead of a paid cert.

Yes, very old browsers without SNI support and any browser used from Windows XP will not connect to my site. However these browsers are rapidly being phased out (if not gone already) and I saw zero difference in traffic.

Any increase in traffic by allowing non-SNI archaic browsers is likely due to bot activity.
10:27 pm on Nov 23, 2016 (gmt 0)

Junior Member from AU 

10+ Year Member Top Contributors Of The Month

joined:June 28, 2003
posts: 178
votes: 24


As I've said earlier - the browser is the least of your worries: many proxies used in corporate situations are not SNI compliant. RSS readers, too. If you rely on corporate users, don't use SNI.

My increase of traffic is measured by Google Analytics, which doesn't measure bots (at least, doesn't measure them well). Removing SNI also increased my crawl rate with Googlebot. Not sure why.
10:48 pm on Nov 23, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Well I block all RSS apps as they are a significant tool used in sucking web pages into iFrames at remote servers: [webmasterworld.com...]

Proxies? Most of what you say was true (to an extent) in the past, but things have moved forward where it is of little significance today. Possibly you have unique traffic through a proxy that has not yet conformed.

Also, I have a strong presence in the edu sector and watch it closely. The US, Canadian, Australian & EU library systems were also non SNI compliant for many years. They have also complied as of January 2016.

YMMV
12:20 am on Nov 24, 2016 (gmt 0)

Junior Member from AU 

10+ Year Member Top Contributors Of The Month

joined:June 28, 2003
posts: 178
votes: 24


> Proxies? Most of what you say was true (to an extent) in the past, but things have moved forward where it is of little significance today


I come here to pass on my experience and learn from others. In this particular case, it is experience from the last few months. There are still major companies in my sector (media) who are running old proxies and firewalls that aren't SNI compliant.

What's deeply unhelpful is coming to specifically argue against my experience while not really offering anything other than just a "you're wrong" argument. I've always seen this forum as being - unusually - free of this type of behaviour. Particularly from someone claiming they're a moderator, I'm rather disappointed.

As a Brit, might I also tell you that there is no such thing as "the EU library system". Libraries in most European countries, and here in Australia, are run by local councils, who each have their own separate IT infrastructure, usually maintained by entirely different companies. That's factual experience based on using them, and based on living in Britain and Australia. (Indeed, I was in a library only yesterday).

YMMV, indeed.
12:57 am on Nov 24, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member bwnbwn is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 25, 2005
posts:3595
votes: 50


Egos tend to get in the way of a discussion; it seems to be happening a lot more. Suggest a read on "Who Moved My Cheese"

[en.wikipedia.org...]
1:24 am on Nov 24, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


> What's deeply unhelpful is coming to specifically argue against my experience while not really offering anything other than just a "you're wrong" argument...

I never said "you're wrong." I shared my experience by saying I saw no change in traffic. I didn't intend to imply that *you* didn't. Maybe you missed where I said:

> Possibly you have unique traffic through a proxy that has not yet conformed.

And also where I added

> YMMV

Again, everyone's traffic is a bit different. You go with what you have.
1:41 am on Nov 24, 2016 (gmt 0)

Junior Member from AU 

10+ Year Member Top Contributors Of The Month

joined:June 28, 2003
posts: 178
votes: 24


I didn't. And thank you, bwnbwn.
2:01 am on Nov 24, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Here's a related thread. Scroll down to find dedicated cert & SNI discussed: [webmasterworld.com...]
2:12 am on Nov 24, 2016 (gmt 0)

Senior Member from NL 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
posts: 2955
votes: 35


Switching to SNI did reduce traffic to my sites between 2 and 10% but with these sites revenue did not change, probably because those not willing to spend money on their own computer are not willing to spend their money online either in the markets I am operating in.

But if you are targeting specific user groups which may be on technology not supporting SNI yet like james007 is talking about, it is wise to do some tests before making the switch. The effect of shared vs dedicated SSLs and shared vs. dedicated IPs can change widely depending on the niche you are targeting.
2:23 am on Nov 24, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


> The effect of shared vs dedicated SSLs and shared vs. dedicated IPs can change widely depending on the niche you are targeting

Exactly, and many site owners get sold dedicated IPs & certs they don't need.

This is an important discussion, one that shows that every site owner switching to SSL should do their homework and evaluate how it will affect their interests.
9:50 am on Nov 24, 2016 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 7, 2006
posts: 1136
votes: 140


> any browser used from Windows XP will not connect to my site


Having just (1 November) moved my site to SNI/SSL I find this discussion interesting. I agree with lammert's view about paying clients. The points at the bottom of the cheese page are also worth noting: if someone can't find my business because their map is ten years out of date I can probably live with it.

I'm certainly not taking issue with the view that a dedicated IP address is best practice, and extends the life of systems and browsers that don't support SNI (or HTML5, or...), but best practice isn't always necessary or affordable for everyone.

On the XP/browser point - also made on [webmasterworld.com ] - I still have an XP machine, which I use to run legacy software (including, perhaps ironically, a Windows version of Safari).

On that machine, my site is fine in all browsers except IE. In IE/XP, google.co.uk won't load either (although - I have no idea why - google.com is OK), so I'm in good company.

It certainly isn't the case, therefore, that any browser in XP will not connect to any SNI/SSL site, which raises the question - possibly related to the google.co.uk issue - of why some sites might work where others don't. Any ideas?
10:10 am on Nov 24, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


@ Wilburforce - I made that comment above because everyone disagreed with me when I said that IE on XP couldn't connect because of SNI. I had only seen the failure with IE. Then adamant posts said ALL browsers from XP had that issue: [webmasterworld.com...]

As I said, my traffic did not drop after installing a free cert, so I did not test further. Traffic has actually continued to climb at a slow but steady pace.

Yes it would be interesting why some sites on some server configs don't have issues with SNI, but the importance of this will continue to decline IMO.
11:38 am on Nov 24, 2016 (gmt 0)

Junior Member from AU 

10+ Year Member Top Contributors Of The Month

joined:June 28, 2003
posts: 178
votes: 24


Internet Explorer on XP doesn't work with SNI, but others do. Nothing works on Android v2, BlackBerry 7 or Symbian. There is a full list here: [en.m.wikipedia.org...]

But in my experience this is a bit of a red herring. One visitor to my SNI-enabled SSL site, via Amazon CloudFront, couldn't connect using his iPhone. Upon digging, his phone was connected to the office wifi. On turning wifi off, it worked fine. Another person couldn't see it at all from their Windows 10 computer - again, the office connection was at fault somehow. Microsoft's own Bing Webmaster Tools didn't work until earlier this year. Many RSS readers are still not SNI enabled, so none of my RSS feed actually worked correctly for many. Quite a few online test tools failed to work.

So, despite what the proponents of SNI will tell you, it isn't anywhere near universally available yet throughout the entire stack. And, worse, there's no way to catch those users and give them an alternative; nor is there any way to know how large the problem actually is, since it's almost impossible to monitor. The contacts I had were mainly personal contacts anyway; I could have had thousands of visitors who couldn't see it. I have no way of knowing.

I now have a shared "real" SSL with about five other sites from CloudFlare. (I'm paying US$19 a month for the whole CloudFlare package). Since shifting from an SNI SSL over to a real one, Google has started crawling my site more frequently and appears to have slightly rewarded me in traffic and position (though it could also be site speed).

So in response to the original post: no, I can see no downside with Google if you use a shared SSL. There is plenty of upside with a correctly configured CDN.

It might be useful, too, to pass on the reasons why I switched to SSL. It had little to do with Google's rumoured boost to sites using it - and rather more to a) safeguard my visitors (who look on my website to find new jobs - often when at work), and b) because one of the coffeeshop hotspots I was using began injecting stuff in the page of HTTP websites, and potentially interfering with the content and/or the ad code. Switching on SSL has fixed both the above issues.
11:57 am on Nov 24, 2016 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 7, 2006
posts: 1136
votes: 140


@keyplyr - The adamant posts (to which my post also referred) are mistaken, in that case.

Even if the failure extended to all browsers it shouldn't have much impact on traffic. Current estimates for use of XP are between about 1.3% (W3Cschools) to less than 6%. This will obviously vary with location and primary web user, but in a UK technology-based business, I personally see almost no XP users, and I would be surprised to find a potential - let alone actual - client among them.

Server or proxy errors are another issue, but I would be surprised to find many non-compliant examples in the UK corporate or standard ISP environment. Common proxy systems (e.g. Tor) have no issues with it.

There are still people out there that use paper directories, and to me it is as pertinent to ask how much of my marketing budget goes on a dedicated server and certificate as it is to ask how much of it goes on paper directory listings.
12:05 pm on Nov 24, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


I also block HTTP/1.0 so that may also contribute to my traffic not changing, plus I still think a lot of the non-support for SNI traffic are bots, no matter how it gets reported in stats reports.
12:18 pm on Nov 24, 2016 (gmt 0)

Junior Member from AU 

10+ Year Member Top Contributors Of The Month

joined:June 28, 2003
posts: 178
votes: 24


Wilburforce: I suspect you'd be surprised how many proxies, firewalls and other things still don't support it - but you're fine to ignore those users, of course. I'd just urge caution that you can use the most up to date OS on the planet, but if there's a dodgy old proxy or antivirus solution somewhere in the network, it still won't work.

An answer to your Google issue: MSIE v6 SP1 is no longer supported by Google. Scroll down [ssllabs.com...] and look for MSIE v6 on XP to see "Server sent fatal alert: protocol_version" in big red letters. Seems like they've, also, made that decision not to support those users. It's nothing to do with SNI, by the way - Google.co.uk doesn't use it.
12:58 pm on Nov 24, 2016 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 7, 2006
posts: 1136
votes: 140


> I still think a lot of the non-support for SNI traffic are bots


Most of what shows up in my server/error logs is from China Telecom IPs.

It doesn't seem to show up in my analysis software, however (I'm not sure how it gets filtered), which is how I assess traffic.

> you can use the most up to date OS on the planet


I sometimes feel the pressure we are under to do just that is more like a treadmill than a road to progress.

However, to me it looks like anyone in the UK who collects personal client data (in the shape of online forms, in my case) is probably in breach of the seventh data protection principle of the UK Data Protection Act 1998: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". That means I must protect the data from snoopers during transmission (SSL), and may not use insecure systems (e.g. XP, which is no longer supported) to store or transmit it.
1:20 pm on Nov 24, 2016 (gmt 0)

New User

5+ Year Member

joined:Jan 20, 2011
posts:22
votes: 0


Did a calculation with numbers from analytics one year ago, and about 3-4% used Windows XP with IE. So I went with dedicated IP.

[edited by: Perren at 1:35 pm (utc) on Nov 24, 2016]

1:26 pm on Nov 24, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


> ... I must protect the data from snoopers during transmission (SSL), and may not use insecure systems (e.g. XP, which is no longer supported) to store or transmit it.

Good point and also applies to unsecure systems :)
6:13 am on Nov 25, 2016 (gmt 0)

Junior Member from AU 

10+ Year Member Top Contributors Of The Month

joined:June 28, 2003
posts: 178
votes: 24


> I still think a lot of the non-support for SNI traffic are bots - Most of what shows up in my server/error logs is from China Telecom IPs.


How are you testing for this? Given that a call to an SNI website from an affected client simply doesn't connect, at all, I'm perplexed how you can have any visibility into the issue. It can't go into any log, since the connection never happens.

The only way I can think of doing it is running an HTTP website that does JavaScript to check whether the HTTPS version is visible, which would be probably the worst thing for SEO.

Keen to learn how you do it.
6:41 am on Nov 25, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Referring to the requests at the server that were assumed to be increase in traffic, not the ones that "never made it."
11:24 am on Nov 25, 2016 (gmt 0)

Junior Member from AU 

10+ Year Member Top Contributors Of The Month

joined:June 28, 2003
posts: 178
votes: 24


Aha, so comparing SNI with a non-SNI (but still HTTPS) connection?