HTTP: Chrome to start showing NOT SECURE October 2017!

turbin3

According to Google Search Console today:
Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.


Although this may not necessarily apply to all HTTP pages, it appears at a minimum any pages with HTML input fields and forms will likely apply to this. Considering most sites have these, probably best to start making your plans to migrate to TLS-only for your sites. Also, if you're still on the fence, consider this clear statement from them as well:
The new warning is part of a long term plan to mark all pages served over HTTP as “not secure”.
Although I think it's important not to be so heavily-focused on Google alone as the primary traffic source, to the point where we jump immediately at their every command, this does highlight the importance of site security and taking worthwhile steps to improve yours.

For new sites that are still in the planning stages, I would pretty much always do TLS-only from this point on. The great thing is, with organizations like Let's Encrypt, the barrier to entry for TLS has been substantially reduced. Worst case, with a little bit of elbow grease (really just a few commands on your CLI, and a bit of copy/pasting plus some redirects), you can acquire a FREE TLS certificate through Let's Encrypt. With a bit of extra elbow grease on top of that, it's not difficult to do things like setting up a cron job to renew your certificates before they expire, automating the process for you.

The great thing is, it appears changing over and redirecting to TLS is not quite as much of an issue as it once was. I'll try to post some pics tonight or this weekend based on some recent results I've seen. Thanks to SERPWoo, tracking several domains changing over to TLS-only, I noticed the new TLS versions of ranking pages already appear in the rankings as fast as the same day, and in many cases within just 1-2 days! Pretty cool. On top of that, for a number of SERPs, I noticed a 10-30% improvement in rank. This is within the theoretical minimum 90 day window of ranking manipulation by Google based on page changes, so the results are still suspect for a few months. That said, promising results compared to the horror stories from even just a year or two ago.
 
Hasn't this been going on for months now?
 

For those that don't realize: TLS = SSL.

The SSL term is just so commonly used, even though TLS is actually the successor of the real SSL. To make the masses less confused about it all, most people simply use the SSL abbreviation.

Hasn't this been going on for months now?

For Firefox Yes - think it was in Jan 2016 or 2017 when they started. Not Chrome - until this October.

 
Yeah, Steve and I were talking about this the other day on our videocast.

Mr. Patel had made that ridiculous video saying that TLS/SSL isn't needed for SEO purposes. Even if that were true, I'm sure most site owners won't want the words "Not Secure" plastered up next to the address bar on Chrome.

It makes little sense to me as to why someone wouldn't want to use it. It's so easy to implement at this point that it's really a no-brainer. If you're on WPX hosting, they provide the certificates for free and will even install it for you. Can't go wrong.
 
Yeah, Steve and I were talking about this the other day on our videocast.

Mr. Patel had made that ridiculous video saying that TLS/SSL isn't needed for SEO purposes. Even if that were true, I'm sure most site owners won't want the words "Not Secure" plastered up next to the address bar on Chrome.

It makes little sense to me as to why someone wouldn't want to use it. It's so easy to implement at this point that it's really a no-brainer. If you're on WPX hosting, they provide the certificates for free and will even install it for you. Can't go wrong.
The problem lies in the 301 redirect... Google treats them as different entities and it doesn't always work properly.

On top of that, images break and links get messed up.

New site? Always ssl.
Existing ranking site? It's a lot of work with risk.
 
Am I the only one who's been getting "not secure" for a while now? Interesting
 
The problem lies in the 301 redirect... Google treats them as different entities and it doesn't always work properly.

On top of that, images break and links get messed up.

If you go through all of the steps of changing the property to HTTPS in Google Analytics, setting up the new property in Search Console and explicitly telling them on both the HTTP and HTTPS properties that the preferred version is HTTPS, set up your 301's correctly, it's zero issue. I've done it a handful of times on high risk properties now and had zero issue, and a possible rankings boost but I can't say it's only related to the change and not from past marketing campaigns finally fruiting.

Images and Links do break but if you use a database you should be able to do a simple MySQL command (or use a plugin) to search and replace your HTTP+domain with HTTPS+domain. And if you're hard-coding URLs like that in templates you can do a mass search with a text editor on all the files, and in the future you're better off using relative URLs that don't feature the domain at all.

I agree, all the things you're saying are true but are also fixable. I wouldn't even call it fixable though, it's just a part of the process of the migration that you can't escape.

I agree with all the sentiments too, new projects should always start SSL now. cPanel has a Let's Encrypt plugin now, so does WHM, you don't even need to do much but use the command line or have your hosting provider install the plugin. Then you click a check box and it generates, installs, and sets up the cron job to renew it.
 
easyengine.io, which is a fantastic WordPress installation command line manager, has Let's Encrypt integration built in. Can't recommend it enough.
 
Don't even need Let's Encrypt, can just use WHM's built-in AutoSSL feature, which uses a free Comodo SSL.
 
One.com offer free SSL with all basic hosting packages. Cheap too for low budget starters.

I do have one question tho'.

They mention
To activate SSL for your website:
  1. Log on your Control Panel
  2. Click SSL
  3. Select On
  4. Click Save

I'm assuming this is just highlighting their simple SSL activation process or do you think this would circumvent the other required actions mentioned above regarding URLs, broken images etc?

Would switching to SSL impact sites on CDNs? If so anyone have any common issues/actions to highlight?
 
I'm assuming this is just highlighting their simple SSL activation process or do you think this would circumvent the other required actions mentioned above regarding URLs, broken images etc?

I interpreted that to mean "We will generate a certificate, sign it, submit it with the generated key, install it on the domain, and the rest is up to you." Maybe if you're using their 'Website Builder' will it do a search and replace for you and set up the 301's. But there's no way they have a catch all process for all CMS's or static sites. It's a different job for each site, even all on the same CMS.

Would switching to SSL impact sites on CDNs? If so anyone have any common issues/actions to highlight?

Yes. You either have to buy a nice certificate with 12 months of time on it, or if you do Let's Encrypt you'll constantly have to send the CDN the new certificate and risk problems. But the point is that not only do you have to have your own certificate, they can't fetch it from you so you have to send it and hope they set it up right.

Then on top of that you need a 2nd certificate for your CDN subdomain. The cheap way of doing it is using their shared certificate where everyone using that CDN company will also be using that certificate. Getting this done with a CDN is more complicated than without unless you don't care about the shared aspect.
 
I remember when this was big 6-12 months or whatever it was ago, people were making very nice and detailed guides on how to properly migrate a Wordpress site with DNS to https, step by step. I never saved them... Anyone got one bookmarked they can vouch for? The technicals I am not concerned with, just don't want to miss a step.
 
I have been putting this off for months as I thought it would be a big job, but after reading this I decided to bite the bullet and get it done.

I was actually surprised how easy it was, and I didn't even have to buy a certificate as CloudFlare provides a free shared certificate.

Followed the guide that @Ryuzaki shared, and it was done within the hour, although I am still waiting for my Search Console details to be switched over.
 
For those reading this, here are some results I shared from a recent switch to HTTPS from my case study on post #144.

Index migrating:
IIrCqT5.png


Traffic over 45 days after vs. previous 45 days:
cE6W1O0.png


That's quite the increase in organic traffic but I'm constantly publishing and getting links too. So we can't attribute it all to the switch, but we can definitely conclude nothing catastrophic happened. I've made this switch several times now for myself and a couple friends, went fine every time.
 
Working at an agency during the day I get to see things in a little bit larger scale. Earlier this year we moved about 40 sites to SSL.

About half of the sites we moved were in maintenance mode, meaning they already ranked so those sites get a minimal amount of work during a month.

Typically a site would have 7-14 day dip in rankings, which was about the amount of time it took to fully index the SSL version (150-500 pages)

Converting a WordPress site to SSL is super easy and can be done in 30 minutes. Find and Replace plugin is your friend.

The thing I would like to add is this is a really good time to clean up any lingering issues or messes you might have. For example:
  1. KW stuffed slugs
  2. Internal anchor text ratios are off
  3. 301 and 404 issues
  4. Siloing issues
  5. missing alt tags
Basically, those small things you forgot or didn't know to do when you built your site out. This is a great time to do it.

Loosely speaking, Google sees the https version as a new site and from looking at server logs we noticed an increase in Google bot traffic, meaning a temporary increase in crawler allowance. So those 4-year-old blog posts, which didn't have any internal linking, now are getting crawled again.
 
That's fantastic advice @JasonSc. Considering Google is monitoring on-page changes and attempting to detect on-page manipulation, particularly it seems very small and specific changes, it's always great when you can roll a number of site improvements into one big batch.
 
Just followed the guide, let's see what happens to the serps!

As an update I did my site migration to HTTPS on 23 August (about 3 weeks ago). Technically there was no problem.

From what I can tell in Search Console, all the pages on the HTTPS site have been indexed (the number indexed is the same as the HTTP version and is the number that I would expect for this site - around 2K pages).

However in the last 9-10 days my search engine visibility has tanked. SEM Rush and suite.searchmetrics.com/en/research/domains/organic are both reporting much decreased visibility. I think it must be for long tail terms though, because the main terms that I monitor in Accuranker etc are much the same.

As a result my traffic has taken quite a hit (difficult to tell how much though, because seasonal factors have occurred in the last 2 weeks also).

I was hoping that the decreased visibility was because not all the HTTPS pages had been indexed, but they are. So now I am a little worried.... Or maybe something else has happened (e.g. general algo change that has affected me).
 
I interpreted that to mean "We will generate a certificate, sign it, submit it with the generated key, install it on the domain, and the rest is up to you." Maybe if you're using their 'Website Builder' will it do a search and replace for you and set up the 301's. But there's no way they have a catch all process for all CMS's or static sites. It's a different job for each site, even all on the same CMS.



Yes. You either have to buy a nice certificate with 12 months of time on it, or if you do Let's Encrypt you'll constantly have to send the CDN the new certificate and risk problems. But the point is that not only do you have to have your own certificate, they can't fetch it from you so you have to send it and hope they set it up right.

Then on top of that you need a 2nd certificate for your CDN subdomain. The cheap way of doing it is using their shared certificate where everyone using that CDN company will also be using that certificate. Getting this done with a CDN is more complicated than without unless you don't care about the shared aspect.
@Ryuzaki I'm using knownhost and just found out AutoSSL was turned on. So I have the SSL certificate installed (still have to go through the other steps though).

I use a CDN (Amazon) for hosting images on my site. In your post above, are you saying that I have to purchase an SSL specifically for the CDN? Meaning, I'll have to have two separate SSL certs, one already installed for free by Knownhost, and one I need to install on the CDN? If so, anything specific I need to know, like they have to be the exact same type of certification, etc?
 
Okie dokie, did the migration yesterday by following those steps (in the guide linked earlier). Some of them didn't seem to apply to me but the whole thing took me about 8 hours, hah. Finally done though. Anyway, have 5 questions for you @Ryuzaki , haha. But I imagine the answers to some of these will help other members who go through this process later. So should benefit the group overall.
  1. I installed the Search and Replace script mentioned in the guide above but when I ran it I got an Ajax error so I deleted it. Instead I installed the Really Simple SSL plugin and that seemed to work. But still want to make sure all HTTP stuff is changed. I tried checking via online sites like https://www.jitbit.com/sslcheck/ but they only check around 200 pages. I have over 1000 pages on my site. How do I see if there are any remaining HTTP links/CSS/JS/elements/etc left on my site?
  2. Do I need to keep the Really Simple SSL plugin activated, or can I deactivate it and delete it?
  3. Regarding the CDN SSL question in my previous message above, it seems like I don't need to worry about it. I use Amazon S3 for hosting images and media, and all my image links seem to be HTTPS already. How do I find out if I need to install HTTPs on my Amazon S3 account?
  4. I have over 600 manually entered 301's via a plugin. This is because last year I changed all my paginated content to single pages. Those 301's point to the HTTP link, but since I've converted to HTTPS those links all end up going to the HTTPS version (I did a spot check on this to confirm), so it seems all good. However, should I remove that extra hop and change all those 301's directly to HTTPS, or is it a non-issue?
  5. Some of the affiliate programs I'm with use HTTP links still (checked the dashboards and they don't have an HTTPS option), so those affiliate links on my site are HTTP. Is that going to affect my site? Is there anything I can, and should, do about that?
  6. Ah fuck, editing this one in. Just noticed that all my article comments are missing. That's 1000+ comments missing. All the shares are still showing but the comments are gone. Saw FB help guide via StackOverflow (https://stackoverflow.com/questions...m-http-to-https-lost-all-facebook-likes-count) about adding an "OG property" to the top of the page to point to the http version of the page. But that's to A) restore likes (doesn't say anything about comments) and B) with over 1000 pages I obviously don't want to do that to all of them. Even if I do that only on the most trafficked pages it will be a pain. Is there an easier way to get the comments back?
 
In your post above, are you saying that I have to purchase an SSL specifically for the CDN? Meaning, I'll have to have two separate SSL certs, one already installed for free by Knownhost, and one I need to install on the CDN?

It means you need a certificate for your site and then one needs to be on your CDN. So in one of my cases I wanted to use Let's Encrypt, so I installed that plugin on the server and enabled it. So my own server was being issued a certificate every 90 days and renewing it for me.

But the CDN would not do that for me on their end nor would they auto-retrieve any certificate information. This meant that every 90 days I'd be sending the CDN company the info and hoping they acted on it quickly without any mistakes. Alternatively I could buy a year long certificate for them, or finally just use their shared certificate, which seemed cheap and unprofessional to me. Along with other reasons, I ended up canceling the CDN altogether.

How do I see if there are any remaining HTTP links/CSS/JS/elements/etc left on my site?

The search and replace goes through the database itself and takes care of all of those instances. So that's posts, menus, comments, pages, etc. The other thing you need to check is the template files, like single.php, page.php, etc. If there are any left on your site, you can open your browser's developer tools and look for Console Warnings under the Console tab, which will tell you when there's any mixed content problems. You should only find these in the sitewide template stuff at this point. (Except you didn't use the search and replace).

Do I need to keep the Really Simple SSL plugin activated, or can I deactivate it and delete it?

I've never used this but it seems like it manages to scan the database for mixed content issues, set up your 301's, etc. It must be able to edit templates for any hard coded URLs (or it assumes there are none). I looked at it at a glance, and it seems like one you won't be able to delete, although I'm not sure. I'd search for an answer to that specific question. But it's not doing anything that wasn't already covered in the list of things to do.

I use Amazon S3 for hosting images and media, and all my image links seem to be HTTPS already. How do I find out if I need to install HTTPs on my Amazon S3 account?

Seems like you'll be good to go if you don't use a period in your bucket name, so it doesn't act like a subdomain in the eyes of the certificate: Source. If Amazon has a certificate going and it's valid, you should be fine as long as you always use the HTTPS version of the URLs.

However, should I remove that extra hop and change all those 301's directly to HTTPS, or is it a non-issue?

I would. The fewer hops, the better. Google says they no longer reduce the "juice" from 301 hops now, especially for HTTPS redirections, but they do say that their crawlers will give up after a certain number of hops. 5 I think. You may be thinking "I'm only at 2 or 3 now," but you also may decide to change the slug of a URL at some point which would introduce another one, etc. I'd always take these preventative measures, especially when it's like 3 clicks in a text editor for search all, replace all.

so those affiliate links on my site are HTTP. Is that going to affect my site? Is there anything I can, and should, do about that?

External links don't have to be HTTPS. Only links pointing to resources that are being actively loaded do. The reason you want to change internal links is so your users aren't going through a 301 redirect on each click.

Ah fuck, editing this one in. Just noticed that all my article comments are missing.

Are you using Wordpress comments or Facebook or Disqus or what? If Facebook I saw some discussion here that seemed to have the solutions.
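
Added example (not part of the original thread): one way to remove the extra hop from a large set of manually entered 301s, as discussed in the post above. It follows each chain inside the rule set, upgrades same-site `http://` targets to `https://`, and reports loops. The rule format (source path mapped to target URL), the host `www.example.com` and all sample rules are constructed assumptions, not taken from any real plugin.

```python
from urllib.parse import urlsplit, urlunsplit

def to_https(url, site_host):
    """Upgrade http:// URLs on our own host; leave external targets untouched."""
    p = urlsplit(url)
    if p.scheme == "http" and p.hostname == site_host:
        return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
    return url

def flatten_redirects(rules, site_host):
    """rules maps a source path to its 301 target (hypothetical export format).

    Returns (flat, loops): flat maps every source straight to its final
    destination; loops lists sources whose chain never terminates.
    Matching is by path only, so query strings on targets are ignored here.
    """
    flat, loops = {}, []
    for source, target in rules.items():
        seen, current = {source}, target
        while True:
            current = to_https(current, site_host)
            p = urlsplit(current)
            on_site = p.hostname in (site_host, None)
            if not on_site or p.path not in rules:
                flat[source] = current      # chain ends here
                break
            if p.path in seen:
                loops.append(source)        # redirect loop, needs a manual fix
                break
            seen.add(p.path)
            current = rules[p.path]
    return flat, loops

# Constructed sample rules: paginated content collapsed to single pages,
# a slug changed twice, an external affiliate target, and an accidental loop.
RULES = {
    "/guide/page/2/": "http://www.example.com/guide/",
    "/guide/page/3/": "http://www.example.com/guide/page/2/",
    "/old-slug/": "http://www.example.com/new-slug/",
    "/new-slug/": "http://www.example.com/newer-slug/",
    "/partner/": "http://affiliate.example.org/offer",
    "/a/": "/b/",
    "/b/": "/a/",
}

if __name__ == "__main__":
    flat, loops = flatten_redirects(RULES, "www.example.com")
    for src, dst in flat.items():
        print(f"{src} -> {dst}")
    print("loops:", loops)
```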
 
But still want to make sure all HTTP stuff is changed. I tried checking via online sites like https://www.jitbit.com/sslcheck/ but they only check around 200 pages. I have over 1000 pages on my site. How do I see if there are any remaining HTTP links/CSS/JS/elements/etc left on my site?

If you have a paid version of ScreamingFrog you can use that to check for insecure items. Under the menu "Reports" select "Insecure Content". This will create a nice excel sheet you can check. It does have some limitations, such as in schema markup, it will flag urls that are not "https://".

I personally have not used the combo of ScreamingFrog, Really Simple SSL and a CDN, so your mileage might vary on this.
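
Added example (not part of the original thread): a small offline scanner for the question of finding leftover HTTP references after a migration. It applies the distinction made earlier in the thread: resources the page actively loads over `http://` are mixed content, same-site `http://` links only cost a redirect, and external `http://` links are ignored. The host name and the sample HTML are constructed; `srcset` and CSS `url()` references are not covered.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that makes the browser fetch a resource while rendering.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
                 "video": "src", "source": "src", "embed": "src", "object": "data"}

def _parts(url):
    """Return (scheme, hostname), or ('', None) if the URL cannot be parsed."""
    try:
        p = urlsplit((url or "").strip())
        return p.scheme.lower(), p.hostname
    except ValueError:
        return "", None

class MixedContentScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url, kind = None, "mixed-content"
        if tag in LOADING_ATTRS:
            url = a.get(LOADING_ATTRS[tag])
        elif tag == "link":
            # Only rel values that trigger a fetch; rel=canonical does not.
            if {"stylesheet", "icon"} & set((a.get("rel") or "").lower().split()):
                url = a.get("href")
        elif tag == "form":
            url, kind = a.get("action"), "insecure-form"
        elif tag == "a" and _parts(a.get("href"))[1] == self.site_host:
            # Not mixed content, but each click goes through the HTTP redirect.
            url, kind = a.get("href"), "internal-http-link"
        if url and _parts(url)[0] == "http":
            self.findings.append((kind, tag, url.strip()))

def scan(html, site_host):
    """Return all findings for one HTML document served from site_host."""
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: a hard-coded theme stylesheet, an affiliate widget
# image, an internal link, an external affiliate link and a signup form.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/x/style.css">
<link rel="canonical" href="http://www.example.com/post/">
<script src="https://www.example.com/app.js"></script>
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://images.example.net/widget.png">
<a href="http://www.example.com/old-post/">internal</a>
<a href="http://affiliate.example.org/?id=1">affiliate</a>
<form action="http://www.example.com/subscribe"><input name="email"></form>
<img src="/relative.png"/>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_HTML, "www.example.com"):
        print(f"{kind:20} <{tag}> {url}")
```

Run it over a local export or crawl of every page to get past the page limits of online checkers.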
 
@Ryuzaki Thank you you beautiful soul you. Transferred everything over and just updated all those 301 hops. Using the Simple SSL plugin pretty much did it. There were only a couple lingering things that were due to me using a couple of affiliate widgets in my sidebar. Took those out and then just loaded their image on my site and linked em and now it's all good.

I'm using Facebook's own code to use the comments on my site. Going through the thread you linked was helpful. If people want to just revert to showing the comments from HTTP a couple of people gave the code for that. But someone there also linked to a paid plugin that shows all the comments from both HTTP and HTTPS. Haven't tried yet but likely will (or another plugin that's similar).

Oh, as for traffic, so far so good. Did the migration on the 19th and no loss. Is it too early to tell though? Screenshot:

k9ufR7s.png


@JasonSc Thank you as well. I was going to do what you mentioned but then found the Simple SSL plugin had a premium version that did everything needed. I had a couple questions and the dev replied within 20 minutes each time, so good stuff.
 