Google and SSL

I’m not really sure if this topic belongs in this forum; if it needs to be moved somewhere else, please do so or let me know.

Regarding all of this push towards SSL for websites: I get the reasons why there is such a big push for this. But is Google (and other search engine giants) really going to try and index an HTTPS version of a website?

Say a website doesn’t have a secure certificate installed or they have a self-signed certificate. But if ALL of the links to that website from other sites are HTTP, is Google really going to go out on a limb and try to index those links by changing its indexer to HTTPS?

I get and understand that Google may penalize a site that is not using HTTPS or value an HTTPS site more. But are they blatantly going to attempt to index an HTTPS version of the site even if there are no HTTPS links back to that site?

If all you have is an HTTP version of your site, then that is what Google will index. It won’t/can’t attempt to index an HTTPS version if it doesn’t exist.

Where did you hear that this was going to happen?

Some of the wording that cPanel (are you familiar with cPanel?) is issuing regarding their AutoSSL feature makes it sound like Google will try to index an SSL version of the site.

“When you create a new domain, cPanel will apply the best available certificate (CA signed); otherwise cPanel will apply a self-signed SSL certificate and request a new certificate via AutoSSL if it is enabled. Warning: If you disable this option, and a CA signed certificate is not available, when a user attempts to visit the newly created domain over https, the user will see the first SSL certificate installed on that IP address. Warning: If you enable this option and do not have a CA signed certificate or AutoSSL enabled, Google search results may point to the SSL version of the site with a self-signed certificate, which will generate warnings in the users’ browser. To avoid both of these concerns, we strongly recommend that you enable AutoSSL.”

Perhaps I’m just reading too much into this. I agree with @Gandalf and did not really think this to be the case. But the wording here makes it sound like that at least cPanel believes Google will go out and blatantly attempt to index the SSL version of the website. Although this could just be a scare tactic meant to push through cPanel’s AutoSSL feature.

Although, apparently this is indeed the case:

Specifically, we’ll start crawling HTTPS equivalents of HTTP pages, even when the former are not linked to from any page.

Although I’m not sure what they consider a “valid TLS certificate.”

I’m not sure that I agree with this policy. Again, I’m fine with grading HTTPS links higher. But to assume that every site has a secure certificate and lowering the grade because the site has a self-signed certificate but is never linked as HTTPS, that’s just bad form on Google’s part.

I’m not sure that I understand the message from your control panel. It’s confusing. Google’s message makes more sense. If there’s an HTTPS version available, they’ll index it.

1 Like

This.

Unfortunately, if your HTTPS version has an outdated, un-verifiable, or self-signed certificate, that could be bad news for you I guess.

Overall, I’m happy with the push towards HTTPS, as the end result is a safer Internet - but there will be some hiccups along the way that are annoying - like this :smiley:

1 Like

I don’t really agree with this, although I wouldn’t necessarily say that I’m totally against it.

Securing all websites? Is that really necessary? If a website is just giving you information, why does it need to be encrypted? If you go to reuters.com for news, why does that need to be encrypted? If someone is listening on my connection and sees that I’m visiting reuters.com, are they sitting there cursing themselves because they can’t see what I’m reading? Are they unaware that they can just go to reuters.com themselves and see what I’m seeing?

This is like a library having its doors locked, but always placing the key under the doormat. What’s the point of locking the door?

Now, if visitors are submitting data to the website - yes that should be over an encrypted means. Even if it’s just a simple login, like a WordPress backend login.

But this move to encrypt everything seems to have been born out of the idea of: “Explaining what should and should not be encrypted to everyone is too difficult… Let’s just encrypt everything and penalize those that don’t.”

2 Likes

[off topic]
I am surprised at how different browsers display warnings on encrypted sites before showing any of the web page content. A virtually inconsequential http link to a favicon.ico sometimes displays an unsafe page warning with the preferred option of not visiting the page. Far too harsh and must lose a lot of traffic.
[/off topic]

1 Like

I’m not. My internet access from work is limited as it is. They do not allow HTTPS pages by default. Therefore, to be able to use a particular page I need to ask for that HTTPS website to be allowed by my company, and justify why I want to browse that page.

I don’t see the point of pushing the HTTPS protocol when there’s no need for it. I do understand it for log in pages or content that will be visible only after you’ve logged in. But not if it is not necessary. It just makes my life harder.

Rant over :slight_smile:

4 Likes

My site version is HTTP but Google indexed HTTPS, which I don’t have, and for the last 30 days whenever I request Google to index, they always do it with HTTPS. I think this is by default.

I wanted to chime in on this thread since I help manage cPanel servers, in order to provide some clarification to this topic.

“Warning: If you disable this option, and a CA signed certificate is not available, when a user attempts to visit the newly created domain over https, the user will see the first SSL certificate installed on that IP address.”

The way cPanel works, if you are on a shared IP address (this depends on your host, or if you run your own VPS or dedicated server, how you arrange your cPanel accounts or vhosts on a single IP address), there will be one default httpd virtualhost. In cases where there are multiple cPanel accounts (or domains) on a single IP address with SSL certificates, requesting https://example-domain-without-ssl-certicficate.com will not resolve to a virtualhost, so it will fall back to the primary SSL-secured virtualhost on the IP address. In most cases this will be the first domain name to have an SSL certificate installed on it. This will result in a certificate mismatch error, so Google might crawl the contents of another site this way since it will be directed to the documentroot of the primary virtualhost.

Back in the day (some hosts may still require it for this reason) a dedicated IP address was needed for using an SSL certificate, but with SNI on newer operating systems this is no longer a requirement, and cPanel happens to handle Apache configuration in such a way that this can be a potential problem. Offering free SSL certs through AutoSSL is their recommended workaround for securing all websites on a shared IP address.

SSL is cheap and easy to configure. It’s good for your visitors by helping to encrypt any sort of information transmitted to and from the site. And now on many servers which are compatible with HTTP/2 (VERY FAST at serving files requested over https), and many which even offer free certificates through Let’s Encrypt or AutoSSL, using it should be a no-brainer.

Hope this makes sense and clarifies some of the questions in this thread.

2 Likes

cPanel’s way of wanting to manage everything gets to become a nuisance at some point. Sure it’s great for any average Joe that wants to be a web hosting provider without any server management experience. But less great for individuals that might know how to manage a server.

I’ve been including a static SSL virtualhost at the top of the Apache configuration files for years. Sure it still gives a hostname/common name mismatch if some random user tries to visit their site by adding https to their URL, but it doesn’t give some random website either.

Further from all of this - and this is the key point - who thinks that just adding https to their URL will automatically bring up a secure version of their site? That’s just where all of this went awry. If you want your VirtualHost to be secure, then explicitly request a secure certificate (whether that be a free DV certificate, a paid DV certificate, a paid EV certificate, or a free self-signed certificate). And now Google is wanting to stick their hand in the cookie jar and just automatically assume every site should have an HTTPS version.

If the idea is to make everything, absolutely every website secure, then what’s the point of HTTP? Why not invest into some type of STARTTLS alternative for HTTP? Why require every website to have their own certificate? (Other than an EV certificate or OV certificate where there needs to be a trust that the website that is selling you something is actually a real certificate business). Or why vilify self-signed certificates, which offer secure connections (again, not to be used with websites selling something). If average Joe is just concerned with protecting his WordPress login page from outside packet sniffers, a self-signed certificate would likely offer just as much protection.

This move to force every website to get their own secure certificate was short-sighted at best. Was any thought ever put into adding an encryption layer into native HTTP? SSL for websites is meant to provide two things - encrypting data as it passes back and forth and a level of trust that the visitor of the website is a real business. DV and self-signed certificates provide no such trust, just encryption. If that is all you are needing, if that’s what this push is for, why not look into baking all of that into HTTP?
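
The fallback behaviour described in the two posts above (the primary SSL virtualhost answering for a domain without a certificate, and the static SSL virtualhost listed first), as an added example that is not part of the thread and not cPanel or Apache code. It is a simplified Python model that assumes exact-name vhost matching with the first listed vhost as fallback; all hostnames and paths are constructed.

```python
# Added example: models name-based TLS virtual host selection on one shared IP.
from dataclasses import dataclass

@dataclass(frozen=True)
class VHost:
    names: tuple       # ServerName/ServerAlias values (exact names only in this model)
    cert_names: tuple  # DNS names in the certificate's subjectAltName
    docroot: str

def cert_covers(pattern, host):
    """True if a certificate name covers host; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def select_vhost(vhosts, sni):
    """Pick the vhost named by the SNI value; with no match, fall back to the first listed."""
    sni = sni.lower().rstrip(".")
    for vh in vhosts:
        if sni in (n.lower() for n in vh.names):
            return vh
    return vhosts[0]

def https_fetch(vhosts, host):
    """Return (docroot served, certificate valid for host?) for an HTTPS request."""
    vh = select_vhost(vhosts, host)
    return vh.docroot, any(cert_covers(n, host) for n in vh.cert_names)

# Constructed sample data: alice.example has a certificate, bob.example is HTTP-only.
ALICE = VHost(("alice.example", "www.alice.example"),
              ("alice.example", "*.alice.example"), "/home/alice/public_html")
CATCH_ALL = VHost((), ("server.hosting.example",), "/var/www/empty")

SHARED_IP = [ALICE]                       # first installed certificate is the fallback
WITH_STATIC_DEFAULT = [CATCH_ALL, ALICE]  # static SSL vhost listed first

if __name__ == "__main__":
    for label, cfg in (("shared IP", SHARED_IP), ("static default", WITH_STATIC_DEFAULT)):
        for host in ("www.alice.example", "bob.example"):
            print(label, host, https_fetch(cfg, host))
```

In both layouts an HTTPS request for bob.example still gets a name mismatch; the static first vhost only changes which content sits behind the warning.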
