Forum Moderators: Robert Charlton & goodroi

Will Cloudflare's HTTPS connection for non HTTP sites suffice for G?

     
11:06 am on Aug 18, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 19, 2015
posts: 170
votes: 28


What do you think of the use of a WAF's HTTPS connection for websites which do not use an installed SSL certificate? Lots of non-SSL websites doing this via Cloudflare's own SSL/HTTPS but the actual server connection (website) itself is not HTTPS, which seems contradictory. I'm talking of a website that doesn't use HTTPS/SSL certificate and simply takes advantage of their traffic going through HTTPS provided by a WAF like Cloudflare. So:

server connection (HTTP) --> website connection to server (HTTP) ---> Cloudflare connection to website (HTTPS)

Traffic goes through Cloudflare's HTTPS but the actual website to server connection is via HTTP and not HTTPS.

Does Google accept the above as "HTTPs passed" and thus (Google) gives their thumb up to this setup as part of their HTTPS boosting ranking factor? Seems lots of "gurus" recommend this and spammers left and right are doing this, instead of installing an actual SSL certificate on their server.

What do you think?
11:44 am on Aug 19, 2018 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:Feb 5, 2004
posts: 517
votes: 48


I am not too familiar with Cloudflare, but I would say in my opinion no, since the visitor would be connecting to your website via http first (if I understand correctly). Google bot would detect this. This was discussed before here on WebmasterWorld, but the whole secure message is more than a little misleading to the average visitor, as the website may use secure encryption to communicate with the visitor but may be completely unsecure elsewhere (either communicating with another server, bad code, etc...).
11:48 am on Aug 19, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts:596
votes: 90


Google bot would detect this.

How?
1:33 pm on Aug 19, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:2357
votes: 625


the visitor would be connecting to your website via http first (if I understand correctly).

It goes the other way around: the visitor connects to the Cloudflare proxy server first (https) and then the communication between the proxy and the web-server is http. As far as Google and your browser are concerned this is sufficient. The caveat being if ever the proxy gets hacked then communications could be intercepted between the proxy and web-server.
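
An added example, not part of the thread or any poster's code: a Python check a site owner can run against their own origin server (its own IP address, bypassing the proxy) to see whether the proxy-to-origin hop described above could be encrypted. The function names, result labels and the mapping to Cloudflare's "Flexible", "Full" and "Full (strict)" modes in the comments are assumptions of this example; 203.0.113.10 and example.com are placeholders.

```python
import socket
import ssl


def _tls_state(addr, port, hostname, timeout):
    """Attempt a verified TLS handshake straight to the origin."""
    ctx = ssl.create_default_context()  # checks chain and hostname
    try:
        raw = socket.create_connection((addr, port), timeout=timeout)
    except OSError:
        return "closed"
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return "verified"
        except ssl.SSLCertVerificationError:
            return "unverified"
        except OSError:  # non-TLS reply, reset or handshake timeout
            return "none"


def _speaks_http(addr, port, hostname, timeout):
    """True if the port answers a plain-text HTTP request."""
    req = f"HEAD / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((addr, port), timeout=timeout) as s:
            s.sendall(req.encode("ascii"))
            return s.recv(16).startswith(b"HTTP/")
    except OSError:
        return False


def probe_origin(addr, hostname, tls_port=443, http_port=80, timeout=3.0):
    """Classify how the origin answers when the proxy is bypassed."""
    tls = _tls_state(addr, tls_port, hostname, timeout)
    if tls == "verified":
        return "tls-verified"    # hop can be encrypted and authenticated ("Full (strict)")
    if tls == "unverified":
        return "tls-unverified"  # encrypted, but the certificate does not validate ("Full")
    if _speaks_http(addr, http_port, hostname, timeout):
        return "plaintext"       # only "Flexible" works: hop is readable and modifiable
    return "unreachable"


if __name__ == "__main__":
    # Placeholder values: replace with your own origin IP and site name.
    print(probe_origin("203.0.113.10", "example.com"))
```

A result of "plaintext" means visitors see HTTPS while the traffic between the proxy and the origin still crosses the network unencrypted.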
2:24 pm on Aug 19, 2018 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:Feb 5, 2004
posts: 517
votes: 48


visitor connects to the Cloudflare proxy server first

Okay then Google would not detect it then and you should be fine at least for the secure message showing up.
3:17 pm on Aug 19, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member editorialguy is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:June 28, 2013
posts:3365
votes: 707


What NickMNS said. CloudFlare's "Flexible SSL" works just fine, in terms of what Google and browsers see.
4:44 pm on Aug 19, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3524
votes: 324


I looked at this last year (the free Cloudflare account), and initially thought it might be a good solution. But I ultimately rejected it, mainly because you're depending on two different companies (your host and Cloudflare), which "doubles" the risk of something eventually going wrong.

I still haven't found any other options I like either, so my sites are still http.
4:52 pm on Aug 19, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:2357
votes: 625


which "doubles" the risk of something eventually going wrong.

What could go wrong? You suddenly will not be https anymore? So to mitigate that risk you are not https at all. Sorry, I don't see the logic. Just use Cloudflare until you find a suitable solution.
5:15 pm on Aug 19, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member editorialguy is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:June 28, 2013
posts:3365
votes: 707


CloudFlare's "Flexible SSL" makes migrating to HTTPS really, really easy, and it's been reliable since I started using it months ago. I wouldn't use it if I were running a bank or an e-commerce site (since traffic between the origin server and CloudFlare's network isn't encrypted), but for an information site that doesn't ask for confidential user data, it's a great solution. It sure beats getting labeled "Not secure" in Web browsers.
5:53 pm on Aug 19, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts:596
votes: 90


I still haven't found any other options I like either, so my sites are still http.

What is preventing you from configuring your site to be HTTPS, directly at your host?

CloudFlare's "Flexible SSL" makes migrating to HTTPS really, really easy, and it's been reliable since I started using it months ago. I wouldn't use it if I were running a bank or an e-commerce site (since traffic between the origin server and CloudFlare's network isn't encrypted), but for an information site that doesn't ask for confidential user data, it's a great solution. It sure beats getting labeled "Not secure" in Web browsers.

I know the risk is low, but you are still exposed to hackers being able to inject malicious code into your pages, between your server and Cloudflare.
6:15 pm on Aug 19, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3524
votes: 324


What could go wrong?


Have you never heard of the "strong" version of Murphy's Law:
"Even if nothing can go wrong, something still will."


It sure beats getting labeled "Not secure" in Web browsers.

I checked the logs and stats for several of my sites a few days ago, and didn't see any noticeable change in the bounce rates and user engagement from past months. Evidently the vast majority of internet users are like me and don't notice the little "Not secure" warning. Also, I design my sites to load almost instantly and immediately grab a visitor's attention.
6:29 pm on Aug 19, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts:596
votes: 90


Evidently the vast majority of internet users are like me and don't notice the little "Not secure" warning.

I don't think this is a problem for a while. But, there is a possibility, that, with the time, web browsers become more "aggressive". And I think that, in a couple of years, web browsers might block the access to non HTTPS site, and request the user an explicit action to access them. Like a warning message, requesting the user to click to confirm he really wants to access the site in spite of "risks".

So I think everybody should switch, and not end up doing it in a rush, if it happens. And your users still benefit from having the connection between your server and their device encrypted. Even if you do not collect information, hackers can be very creative in exploiting a non-secured connection.
11:18 am on Aug 25, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 19, 2015
posts:170
votes: 28


Is there any comment from Google directly on this topic? Seen lots of people recommending using a WAF's HTTPS connection but no confirming word from Google themselves as far as I know which always leaves me suspicious. You know with how Google is obsessed (to good measure) with making the internet safer and all that. Server to website is still vulnerable, minor vulnerability but still.

I've seen legit sites do the Cloudflare/WAF HTTPS method but also plenty of spam sites too. I think using a WAF's HTTPS connection is great for big websites for whom making a move from HTTP to HTTPS would be chaos and too costly. Surely Google will have consider these webmasters too and give the OK to using an HTTPS connection for traffic via a WAF with an HTTP server to website connection. The WAF products I've seen will turn everything to HTTPS including images, script etc on the front end to make sure no mixed content.

What I'm missing is G's confirmation on this. From the look of the replies here it does seem that using a Cloudflare/WAF HTTPS setup for traffic on an HTTP site would work as far as G's OK with a secure connection. Any more opinions?
11:30 am on Aug 25, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 19, 2015
posts:170
votes: 28


I don't think this is a problem for a while. But, there is a possibility, that, with the time, web browsers become more "aggressive". And I think that, in a couple of years, web browsers might block the access to non HTTPS site, and request the user an explicit action to access them. Like a warning message, requesting the user to click to confirm he really wants to access the site in spite of "risks".

So I think everybody should switch, and not end up doing it in a rush, if it happens. And your users still benefit from having the connection between your server and their device encrypted. Even if you do not collect information, hackers can be very creative in exploiting a non-secured connection.


I disagree. For Google to do this they better differentiate between websites then. Commercial bank? Yes. Governmental website on diabetes? Meh. HTTPS websites can still be hacked. Man in the middle attacks are popular with commerce websites. Many informational websites (good ones, not those spammy ones) have their reasons for not moving to HTTPS. One is cost and the other is making a mess about it. Not the whole internet uses Wordpress.

Also a huge 'non secure warning' on a non commercial website would scare people away despite the website may have excellent content. This would affect Google directly with Chrome as ranking excellent non HTTP websites that display a huge warning block would lead to a bad user experience of the search results. What are they going to do then? Just rank spam websites with an HTTPS connection via a free SSL certificate implemented on the fly?

The websites that should be using an HTTPS connection should have been doing so 4-5 years ago. This isn't something new.
11:37 am on Aug 25, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts:596
votes: 90


I've seen legit sites do the Cloudflare/WAF HTTPS method

When a site uses Cloudflare, it doesn't mean that the connection is not secure between Cloudflare's servers and the server(s) hosting the site. So you can't assume that, if a site is having an HTTPS connection through Cloudflare, it means the connection between Cloudflare and the site is insecure. You can't know that. There are plenty of other reasons to use Cloudflare (global distribution, CDN, DDoS protection, etc...)

My biggest concern about Cloudflare is more about sharing an IP with hundreds, thousands or more other sites. In the past, Google could penalize a site if it was running on the same IP as other "bad neighbors". It caused issues with Cloudflare, but this was in the past, since Google is taking into consideration the nature of services like Cloudflare or AWS, but...

HTTPS websites can still be hacked. Man in the middle attacks are popular with commerce websites.

Oh, I didn't know that. Do you have a link to an article explaining it? I'd like to study it. Thank you.

One is cost and the other is making a mess about it. Not the whole internet uses Wordpress.

Even if you are not using Wordpress, it's very easy to switch, and free. If you are not a sys admin, then you are certainly using a plug-and-play host, which will have a button to switch, and if you are a sys admin, you know how to configure your web server to use a TLS certificate. (And if you are in the middle, you use an admin GUI, like CPanel, Webmin, etc... and this is also one button to press...)