HTTPS or staying with HTTP?

[Ben Thomas]

Best part of two years and hundreds of websites later, I've never seen a problem with their auto renewals that's been through fault of Let's encrypt, the few that did experience auto renew problems were faults with my configuration mishap when moving expired paid certs to Lets encrypt. Maybe I was just lucky

I've not experience any issues with them, been using them for around 8 months now.

 

[pugyrob]

We have been https ing our sites rapidly. Had a few people comment that they were not and that is from general public which surprised me.

For the sake of what it takes it is a no brainer. In my niches 90% of sites that rank have https and I expect that to increase. Not suggesting every site does it but if in doubt I would do it.

N.b. make sure you do it properly! We didn't see any temporary ranking drops or gains so far.

 

[RobM]

Basically they have problems with htaccess files that redirect http to https. They can't get their authorisation through to be read sometimes. It's easily fixed - you move the htaccess file, rerenew, then move it back. However it is tiresome as it's not always and not on every server. This is a known problem. If you don't catch it though you can have sites not resolving until you manually renew. Pointless poll though really as you don't have a choice - some people like not to have a choice. I've always been a bit more discerning about my time and the reasoning behind unnecessary external uses of it. Still no probs - as my time investment increases I'll simply raise prices to cover it. I'm sure people won't mind..... they don't seem to bother about things.

 

[Adam H]

Basically they have problems with htaccess files that redirect http to https. They can't get their authorisation through to be read sometimes. It's easily fixed - you move the htaccess file, rerenew, then move it back. However it is tiresome as it's not always and not on every server. This is a known problem. If you don't catch it though you can have sites not resolving until you manually renew. Pointless poll though really as you don't have a choice - some people like not to have a choice. I've always been a bit more discerning about my time and the reasoning behind unnecessary external uses of it.

Must depend on the redirect/rewrite, not had that problem myself. For reference this is the redirect I use on the majority of sites for https

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.domainname.com/$1 [L,R=301]

 

[tocku]

FWIW I share RobM's weary resignation about this.Of course any website collecting sensitive data should use SSL, and there's a pretty strong case for the current situation of browsers warning people of an insecure connection when entering any data into a form.

But an entirely static website that does not send any data at all? Chrome will claim that a non-SSL site is insecure, when it is neither secure nor insecure. Website owners are being strong-armed into SSL based on a non sequitur.

And as Rob pointed out - Let's Encrypt might be free, but it's not without cost. How many domain outreach emails could one send in the time it takes to set up and maintain LE (or any other SSL solution)?

Interestingly, the Search Engine Land article that Adam linked to also mentions that mobile site speed is becoming a stronger ranking signal. Given that SSL negotiation is one of the biggest lags in a page load time, which factor will win out? Static, non-data-submitting-site owners are penalised for trying to make the web a faster place.

But yes, my sites have all been migrated to SSL, whether or not data are being transmitted :sigh:

 

[Ben Thomas]

First post? Since 2012? Lol. You must feel strongly about this

LE is quite easy to set up and manage through AutoSSL with cPanel, it's quite literally a one click solution. As for the mobile site speed becoming a factor, I believe Google are now putting mobile first for ranking, as in, they will rank your mobile responsive website first before a desktop site. Modern standard is to build on a responsive framework, rather than having a separate website for mobile - so I can't see this being much of a problem, aside from old/outdated websites.

 

[Adam H]

Interestingly, the Search Engine Land article that Adam linked to also mentions that mobile site speed is becoming a stronger ranking signal. Given that SSL negotiation is one of the biggest lags in a page load time, which factor will win out? Static, non-data-submitting-site owners are penalised for trying to make the web a faster place.

https is faster than http unless your running some pretty old server config. http://www.httpvshttps.com/

And as Rob pointed out - Let's Encrypt might be free, but it's not without cost. How many domain outreach emails could one send in the time it takes to set up and maintain LE (or any other SSL solution)?

What cost ? If you are using something like Cpanel most hosts already have it readily available and takes less than 10 seconds to activate. If you manage your own server and use cpanel you can run the following from SSH which takes seconds :

/scripts/install_lets_encrypt_autossl_provider

You then configure it to AutoSSL and again it then takes any Cpanel account enabled to install it in 10 seconds. What costs are you speaking of ? Even without Cpanel it doesnt take long to setup

 

[Ben Thomas]

https is faster than http unless your running some pretty old server config. http://www.httpvshttps.com/

I did find it slightly amusing that they're still using http to serve that website, lol.

 

[Adam H]

I did find it slightly amusing that they're still using http to serve that website, lol.

Thats the whole point, you can't present a test for http with out it being on http , press the https button at the top and it will switch to https

 

[Ben Thomas]

Thats the whole point, you can't present a test for http with out it being on http , press the https button at the top and it will switch to https

Oh my mistake, I didn't realise it was actually changing the website itself I thought it was running the test on remote sites or something! (Give me a break, it's still morning! JUST!)

 

[RobM]

First post? Since 2012? Lol. You must feel strongly about this

LE is quite easy to set up and manage through AutoSSL with cPanel, it's quite literally a one click solution. As for the mobile site speed becoming a factor, I believe Google are now putting mobile first for ranking, as in, they will rank your mobile responsive website first before a desktop site. Modern standard is to build on a responsive framework, rather than having a separate website for mobile - so I can't see this being much of a problem, aside from old/outdated websites.

Some of us don't rely on control panels for many servers. Currently I run over 30 most of which have no control panel and I maintain the lamp stack, patch, code, secure etc using apache and bind for serving pages. It is a pain in the ass being forced to use a certificate where one isn't necessary, especially with documented and known random issues that can actually be detrimental. 'One click cpanel' solutions are not relevant to many of us who do this for a living. Again I am all for 'choice' - something that it seems more of you are willing to throw away just because something works for you.

 

[Edwin]

Does going https break Adsense, Analytics or affiliate programs? (I count them as broken if people get shown security warnings or similar afterwards)

 

[tocku]

First post? Since 2012? Lol. You must feel strongly about this

Ha! Not that strongly. More a first post since a rekindled interest in domaining. I've been lurking for a while

https is faster than http unless your running some pretty old server config. http://www.httpvshttps.com/

Not quite. HTTP/2 would be faster if it didn't force connections over SSL - another example of being strong-armed into it based on a non sequitur. SSL adds overheads to the https://httpvhttps.com page load time:

https://www.webpagetest.org/result/...069aeffd045a0/1/details/#waterfall_view_step1

What cost ? If you are using something like Cpanel most hosts already have it readily available and takes less than 10 seconds to activate.

I don't use a control panel. But even if I did, the tasks for some sites would include:

• log into cPanel, navigate to SSL and turn it on
• auditing cross-domain links for SSL
• changing site URLs in any CMS
• changing hard-coded URLs from http to https (e.g. media embeds, analytics etc)
• redirecting all http traffic to https
• adding and verifying https site to Google Search Console & Bing webmaster tools
• updating & submitting XML sitemaps
• reviewing site for mixed content errors, other errors
• monitoring error logs for 404s lest I missed some hard coded
• changing adwords/FB ad target URLs
• reaching out to key partners who link, asking them to change incoming URLs to https

That might be a good hour or two. So like I said - LE might be 'free', but it's not without cost.

 

[tocku]

Does going https break Adsense, Analytics or affiliate programs? (I count them as broken if people get shown security warnings or similar afterwards)

Changing to https can lead to 'mixed content' warnings. Most (if not all) 3rd-party providers will support SSL by now, so you might need to edit hard-coded URLs.

In an ideal world URLs would be protocol neutral (e.g. //www.mysite.co.uk rather than http://www.mysite.co.uk), but that's not always the case!

 

[Adam H]

Does going https break Adsense, Analytics or affiliate programs? (I count them as broken if people get shown security warnings or similar afterwards)

Would depend on your provider, if your embedding affiliate code into your site which isnt https ready then you could get mixed content warnings which would stop the embed from showing .

Analytics you can switch in the settings to read HTTP, Adsense has no problem with the switch. Other things to consider is your affiliate referrer where https can block tracking of affiliate codes. Something like this is used generally to help with that :

  <meta name="referrer" content="unsafe-url">

But its the same with every change you make, if its planned well and due-diligence is done prior then you shouldn't run into any surprises.

 

[Adam H]

I don't use a control panel. But even if I did, the tasks for some sites would include:

• log into cPanel, navigate to SSL and turn it on
• auditing cross-domain links for SSL
• changing site URLs in any CMS
• changing hard-coded URLs from http to https (e.g. media embeds, analytics etc)
• redirecting all http traffic to https
• adding and verifying https site to Google Search Console & Bing webmaster tools
• updating & submitting XML sitemaps
• reviewing site for mixed content errors, other errors
• monitoring error logs for 404s lest I missed some hard coded
• changing adwords/FB ad target URLs
• reaching out to key partners who link, asking them to change incoming URLs to https

That might be a good hour or two. So like I said - LE might be 'free', but it's not without cost.

That's fair, time spent can be hugely different depending on the site and/or duty of care/responsibility.

 

[Ben Thomas]

Some of us don't rely on control panels for many servers. Currently I run over 30 most of which have no control panel and I maintain the lamp stack, patch, code, secure etc using apache and bind for serving pages. It is a pain in the ass being forced to use a certificate where one isn't necessary, especially with documented and known random issues that can actually be detrimental. 'One click cpanel' solutions are not relevant to many of us who do this for a living. Again I am all for 'choice' - something that it seems more of you are willing to throw away just because something works for you.

Right. Because "some of us" like to do things the hard way. Because running cPanel/any other control panel means everything is automated, right? Wrong. I still have to maintain the server, as does any one using a control panel. It just makes life easier, freeing up time that can be spent doing better things - like making money.

 

[RobM]

Lol you do know how much 30+ licenses would cost? It still doesn't alter the facts that a) the LE certificate system is flawed and b) it is only 'necessary' to have an SSL certificate for a static site because google told you to.

I give up - you obviously know everything.... providing you have a control panel. This seems to be the way the uk industry is headed with newbies who have no clue but thinking they know everything and openly enabling people to screw us like lambs on the way to the abbatoir. For that reason I am out. People know what my email is - there is nothing left to learn on this forum. I'm sure inteldigitial and the like can give you all the knowledge you need. It's clear from his past posts how vastly knowledgeable he is about the domain and uk industry.

 

[Ben Thomas]

Lol you do know how much 30+ licenses would cost? It still doesn't alter the facts that a) the LE certificate system is flawed and b) it is only 'necessary' to have an SSL certificate for a static site because google told you to.

I give up - you obviously know everything.... providing you have a control panel. This seems to be the way the uk industry is headed with newbies who have no clue but thinking they know everything and openly enabling people to screw us like lambs on the way to the abbatoir. For that reason I am out. People know what my email is - there is nothing left to learn on this forum. I'm sure inteldigitial and the like can give you all the knowledge you need. It's clear from his past posts how vastly knowledgeable he is about the domain and uk industry.

Damn, Rob. People like you are the reason this industry suffers. You sound so bitter, what's the issue? As for cost of licenses, why are you running 30 servers if you're concerned about cost?

Although, I'm amused by your fervent need to try and belittle me (and presumably anyone who is "new" on these forums) because you've been here since 2012 - I have plenty experience in this industry and I've come across hundreds of people like you. It's heartbreaking to see you leave (really, I'm touched), but I doubt you really mean what you say. As anyone who feels the need to grab attention in such a way is only ever after just that - attention.

Also, for the record - I do this for a living, quite successfully. So yes, "one click solutions" are extremely relevant to the industry we're in. Manually handling 30+ servers single handedly is irresponsible and a downright waste of ones time.

 

[tocku]

Ben, I'm not sure that anyone's belittling you. I don't know Rob, but it's safe to assume that domainers come from a range of backgrounds - servers, design, coding, marketing, general business - each with our own perspective and bringing value in our own way.

Someone has to run the servers that our sites run on. You outsource this to Krystal Hosting (either directly or indirectly) and use cPanel which either they provide or you separately licence and maintain. Rob chooses to forego a control panel and manage his servers himself. Either way, there are servers to maintain. "The cloud" is just other people's computers.

You don't provide any added value through servers, Rob does. Perhaps you offer more value via design and marketing. There's nothing intrinsically wrong, irresponsible or a waste of time about either approach - they're just different.

What does add value is cross-pollination of views and perspectives (not insults!). Listening to why Rob does things in a certain way (and vice versa) can only challenge and improve our respective understandings.