I received a client email that was riddled with misinformation someone had told them regarding SSL. This post has been on my mind for a long time and this seemed to give me the perfect opportunity. This is also a timely topic, with hacking being in the news and Google losing yet another 2+ billion lawsuit in Europe, both of which are related to this topic.
To understand the role of SSL in security and how it is being co-opted, misused, and touted as the end game in both cyber security and SEO, one must first understand what all these things are, how they work, and how they are properly applied. Every day I see people throwing around a lot of words, but most people don't really know what they mean.
So, let’s first look at what hacking actually is and how to avoid it. Of course, the most understandable definition is breaking into a computer, network, or account and gaining control, usually for nefarious purposes.
Brute Force Hacks
A brute force hack is when a username and password combination is sent repeatedly to a computer or server in the hope of gaining access. This can be done via shell logins, FTP logins, email logins and website logins (such as WordPress and Magento).
By way of oversimplification, there are a few ways to slow a brute force hack. Usually, this is seen when the end user experiences a lockout because they have logged in wrong too many times. This slows down the process because users are often blocked for a period and the system administrator is notified. And of course, using a secure password is mandatory. When someone uses a password of "password" or "qwerty1234", it almost guarantees a break-in. No SSL encryption can save stupid.
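The lockout behaviour described above, as an added example that is not part of the original post: a small Python script that reads authentication log lines, counts failed logins per source address inside a sliding time window, and records a lockout once a threshold is crossed (the point at which an administrator would be notified). The log format, addresses, threshold and window are all constructed for illustration.

```python
"""Sliding-window lockout for repeated failed logins (added example, not from the post)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an sshd-like format; the addresses are documentation ranges.
SAMPLE_LOG = """\
2024-01-10T10:00:01 sshd: Failed password for admin from 203.0.113.7 port 50001
2024-01-10T10:00:02 sshd: Failed password for admin from 203.0.113.7 port 50002
2024-01-10T10:00:03 sshd: Failed password for root from 203.0.113.7 port 50003
2024-01-10T10:00:04 sshd: Failed password for admin from 203.0.113.7 port 50004
2024-01-10T10:00:05 sshd: Failed password for admin from 203.0.113.7 port 50005
2024-01-10T10:00:09 sshd: Accepted password for alice from 198.51.100.2 port 40000
2024-01-10T10:00:30 sshd: Failed password for bob from 198.51.100.2 port 40001
2024-01-10T10:20:00 sshd: Failed password for bob from 198.51.100.2 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line):
    """Return (timestamp, failed, user, ip) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"] == "Failed", m["user"], m["ip"]


def evaluate(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: lockout_time} for every source that hit max_failures within the window.

    Policy values are assumptions for the example; tune them to the environment.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    locked = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, failed, _user, ip = parsed
        if not failed:
            recent[ip].clear()  # a successful login resets the counter for that source
            continue
        failures = recent[ip]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop failures that have aged out of the window
        if len(failures) >= max_failures and ip not in locked:
            locked[ip] = ts  # this is where the administrator notification would fire
    return locked


def is_blocked(locked, ip, now, lockout=timedelta(minutes=15)):
    """True while the lockout period for ip is still running."""
    started = locked.get(ip)
    return started is not None and now - started < lockout


if __name__ == "__main__":
    for ip, when in evaluate(SAMPLE_LOG).items():
        print(f"lockout for {ip} at {when.isoformat()}")
```

Running it locks out 203.0.113.7 after its fifth failure at 10:00:05, while 198.51.100.2 stays unlocked because its two failures are twenty minutes apart and fall outside the window.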
FTP, Telnet, SSH
These three protocols are ways people access remote systems, and they are also weak spots used to access and gain control of networks. Often malicious code is uploaded that allows the servers to be compromised: things that monitor keystrokes, open or exploit security holes, or run a spam mail zombie or phishing email campaign, usually with an accompanying website hack that fools users into turning over their usernames and passwords.
Using an SSL encrypted protocol (SFTP and SSH) will slow hackers down and is a front line of defense, but the way to stop exploits of these protocols is strong security policies, patching servers and a hardware firewall with intrusion protection that protects the entire network (something our web hosting accounts receive free of charge).
Hackers use computer viruses to take over computers, networks and sometimes countries, as Ukraine experienced just last week. Ransomware is just the latest iteration of virus; it attacks mainly unpatched versions of Microsoft Windows and locks the owner out of the system until a ransom is paid.
In most cases, viruses are one of the simplest things to avoid. Unpatched systems and email users are the two biggest failure points that allow a virus to infiltrate the computer or network. And in most cases, the viruses are designed either to help spread the virus or to cause outages in things like DDoS attacks. I'm not even sure I want to say that SSL offers any level of enhanced security here because, in my opinion, most causes of a virus spreading are human ignorance or apathy.
So, what is encryption?
When speaking of encryption with regard to cyber security, plain text is taken and scrambled so it is unreadable to a human. There are fancy words like ciphers involved in this process, but unless you're a security wonk, there is no need to go into that.
Again, this is a gross oversimplification (though an important one). Basically, when a file is encrypted, it is scrambled and along with it is sent a key. If the file is intercepted it is of no value to the interceptor because they do not have the decryption key that is sent along with the file. Presently, a 128-bit encryption key is the standard and believed not to be breakable, but as computing power and hackers advance in this war, it's only a matter of time before we need to move to a 256-bit encryption key.
Encryption and SSL
SSL, or Secure Sockets Layer, is the connection that is opened between two computers, i.e. a website and your computer, that allows sensitive data to be transmitted securely between the two.
The way SSL was intended to be used is that when a website needs to pass sensitive data, SSL is called (for a website it's HTTPS, for FTP it's SFTP, and so forth). Usually, that is things like credit card numbers and passwords. SSL also confirms that the data that is sent is the same as what you receive, as well as validating the computer that is sending the data to your computer. Browsers are also programmed to alert end users when a connection is not TOTALLY secure, with totally being the operative word.
When SSL is activated on a page, it means that every file must be encrypted, including images and graphics, or the browser will alert the end user. But Google has taken this to a whole new level.
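The "every file must be encrypted" rule above is what browsers call mixed content: an HTTPS page that pulls a script, stylesheet or image over plain http:// loses its secure indicator or gets the resource blocked. The following Python scanner is an added example, not from the original post or any vendor tool: it walks a page's HTML with the standard library parser, resolves each subresource URL against the page URL, and reports the ones that would still load over http. The page URL and HTML are constructed for illustration.

```python
"""Mixed-content scan of an HTTPS page (added example, not from the post)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that fetch a subresource. An http:// value in one of these on an https page
# is mixed content; an ordinary <a href> is navigation and does not count.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}

# <link rel=...> values that describe another document rather than fetching a subresource.
NON_FETCH_LINK_RELS = {"canonical", "alternate", "prev", "next", "author", "license"}

# Constructed sample page: note the protocol-relative script and the canonical link.
PAGE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """\
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.com/app.js"></script>
<script src="/js/local.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="https://images.example.com/secure.png">
<a href="http://partner.example.com/">Partner</a>
</body></html>
"""


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr_names = SUBRESOURCE_ATTRS.get(tag)
        if not attr_names:
            return
        attrs = dict(attrs)
        if tag == "link" and attrs.get("rel", "").lower() in NON_FETCH_LINK_RELS:
            return
        for name in attr_names:
            value = attrs.get(name)
            if not value:
                continue
            # srcset holds comma-separated "url descriptor" pairs; take each URL.
            if name == "srcset":
                urls = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value]
            for url in urls:
                absolute = urljoin(self.page_url, url)  # resolves "//host/x" and "/x"
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))


def find_mixed_content(page_url, html):
    """Return the list of (tag, attribute, url) subresources that would load over http."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> {url}")
```

On the sample page the scanner flags the stylesheet and the logo image. The protocol-relative script inherits https from the page, the canonical link is metadata rather than a fetch, and the partner hyperlink is navigation, so none of those are reported.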
Now before I go any further, I want to say that when SSL is used properly, it is a very good thing.
SSL, SEO, and Privacy
So, last week it was announced that Google was fined another 2.7 billion in the EU over manipulation and privacy concerns. This is the second time this has happened in the last few years, and the lawsuits against Google continue to mount because of the amount of data it collects on each user and their queries, and how that data is used. And in my opinion, what in essence amounts to a demand by Google that each website owner make their site secure is borne out of this.
So let's talk about the pros and cons of making your whole website secure regardless of whether you're the one passing sensitive data. Nearly 2 years ago (and what seems to be around the time of the first EU ruling) Google came out saying that it was going to offer an organic SEO credit for any website that forced itself to respond as HTTPS in all cases, regardless of whether sensitive data such as a credit card or password was being passed. The reasons they requested this are lost in the hyperbole of it all, in my opinion.
So webmasters ran out, bought SSL certificates, installed them, forced their sites to HTTPS to activate the SSL in the browsers, and their websites sank like a rock. Word quickly spread that this was not a good idea after all and webmasters started to back off the idea.
Why Forcing a Website to HTTPS Breaks Organic Search?
Simply put, it breaks the link profile of a site for a substantial amount of time. It seemed that initially there may not have been adequate consideration of the effect on, and impact of, links in relation to how a website ranks. So, taking http and forcing it to https, even via a 301, saw those links devalued, causing smaller sites to tank. It is even possible that Google underestimated the deduction a site would receive and did not provide adequate compensation via the magic SEO credit they said everyone would receive.
Eventually Google seemed to change the way the SEO credit and the 301 and 308 codes were handled to give more credit for the process, trying to add better incentives to make the move to HTTPS. But it seemed that the loss, although not as great, was still not worth it.
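For readers wondering what "forcing http to https via a 301" looks like at the server, here is an added example (not code from the original post or from any hosting product): a minimal WSGI application that answers every plain-HTTP request with a permanent redirect to the same host, path and query string over HTTPS, using 301 for GET/HEAD and 308 for other methods so that a POST keeps its method and body. The Strict-Transport-Security header on the HTTPS response is standard practice added here rather than something the post mentions; the host and paths in the usage are constructed.

```python
"""Permanent http -> https redirect as a WSGI app (added example, not from the post)."""
from urllib.parse import quote


def https_target(environ):
    """Build the https:// URL for the request described by a WSGI environ."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    if host.endswith(":80"):
        host = host[:-3]  # the default http port has no meaning on the https side
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "") or "/")
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def redirect_status(method):
    """301 is what browsers and crawlers expect for GET/HEAD; 308 preserves method and body."""
    return "301 Moved Permanently" if method in ("GET", "HEAD") else "308 Permanent Redirect"


def app(environ, start_response):
    if environ.get("wsgi.url_scheme") != "https":
        headers = [("Location", https_target(environ)), ("Content-Length", "0")]
        start_response(redirect_status(environ.get("REQUEST_METHOD", "GET")), headers)
        return [b""]
    # Once on https, tell the browser to stay there (one year, assumed policy value).
    start_response(
        "200 OK",
        [("Content-Type", "text/plain"), ("Strict-Transport-Security", "max-age=31536000")],
    )
    return [b"served over https\n"]


def call(environ):
    """Invoke app without a server; returns (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed request: a plain-http GET with a query string.
    status, headers, _ = call({
        "wsgi.url_scheme": "http",
        "REQUEST_METHOD": "GET",
        "HTTP_HOST": "www.example.com",
        "PATH_INFO": "/products/widget",
        "QUERY_STRING": "ref=news",
    })
    print(status, headers["Location"])
```

Serving this in front of (or instead of) the http site gives every old link one permanent hop to its https twin, which is exactly the migration the post describes webmasters performing.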
So Google turned up the gas and started using their browser, Chrome, to alert end users that a website was not safe. Even the simplest non-ecommerce websites were having end users alerted about the website not being safe. Now again, on the surface this sounds good, but a small engineering firm with 5 basic HTML pages that request no personal info really has no business being required to use an SSL connection without Google issuing a scary warning about internet security, especially when Americans are hearing nightly about hacking, ransomware and such.
This of course lowered conversion and forced many webmasters to convert to HTTPS, regardless of the reduction in organic search. Google continues to be aggressive in warning Chrome users of sites that are not using HTTPS.
It has taken approximately 18 months for our lower-trafficked sites to stabilize after conversion.
From an SEO standpoint, there isn't a great reason to do it. From a conversion standpoint, there are many reasons to do it. But from the system admin side, the side that is often overlooked, there are a lot of negatives.
4 Sides of the SSL Discussion:
- SEO Viewpoint – To convert a site to SSL, there still isn't enough 'credit' being offered to make this worthwhile. Expect at least 8-12 weeks minimum of upheaval.
- Conversion Viewpoint – Big scary warnings about your website make this an absolute slam dunk as to why this needs to be done, and it outweighs all the other reasons in our opinion.
- Website Owner – There are security benefits from using SSL on parts of websites where passwords are involved, but securing the whole site for a password is not necessary.
- System Administrator – They are not thrilled with this improper use of SSL. SSL should only be used when something needs to be encrypted. So, if buying a product and entering a credit card, SSL is great. Logging into a web account would be another great use. But using SSL just for the sake of doing it is an unnecessary burden put on any server and slows websites down. Honestly, from the hosting side of this, the imposed use of SSL really is maddening. It is an unnecessary blanket use of something. So why would Google go to such lengths to force webmasters to use SSL? Great question, isn't it?
Why Google Why?
Noticeably missing from my viewpoints of SSL is the end user, and that is where the truth lies. This is all being done to protect the end user, or so the story goes.
But what are we protecting the end user from? Remember, the proper use of SSL is to stop user data from getting stolen. Google is going to great lengths to force website owners into the use of SSL, so much so that they are using Chrome to cajole SEOs and website owners into using SSL by making the warnings about entering an http website more and more visible. And offering credits for better organic SEO results seems to reinforce that Google can manipulate search results by rewarding certain behavior, quite apart from punishing people who operate outside its guidelines. It would seem this issue is very important to Google. And in my opinion, it transcends the ability to buy something on the internet.
One hypothesis and opinion may be that this is an actual legal strategy or defense. SSL protects user data. So, with the myriad of lawsuits Google is facing, all involving user privacy, would the universal use of SSL blunt the privacy lawsuits? Would this still allow Google to collect and sell user data, but now be able to argue they are doing this securely? It would explain the big push to force everyone on the planet to make their websites SSL.
So is the juice worth the squeeze? From a pure SEO standpoint, no. The credit is not large enough to offset the loss of link juice on lower-level sites, and with Google now using your traffic as a ranking variable it's a recipe for disaster. However, if Google is going to put big scary warnings on websites via Chrome, which is now the most used browser coming in at just under 50%, website owners have little choice but to implement SSL on their sites.