Welcome to WebmasterWorld Guest from 107.23.37.199

Forum Moderators: phranque

Message Too Old, No Replies

What will happen if I don't switch to HTTPS?

possible downside of non-secure pages

     
12:23 am on Feb 18, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Many site owners are still deciding if or when they will follow the new SSL standard of using a security certificate and switching to HTTPS.


Possible downside of not switching to HTTPS*

• Visitors may start to decline. As discussions about secure web sites become more popular, visitors may avoid non-secure web sites.

• Browsers are still transitioning but the warnings will get more explicit for ALL pages, not just Credit Card or forms. These warnings may further scare off visitors.

• Google has made statements that secure sites will gain advantage in mobile & desktop SERP. HTTPS is already being displayed for secure sites. Bing & other Search Engines will surely follow.

• Eventually, non-secure websites may be considered unsafe to users and purged from SERP altogether.

• Browser support for HTTP/2 protocol is only for HTTPS websites. This protocol greatly speeds up page loads. If your site is not secure, you will not benefit.

*Possible scenarios, no one knows for sure.
2:06 am on Mar 19, 2017 (gmt 0)

Junior Member

10+ Year Member

joined:May 20, 2006
posts: 73
votes: 0


@IanCP There seems to be a notion that the word "http" needs to be replaced with "https" in the internal linking structure.
Not true! https should rarely appear in your files.

Assume you need to use absolute links (relative are better if on the same domain), try to use // instead of https://
This way it will work on both protocols and you can change gradually.

Example, let's say you had a resource to an external static image like this:

<img src="http://staticfiles.example.com/myImage.jpg" >

change that to

<img src="//staticfiles.example.com/myImage.jpg" >

(It may be off topic but the advice your hosting company gave is a little risky, sorry... don't do auto-replace on that scale)


My site is hard-coded that every internal links are using http:// absolute links to link to every internal html files since this is what I read that they recommend many years ago from SEO specialists (to avoid duplicate content penalty also). What I'm doing now is changing all http:// to https:// absolute URL for internal links. So I find the above quote confusing about the use of simply relative // path. Or have things changed recently? Kindly enlighten thanks.
2:48 am on Mar 19, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


killua... I agree with IanCP.

SEO tactics change because the web changes. Yes, using absolute links is one tactic to combat forged sites since the perp will need to remove all those absolute paths, but that is not difficult nowadays; a text editor can do that with one press of a button.

Using relative paths makes so many things easier; this being one of them. If you had used relative paths sitewide there would be that much less work to do preparing your pages to be HTTPS.

So my advice is, while you are doing your preparatory editing, consider changing these absolute paths to relative.
3:00 am on Mar 19, 2017 (gmt 0)

Junior Member

10+ Year Member

joined:May 20, 2006
posts: 73
votes: 0


^Thanks for the advice. What about the issue of duplicate content? If I use relative links for internal html pages, Google may not know if they are linking to http:// or https:// or www or non-www. Or is this problem solved already today by major search engines?
3:32 am on Mar 19, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


If you properly use a 301 then Google will see only one set of pages... the HTTPS version.

Also, there's a setting in GSC to choose between non-www and www.
3:33 am on Mar 19, 2017 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4349
votes: 295


Google will know if they can only access the pages under one protocol. That is the purpose of having the canonical rewrite rules in your .htaccess file - as discussed with examples a few posts back. If you can only access https, there is no problem to use relative URLs for either internal or external links. AdSense has been using // protocol without http or https for their asynchronous script for quite some time.

If you never used canonical rewrites to have only one form for your site to be accessed, then you would want to use absolute URLs. Even though technically the pages could be accessed with or without www.
5:12 am on Mar 19, 2017 (gmt 0)

Junior Member

10+ Year Member

joined:May 20, 2006
posts: 73
votes: 0


I see. Yes, I do use 301 via .htaccess. I use redirect-checker.org to test redirects. Since Google will respect the 301, then using // protocol is indeed a better option.
6:27 pm on Mar 19, 2017 (gmt 0)

New User

joined:Feb 25, 2017
posts:16
votes: 1


@IanCP, yes, I understand where you're coming from and I agree that we all have to move eventually.

Question to everyone - I see references to SSL protocol but is anyone (or anyone's host) using TLS? I think if HTTP/2 is used, TLS is required?
7:45 pm on Mar 19, 2017 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4349
votes: 295


Without using tools other than your browser, you can check whether your redirects are working correctly. Just paste a few variations in the address bar and see if it resolves as expected.
http://example.com
http://www.example.com
http://www.example.com/folder/file.name

If your site structure uses directories, be sure to check them as well, the root .htaccess may or may not be rewriting those requests, depending on environment factors such as other .htaccess files in use.

With the added use of a browser extension tool or two you can verify the server responses to your request to be certain they are 301 (permanent) redirects.
8:08 pm on Mar 19, 2017 (gmt 0)

Senior Member from AU 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 22, 2003
posts: 2254
votes: 149


Passed all those tests

Another matter to be considered as well is submitting a whole "new" sitemap.xml file to Google. I had to go through site verification again for the https site, etc, etc.
10:26 pm on Mar 19, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


No need for a new sitemap.xml, just edit the current one to reflect HTTPS paths and resubmit.
11:21 pm on Mar 19, 2017 (gmt 0)

New User

10+ Year Member Top Contributors Of The Month

joined:Nov 4, 2008
posts: 22
votes: 0


> If I use relative links for internal html pages, Google may not know if they are linking to http:// or https:// or www or non-www. Or is this problem solved already today by major search engines?

relative links use the same protocol and same host as the referrer page where they are located.

so if your site is using https (i.e. if all http requests are redirected 301 to their https counterparts), then all the 5relative links will be considered to be https.

and if your site is properly configured to use only the www. form (or only the non-www form), then those links will be considered to link to the same host name as the referrer page.

there is absolutely no issue with duplicated content when using relative links, if your site is properly configured, with 301 redirects to the canonical hostname and to your preferred protocol.
12:08 am on Mar 20, 2017 (gmt 0)

Junior Member

10+ Year Member

joined:May 20, 2006
posts: 73
votes: 0


By the way, when doing the https migration, at what point do I have to add the HTTPS version of the site in Google Webmaster Tools? Is it before I do the site-wide 301 redirect or is it after?
12:37 am on Mar 20, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


@ killua - this was posted earlier:

- Generic Steps to Switch from HTTP to HTTPS -


• Read all info at your host concerning certificates & switching to HTTPS and when applicable, follow those instructions.

• Install security certificate.

• Have you host enable HTTPS (if needed.) This will enable access from both HTTP & HTTPS.

• Go through site, page by page & make sure all file paths are relative (no protocol.) Test by accessing site using HTTPS and look for any browser alerts.

• Install 301 code in .htaccess file
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Note: your server may require a different code

• Go through site again, page by page, and test. Any remote absolute links will need to be HTTPS including those found in scripts & pluggins. If you publish Adsence or other advertising, links in these scripts need to be HTTPS also (or just remove the protocol altogether.)

• Update sitemap.xml (if applicable) and submit to appropriate agencies (Google, Bing, Yandex, etc)

• In Google Search Council create a new site using HTTPS. It will take a few days to start populating information. This is normal & traffic to old site (HTTP) will drop off accordingly.

• Bing Webmaster Tools should update on its own once it crawls new pages & sitemap.xml should speed up this process.
1:37 am on Mar 20, 2017 (gmt 0)

Senior Member from AU 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 22, 2003
posts: 2254
votes: 149


Sorry - that didn't work, and it also didn't pass muster. So I had to resubmit a completely revised one, including site verification again..

Which is why I so often say "don't ever assume anything". Works just fine now with all the boxes ticked in the Google Search Console.

[google.com ]
1:56 am on Mar 20, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


IanCP - Yes, you need to update (revise) the sitemap.xml with the new paths (HTTPS) - that what update/edit means.

And BTW - the link you posted does not point to your account. It defaults to everyone's account when accessed.
9:07 am on Mar 30, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


Congress just killed your right to online privacy [thenextweb.com]:
The vote today was one in favor of rolling back Obama administration guidelines designed to protect consumers from ISPs that sought to collect, and sell personal data from customers. This information included, but isn’t necessarily limited to internet browsing history and search data. This would, presumably, be used by third-party corporate interests to track internet users and inject relevant ads.

Can't track what you can't see.
8:23 am on Apr 29, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Google's Chrome browser continues adding step in alerting users when a website is not secure:
Chrome now marks HTTP pages as “Not secure” if they have password or credit card fields. Beginning in October 2017, Chrome will show the “Not secure” warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode... Eventually, we plan to show the “Not secure” warning for all HTTP pages
[security.googleblog.com...]
8:42 am on Apr 29, 2017 (gmt 0)

Full Member

5+ Year Member Top Contributors Of The Month

joined:Feb 19, 2012
posts: 334
votes: 2


Firefox seems to be much more aggressive in this regard: They display the warnings on the password field. For us, signup dropped 30% from Firefox when they came out with this feature.

But again, that does not mean that you have to move the entire site.
We moved 30 days ago and saw no change at all.
8:59 am on Apr 29, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


But again, that does not mean that you have to move the entire site
Not yet...
Eventually, we plan to show the “Not secure” warning for all HTTP pages
9:10 am on Apr 29, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


Half of Page-1 Google Results Are Now HTTPS [moz.com] -- no correlation, just steady adoption.
11:25 am on Apr 29, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 20, 2017
posts:334
votes: 73


Switching to HTTPS is also the opportunity to use the HTTP/2 protocole, which is neat.
12:34 am on May 12, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15700
votes: 810


Now, here's where you do need to replace http with https:

RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/
... long-string-of-other-conditions-here ...
RewriteRule \.(jpe?g|gif|png)$ /pictures/hotlink.png [L]

Ask how I know. Heh. My test site doesn't have an anti-hotlinking rule, so I didn't think of this until I put a certificate on my personal site, which houses things like piwik that require a login. Goodness, how colorful it looked with all those NO HOTLINKS logos in all different sizes and shapes!
1:29 am on May 27, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Another observation about HTTPS. Depending on your server set-up, it may be necessary to modify Header fields (Header set bla bla..) and/or Add attributes (AddHandler, AddOutputFilterByType, etc)

Example: 2 hosts that I use have compression (GZIP) on text/html by default. However, after switching to HTTPS it was necessary to list text/html in the attributes to be compressed:
AddOutputFilterByType DEFLATE text/html text/css text/plain image/png image/gif text/javascript application/javascript application/x-httpd-fastphp

So, after switching to HTTPS, be sure to check that everything that you intended to add to the Header is still being done.
7:52 pm on May 27, 2017 (gmt 0)

Preferred Member from GB 

5+ Year Member Top Contributors Of The Month

joined:Sept 29, 2009
posts:510
votes: 46


Another shove towards https for everyone: from June 1st, 2Checkout insisting on TLS 1.1 or 1.2

[2checkout.com ]
1:28 pm on May 28, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


Another shove towards https for everyone: from June 1st, 2Checkout insisting on TLS 1.1 or 1.2

A good thing, certainly, but it's not really a "shove towards https," seeing as SSL 3.0 and TLS 1.0 would also be HTTPS, just not as secure :-)
9:19 am on Aug 25, 2017 (gmt 0)

New User

10+ Year Member Top Contributors Of The Month

joined:May 2, 2009
posts:36
votes: 3


It's been a learning curve learning about SSL. I have tried enabling SSL at my shared webhosting server. The best I can get in a test by SSL Labs is a B. Is that because of the quality of the certificate provider or the setup of the equipment that hosts my site? Any suggestions on how to get an A, A+ ranking would be appreciated
10:14 am on Aug 25, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 20, 2017
posts:334
votes: 73


@surnames, the SSL Labs report tells you everything you need to know about why you achieve "only" B" and not A or A+. So check the report, usually things which are not good or not good enough are written in red.

This can be anything downgrading your rate. Like the key length (which I doubt nowadays) , the cipher suite, Forward secrecy, Strict Transport Security header not being configured.

Now, also all depend how your certificate was delivered, if it's by a trusted Certificate Authority. It's possible there is a mistake in the chain too , but since you are not doing it yourself, there is few chances the chains is wrongly built.

etc...
11:45 am on Aug 30, 2017 (gmt 0)

New User

joined:Aug 29, 2017
posts:2
votes: 0


I am too planning to get ssl done for my site (snip) but not sure how much time will it take to re-crawl, do we need to do all the URL as 301 redirects, will it affect current SEO of the site and most importantly how much of process its going to take for the developer. Also if HTTPs is secure the user interest, it should be free with the stringent process. Free so that it encourages all the webmasters and stringent process so that guilty webmasters get caught and penalized.

[edited by: phranque at 11:58 am (utc) on Aug 30, 2017]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]

10:46 pm on Sept 2, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 6, 2005
posts: 2853
votes: 33


Just wanted to jump back in this conversation and see if I'm correctly up to date.

I have read/been told that everything should be ssl by September 30 by one source, another by end of October and another by end of December.

Can anyone verify which is correct? Are any correct?

Thanks,
FarmBoy
12:39 am on Sept 3, 2017 (gmt 0)

Junior Member

10+ Year Member

joined:May 20, 2006
posts: 73
votes: 0


^I guess that has something to do with Chrome putting the "Not Secure" message on all types of forms when they release their latest version this October.

It's been three months since I've migrated to HTTPS and it looks successful so far. My google webmaster tools is currently showing 489 URLs submitted and 483 URLs indexed. Its kinda slow to fully index all URLs. Maybe I need to really wait several months more.
This 204 message thread spans 7 pages: 204