Getting the Green Lock: HTTPS Stories From the Field — Google I/O 2017 Live Blogs
Bright and early on Day 3 of Google I/O 2017 and I find myself in the second row of a session on HTTPS Everywhere. I've blogged about the HTTPS Everywhere initiative a few times before, but I was eager to see how Google thinks the movement to a more secure web is going.
Approximate Read Time: 7 Minutes
Bright and early on Day 3 of Google I/O 2017 and I find myself in the second row of a session on HTTPS Everywhere. I’ve blogged about the HTTPS Everywhere initiative a few times before, but I was eager to see how Google thinks the movement to a more secure web is going.
Session Summary
She moved on to explain how WordPress.com has added HTTPS support for both free subdomains and custom customer domains (using LetsEncrypt on the custom domains).
c|net started discussing migrating to HTTPS in Q4 of 2014 when Google announced that HTTPS was going to be seen as a ranking factor. By early 2015 they had determined that at the time there were too many challenges, in particular with their providers for CDN, Ads, and Video. As such the HTTPS migration was put on hold until these challenges could be resolved, which happened in Q4 of 2015. They started the migration progress in February of 2016 by moving static assets used on various c|net sites to HTTPS. They finished moving all static assets by March, began A/B Testing of their first HTTPS site in June, 2016 and launched it in August of 2016.
They began a phased rollout process for each site (starting with the c|net Roadshow) starting with Rewriting links, updating sitemaps, updating the robots.txt, and then monitoring as they repeat the process with the next site. Once the migration process was begun, the process moved quickly. The Roadshow was launched in August 2016, by September 2016 they had launched 7 sections on HTTPS, and by October they had fully rolled out HTTPS. They had found that their main concerns with HTTPS (Performance, SEO Impact, and Advertising CPMs) had no negative impact by the migration to HTTPS and in fact they had actually seen increases in all 3 key metrics.
After John Sherwood left the stage, another company, Rakuten came up to discuss the challenges they had with their migration. Rakuten has a number of completely different web properties, which presented a different set of challenges as the properties were not tightly integrated with each other as c|net’s was. Rakuten made the decision to begin their rollout by focusing on sites that other sites depended on (for example sites containing shared resources like video and images). They have migrated 80% of their sites to HTTPS as of April, 2017
Trivago became invested in Progressive Web Apps to help reach these markets, and as a result had to migrate to HTTPS in order to accomplish that task. Performance was a major concern to them, so they decided to split their userbase and try 3 different options (in addition to the control test of their existing HTTP performance stats). In the United Kingdom and Germany, they tried simply switching to HTTPS and were pleased to discover that there was no major performance effect either positive or negative.
Finally they measured SEO over time and determined that there was no decrease in search engine originated traffic across mobile, tablets or desktop and in fact all 3 user groups actually showed a slight increase in SEO.
Once she finished talking about Trivago’s HTTPS migration, she ended her talk by talking about the progressive changes in the way Chrome treats non-https pages. Their goal is to one day show all non-https pages with a frightening looking red “Not Secure” warning message, but they knew that to make a switch so early in the HTTPS Everywhere movement could result in a combination of chaos first and error fatigue later (where people just get used to ignoring the warning resulting in the warning losing all meaning). As a result they decided to move in a progressive way.
As readers of this blog will know, this process started in January with a grey “Not Secure” warning showing up any time someone visits a non-https page that has a form asking for either a password or a credit card number. This coming October, the same grey Not Secure warning will show up on any page that has a form once the user has entered any content in the form. Also in October, the Not Secure warning will show up on any non-https page loaded in an incognito window.
She didn’t have any timeline to share beyond that, but I would expect the messages to become more prolific on non-https pages as time moves on until eventually the red “Not Secure” warning shows up on all non-https pages.
After the talk, I took a little time to talk with Emily Schechter about the concerns people have been having recently with the false sense of security that https pages can give, especially when you hear about the 14,000 domains containing “paypal.com” as part of the domain that LetsEncrypt has issued SSL Certificates for. While she agrees that this is a problem, she feels that phishing domains with ssl certificates are a problem for things such as Google’s Safe Browsing List to solve, rather than Certificate Authorities such as LetsEncrypt, and that the benefits that come from a more secure web overall far outweigh the problems of SSL Certificates being issued to fraudulent domain names.
The bottom line of all this is that, as we said last month, HTTPS is vital for your site’s ongoing success on the web, so make sure that your website is secured with HTTPS as soon as possible, but make sure you pay attention to the pitfalls that could cause your HTTPS site to cause more harm than good.
Session Video
Live Blog Transcript
- 08:35: Over 3/4 of chrome loads on windows and over 50% of chrome loads on android are now HTTPS
- 08:35: Primary reasons for HTTPS: Identity, Confidentiality and Integrity
- 08:36: A Vital piece of HTTPS is the certificate authority ecosystem
- LetsEncrypt, a free certificate authority, in January reported they had 20 million active certificates, in May they have doubled that by passing 40 million.
- 08:37: Another piece of the ecosystem is platforms. Wordpress.com has secured over 1 million unique customer domains
- 08:38: WordPress.com migration progress
- June 2014: Reset the net, all wordpress.com subdomains https
- Jan 2016: First 100k custom domains (Using LetsEncrypt)
- April 2016: HTTPS Everywhere (all customer domains on wordpress.com and custom domains)
- 08:39: HTTPS support on Top 100 sites
- January 2016: 39% support HTTPS, only 24% default to HTTPS
- May 2017: 60% support HTTPS, 56% default to HTTPS
- 08:39: Old Challenges to HTTPS
- $$$?
- Performance?
- Maintenance?
- 08:40: c|net, John Sherwood, VP of Engineering takes the stage
- 08:43: c|net was using HTTPS for secure stuff before, but after google made it a ranking factor they were motivated to go fully HTTPS
- 08:44: Why HTTPS?
- HTTP/2
- Geolocation
- 08:44: Challenges
- CDN Cost
- Ads
- Video
- 08:45: Unknowns?
- SEO?
- Ad CPMs?
- Performance?
- 08:46: By Q4 2015 they had resolved the challenges, so they started moving forward
- 08:46: In March, 2016 they moved their static assets first
- 08:47: June 2016 they did an A/B test
- 08:47: August 2016 they launched the first section on HTTPS (c|net Roadshow)
- 08:48: Phased Rollout
- Rewrite links
- Available sitemaps
- Robots.txt updated
- Monitor & Repeat
- 08:50: c|net’s first Progressive Web App (which requires HTTPS) in October, 2016
- 08:50: Now that c|net is HTTPS, parent Company CBS Interactive is starting to roll out HTTPS to their sites
- 08:53: @emschec is back on stage now to talk about Project Management during a HTTPS Rollout
- 08:55: rakuten focused on migrating sites that other sites depend on first
- 08:56: Progressive Web Apps
- Service Workers: performance improvements and lets your site work offline
- Add to home screen
- Push notifications: keep people coming back
- HTTP/2
- Brotli Compression
- All of these capabilities for Progressive Web Apps require HTTPS
- 08:57: trivago was motivated to move to HTTPS because they wanted to make a Progressive Web App
- 08:58: Performance Wins: Service Workers and HTTP/2 made a huge imact to trivago
- 09:00: HTTP 1.1 v HTTP/2
- HTTP 1.1 makes separate connections for each file to load a page
- HTTP/2 multiplexes using a single connection
- 09:00: HTTP/2 Server Push lets you send requirements (css, javascript, images) along with the initial request
- 09:01: trivago HTTPS (UK/DE): no major performance effect
- HTTPS + keep-alive (AUS): Response time improved 800ms
- HTTP/2 (in april), Average # of connections dropped considerably)
- 09:05: Browser Changes
- Chrome has started a goal to move to having non HTTPS pages marked as insecure, but if they went straight to the scary red warning, it can cause more harm than good
- 09:06: Jan, 2017: http pages with passwords or credit cards got a slightly less scary warning (grey “not secure” message)
- 09:06: October 2017: Warning will show up on any page that has a form (once a user has entered any data) and on all incognito window tabs
- 09:07: Spread the word: migrate to HTTPS
Justia offers premium website, blogging, and online marketing solutions for law firms. We have an unparalleled record in helping law firms grow. Regardless of whether you are just starting your online marketing efforts or have a fully developed website and blog, we have solutions to help propel you to the next level. In addition to our website and blog services, we also help clients with content, lawyer directory services, social media, local SEO, and PPC Management. Contact us for more information, or call us at (888) 587-8421.