Do I need to convert my company website to https?

     
1:44 pm on Sep 30, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Sept 8, 2016
posts:99
votes: 0


We've been operating a company website since about 1999 and since about 2001 the site has remained static with a few tweaks here and there over the years. The site makes a lot of use of meta keywords and page title descriptions. We host no ads, no adsense stuff, no links to external urls at all. The site takes no orders (no ecommerce stuff) and has no data-entry forms of any kind. Just links to product photos and descriptions and pdf files and our contact info. The site is operating on an NT4 server running IIS4. We sell technical / scientific products that we make. Google and bing are constantly downloading our files on a daily basis. At least a few dozen hits every day. Don't know why they are constantly downloading the same files so often - our html pages rarely change and our pdf files never change.

A google search for a few keywords always shows links to our site and internal pages and documents on the first page of results. Nobody else in the world makes the stuff we do. Ok, all fine and good.

We've recently become aware that at least one organization (A VA hospital where a customer of ours works) doesn't allow access to our website. We're not sure why. I'm wondering if it's because it's not https, and the main question of my post here is this:

Are there browsers, or browser settings (for home / mobile users) or firewall appliances (for institutional / corporate users) that are limiting / blocking access to websites that they can't connect to using https secure protocols? Even if there is nothing that the user can do on the site that would require security of any kind?

From some limited research I've done on this so far, the only downside to not having https for a site that does not conduct ecommerce is that the site's search rankings may be dropped to a lower position - but in our case even that is not an issue.
3:11 pm on Sept 30, 2018 (gmt 0)

Preferred Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts:579
votes: 60


I'd be more concerned about your 2001 design. Is your site mobile friendly and have a responsive design? How does it render on a phone? My view is that if you are not doing ecomm, user logins, cannot take advantage of https's added speed, then I would not bother. For now. There are long threads to say differently.
Have you looked at your raw access log to see if your server is rejecting people/bots? How about other search engines?

Static is not worse for security, it is better. But the lack of interactivity might be a concern. This is up to you. There have been great advances in web design since 2001. Maybe you want to improve your Google page rank? Do you do SEO? Google Analytics? You might be able to attract more customers doing searches on Google, Bing, Yahoo, Yandex, Baidu, there are so many.
3:31 pm on Sept 30, 2018 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:7139
votes: 413


Google Analytics?
..or be sensible, secure, snoopless, control your own analytics and keep Google's snoopy nose out of the back end of your site ( and sales figures ) and run [matomo.org...]
4:11 pm on Sept 30, 2018 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:7139
votes: 413


Btw
We've recently become aware that at least one organization (A VA hospital where a customer of ours works) doesn't allow access to our website. We're not sure why. I'm wondering if it's because it's not https,

It is perfectly possible that an over zealous sysadmin at the hospital may have set up their system so that all outgoing traffic to non https is blocked..Anyone who has done that is not likely to be open to changing their mind,so it may be just as well to change to https now, and as TorontoBoy says, look into updating your site at the same time..
The change to https can be very simple, and an overhaul of your site's tech and internal linking is worth doing, and is often easier to implement if all done at once..If you are already well positioned in search , just be careful not to go changing all your URLs other than the change from http to https..and resist the temptation to "re-write" or "polish" your content..otherwise any "blips" that might happen ( usually there won't be any on a change from http to https ) would be very difficult to attribute..

re the constant attention from Google , Bing etc..that could very well be that you have sites linking to you which are crawled frequently, so the crawlers will follow those links..Unless this crawling is stressing your server, don't worry about it..
5:12 pm on Sept 30, 2018 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4558
votes: 363


Are there browsers, or browser settings (for home / mobile users) or firewall appliances (for institutional / corporate users) that are limiting / blocking access to websites that they can't connect to using https secure protocols? Even if there is nothing that the user can do on the site that would require security of any kind?


Most current browsers offer a visual signal when any site is not https that varies from browser version to version. But it is clear to visitors that they are not on a secure site. From there it is up to the user to decide whether to continue so it depends on your visitors' understanding. Business and institution networks can and do limit connections for devices on their networks. That is up to company policy.

6:25 pm on Sept 30, 2018 (gmt 0)

New User

joined:Sept 30, 2018
posts:7
votes: 1


Couple of things are important now when it comes to web design with regard to SEO...those things are

1) The responsiveness of your site / mobile friendliness

2) The security of your site /it having SSL/https

3) The last is once again ( 1 ) above.

Take care of these two, and you're not far from the rest
6:51 pm on Sept 30, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15932
votes: 887


I'd be more concerned about your 2001 design.
Paradoxically, a very very old site* may in fact be more responsive than a newer one, as it's less likely to contain directives that assume the user's viewport is some-vast-number-of-pixels wide.

But honestly, what can it hurt? If your site is properly coded, a change to https should involve--aside from getting the certificate--one or two lines in the config file. And if the site is improperly coded, you're due for an overhaul anyway.


* For ### and giggles, I dug up a couple of my old AOL pages dating from 1999 and Previewed. Hideous, of course--but utterly responsive, because there's nothing telling them not to be.
7:31 pm on Sept 30, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Sept 8, 2016
posts:99
votes: 0


We host our own site, we have 50/10 DSL with static IP. Site seems very responsive, even when hit from outside our LAN. Not concerned at all regarding our page ranking - every sort of search we've tried over the years to see where our site ranks, it always ranks high, usually #1, and usually 5 of the results on the first page point to us in some way. We have no links or connections or hooks to any analytics (nobody, not even google). We got a letter (in the mail) 1 or 2 years ago from google, saying our site was not mobile friendly. I myself do not own a cell phone (never have) but several of us in the company do (blackberry, android, iphone) and the site renders just fine on their phones. I see lots of hits in our logs from people with all sorts of phones. I've been scanning our logs daily for the past 2 - 3 years, and have been blocking lots of IP's that are clearly bots. We've recently started blocking these IP's in our router (as opposed to in the web server). We're blocking about 350 million IP's (in about 4 or 5 thousand CIDR's). China, southeast asia, russia / eastern europe, central / south america, etc. Also blocking hosting companies (as I discover them via the logs). Always seeing attempts to get wordpress files (that we don't have) so I block the entities hosting them. I only want to get hits from "real people" and other than that, the big search engines (google, bing, and yahoo). I see security outfits (ie symantec) and when I can identify them, I don't block them.
7:32 pm on Sept 30, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893

7:56 pm on Sept 30, 2018 (gmt 0)

Preferred Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts:579
votes: 60


FYI responsiveness is not how fast your server renders your site, but if the site can display well on various sizes of screens. Many current sites resize their html to the dimensions of the device.

You seem to be well on your way. There are a lot of bots targeting Wordpress, that I can attest. If your site works then stick with it.
7:56 pm on Sept 30, 2018 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:7139
votes: 413


Sounds like you could just switch to https, ( look at letsencrypt [letsencrypt.org...] ) make sure that redirects from anyone requesting http go to https..and leave the rest ( what is not broken, does not need fixing ) alone.. :)

You might find this thread [community.letsencrypt.org...] and some of the places it leads to useful..

HTH
9:23 pm on Sept 30, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Sept 8, 2016
posts:99
votes: 0


I don't think IIS4 can do https. I really don't want to have to mess with it. And - don't I have to pay someone like verisign for an SSL certificate?

I just tried a site performance analyzer on our site. It said the fully-loaded time was 0.8 seconds (average is 6.8 seconds), total page size is 94 kb (average is 3.11 mb), number of requests is 32 (32 files) average is 89.

Thing is - earlier I said that a customer at a VA hospital couldn't get access to our website. I know his IP address and I can see that there are requests for our default.html file coming from his IP, but not the other 31 files that make up a complete page load. So there must be some network appliance on his end that is making a snap decision to not allow access to our site based on grabbing our default.html file. That said, I see lots of other accesses to our site from other IP's that show the same behavior (they grab only the default.html file) and I think mostly with no referrer URL (but a normal-looking user-agent). I've always put those down to bots doing scanning or god knows what. Now I'm not so sure.
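
The log check described in the post above (clients that fetch default.html but none of the files that complete the page) can be scripted; this is an added example, not code from the thread. It assumes the server writes W3C extended logs with a `#Fields:` line, and the sample log, IP addresses and asset suffixes are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample; W3C extended format and all values are assumptions.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent) cs(Referer)
2018-09-30 13:02:11 192.0.2.10 GET /default.html 200 Mozilla/5.0+(Windows+NT+10.0) -
2018-09-30 13:02:11 192.0.2.10 GET /images/logo.gif 200 Mozilla/5.0+(Windows+NT+10.0) http://www.example.com/default.html
2018-09-30 13:05:40 198.51.100.7 GET /default.html 200 Mozilla/5.0+(Windows+NT+6.1) -
2018-09-30 13:09:02 203.0.113.5 GET /default.html 304 Mozilla/5.0+(iPhone) -
2018-09-30 13:09:02 203.0.113.5 GET /images/logo.gif 304 Mozilla/5.0+(iPhone) http://www.example.com/default.html
2018-09-30 13:12:30 198.51.100.99 GET /wp-login.php 404 Mozilla/5.0 -
"""

PAGE_STEMS = {"/", "/default.html"}  # entry page name as given in the post
ASSET_SUFFIXES = (".gif", ".jpg", ".png", ".css", ".js")  # assumed asset types


def parse_w3c(text):
    """Yield one dict per request, using the column order from #Fields."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("#fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))


def page_only_clients(text):
    """Map client IP -> (user agent, referrer) for page-only visitors."""
    pages, assets, seen = defaultdict(int), defaultdict(int), {}
    for rec in parse_w3c(text):
        ip, stem = rec["c-ip"], rec["cs-uri-stem"].lower()
        if stem in PAGE_STEMS:
            pages[ip] += 1
            seen[ip] = (rec.get("cs(User-Agent)", "-"), rec.get("cs(Referer)", "-"))
        elif stem.endswith(ASSET_SUFFIXES):
            assets[ip] += 1  # any status counts, including 304 from a warm cache
    return {ip: seen[ip] for ip in pages if assets[ip] == 0}


if __name__ == "__main__":
    for ip, (agent, referrer) in page_only_clients(SAMPLE_LOG).items():
        print(ip, agent, referrer)
```

Visitors revalidating cached files still log 304 responses for the assets, so they are not flagged; what remains is a mix of filtering proxies, link checkers and scanners that has to be told apart by user agent and source network.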
9:41 pm on Sept 30, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


I don't think IIS4 can do https.
Yes IIS4 supports HTTPS. [digicert.com...]

don't I have to pay someone like verisign for an SSL certificate?
Lets Encrypt FREE Security Certificates [letsencrypt.org]
9:46 pm on Sept 30, 2018 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:7139
votes: 413


I don't think IIS4 can do https. I really don't want to have to mess with it. And - don't I have to pay someone like verisign for an SSL certificate?

It can..which is why I gave you the link to the lets encrypt forums, which in turn have a link on how to set up letsencrypt certs ( which are free ) on IIS..

Here is the direct link ..for the "how to use lets encrypt on IIS"
[weblog.west-wind.com...]
9:58 pm on Sept 30, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Sept 8, 2016
posts:99
votes: 0


Alright, I will check this out and fool around and get an https version of our site up and running. For what it's worth, I just tried trend micro Site Safety Center and Norton Safe web online check of my site. Both gave a big green checkmark saying " this URL contains no malicious software and shows no signs of phishing (trend micro) and Norton Safe Web found no issues with this site - Computer Threats: 0 Identity Threats: 0 Annoyance factors: 0. Interesting that they don't mention that the site is http and not https.
10:40 pm on Sept 30, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15932
votes: 887


not mobile friendly
<snip>
the site renders just fine
It should be pointed out that rendering is not the only aspect of mobile-friendliness, though it's certainly the first and most obvious one. Google also notices things like clickable areas being too close together (because a fingertip is bigger than a mouse pointer). Ask your cell-phone-users if they find any trouble spots navigating the site.

At this late date, a server that won't support HTTPS is a server that is overdue for putting out to pasture. So it is good to learn you were misinformed on this point.