Is your HTTPS setup causing SEO issues?

GTB

Tazmanian
Joined
Nov 24, 2005
Messages
4,031
SSL encrypts the data sent to avoid it being hijacked and read. So not sure what CM30 means really, in leading to a forum getting hacked?

Maybe he means if offering paid forum subscriptions, then SSL would offer the best security. Which it would really for that. And which ever way you look at it Ozzy, it is a form of hacking.
 
Last edited:

cheat_master30

Moderator
Joined
Jan 16, 2010
Messages
3,869
A forum needs SSL if it's even slightly controversial. Stops people being targeted based on the exact topic/content they're looking at on the site, which can be useful in some environments.

But you're right that a weak server or outdated software is a bigger issue.
 

esquire

Habitué
Joined
Jul 11, 2010
Messages
1,588
Honestly it is a terrible article , lacks tons of other important things to check
Perhaps the article is better titled as the easy things to check when switching to https. I was a bit surprised that it didn't mention the technical parts of https setup. To anyone seeking to move - just perform an SSL server test on a failed site such as a tester like Qualys and you'll begin to understand the problems. There are speed issues, ciphers, vulnerabilities which must be patched/turned off, unsecured content, etc. After switching you may find pages loading at a noticeably slower speed. Not only can it harm your SE performance but it will annoy your users. 301 redirects and link issues are more easily solved.
Actually, no. Watch the video all the way through and he specifically says that as long as you 301 there will be no loss of pagerank.
Further: Google's Gary Illyes confirms that any 301, 302, 3xx redirect does not lose any PageRank value.
http://searchengineland.com/google-no-pagerank-dilution-using-301-302-30x-redirects-anymore-254608
Gary is an amazing guy, brilliant and very careful about being accurate. When he says so, I believe him.

But they ran a test between two sites, or something. They went into it pretty in-depth testing it out and came back with that result, less than 1% gain. Also keep in mind if showing ads on a forum that it's better to use HTTP and not SSL, as you have fewer bidders available to show ads on your forum for higher pay rates. Things like that work against switching to SLL really at this time. You also have god knows how many sites paying Google to get a higher ranking as well, something else to consider when thinking using SSL gives you any real 'worthwhile' edge

Matt Cutts I read doesn't work for Google anymore. Dunno?

http://searchengineland.com/matt-cutts-extends-his-unpaid-leave-with-google-through-2015-223951
Early on it was stated that the https ranking would only impact a certain percentage of sites and impact may be difficult to measure because you're never sure you're comparing apples to apples unless you're in Google. But look at Zineb's article here too: https://webmasters.googleblog.com/2015/12/indexing-https-pages-by-default.html There is definitely an initiative to move forward with "https everywhere" - although that doesn't mean it's as urgent as many other items on your list. It appears they are moving forward slowly and carefully because major changes can impact many things, people, variables, etc. Still something to certainly keep an eye upon.
 

Drastic

Habitué
Joined
Apr 19, 2014
Messages
1,189
Perhaps because they either don't know or previously used normal http. So got more worried about losing some 'page rank' than they do about security.
Here's samples of sites NOT using SSL and there's tons more just like them. All in top Alexa ranks and extremely successful. If they're not worried about it, then I'm not either. I have nothing to lose, compared to those who probably bring in more income in a day than many of us do in a month.

http://www.foxnews.com/ http://www.cnn.com/ http://www.aol.com/ http://heavy.com/ http://www.wired.com/ http://www.ign.com/ http://www.wpbeginner.com/
etc..

I'm certain they know about SSL. It will be interesting to see if sites like those switch in the future.
 

mysiteguy

Migration Expert
Joined
Feb 20, 2007
Messages
3,104
I can't tell you the last time I read about a forum being hacked because it didn't use SSL. And yet there are countless forums hacked every day due to old versions of software, bad file permissions, social engineering, insecure plug-ins, improper user permission settings, etc.
 

Joeychgo

TAZ Administrator
Joined
Feb 28, 2004
Messages
6,957
I can't tell you the last time I read about a forum being hacked because it didn't use SSL. And yet there are countless forums hacked every day due to old versions of software, bad file permissions, social engineering, insecure plug-ins, improper user permission settings, etc.
Exactly my thoughts.
 

mysiteguy

Migration Expert
Joined
Feb 20, 2007
Messages
3,104
Exactly my thoughts.
Come to think of it, not only forums, but also forum users! I can't tell you when the last time I've heard of a forum user being hacked because the forum didn't use SSL. The instances I've heard of where user accounts were compromised its generally compromised by:

- a "friend" getting access to a computer
- logging into an ex-spouse's (or boyfriend/girlfriend) account to cause havoc
- admin account compromised via the methods I listed in my previous reply, and the user database obtained.
- guessing passwords
- brute force and/or dictionary password attacks
- In the very early days, forging cookies
- Bad settings in the forum allowing HTML in posts and rouge user embeds hidden script or plugin code in post. Not as much of an issue these days as it used to be since basic XSS protection is included in most browsers.

Attacking a user's session/account directly requires access to one of the hops along the way. Difficult to do, and frankly in most cases there's not a payoff to make it worth the cracker's effect --- someone with those skills usually go after bigger fish like taking an entire database.

There is an exception, and that is browsing with a plain text session over a non-secure connection where someone can easily snoop like setting up a fake public hotspot or using (foolishly) a legit public hotspot which doesn't have encryption and not using a VPN.
 

esquire

Habitué
Joined
Jul 11, 2010
Messages
1,588
Originally the issue with https was on sites that should be using it, e.g. storefronts, commercial transactions, etc. My advice is to keep your eye on the Google Webmaster Central blog and not blow this off. It doesn't matter whether you think you're right. It's all about what is and isn't being implemented. And if they do go forward further, there will be very good reason. Much is thought out and not so easily dismissed.
 

eva2000

Habitué
Joined
Jan 11, 2004
Messages
1,782
HTTPS for me is all about web performance and page speed. HTTPS via HTTP/2 benefits page speed as does using HTTPS allows web servers that support Brotli content encoding compression to serve smaller static file sizes than the regular default gzip/deflate content encoding compression to web browsers that support Brotli https://community.centminmod.com/th...algorithm-coming-to-chrome-browser-soon.5806/

For me on js files it's between 7-25% smaller file sizes on Brotli (br) vs Gzip (gzip) and for css files up to 10-33% smaller files. Smaller size = faster page loads :)

My forums on my own Centmin Mod Nginx web server built with Brotli support in latest beta, https://community.centminmod.com/ uses Brotli compression for web browsers that support it and fall back to default Gzip compression for web browsers that do not support it :)

upload_2016-7-30_10-51-15.png

Xenforo js files ~19.7% to ~20% smaller via Brotli compression compared to Gzip compression

upload_2016-7-30_10-54-3.png

FYI, brotli compression is only supported over HTTPS ;)
 
Last edited:

sgray

Aspirant
Joined
May 11, 2013
Messages
36
Since Let's Encrypt has gone live, I have aimed to enable and prefer TLS on my sites. Not because of Google's reported preference or other "hype", but there is near zero cost for me to make this little bit of security available to my visitors. My web servers are already regularly optimized such to support it, it takes less than 10 minutes to set up, and I've never seen a negative impact on a site I manage. I'm not going to block one of the most common web protocols just because other webmasters haven't gotten around to supporting it or are being stubborn how they don't need it (not referencing anyone specific, just some sites completely block TLS, not even redirect).

In regards to security, it is more about protecting your visitors' transmitted data from snooping and interruption than preventing misc kinds of attacks on web sites. When my ISP decides interrupting my page request with an ugly service announcement is more important than me reaching the intended webpage, it's always while I'm browsing a site via plain HTTP. That is one of the most mild examples of how non-secure connections can be a problem and still it is annoying no matter how much I try to understand it's probably the best way for customers to receive such communication. I wouldn't want someone to get the same kind of speed bump visiting one of my sites and think I am trying to doing something bad to them.

I don't pull out the pitchfork on a site that prefers plain http as long as they don't expect me to send unprotected sensitive data, but please at least redirect connections from the non-preferred protocol. Otherwise, don't be surprised to later find out you've been losing people that, for whatever reason, prefixed your site with https.
 

smirkley

ID'mazing
Joined
Nov 15, 2004
Messages
1,167
I converted to ssl early this year.

I understand googles position and dont want to touch the suggestion of whether or not it can still be hacked or not.

But I did it for my members exclusively. I cannot quantify if my serps recieve any bennies or not. I honestly dont care.

But I certainly do 301's to https from http as well as to www. As opposed to non www. (My preference). All done in htaccess of course.
 

mysiteguy

Migration Expert
Joined
Feb 20, 2007
Messages
3,104
I honestly dont care.
smirkley said:
We are back now, and we are slowly regaining our traffic and google listings, but that is primarily the result of changing everything including adding ssl.

It has been a miserable year.
Question, what did the SSL switch contribute to the misery, verses splitting that out from the other issues at the time?
 
Last edited:

Monkey Wrench

Enthusiast
Joined
Aug 18, 2007
Messages
131
I lost 90% of my indexed links when I switched in february, my setup was perfectly fine. Now half a year later I gained all my indexed links back plus many more. Also due to my small niche I notice quite some advantage from the "slight" boost for Google ranking.
 

GTB

Tazmanian
Joined
Nov 24, 2005
Messages
4,031
HTTPS for me is all about web performance and page speed. HTTPS via HTTP/2 benefits page speed as does using HTTPS allows web servers that support Brotli content encoding compression to serve smaller static file sizes than the regular default gzip/deflate content encoding compression to web browsers that support Brotli https://community.centminmod.com/th...algorithm-coming-to-chrome-browser-soon.5806/

For me on js files it's between 7-25% smaller file sizes on Brotli (br) vs Gzip (gzip) and for css files up to 10-33% smaller files. Smaller size = faster page loads :)

My forums on my own Centmin Mod Nginx web server built with Brotli support in latest beta, https://community.centminmod.com/ uses Brotli compression for web browsers that support it and fall back to default Gzip compression for web browsers that do not support it :)

View attachment 42578

Xenforo js files ~19.7% to ~20% smaller via Brotli compression compared to Gzip compression

View attachment 42579

FYI, brotli compression is only supported over HTTPS ;)
Just looked at your forum and images are not showing up, I'm using FireFox.

Capture.PNG
 

smirkley

ID'mazing
Joined
Nov 15, 2004
Messages
1,167
Question, what did the SSL switch contribute to the misery, verses splitting that out from the other issues at the time?
The ssl switch was added during the rebuilding from a major crash as part of the rebuild process.

Exclusively the only misery caused by the switch itself was, 1- the loss of search engine coverage and traffic until which time my 301s took effect in the serps, and 2- the many many internal links in posts that have to be sought out and corrected in posts, which is still ongoing to date.

But that was all reletively minor considering the totality of the rebuild.
 

kontrabass

Participant
Joined
Mar 12, 2004
Messages
76
There is definitely an initiative to move forward with "https everywhere" - although that doesn't mean it's as urgent as many other items on your list. It appears they are moving forward slowly and carefully because major changes can impact many things, people, variables, etc. Still something to certainly keep an eye upon.
Agreed. I was under the impression (from a video I watch a long time ago and don't have a link to), that Google was going to increase the ranking signal of https more over time. Besides the http/2 benefits, the fact that Google likes https is reason enough for me to stick with it. Never know what the future will hold. Google is my master. :love:
 

eva2000

Habitué
Joined
Jan 11, 2004
Messages
1,782
remember not all HTTPS setups are equal
  • HTTP/2 HTTPS fastest/best
  • SPDY/3.1 HTTPS EOL deprecated
  • HTTP/1.1 HTTPS slowest
Then not all web servers' HTTP/2 implementations are created equal
 
Top