Welcome to WebmasterWorld Guest from 23.20.64.96

Forum Moderators: Robert Charlton & andy langton & goodroi

Move to HTTPS... is it worth the stress?

     
6:45 pm on Nov 24, 2016 (gmt 0)

Full Member

10+ Year Member

joined:Aug 16, 2004
posts:325
votes: 1


I have a site which is 50% advice and 50% eCommerce. The eCommerce section of the website is on HTTPS pages for obvious reasons. However, for me to change over the rest of the site it is going to be a massive headache.

I've been reading more and more about how Google could penalise non-HTTPS sites. Is it worth me stressing over and moving everrything to HTTPS or will it be OK to stay as I am?
11:29 pm on Nov 24, 2016 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 13, 2014
posts:82
votes: 20


If you use a cdn like Cloudflare there is an option to change all content to https so links images etc could be served over https very easily allowing you time to change over in the code. Should be able to change over relatively painlessly this way.

Is it worth it ? If it causes you less stress then yes but not for any seo benefit at present.
11:33 pm on Nov 24, 2016 (gmt 0)

Full Member

10+ Year Member

joined:Aug 16, 2004
posts:325
votes: 1


Is it worth me doing things "gradually". For now, redirect links to images, CSS files etc to https so at least they're secure for now and then do the rest when I'm more "prepared" and have more time? Basically, the thought of having to manually change all my internal links (on static pages not managed using a CMS) and fiddling around with the htaccess file (which I messed up before), scares me, frankly :-( Not to mention having to resubmit sitemaps and remember 101 other things to prevent potential disaster in SERPS...fun...
11:42 pm on Nov 24, 2016 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 13, 2014
posts:82
votes: 20


The cdn or Cloudflare option would mean all links would automatically be rewritten to https, that would include css, js, image... well everything, I have switched whole sites in under a hour this way. You can get some great help on here regarding htaccess but for wordpress or magento for instance you would just change the site url to https.

Sitemaps you may need to do a little work on but its not like there that important anyway :)
11:48 pm on Nov 24, 2016 (gmt 0)

Senior Member from NL 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1384
votes: 158


manually change all my internal links

Plenty of search & replace applications that let you do that quickly and reliably. I would often use Actual Search & Replace on Windows.
11:52 pm on Nov 24, 2016 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8008
votes: 284


Yes it is worth it for your visitors and your business also. Sites that are not SSL will loose ranking at search engines in the near future.

Shouldn't be much "stress" depending on your site schema. Most hosts are well experienced by now and should have help pages showing step-by-step.

All links in the body section of your mark-up are best with relative paths anyway. The only links that would need to be changed are the absolute links in the head or the absolute remote files you may be using.

I installed a cert, 301'd in htacces and changed all links on a 300 page site in less than an hour. There were of course a couple tweaks here and there I had to do later.
12:01 am on Nov 25, 2016 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 13, 2014
posts:82
votes: 20


Good call robzilla If your on linux you could use something like this:

cd /path/to/your/website
find ./ -type f -exec sed -i 's/http:/https:/g' {} \;
12:16 am on Nov 25, 2016 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 7, 2006
posts: 956
votes: 61


having to manually change all my internal links


My site is mostly static (handwritten html/css), and I found it pretty easy.

How much bother you will find it depends on whether the links are are relative or absolute. If absolute and your usual html editor can't do a global replace, use e.g. Notepad++ (replacing "http://www.mysite" with "https://www.mysite" in main folder and all subfolders should work flawlessly). If relative, they don't need changing in theory, but in practice you might get partially unsecured warnings in your browser, and you can't easily change them all to absolute (which will solve it) in the same way, so that might be more of a pain to do.

Resubmitting sitemaps in GSC or Bing's equivalent is easy, and there are several free sitemap generators available online, so that really isn't much more work than a couple of mouse clicks.

For me, the most difficult part was the .htaccess file, as there are minor syntax differences between generations of Apache, but on my site's (shared Linux) server the pages don't change until rewritten, which gave me an opportunity to test it first. Even there I found only a couple of problems: the first was avoiding loops, and the second was making sure mistyped entries still got rewritten. Neither issue gave me a headache.

My two main bits of advice would be to back it up first (doing it all again can be easier than undoing a global replace that has done something you didn't predict), and make sure you use a history-cleared browser for testing.

To me, it certainly looked much more daunting before I started than it actually turned out to be, so if you decide to go for it - no bad thing, even if it isn't immediately necessary - I hope you will find that too.
12:24 pm on Nov 25, 2016 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Sept 12, 2014
posts:377
votes: 64


More and more https sites wont open on my tablet. I know i can figure out how to fix the issue, although my first attempts have failed, but joe public wont fix it. The gang at mountain view need to climb out of their bubble every now and then to see what the real world is like.
12:31 pm on Nov 25, 2016 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8008
votes: 284


https sites wont open on my tablet
It's either your tablet browser or your network, and probably not the sites if this keeps happening.

Make sure your tablet & browser have the latest updates & check with your ISP for SNI support.
12:55 pm on Nov 25, 2016 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 7, 2006
posts: 956
votes: 61


https sites wont open on my tablet


I had a similar problem on desktop (following a Windows update) that took some time to trace back to my firewall/anitvirus application.The application adds its own intermediate cert to browsers, and the update had reset the browser cert in both Firefox and Opera. Removing and then restoring browser permissions cleared it.

The superficial symptom was a site access message (denial) in the browser, so the origin of the problem wasn't initially apparent.

Updating the browser - my first response - didn't work,

As keyplyr says, it won't be the sites if it the problem applies to many of them.
1:04 pm on Nov 25, 2016 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:May 11, 2015
posts:176
votes: 63


What about Adsense sites? I have heard that if you change to HTTPS, your Adsense revenue will go down because Google will only display ads that are compliant with SSL.
1:13 pm on Nov 25, 2016 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8008
votes: 284


What about Adsense sites? I have heard...
That is old info. Adsense has caught up with all that. I saw no decline .
3:40 pm on Nov 25, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3102
votes: 210


keyplyr wrote:
Sites that are not SSL will loose ranking at search engines in the near future.

How do you know that?

Even if it's true, I doubt that it will be a big enough factor to have a noticeable effect on a site's traffic. What matters is the site's content, the ease of use, etc, not whether it's SSL.
4:52 pm on Nov 25, 2016 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 7, 2006
posts: 956
votes: 61


I doubt that it will be a big enough factor to have a noticeable effect


I'm not so sure. If, for example, a cluster of results all have very similar ranking scores, a very small difference to one of them could mean a much more substantial apparent effect.

I have no idea how Google scores sites, but say the pages on the bottom half of page 1 and top half of page 2 have scores that range between 100.035 and 100.009, and SSL is assigned a (relatively low) value of 0.05. If none of the other sites are SSL, the lowest site could move from #15 to #6, which would have a much more substantial effect than the small weighting implies.

It may be minor alongside link profile, content and other weightings, but that doesn't mean its effect is necessarily negligible.
5:30 pm on Nov 25, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3102
votes: 210


say the pages on the bottom half of page 1 and top half of page 2 have scores that range between 100.035 and 100.009, and SSL is assigned a (relatively low) value of 0.05. If none of the other sites are SSL, the lowest site could move from #15 to #6, which would have a much more substantial effect than the small weighting implies.

If you're going to pin your hopes on that kind of scenario, you're going to need an awful lot of luck.
6:30 pm on Nov 25, 2016 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 25, 2003
posts:1004
votes: 193


In order of current importance the reasons for going with HTTPS are:
1. secure handling of visitor personal and financial data.
Note: for site liability/insurance reasons and for customer confidence.

2. browsers increasingly highlighting 'non-secure' connections.
Note: for visitor confidence.

3. making the site transition from HTTP/1.1 to HTTP/2.
Note: for site connectivity, responsiveness, speed, etc. reasons.

4. Because some third party platform may at some future point provide some undefined benefit.
Note: so Google and similar are currently well down the list of reasons for switching.
6:34 pm on Nov 25, 2016 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 7, 2006
posts: 956
votes: 61


If you're going to pin your hopes on that kind of scenario


I'm not pinning my hopes on anything. All I am saying is we should not assume a proposed change will have no effect.
7:01 pm on Nov 25, 2016 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Oct 14, 2013
posts:2512
votes: 218


Make sure your tablet & browser have the latest updates


Do you realise just how many millions of perfectly good Android tablets there are that cannot be updated?

I refuse to buy any Android product since it has a built-in obsolescence.

In my office we have 8 such tablets.
7:16 pm on Nov 25, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13599
votes: 412


the thought of having to manually change all my internal links

But you only need to do it once and then never think about it again. If the whole site uses the same protocol, all your existing http://example.com/ and https://example.com can change to / alone (global change using the text editor of your choice). This will remain valid even if next year someone comes up with a hot new httpx:// protocol.

<tangent>
I refuse to buy any Android product since it has a built-in obsolescence.

You can buy a heck of a lot of Androids for the price of a single iPhone. If you amortize it over the years, you'll still come out ahead.
</tangent>
9:02 pm on Nov 25, 2016 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8008
votes: 284


@aristotle - Google has anounced several times there will be an indicator in the SERP showing a site unsecure if not HTTPS.

What is not clear is when this will happen.
7:00 am on Nov 26, 2016 (gmt 0)

Senior Member from LK 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2626
votes: 75


It is getting easier every day to switch to https. If you have your own server a LetEncrypt script will make it fairly painless. On shared hosting, it depends, but I noticed a lot of shared hosts offer LetsEncrypt support now. If yours does not you could prod them to add it.

I cannot imagine any scenario in which you cannot do a global search and replace to change internal links. It is only a problem if you have internal links that include the protocol, and that is easy to search and replace because if you have the protocol you must have the domain name in as well - so replace all http://www.example.com with https://www.example.com and you are done. There are tools that will do search and replace in all files in a directory, and you can do the same in a database column as well.
10:45 am on Nov 26, 2016 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8008
votes: 284


In a Google Security blog post, Google said that starting January 2017 with Chrome 56, the internet browser will begin to mark HTTP connections that transmit passwords or credit card information as non-secure.
Google is planning to eventually mark all HTTP connections as unsecure ones, with the security indicator for such websites to be marked with a RED TRIANGLE.
(emphasis mine)
[techtimes.com...]
12:03 pm on Nov 26, 2016 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Sept 12, 2014
posts:377
votes: 64


@keyplyr and wilburforce

i appreciate the helpfull advice but my point is that the public is increasingly unable to view https sites. How g labels or ranks sites means squat if the public can not open the sites. The last 2 sites i could not get on did not even take credit cards. They were just info sites.
I doubt that the public are going to abandon their old tablets just because some sites dont work. They just go on to the next site.
12:27 pm on Nov 26, 2016 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 7, 2006
posts: 956
votes: 61


@toidi

Yes, it is a problem if a site is inaccessible.

However, there are several things to weigh up. Iamlost's post is very pertinent, and the first point on the list a particular concern if your site handles any client personal data. Mine does, which is why I moved to https. For me, compliance with data protection legislation trumps accessibility for a small (and diminishing) minority of users. The public will abandon their old tablets eventually, if only because they can't access anything (but more likely because the battery will die or they will drop it in the bath): the "some sites" that don't work are likely to become "most sites" in the foreseeable - although not immediate - future.

Also, accessibility is irrelevant if their searches don't find the site in the first place, or if they are put off by a warning that in their eyes brands it as untrustworthy.
12:30 pm on Nov 26, 2016 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8008
votes: 284


public is increasingly unable to view https sites
That's not true toidi.

Sorry you have been having issues, and hopefully you will figure out where the problem is, but HTTPS is here to stay and if you want to stay relevant, you will need to give your site visitors a secure connection.

I can relate. Sometimes change is difficult, but the internet will always be about change.
12:50 pm on Nov 26, 2016 (gmt 0)

Senior Member from NL 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1384
votes: 158


public is increasingly unable to view https sites

Unless people are buying very old devices (like Android 2.x tablets or old BlackBerry phones), that's probably not true. It's more likely the opposite is true: more and more people are upgrading their devices, and actually getting SNI-support (the lack of which breaks many HTTPS sites on old devices). It will become an increasingly frustrating experience to browse the web on old (and often insecure!) devices, so it's probably due time to replace them.

If you can get your hands on any old device that doesn't support SNI, see how your website looks (on HTTP) on the device browser. Chances are, the browser is also far behind modern standards, and your website may not look good or even be usable. Perhaps that makes it easier to "ditch" those users.
4:35 pm on Nov 26, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3102
votes: 210


In a Google Security blog post, Google said that starting January 2017 with Chrome 56, the internet browser will begin to mark HTTP connections that transmit passwords or credit card information as non-secure.

I can understand the need for https in those cases.

But my sites are articles on static html pages with no forms of any kind (no registration, login, comments, contact, or anything else.) There are no ads either. People come and (hopefully) read the articles. That's all they can do.

So I don't see any reason why google would be justified in marking my sites as "non-secure"

I would also like to add that a large majority of sites that I visit are still http, including many large well-known organizations. If google pursues this policy, they will be improperly marking millions of sites as "non-secure"
2:35 am on Nov 27, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Sept 14, 2011
posts:763
votes: 26


There is often no need for SSL on most sites but the SSL holder gets to see all traffic and interaction on your site so it is easier to force sites to SSL to monitor the conversations than it is to deal with a www, google push to ssl has nothing to do with security and everything to do with ease of monitoring your site and comments.
2:49 am on Nov 27, 2016 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 25, 2003
posts:1004
votes: 193


The critical point is in the quote:

...HTTP connections that transmit passwords or credit card information...

In other words the vast majority of HTTP sites will (in all probability) NOT be marked as 'non-secure'. And those few that are will, it appears, only have specific activity pages so marked not the entire site.

A case can be made that some things such as non-secure webdev fora log-ins are not exactly a high risk activity. On the other hand it is impractical to attempt to make such risk-benefit choices on the fly and I'm not surprised that Google would err on the side of caution. As to credit card or similar data over non-secure... that should have been flagged years ago... and some browsers already do.

The vast majority of sites will likely switch to HTTPS over the next few to five years simply because of (1) the benefits of HTTPS/2 and (2) the fact that certs are now available free.

The real battle in the next while is not between HTTP and HTTPS but between bog standard Secure Sockets Layer (SSL) Certificates and Extended Validation (EV) SSL Certificates.
* standard SSL certs are cheap to free
---the address/URL bar shows a green padlock before the URL
---clicking the log shows text box saying connection is secure and the cert verifying entity.

* extended validation SSL certs are expensive to extremely expensive
---the address/URL bar shows a green padlock AND the corporate name in green before the URL
---clicking the log shows text box saying connection is secure and the cert verifying entity AND who owns the site.

With the advent of free SSL certs extant verifying entities had to find some value added 'security' to recoup the lost cash grab.
This 92 message thread spans 4 pages: 92
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members