
Forum Moderators: phranque


What will happen if I don't switch to HTTPS?

possible downside of non-secure pages

     
12:23 am on Feb 18, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Many site owners are still deciding if or when they will follow the new SSL standard of using a security certificate and switching to HTTPS.


Possible downside of not switching to HTTPS*

• Visitors may start to decline. As discussions about secure web sites become more popular, visitors may avoid non-secure web sites.

• Browsers are still transitioning but the warnings will get more explicit for ALL pages, not just Credit Card or forms. These warnings may further scare off visitors.

• Google has made statements that secure sites will gain advantage in mobile & desktop SERP. HTTPS is already being displayed for secure sites. Bing & other Search Engines will surely follow.

• Eventually, non-secure websites may be considered unsafe to users and purged from SERP altogether.

• Browser support for HTTP/2 protocol is only for HTTPS websites. This protocol greatly speeds up page loads. If your site is not secure, you will not benefit.

*Possible scenarios, no one knows for sure.
11:44 pm on Feb 22, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 6, 2005
posts: 2853
votes: 33


More and more hosts are making it easier to freely install & use certs for their hosting customers.


If it is allowed here, would someone mention the names of a few of these hosts making it easy to freely install? Any of the larger and/or better known hosts?

I wonder if this will lead to all (or most) making it free and easy?


FarmBoy
11:50 pm on Feb 22, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


guggi2000 - don't argue what is unrelated. SSL (HTTPS) is not many things.

HTTPS is a protocol, a language the browser uses to speak to the server. This language is encrypted so 3rd parties cannot capture info during this transaction. HTTPS is not a cure-all for all the internet's security woes.

A Wiki article is part of the web. The web has moved to be more secure by implementing all pages be HTTPS.
12:35 am on Feb 23, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:9925
votes: 972


That is not a fact based statement, more along the line of a conspiracy delusion. There is no evidence supporting anything like that scenario.


Google started as bait and switch and continues to this day (not a delusion) and nothing has changed. What I said was that things given away for FREE to get folks to do it INVARIABLY become mandatory and monetary values are added and that is HISTORICAL, not hysterical.

Think Bell Telephone as an early "tech" version....

HTTPS has a purpose to encrypt, it has no benefit re: transport or delivery of content. If AMP can suck folks in, I suppose the G run on HTTPS will soon follow.
2:22 am on Feb 23, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Google is not giving away certs for free, Mozilla's Let's Encrypt [letsencrypt.org] is... you know, the ones who give us Firefox (for free.)

Google is championing the web's move to HTTPS but it is not selling security certificates that I'm aware of. HTTPS has nothing to do with Google projects like AMP, Structured Data or Rich Cards.

You can entertain all the conspiracy theories you like. The simple fact is, the standard for the web is now HTTPS. HTTP/2 is supported by all major browsers to display web pages more quickly. HTTP/2 is only supported on sites that use HTTPS.
6:37 am on Feb 23, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:9925
votes: 972


Still missing the point, but let's move on....

HTTPS is not a requirement .... yet. That's all the OP asked. :)

(The way to get folks to take up something new is to prime the pump by giving it away for free.)
6:37 am on Feb 23, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member graeme_p is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2952
votes: 195


A lot of shared hosts support Let's Encrypt

That said, I think it will take a long time to switch.

The underlying problem is the mechanism used by certificates. Something more like ssh where everyone always issues their own keys - or the option of doing either - would be far preferable.
7:59 am on Feb 23, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


HTTPS is not a requirement .... yet. That's all the OP asked. :)
I didn't ask that, but IMO I see no indication that HTTPS will be "required" and by whom? However, eventually browsers may drop support for nonsecure sites. I guess we'll find out.

I think it will take a long time to switch
A large portion of the world's web sites probably won't switch. Many sites are not maintained and have become archaic. This might end up being an effective method of getting rid of the dead wood from indexes.

As far as "something more like ssh" I think it is foreseeable that security certificates will evolve as the protocol advances to support some yet-to-be realized future purpose.
8:42 am on Feb 23, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 334
votes: 2


@keyplyr If there is private data HTTPS is a must. I also understand the marketing point of view: A green lock, better SEO signal, user expectations etc... it is better for a website.

But technically speaking, why is a specific public (and static) page, such as a Wikipedia article more secure under HTTPS?
9:22 am on Feb 23, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 334
votes: 2


2 more questions:

1. WWW vs non-WWW are 2 different sites but GSC gives the option to indicate the preferred one to serve the right version. Why is Google pushing to switch to HTTPS while at the same time claiming that switching to HTTPS is like moving an entire domain, which is not entirely risk-free? Sounds strange that they did not better prepare for this, as they did with WWW and non-WWW

2. Have you heard that if you turn on HTTPS without doing a 301 redirect, Google will eventually pick it up anyway and decide that it would serve the HTTPS version?
9:30 am on Feb 23, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


@guggi2000
A website can be sensitive even if it's just information. What's sensitive to some may not be sensitive to others, so it's impossible for Google (or anyone else) to tell. It's best to encrypt everything.

Besides sensitive information that a site can collect or not, there is still the risk of a "man in the middle" attack on regular sites like an article on Wikipedia (for example).

A browser sends a transmission to a server supplying a set of credentials. The server responds likewise. This is how the browser gets the necessary files to construct the web page.

It all travels over the internet in plain-text. It can be read by 3rd parties which can inject malicious code into your page during that transmission (man in the middle attack.) HTTPS encrypts the transmission so this can't happen.

WWW & non-WWW are unrelated to this discussion so I won't get into that.
10:13 am on Feb 23, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 334
votes: 2


@keyplyr We're not talking about the same thing: You're talking about credentials being transmitted and I am talking about static and public content without any credentials.

@keyplyr I did not ask about WWW & non-WWW. I asked why switching to HTTPS is like switching an entire domain.
10:24 am on Feb 23, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


Careful, HTTPS encrypts the content of pages, not the URL itself (or at least not the IP or Host).

Well, which is it? The URL is most definitely encrypted, and so is the host, since both of them are HTTP headers and encryption is set up on the level of the TCP connection (using only the IP addresses) before HTTP even comes into play.

The underlying problem is the mechanism used by certificates. Something more like ssh where everyone always issues their own keys - or the option of doing either - would be far preferable.

It seems to me that if you can vouch for yourself, rather than having a trusted CA vouch for you, the whole idea of trust goes out the window. Which is exactly why self-signed certificates result in a warning; nobody dares to claim it's actually a secure connection. And with a system like SSH, your browser would need to hold a public key for every server on the internet.

[edited by: robzilla at 10:47 am (utc) on Feb 23, 2017]

10:38 am on Feb 23, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


guggi2000
RE: credentials - the term is applied to several functions. I described the browser connecting to the server and passing to the server basic information like language, IP address, user agent, etc. I was not referring to Credit Card or password credentials.

Please read what I wrote above. It addressed your concerns about why "static and public content" needs to be encrypted.
8:50 pm on Feb 23, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 334
votes: 2


Anyone an idea about my second question:

"Do you know if it's true that if you turn on HTTPS without doing a 301 redirect, Google will eventually pick it up anyway and decide that it would serve the HTTPS version as the preferred one in the SERPs?"
9:23 pm on Feb 23, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


Yes, that's true, and has been for a while, but there are a few exceptions:

Specifically, we’ll start crawling HTTPS equivalents of HTTP pages, even when the former are not linked to from any page. When two URLs from the same domain appear to have the same content but are served over different protocol schemes, we’ll typically choose to index the HTTPS URL if:

- It doesn’t contain insecure dependencies.
- It isn’t blocked from crawling by robots.txt.
- It doesn’t redirect users to or through an insecure HTTP page.
- It doesn’t have a rel="canonical" link to the HTTP page.
- It doesn’t contain a noindex robots meta tag.
- It doesn’t have on-host outlinks to HTTP URLs.
- The sitemaps lists the HTTPS URL, or doesn’t list the HTTP version of the URL.
- The server has a valid TLS certificate.

[security.googleblog.com...]
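
The conditions in the list above that are visible in a page's own markup (insecure dependencies, rel="canonical" pointing to HTTP, a noindex robots meta tag, on-host links to HTTP URLs) can be checked before a migration. The following is an added example, not code from this thread or from Google; the class and function names are hypothetical, and the sample HTML and its URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute loads a subresource into the page.
RESOURCE_TAGS = {"script", "img", "iframe", "audio", "video", "source", "embed"}


class HttpsPageAudit(HTMLParser):
    """Collects markup that makes an HTTPS page depend on or point back to HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.host = urlsplit(page_url).hostname
        self.findings = []

    def _resolve(self, value):
        # Resolve relative and protocol-relative URLs against the HTTPS page URL.
        return urlsplit(urljoin(self.page_url, value))

    def _check_dependency(self, value):
        if value and self._resolve(value).scheme == "http":
            self.findings.append(("insecure-dependency", value))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        rel = a.get("rel", "").lower().split()
        if tag == "link" and "stylesheet" in rel:
            self._check_dependency(a.get("href", ""))
        elif tag == "link" and "canonical" in rel:
            if self._resolve(a.get("href", "")).scheme == "http":
                self.findings.append(("canonical-to-http", a["href"]))
        elif tag == "meta" and a.get("name", "").lower() == "robots":
            if "noindex" in a.get("content", "").lower():
                self.findings.append(("noindex", a["content"]))
        elif tag == "a" and a.get("href"):
            url = self._resolve(a["href"])
            if url.scheme == "http" and url.hostname == self.host:
                self.findings.append(("on-host-http-link", a["href"]))
        elif tag in RESOURCE_TAGS and a.get("src"):
            self._check_dependency(a["src"])


def audit(page_url, html):
    """Return (finding, value) pairs in document order for one HTTPS page."""
    parser = HttpsPageAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page; every URL here is a placeholder.
SAMPLE = """<html><head>
<link rel="canonical" href="http://www.example.com/widgets">
<meta name="robots" content="index, follow">
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<a href="/about">About</a>
<a href="http://www.example.com/contact">Contact</a>
<a href="http://other.example.org/">Elsewhere</a>
<img src="//img.example.com/logo.png">
</body></html>"""

if __name__ == "__main__":
    for finding in audit("https://www.example.com/widgets", SAMPLE):
        print(finding)
```

The robots.txt, redirect, sitemap and certificate conditions live outside the HTML and are not covered by this check.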
9:41 pm on Feb 23, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 334
votes: 2


@robzilla

"- The sitemaps lists the HTTPS URL, or doesn’t list the HTTP version of the URL. "

In other words: If there is an updated sitemap for the HTTP site, then they won't index it...
9:45 pm on Feb 23, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


If the sitemap on both HTTP and HTTPS includes only HTTP versions of the URLs, Google won't overrule that. It will consider that (HTTP) to be your preference, much like if your rel canonical tags on HTTPS were to point to HTTP.
9:48 pm on Feb 23, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 334
votes: 2


Has anyone considered not moving to HTTPS because of:

- Potential (temporary) traffic loss, similar to moving a domain. This was reported by several big sites, including Moz about 3 years ago

- Potential Adsense loss as reported by many webmasters, also 1-2 years ago

- Other unknowns, such as Facebook likes being reset for the new https version (yes, we are aware of the workaround)

- Compatibility issues and slight traffic loss (yes, we know it's minimal)

Opinions?
9:53 pm on Feb 23, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 334
votes: 2


@robzilla Thanks. I understood it this way that if the page does not exist in BOTH sitemaps Google will prefer the secured one.
10:05 pm on Feb 23, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


I understood it this way that if the page does not exist in BOTH sitemaps Google will prefer the secured one.

That seems to be true also, yes. Basically, if you want Google to return only HTTP, you need to make this known to them explicitly by listing only the HTTP URL(s) in the sitemap, employing rel canonical, redirecting, or by other means.

The general consensus seems to be that nowadays, if the implementation is correct, moving to HTTPS should not result in a loss of rankings, traffic or revenue.
10:17 pm on Feb 23, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 334
votes: 2


The general consensus seems to be that nowadays, if the implementation is correct, moving to HTTPS should not result in a loss of rankings, traffic or revenue.

True, and I guess there is a very good chance that everything will be fine. However, I am wondering whether there are other people who postpone the move to minimize risks and unknowns.

Thanks
10:24 pm on Feb 23, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3612
votes: 353


It doesn’t have on-host outlinks to HTTP URLs.

I don't understand what that means.
8:17 am on Feb 24, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


I don't understand what that means.

If the HTTPS version links to the HTTP version, e.g. when you use only absolute URLs pointing to HTTP, Google assumes HTTP has your preference, and won't choose to index the HTTPS versions. If you explicitly link to the HTTPS versions, or you use relative URLs, and the other conditions listed are met, it will crawl, index and rank the HTTPS versions of your pages.

On-host meaning on the same domain. Whether other domains point to HTTP or HTTPS is irrelevant.
9:40 am on Feb 24, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 334
votes: 2


At the moment we serve our HTTPS pages through a subdomain and another webserver. Our main domain does not even listen to the 443 port (HTTPS port) to avoid any potential issues.

IMO, best practice is to switch the entire domain to HTTPS or not to switch at all. Do not have some pages HTTPS and some not. One could work with 301 redirects but that would create a mess too, sooner or later.
9:57 am on Feb 24, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 334
votes: 2


I am checking for all possible pitfalls when moving to HTTPS. One thread I have found on this forum refers to Webmaster Tools, but I am not sure if that is still relevant and what exactly happened to the user called @superclown2

[webmasterworld.com ]

Can anyone elaborate what problems can arise when defining a new site under GSC (Webmaster Tools)?
10:08 am on Feb 24, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


guggi2000 a discussion from 2014 may not be the best source to get an idea of what occurs today.

Correctly implemented, there should not be any problems with GSC. Using a 301 to redirect all traffic to HTTPS, your old site profile at GSC will die a natural death. Your new HTTPS profile will just take a few days to start displaying everything.

Not that complicated.
10:57 am on Feb 24, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


Correctly implemented...

Quoting for emphasis, because as superclown2 admits in that thread, he made some mistakes.

In the Search Console, your backlink data will also be "preserved" so long as you redirect HTTP to HTTPS. I say "preserved" because they will appear with the added note "Via this intermediate link: http://www.example.com". Whether the links lose any value from the redirect of HTTP to HTTPS is a matter of debate, but I doubt it so long as the content and path are the same.
11:52 am on Feb 24, 2017 (gmt 0)

New User

10+ Year Member Top Contributors Of The Month

joined:Nov 4, 2008
posts: 22
votes: 0


but there is no turning back. if people start linking to your new HTTPS site, if you ever want to go back to HTTP (and drop your SSL cert), all those HTTPS links would cause a warning (unsafe redirection), so most likely Google would not give any "ranking juice" from your HTTPS inbound links. right?
12:03 pm on Feb 24, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


loupiote - and the web isn't turning back :)
12:29 pm on Feb 24, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 334
votes: 2


@robzilla
Whether the links lose any value from the redirect of HTTP to HTTPS is a matter of debate, but I doubt it


I doubt it too. But the fact that there is a debate and we are not 100% sure makes me suspicious. As I mentioned earlier, in webmaster tools there is 1 checkbox to indicate www vs non-www preference. So easy, so clear. But they did not implement a checkbox for the https... and they had 3 years since the announcement.
This 204 message thread spans 7 pages.