Is your HTTPS setup causing SEO issues?

Discussion in 'Forum SEO' started by Joeychgo, Jul 27, 2016.

  1. ozzy47

    ozzy47 Tazmanian Veteran

    9,007
    892
    +4,328
  2. The Sandman

    The Sandman Administrator

    29,080
    1,822
    +5,510
  3. GTB

    GTB Tazmanian

    4,038
    862
    +1,045
    SSL encrypts the data sent to avoid it being hijacked and read. So not sure what CM30 means really, in leading to a forum getting hacked?

    Maybe he means if offering paid forum subscriptions, then SSL would offer the best security. Which it would really for that. And which ever way you look at it Ozzy, it is a form of hacking.
     
    Last edited: Jul 28, 2016
  4. cheat_master30

    cheat_master30 Moderator

    3,802
    1,052
    +1,075
    A forum needs SSL if it's even slightly controversial. Stops people being targeted based on the exact topic/content they're looking at on the site, which can be useful in some environments.

    But you're right that a weak server or outdated software is a bigger issue.
     
  5. esquire

    esquire Habitué

    1,588
    642
    +629
    Perhaps the article is better titled as the easy things to check when switching to https. I was a bit surprised that it didn't mention the technical parts of https setup. To anyone seeking to move - just perform an SSL server test on a failed site such as a tester like Qualys and you'll begin to understand the problems. There are speed issues, ciphers, vulnerabilities which must be patched/turned off, unsecured content, etc. After switching you may find pages loading at a noticeably slower speed. Not only can it harm your SE performance but it will annoy your users. 301 redirects and link issues are more easily solved.
    Gary is an amazing guy, brilliant and very careful about being accurate. When he says so, I believe him.

    Early on it was stated that the https ranking would only impact a certain percentage of sites and impact may be difficult to measure because you're never sure you're comparing apples to apples unless you're in Google. But look at Zineb's article here too: https://webmasters.googleblog.com/2015/12/indexing-https-pages-by-default.html There is definitely an initiative to move forward with "https everywhere" - although that doesn't mean it's as urgent as many other items on your list. It appears they are moving forward slowly and carefully because major changes can impact many things, people, variables, etc. Still something to certainly keep an eye upon.
     
  6. Drastic

    Drastic Habitué

    1,172
    282
    +633
    Here's samples of sites NOT using SSL and there's tons more just like them. All in top Alexa ranks and extremely successful. If they're not worried about it, then I'm not either. I have nothing to lose, compared to those who probably bring in more income in a day than many of us do in a month.

    http://www.foxnews.com/ http://www.cnn.com/ http://www.aol.com/ http://heavy.com/ http://www.wired.com/ http://www.ign.com/ http://www.wpbeginner.com/
    etc..

    I'm certain they know about SSL. It will be interesting to see if sites like those switch in the future.
     
  7. mysiteguy

    mysiteguy Devotee

    2,943
    887
    +2,267
    I can't tell you the last time I read about a forum being hacked because it didn't use SSL. And yet there are countless forums hacked every day due to old versions of software, bad file permissions, social engineering, insecure plug-ins, improper user permission settings, etc.
     
    • Like Like x 1
    • Agree Agree x 1
    • List
  8. Joeychgo

    Joeychgo TAZ Administrator

    6,770
    1,532
    +3,456
    Exactly my thoughts.
     
  9. mysiteguy

    mysiteguy Devotee

    2,943
    887
    +2,267
    Come to think of it, not only forums, but also forum users! I can't tell you when the last time I've heard of a forum user being hacked because the forum didn't use SSL. The instances I've heard of where user accounts were compromised its generally compromised by:

    - a "friend" getting access to a computer
    - logging into an ex-spouse's (or boyfriend/girlfriend) account to cause havoc
    - admin account compromised via the methods I listed in my previous reply, and the user database obtained.
    - guessing passwords
    - brute force and/or dictionary password attacks
    - In the very early days, forging cookies
    - Bad settings in the forum allowing HTML in posts and rouge user embeds hidden script or plugin code in post. Not as much of an issue these days as it used to be since basic XSS protection is included in most browsers.

    Attacking a user's session/account directly requires access to one of the hops along the way. Difficult to do, and frankly in most cases there's not a payoff to make it worth the cracker's effect --- someone with those skills usually go after bigger fish like taking an entire database.

    There is an exception, and that is browsing with a plain text session over a non-secure connection where someone can easily snoop like setting up a fake public hotspot or using (foolishly) a legit public hotspot which doesn't have encryption and not using a VPN.
     
  10. esquire

    esquire Habitué

    1,588
    642
    +629
    Originally the issue with https was on sites that should be using it, e.g. storefronts, commercial transactions, etc. My advice is to keep your eye on the Google Webmaster Central blog and not blow this off. It doesn't matter whether you think you're right. It's all about what is and isn't being implemented. And if they do go forward further, there will be very good reason. Much is thought out and not so easily dismissed.
     
  11. eva2000

    eva2000 Habitué

    1,722
    857
    +798
    HTTPS for me is all about web performance and page speed. HTTPS via HTTP/2 benefits page speed as does using HTTPS allows web servers that support Brotli content encoding compression to serve smaller static file sizes than the regular default gzip/deflate content encoding compression to web browsers that support Brotli https://community.centminmod.com/th...algorithm-coming-to-chrome-browser-soon.5806/

    For me on js files it's between 7-25% smaller file sizes on Brotli (br) vs Gzip (gzip) and for css files up to 10-33% smaller files. Smaller size = faster page loads :)

    My forums on my own Centmin Mod Nginx web server built with Brotli support in latest beta, https://community.centminmod.com/ uses Brotli compression for web browsers that support it and fall back to default Gzip compression for web browsers that do not support it :)

    upload_2016-7-30_10-51-15.png

    Xenforo js files ~19.7% to ~20% smaller via Brotli compression compared to Gzip compression

    upload_2016-7-30_10-54-3.png

    FYI, brotli compression is only supported over HTTPS ;)
     
    Last edited: Jul 29, 2016
  12. sgray

    sgray Aspirant

    36
    13
    +26
    Since Let's Encrypt has gone live, I have aimed to enable and prefer TLS on my sites. Not because of Google's reported preference or other "hype", but there is near zero cost for me to make this little bit of security available to my visitors. My web servers are already regularly optimized such to support it, it takes less than 10 minutes to set up, and I've never seen a negative impact on a site I manage. I'm not going to block one of the most common web protocols just because other webmasters haven't gotten around to supporting it or are being stubborn how they don't need it (not referencing anyone specific, just some sites completely block TLS, not even redirect).

    In regards to security, it is more about protecting your visitors' transmitted data from snooping and interruption than preventing misc kinds of attacks on web sites. When my ISP decides interrupting my page request with an ugly service announcement is more important than me reaching the intended webpage, it's always while I'm browsing a site via plain HTTP. That is one of the most mild examples of how non-secure connections can be a problem and still it is annoying no matter how much I try to understand it's probably the best way for customers to receive such communication. I wouldn't want someone to get the same kind of speed bump visiting one of my sites and think I am trying to doing something bad to them.

    I don't pull out the pitchfork on a site that prefers plain http as long as they don't expect me to send unprotected sensitive data, but please at least redirect connections from the non-preferred protocol. Otherwise, don't be surprised to later find out you've been losing people that, for whatever reason, prefixed your site with https.
     
    • Like Like x 1
    • Agree Agree x 1
    • List
  13. smirkley

    smirkley ID'mazing

    1,167
    667
    +137
    I converted to ssl early this year.

    I understand googles position and dont want to touch the suggestion of whether or not it can still be hacked or not.

    But I did it for my members exclusively. I cannot quantify if my serps recieve any bennies or not. I honestly dont care.

    But I certainly do 301's to https from http as well as to www. As opposed to non www. (My preference). All done in htaccess of course.
     
  14. mysiteguy

    mysiteguy Devotee

    2,943
    887
    +2,267
    Question, what did the SSL switch contribute to the misery, verses splitting that out from the other issues at the time?
     
    Last edited: Jul 31, 2016
  15. Monkey Wrench

    Monkey Wrench Enthusiast

    131
    33
    +59
    I lost 90% of my indexed links when I switched in february, my setup was perfectly fine. Now half a year later I gained all my indexed links back plus many more. Also due to my small niche I notice quite some advantage from the "slight" boost for Google ranking.
     
  16. GTB

    GTB Tazmanian

    4,038
    862
    +1,045
    Just looked at your forum and images are not showing up, I'm using FireFox.

    Capture.PNG
     
  17. smirkley

    smirkley ID'mazing

    1,167
    667
    +137
    The ssl switch was added during the rebuilding from a major crash as part of the rebuild process.

    Exclusively the only misery caused by the switch itself was, 1- the loss of search engine coverage and traffic until which time my 301s took effect in the serps, and 2- the many many internal links in posts that have to be sought out and corrected in posts, which is still ongoing to date.

    But that was all reletively minor considering the totality of the rebuild.
     
  18. eva2000

    eva2000 Habitué

    1,722
    857
    +798
    you caught me messing and tweaking the style :D
     
  19. kontrabass

    kontrabass Participant

    76
    63
    +24
    Agreed. I was under the impression (from a video I watch a long time ago and don't have a link to), that Google was going to increase the ranking signal of https more over time. Besides the http/2 benefits, the fact that Google likes https is reason enough for me to stick with it. Never know what the future will hold. Google is my master. :love:
     
  20. eva2000

    eva2000 Habitué

    1,722
    857
    +798
    remember not all HTTPS setups are equal
    • HTTP/2 HTTPS fastest/best
    • SPDY/3.1 HTTPS EOL deprecated
    • HTTP/1.1 HTTPS slowest
    Then not all web servers' HTTP/2 implementations are created equal
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.