Since Google began promoting the widespread adoption of HTTPS in a kneejerk reaction to disclosures by Edward Snowden that the NSA was analyzing their users’ activity, a lot of people in the tech industry have jumped on the bandwagon and promoted the initiative despite the severe reservations expressed by engineers and security specialists who actually have to make HTTPS work. Anyone with a smidgen of skepticism should have paused to ask, “Why we would want to trust our ‘privacy’ to a protocol that protects virtually nothing?” And indeed there were a few voices who echoed such sentiments.
Nonetheless, here we are in 2017 and according to Mozilla, half the pages their Firefox browser loads are served via HTTPS. All of the browser vendors support the idea of converting the Web to use HTTPS even though they know very well that it’s not yet practical. I mean, I follow their discussions very closely and they have yet to solve the most glaring flaw in HTTPS, which is “mixed content”. So far they are moving toward a complicated solution that requires virtually everyone to update their security policies. Why is that complicated? Most of you don’t even know what security policies are, let alone how to set them. And there are already conflicts within the implementation of security policies.
Reflective Dynamics, Inc. has officially held the position that no one should be converting a Website to use HTTPS for the purpose of improving their search engine optimization. Consensus among Web marketers seems to favor that view even though a growing number of Web marketers are advocating the adoption of HTTPS.
We are concerned by some recent announcements from Google and the browser vendors that effectively change the game for everyone. If by the end of this year you have converted your most important Websites to use HTTPS you will probably see negative performance in user experience and search referral metrics.
If there were some useful, practical benefit from using HTTPS we would feel better about making the move. As it is, HTTPS is about as safe as a 5-year-old playing with a loaded gun. We’ll go into the problems with HTTPS below.
Reflective Dynamics is Now Advising People to Adopt HTTPS for SEO
There really is no other good reason to change your site to use HTTPS at this point. Google has been promoting its Accelerated Mobile Pages project for mobile search benefits, and if you want to participate in AMP you should be running on HTTPS. I’m not saying we want to be part of the AMP index but we have already converted some sites to HTTPS and AMP and we have not run into any significant problems. The only real annoyance is having to renew the certificate. No one has yet automated the process.
Added on update: There are a number of AMP components that must be served via HTTPS. If you just convert your entire Web inventory to HTTPS you’ll have an easier time complying with AMP requirements. You can create AMP pages for content served over HTTP but you won’t be able to take full advantage of AMP markup unless you serve required resources via HTTPS.
Some Web hosting companies allow you to use third party certificate authorities but a lot of them, way too many, are forcing their customers to buy certificates through their own hosting services. Whether these certificates are over-priced is beside the point. If you don’t want to use your Web hosting company’s certificates you have to change hosting providers.
If you lease dedicated or co-host servers you can probably do whatever you like, but a growing number of companies are moving into cloud-based hosting. Although low-end cloud hosting is pretty cheap (virtually all the shared hosting providers we have worked with now run their shared hosts on the cloud) any company with a large enough resource need to pay for premium cloud hosting isn’t worried about its security certificate. And reportedly the White House Website went almost a year without renewing its certificate.
Despite these rough spots in the implementation landscape, we strongly urge everyone to get their most important sites up and running on HTTPS by the end of the summer. Technically you have until around November before the shit starts hitting the fan.
We have been warning subscribers to the SEO Theory Premium Newsletter for the past few months to make the move as soon as possible. What happens in November? The browser vendors and Google start cranking up the heat. Expect warnings for invalid certificates to become more stern. But things will only get worse after that.
The Many Problems with HTTPS are Hard to Fix
The most widespread issue with HTTPS is probably the mixed content problem. You can look at it this way. You convert your site to run on HTTPS but you still use a mix of third party fonts, analytics, widgets, images, and other things that are served over HTTP. That is mixed content. Worse, if you don’t review the code you grab to use these things you may be inadvertently handing over more permission to grab your user’s browser than you should.
Mixed content completely destroys all the perceived value of using HTTPS to deliver content in the first place. HTTPS advocates tell you (falsely) that encrypting the traffic between browser and Website prevents so-called “man in the middle attacks” and also prevents anyone from sniffing or reading your content while it is in transit.
If all you are doing is reading a blog post or news article then it doesn’t matter if the contents are encrypted while being transmitted to your browser. Every encrypted packet is sent with an envelope that identifies the Website you are browsing. The bad guys can see WHAT you are reading and visit the same site and get the same content.
If you are transmitting a credit card number and other private information then using HTTPS provides you with a brief, ephemeral moment of encryption. Most credit card numbers are stolen by hacking the database behind the Website, and most databases are not encrypted. So your hanful of milliseconds of encrypted protection is vastly outweighed by the permanent exposure an unencrypted database inflicts upon your private information.
There is no way that HTTPS can fix the hacked website problem. That is not what HTTPS was designed for. If you are a Web marketing consultant or corporate officer and you don’t raise these issues to your decision-makers, you are no one I would want to hire. I discuss these security issues with every client and every subscriber to our newsletter knows why we don’t like HTTPS.
But HTTPS itself has inherent problems. The encryption is managed by the SSL/TLS layer, which has been revised and updated a number of times through the years. Web browsers and Web servers have to agree on which encryption method they will use to transmit content back and forth. If both browser and server don’t have the latest encryption mechanism they have to fall back to their first common encryption scheme, which will be an older one. Many of the older encryption schemes can now be broken or have been found to have inherent flaws in them.
If the fallback procedure fails for any reason (and this should happen in an extremely low percentage of cases) then the browser and Web server have two choices: either switch over to an HTTP version of the site or just tell the user the connection cannot be established. Using some older proxy servers I have been able to see this failsafe kick in. The proxy servers reject the URL you’re trying to visit.
Speaking of proxy servers, most people don’t know this about workplace VPNs: Your company can monitor everything you see and do on the Internet if you are surfing the Web via their virtual private network. Whether you log in from home or the office or while traveling on the road, all of your “secure, private” communications are not. The boys in the lab can see it all. So stay off the porn sites and don’t use your business VPN to send leaked information to yourself or your partners in crime. If you do, only the inattentiveness of your company’s network admin team protects your privacy.
By far the largest number of “man-in-the-middle” attacks are conducted by corporations as they monitor their employees’ Internet usage. HTTPS means nothing in that environment, and the courts have already ruled that if you are using company resources you have to play by company rules. So good luck with all that privacy. It doesn’t exist.
There are other ways that MitM attacks work against HTTPS: If you enjoy a good cup of coffee leave your laptop where it won’t see the routers in the coffee shop. There are two ways that free Wi-Fi works against you.
First, anyone can set up their own rogue Wi-Fi network. There are reports of hackers setting up shop in airport and hotel lobbies and coffee shops and restaurants, especially in areas favored by business travelers and tech industry employees (those smart people who know so much about how to protect their privacy). If you see a network named “Starbucks1” it might be running from their back room or it could be the non-descript girl sitting next to you pretending to read the Wall Street Journal on her laptop. Always ask the business staff what their free Wi-Fi name is and if there is a password.
Second, even if you log into a legitimate free Wi-Fi router it could have been compromised. So-called “security experts” used to yell from the rooftops that routers could not be compromised by malware. Well, that dog up and died a few years ago. Wireless routers can pass viruses to each other wirelessly and hackers know how to do this. All your anti-malware software will detect nothing when you look for viruses, trojans, or whatever. A compromised router can perfectly execute an MitM attack against even the most savvy security expert because he has no tools to detect the flaw in the system.
But let’s say you personally inspect your client’s free Wi-Fi system and reboot the router (the only known cure for router malware at this point, and it only works against most router malware). So now you are reasonably sure you can connect to a private free Wi-Fi that won’t betray you.
That cute girl sitting next to you could be using a device to read the energy emissions from your computer as you type on your keyboard. Researchers have demonstrated that this technique accurately interprets everything typed on every computer manufactured up through the end of 2015, and I have yet to hear that laptop manufacturers are shielding newer models against this type of eavesdropping. When this technique was first announced the experts estimated it could take 10 years to replace 90% of all the vulnerable computers in the wild. I don’t think much progress has been made on that front.
But fortunately for you the publicly proven technology to interpret your energy emissions only works within a very close proximity. So much as you would like to chat with that girl, you could prudently move to the far side of the coffee shop. She is no longer a threat to your and your HTTPS-protected attempts to surf the Web.
Of course, that drone hovering about 15 feet outside the coffee shop window could be scanning your hard drive. The technology to do this through steel and concrete walls (or roofs) built around data centers has been proven. Drone technology can suck everything off your hard drive up to about 30 meters. So unless you encrypt your hard drive you have a problem. You had better start getting paranoid about any drones flying within 100 feet of your computer.
But that’s not all! Thanks to Edward Snowden and other “security experts” we know that there are all sorts of little devices you can plug into your USB ports or connect via Bluetooth that will download malware onto your computer. So keyloggers can copy your credit card information and send it off to a command server somewhere, or let the hackers see that you are secretly watching those kinds of porn videos. They might target the sites you visit for hacking so they can implant their MitM attacks on the server side.
Yes, a compromised Web server that has properly implemented a “legitimate” security certificate could still be sending everything you send to someone else. After all, your browser decrypts all encrypted content it receives and the server decrypts all encrypted content it receives.
Encryption only lasts a few miliseconds, and even then it may not be doing you any good.
This is Not Simply Worst-case Scenario Gloom and Doom Rhetoric
All of these methods for bypassing HTTPS are already in use in the wild. They have rendered the whole concept of HTTPS obsolete. It’s a burden that provides virtually no benefit, except that it gives many people some peace of mind even though that is a false feeling of security.
So Why Are We Advising People to Switch to HTTPS?
We are now advocating the adoption of HTTPS to comply with the requirements imposed upon the Web publishing community by the browser vendors and the search engines (specifically Google).
They have painted themselves into an ethical corner with their errors of omission (try getting a Googler to explain or even admit to all the stuff I just shared above). HTTPS advocates fall into several groups of people with different degrees of knowledge. There are some people who are so ignorant and naive they honestly believe that adopting HTTPS protects your privacy. But most of the advocates I have cornered have either blocked me so they don’t have to deal with the facts out in the open or they have grudgingly admitted that, yes, there are “some problems” with HTTPS but “it’s better than nothing”.
Whatever. We’ll be converting our most important sites (including this one) later this year. We do so with the full knowledge that no one’s privacy will be protected, but we’re not promising you that your privacy will be protected.
Read More about Search Engine Optimization
Follow Reflective Dynamics
Click here to follow Reflective Dynamics on Twitter: @refdynamics.
Click here to follow SEO Theory on Twitter: @seo_theory.
Reflective Dynamics' RSS Feed (summaries only)