Ned Poulter – CEO & Founder Pole Star Digital
Well I think, first off, one of the interesting things is exactly like you’ve just phrased it there, Juan, that they’ve changed Chrome really recently so it literally just says secure or not secure. So the wording itself is very different from what it used to be, where it identified whether it’s HTTPS – which is what we’re referring to if we’re talking about secure – and I think that, yeah it’s a subtle move, but I think that’s quite a big change in itself, it’s the way that it’s looking at it.
There’s a lot written about “secure websites will be a ranking benefit or a boost”. I know we were just discussing about some of the complications about switching over to HTTPS and I have definitely seen quite a few instances where that’s gone wrong, because it’s not been treated correctly, because it’s not just a switch off, switch on. There is a process, there should be a process. So from an SEO perspective, I think that’s definitely kind of something that should be observed and paid attention to.
Dixon Jones – Majestic Marketing Director – Receptional Founding Director
Yeah I think non-HTTPS is going to start getting, is getting penalties already – literally in your rankings – so it’s already a damping factor.
Dawn Anderson – Director Move It Marketing
I think what else is also happening, is that you have non-SEOs that are browsing the web and there’s this fear factor. People are afraid of going on to sites that maybe say in Chrome “Not secure”, because they are afraid of hackers and having their credit card pinched, etc.
But I think we also have the issue that there is an awful lot of implementation of HTTPS migrations that people think have gone well, but in actual fact you have this element of what they call mixed content, which means anything at all, even random images, that may be being served over a non-HTTPS connection. It means that you’re actually, strictly speaking, you’re not HTTPS yet. So you can think you have done a successful migration, in actual fact you haven’t.
It’s worth looking at your CDN as well, because sometimes that will serve a cached version from the non-HTTPS version, and that’s what’s been causing your mixed content.
I think you’re blowing off people with the word CDN there, really, because I think one of the big problems for people considering HTTPS is, they have to put money on the security certificate. It’s a huge level up for the one-man-SEO.
You’ve got Let’s Encrypt haven’t you? But it’s not that easy.
There’s lots of things you can do, but the point is, it’s not an entirely free process. And the number of people that think that the internet is completely free and HTTPS isn’t entirely free. There’s a number of hoops you’ve got to go through to, to get a certificate.
I feel like that’s kind of a good point actually, because it’s one of those where it’s not so much have your cake and eat it, all the time. And I suppose as SEO’s that’s a difficulty that you will see, because I suppose if you’re an SEO that’s working on a project, where you’re looking to put forward a HTTPS migration then there in itself they are paying for you, so it is costing them money. So yeah it is a cost implication.
It is a differentiator as well If you think about it, if you’re a spammer with like 50.000 websites are you going to buy SSL certificates for 30-odd quid a time on 100.000 websites? Probably not. It is a differentiator.
There is quite a big gap, even if we look at mobile rankings versus desktop rankings, in like SISTRIX, and that is the difference between those that are implementing mobile friendly sites, because there’s more effort involved, anything that requires more effort and more cost, begins to differentiate spammers from the “Cream rises to the Top theory”.
What I think is a bit dangerous about the way Google is forcing SSL or HTTPS down everybody’s throat is that there is a bit of a force equivalence between having HTTPS encryption and having a secure website. Because they are not the same thing, by any stretch to the imagination.
And there’s a lot of people who think “Alright I’ve got an encryption certificate, I’m fine I won’t get hacked” and that is absolutely not the case. In anything it adds nothing to your website’s ability to resist hackers.
So I appreciate what Google is trying to do with almost making the web, by default, HTTPS, but it doesn’t address the much larger underlying problem that we have a web which is massively compromised and compromisable by hackers on a massive scale, to be abused for all kinds of nefarious purposes. And some of them for SEO purposes, let’s be honest here.
That is just bad code though.
Go tell that to WordPress.
I don’t think that is just bad code because I mean, the thing about HTTPS is that it may encrypt the information between your computer and the web server, but it doesn’t encrypt anything on your computer!
So if you’re using Chrome, and Google as Chrome or you’re using Opera and Opera wants to do… or you’ve got Skype sitting in the background, then it’s all those running software programs can eat in and read things. So security, as a layperson would think of security, is no security.
That’s not going to stop and SQL-injection.
Then that’s the website end, then there’s no security on the website end either. So there’s only the bit in the middle that’s secure, if you trust the SSL company.
Somebody just coded something badly and allowed holes in places.
HTTPS itself is subject to vulnerabilities. I mean in the last 2 years there have been several high-profile vulnerabilities in the secure socket layer, that allows people to literally eavesdrop on traffic on the internet, which technically should be encrypted and should be gibberish.
So, the security is one thing, but the way Google is going about it I think it’s a bit ham-fisted, and I think there needs to be more resources on. It doesn’t benefit Google directly, which is why they’re really not that interested in it, in helping website owners become more aware of what actually makes for a secure website.
Well they do that.
It does benefit Google.
No they have a lot of stuff, they have like the whole program of tutorials that they’re doing, called “no hackers”, that actually tries to explain how hackers may be getting into your website. Maybe they’re trying to compromise your WordPress installation etc.
So they have actually started to do a full series, and regardless or not of whether they’re actually getting any benefit from it, that’s actually just being a good citizen of the web, trying to share information that will help people. I think we all try to do that.
I mean regardless of Google as such – whether they’re the good guys or the bad guys for bringing this forward – it’s a step in the right direction, broadly speaking, for a more secure web. And in terms of the implications for us SEOs, it’s certainly a consideration when it comes to migrations or migrations done badly and not planned for.
That’s the main thing that I’ve kind of seen, besides getting hacked. Often through obvious vulnerabilities which were exploited at scale or neglect and just lack of common sense when it comes to things like that. So it’s less the kind of 90’s film hacker, who’s got a black screen and green text…
And an anonymous mask.
Exactly! Yeah, thanks Mr. Robot.