Forum Moderators: phranque

What will happen if I don't switch to HTTPS?

possible downside of non-secure pages

     
12:23 am on Feb 18, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10103
votes: 550


Many site owners are still deciding if or when they will follow the new SSL standard of using a security certificate and switching to HTTPS.


Possible downside of not switching to HTTPS*

• Visitors may start to decline. As discussions about secure web sites become more popular, visitors may avoid non-secure web sites.

• Browsers are still transitioning but the warnings will get more explicit for ALL pages, not just Credit Card or forms. These warnings may further scare off visitors.

• Google has made statements that secure sites will gain advantage in mobile & desktop SERP. HTTPS is already being displayed for secure sites. Bing & other Search Engines will surely follow.

• Eventually, non-secure websites may be considered unsafe to users and purged from SERP altogether.

• Browser support for HTTP/2 protocol is only for HTTPS websites. This protocol greatly speeds up page loads. If your site is not secure, you will not benefit.

*Possible scenarios, no one knows for sure.
11:58 am on Feb 21, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3282
votes: 244


By the way, google gave blogspot users the option to switch to https, but the vast majority haven't done so. What's google going to do about that?

When I made that statement earlier in this thread, I meant to refer to blogspot blogs themselves. Google wants to switch all of those existing blogspot blogs to https, and sometime last year gave blogspot bloggers an option to do so. But as I said, the vast majority haven't done it. In those cases, you can currently reach the blogs through either http or https.
2:53 pm on Feb 21, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 323
votes: 2


A friend just told me that his websites' Facebook likes (which he proudly displayed) fell to 0 after switching to HTTPS.
If you're in a niche where these "likes" count for marketing purposes that argument would outweigh the arguments for switching. That is just an example for one of the unknown "byproducts"...

I am asking myself what the hidden financial benefits are for Google (for pushing HTTPS).

I am considering blocking HTTPS in my robots.txt and enabling just the login and payment pages through HTTPS for now...
3:59 pm on Feb 21, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1568
votes: 213


A friend just told me that his websites' Facebook likes (which he proudly displayed) fell to 0 after switching to HTTPS.

If you point to the old HTTP version in your og:url meta element, you should be able to get your likes back, but I haven't tested this myself. Far from ideal, of course, as you won't be able to build likes for the HTTPS version.

I am asking myself what the hidden financial benefits are for Google (for pushing HTTPS).

Why does there always have to be a financial benefit?
4:25 pm on Feb 21, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 323
votes: 2


@robzilla Google is a revenue-driven company and serving better Search is only one of their goals. The main goal is to maximize revenue by showing as many ads as possible on THEIR pages. They achieved this by pushing webmasters into Structured Data, Page-Layout-Algo, etc.

So, I am wondering, what's in it for them? I mean, they could have pushed for HTTPS login pages if they're concerned about security?
6:48 pm on Feb 21, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts: 348
votes: 50


@guggi2000, the likes your friend "lost" are simply because likes are associated with a page, or a site. http and https are seen as two different sites, like www. and non-www. URLs. So the likes counter thing is perfectly normal, and expected to be like that. Now, it's possible that, if redirections are set up correctly, Facebook will update its links automatically as it recrawls the site of your friend.
7:17 pm on Feb 21, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1568
votes: 213


I think that's a very limited view. Every non-profit is revenue-driven, but that doesn't mean everything the company does is aimed at generating more revenue. Google is also trying to move the web forward, and it has made, and continues to make, many valuable contributions to make the web safer, faster and more accessible. Sure, the majority of those contributions will benefit the company in some way, directly or indirectly, since they were born out of internal needs, but they are under no obligation to fold them out to the internet at large, and yet they do.

HTTPS protects the integrity of your site and the privacy and security of your users. I can learn a lot about you from the (unencrypted) pages you visit, or from data traveling via any other insecure form of communication, like POP3, IMAP, SMTP, FTP, etc. You shouldn't need anyone to tell you it's best to employ it, for your sake and your users', and I don't think a webmaster's in the best position to judge whether or not users need protection.

HTTPS is the new default: your users will come to expect it more and more, and it will be a requirement for many new features of the web, much like it is for HTTP/2. What is everyone waiting for?
9:51 pm on Feb 21, 2017 (gmt 0)

Full Member

joined:July 23, 2015
posts:254
votes: 76


>> @keyplyr : What will happen if I don't switch to HTTPS?

Absolutely nothing will happen.

Outside of online commerce, the majority of websites will be http. People just won't bother or won't know to follow some obscure webmaster guidelines, another one of 200 that we already "need" to follow.

@guggi2000, yes, Google absolutely financially benefits from https. Big time. They already lost the battle to web spam. So they are pushing people to "mobile" (as on mobile I can't identify mobile spambots as easily as on desktop, and Google benefits in the neighborhood of $ billions per year). They now push to https as a way out of their lost battle to spam. Their failed logic is in the claim that "non-spammers will sure go https".

This is Google's internet certificates site:
[pki.google.com...]
[support.google.com...]
Planned to profit handsomely from https.

There's also Firefox, whose Mozilla browser claims they are pushing everyone to https. They also plan to profit handsomely from issuing millions of certificates and their renewals. Good riddance as a browser, if they do it, gone, bye-bye.

They don't know where else to get us for more billions, their offshore accounts are too fat.

The karma that's coming their way for this abuse, is going to be huge.
9:55 pm on Feb 21, 2017 (gmt 0)

Full Member

joined:July 23, 2015
posts:254
votes: 76


Let me copy this from the Mozilla website, as I don't bother to repeat this:


Apparently the people at the top of Mozilla (and Google) with pockets filled with money can’t understand how hard it is to implement HTTPS for small website owners. Personally I prefer visiting sites in HTTPS, especially for big sites, or to be precise it’s almost a requirement for those big sites to use HTTPS. But when you’re running your own sites it’s different, especially if those sites are just small sites that don’t generate income or the income generated was too small.


I personally run maybe 70-80 sites. One person. ONE.
How many generate any money? Literally, two sites (majority started as projects that Google and scrapers killed via stealing content and images).

Is Google going to come here and tell me I can't run 78 out of my 80 websites?

TELL THIS IN MY FACE.
10:15 pm on Feb 21, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1568
votes: 213


You're not making any sense, smilie. You refer to a page about Google’s intermediate Certificate Authority (CA) which "issues digital certificates for Google web sites and properties" (my emphasis). They don't sell certificates, and Mozilla doesn't either. In fact, Mozilla is co-founder of Let's Encrypt, which gives away certificates for free. Nor does the push for HTTPS have anything to do with web spam. Did you make up this "failed logic" you say Google has, or do you have a reference? There's obviously no deterrent for spammers if certificates are free.

As for small website owners: yes, it's going to take quite a bit of time to get the majority on HTTPS, and web hosting providers obviously have a big role to play in this, but I'm already seeing a lot of movement in that area as more and more customers are likely asking for it.
11:43 pm on Feb 21, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14255
votes: 551


Is blogspot one of those setups that comes with a discussion-thread option even if you choose not to enable it for any given site? That would be the reason for pushing HTTPS. It's fuzzier if your site uses third-party discussion. Does the login actually pass through your site's servers--probably still using HTTP if you're not selling anything--or does it go directly to the site hosting the discussion, which by this time certainly ought to be HTTPS? Firefox, at least, seems to think the front-end site has some involvement, and slaps on the red-unlocked-slash icon.
12:22 am on Feb 22, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3282
votes: 244


Lucy -- The blogs at blogspot.com are hosted on google's servers. I'm not sure how many have been created, but wouldn't be surprised if there are a million or more.
1:39 am on Feb 22, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10103
votes: 550


Looks like blogger defaults to HTTPS now. I hadn't visited my account in a couple years and when I looked, it's now HTTPS.
1:52 am on Feb 22, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3282
votes: 244


Looks like blogger defaults to HTTPS now. I hadn't visited my account in a couple years and when I looked, it's now HTTPS

Do you mean that it redirected to https? I just looked at one (not mine), and http and https versions are both still available.
2:38 am on Feb 22, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10103
votes: 550


A redirect and having both secure & nonsecure accessible are two different things.

I suspect Google will eventually redirect all blogger pages to secure.

Future discussion about Blogs should be posted in the Blogging SEO forum [webmasterworld.com]
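
The difference discussed in the posts above, between a site that redirects HTTP to HTTPS and one that leaves both reachable, as an added example that is not part of the original thread. The host name `blog.example`, the function names and the sample responses are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
PERMANENT_CODES = {301, 308}


def parse_response_head(raw):
    """Split a raw HTTP/1.x response into (status_code, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify_http_answer(request_url, raw_response):
    """Classify what a server did with a plain http:// request."""
    status, headers = parse_response_head(raw_response)
    if status in REDIRECT_CODES and "location" in headers:
        # Location may be relative, so resolve it against the request URL.
        target = urlsplit(urljoin(request_url, headers["location"]))
        origin = urlsplit(request_url)
        if target.scheme != "https":
            return "redirect-stays-on-http"
        if target.hostname != origin.hostname:
            # e.g. www vs non-www: a different site as far as counters go
            return "https-redirect-other-host"
        if status in PERMANENT_CODES:
            return "https-redirect-permanent"
        return "https-redirect-temporary"
    if 200 <= status < 300:
        # Content is served in the clear: HTTPS may exist, but HTTP still works.
        return "served-over-http"
    return "no-content-over-http"


# Constructed sample responses to a request for http://blog.example/post
SAMPLES = {
    "redirecting": "HTTP/1.1 301 Moved Permanently\r\n"
                   "Location: https://blog.example/post\r\n\r\n",
    "both": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "relative": "HTTP/1.1 302 Found\r\nLocation: /mobile/post\r\n\r\n",
    "www": "HTTP/1.1 301 Moved Permanently\r\n"
           "Location: https://www.blog.example/post\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify_http_answer("http://blog.example/post", raw))
```
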
8:31 am on Feb 22, 2017 (gmt 0)

Preferred Member from BG 

Top Contributors Of The Month

joined:Aug 11, 2014
posts:526
votes: 164


In a similar thread some time ago I said that I will switch to HTTPS when Oracle does. Well, they did, and I can only imagine how painful the process was, in the summer of 2016, so I switched as well.
9:00 am on Feb 22, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 323
votes: 2


What @smilie mentioned does make sense.

Even if there are free certificates, many websites will still choose a paid certificate for whatever reason.

In short: pushing the web into HTTPS opens a billion dollar market for "someone". And the best way to do it, is to push it through SEO suggestions (or "threats").
9:16 am on Feb 22, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Feb 12, 2006
posts:2648
votes: 94


Maybe it has something to do with stopping spam sites. Spammers can put up loads of microsites each day, but if they now have to go through the rigmarole of applying for certificates to get ranked then that will slow them down a (tiny) bit.
9:28 am on Feb 22, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 323
votes: 2


@londrum Good point. Maybe the type of certificate will soon play a role (for SEO), the same way a TLD does.
2:47 pm on Feb 22, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1568
votes: 213


For every such announcement Google makes, there's bound to be someone who profits. Site speed now a factor? Hurray for performance consultants and services. Same for mobile-friendliness, HTTPS, and what have you. I don't have a problem with that. In fact, everyone should have been focusing on those things long before Google began pushing them, but many people care more about their rankings than their users. I applaud Google for stepping up and using their influence.

You're all looking for some ulterior motive. It seems obvious to me that HTTPS trumps HTTP in much the same way that a faster page is better than a slower one, a mobile-friendly page better than an awkward one. If you had to choose between two pages that are otherwise very similar, you're going to choose the one that offers the best user experience, and HTTPS plays a small (yet potentially large) part in that. You can call foul, get angry, indulge in conspiracy theories and ignore all these recommendations but ultimately you'll get the short end of the stick -- and good riddance I'd say.*

* this isn't aimed at anyone in particular.

Will HTTPS deter spammers? Only the least technically competent ones. You can automate certificate requests and be assigned a free one in seconds. The type of certificate is unlikely to matter in the HTTP vs HTTPS debate, the connection is just as secure.
3:20 pm on Feb 22, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member farmboy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 6, 2005
posts: 2825
votes: 31


I again speak as a rookie, so put as much value on this as you think necessary.

I engaged in a chat with my current host and was told they could easily provide me an SSL certificate, https designation, or whatever.

The price they quoted for doing that with all of my domains made me close to falling on the floor clutching my chest. And that would need to be renewed each year.

And then I read here about getting it free elsewhere if not provided free by host.

My head is spinning. Is IT a good and necessary idea and what exactly is "IT"?

Then there's talk of using the whole thing as a revenue earner which gives weight to my own somewhat suspicions.

Are there webmasters here, reading this, who have gone on over the years, adding to your site(s) and income, without changing to the https route? I sure would appreciate reading your thoughts on this matter.

FarmBoy (certified rookie)
3:30 pm on Feb 22, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 323
votes: 2


@robzilla
No one claims that HTTPS is bad. No one wants to resist recommendations by Google. Google does not owe free traffic to anyone anyway.

However, webmasters need to ask themselves what motives Google has with every recommendation in order to better prepare their business for the future. I think "not asking" and "just following" is a narrow view.

Example: When Google pushed for structured data, their motive was to give answers on their domain and give less traffic to websites. They became an answer engine. Information and reference sites that prepared in advance and remodeled their business have survived. The others are gone.

Same applied
3:54 pm on Feb 22, 2017 (gmt 0)

Full Member

joined:July 23, 2015
posts:254
votes: 76


>> @londrum: maybe it has something to do with stopping spam sites. Spammers can put up loads of microsites each day, but if they now have to go through the rigmarole of applying for certificates to get ranked then that will slow them down a (tiny) bit.

No, it won't. Spammers operate with throwaway domains and sites. They have long been accustomed to their domains being in Google for only 2-3 weeks. That's why they use automated techniques to very quickly auto-generate large content and links. It won't stop them one single bit, if EVERYBODY has gone to https, maybe. But it is a pipe dream: how are you going to convince 90% of the web that doesn't even know Google has guidelines, or about webmaster forums etc.? There's no way to scare them into submission, they just don't know Google is trying to scare them and could care less.

>> @robzilla: a faster page is better than a slower one, a mobile-friendly page better than an awkward one

How is an ugly, cut-down mobile page with 1/5th of the content better than a full-size non-mobile one? Especially since mobile is also way, way slower because it has to download a bunch of libraries first over generally a very slow connection (hint to Google, not everybody outside of Silicon Valley has a 4G signal).
3:57 pm on Feb 22, 2017 (gmt 0)

Full Member

joined:July 23, 2015
posts:254
votes: 76


>> @farmboy: Are there webmasters here, reading this, who have gone on over the years, adding to your site(s) and income, without changing to the https route?

I only have https on a portion of an ecommerce website. My main portal, which at one point was huge and even PR7, I don't even put SSL there, there's nobody to pay for it. I am certainly not paying for it, no way, no how.

Maybe Google should spread the love and spend some of their millions of $ of stock options on a good project, free SSL to everyone whose content they made billions on? I don't hold my breath though. And I won't trust that sort of "goodness" from them, their trust level is at an all-time low.
6:12 pm on Feb 22, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14255
votes: 551


How's ugly, cut down mobile page with 1/5th of the content is better than a full size non-mobile? Especially since mobile is also way, way slower because it has to download a bunch of libraries first over generally a very slow connection

Who said anything about libraries and ugly pages? It's up to the site owner/developer/administrator to do things right. If a site does things badly, that's on them.
6:46 pm on Feb 22, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Feb 12, 2006
posts:2648
votes: 94


@farmboy you can get a free one through letsencrypt, and then add it yourself through cPanel (assuming you've got cPanel). You'll have to read up on the instructions on the web, but it's easy enough.
7:10 pm on Feb 22, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:7878
votes: 547


At some point "free" won't be good enough, or will be corrupted/abused .... and at that time the pay-to-play side will emerge. Some might call that bait and switch, others will call it building a base, either way the end result is garden-walled customers.

HTTPS has a very real reason to exist, and for those pages that NEED it, is exactly the protocol to use. Everything else, at this time, is not in need of that. Personally, I will migrate to HTTPS when it becomes REQUIRED, or when my site(s) are removed for non-compliance. I don't see that happening any time soon.
7:23 pm on Feb 22, 2017 (gmt 0)

New User

Top Contributors Of The Month

joined:Nov 17, 2016
posts:39
votes: 1


Authorship? Who else remembers? :)
9:19 pm on Feb 22, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10103
votes: 550


At some point "free" won't be good enough, or will be corrupted/abused .... and at that time the pay-to-play side will emerge. Some might call that bait and switch, others will call it building a base, either way the end result is garden-walled customers

That is not a fact based statement, more along the line of a conspiracy delusion. There is no evidence supporting anything like that scenario.

In fact, quite the contrary. More and more hosts are making it easier to freely install & use certs for their hosting customers.
10:11 pm on Feb 22, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1568
votes: 213


I think "not asking" and "just following" is a narrow view.

As do I, and I hope I didn't give the wrong impression. You always have to ask yourself how X will benefit your users. In the case of mobile friendliness, HTTPS, page speed, you're clearly improving your user experience, but structured data is a good example of something that doesn't directly benefit your users, so you need to carefully weigh your options.

...and for those pages that NEED it, is exactly the protocol to use.

I think HTTPS is a courtesy to your users, no matter the content you serve. For any type of content you can think of a situation where the information could be considered sensitive. Every day I serve thousands of users from all over the world, and I think it would be arrogant of me to decide for them that the data we exchange is not worth protecting, even if it's just information. I don't know about their lives, how secure their internet is, if they're on public wifi, to what extent their government or employer or anyone else keeps tabs on their internet use, etc. I turn on HTTPS and nobody needs to worry about it anymore. Again, a simple courtesy.

If that doesn't convince you, HTTP/2 alone is also good enough a reason to switch to HTTPS.
11:18 pm on Feb 22, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 323
votes: 2


Careful, HTTPS encrypts the content of pages, not the URL itself (or at least not the IP or Host). It does not "hide" your surfing habits.

This means that encrypting public pages makes no sense from a security point of view. Anyone could access and see them. HTTPS makes sense for pages that serve private or dynamic content though, usually after a login.

I do not see why a public article about Harry Potter from Wikipedia needs to be served over HTTPS and why Google would boost it in SERPs if served over HTTPS.
This 204 message thread spans 7 pages: 204
 
