Time to Migrate to HTTPS – The Simple Way to Do It Right, And the Ways That the Bigger Companies Have Missed the Mark
•Télécharger en tant que PPTX, PDF•
2 j'aime•904 vues
From Click Consult's Benchmark Search Conference 2017, The Bridgewater Hall, 21st September. Presented by Gerry White, Just Eat.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Time to Migrate to HTTPS – The Simple Way to Do It Right, And the Ways That the Bigger Companies Have Missed the Mark
Similaire à Time to Migrate to HTTPS – The Simple Way to Do It Right, And the Ways That the Bigger Companies Have Missed the Mark (20)
Plus de Click Consult (Part of Ceuta Group)
Plus de Click Consult (Part of Ceuta Group) (20)
Dernier
Dernier (20)
Time to Migrate to HTTPS – The Simple Way to Do It Right, And the Ways That the Bigger Companies Have Missed the Mark
- 2. https – because it is 2017 Gerry White @dergal
- 3. I’ve got around – with 17 years in the business … Gerry White @dergal
- 4. BUT WHY!!! (https) Gerry White @dergal
- 5. Just Eat vs Deliveroo, vs HungryHouse HTTPS! SEO ? Gerry White @dergal
- 7. Wow free wifi? Wait, they are modifying pages to inject their adds, what else could they be doing…. Gerry White @dergal
- 15. TroyHunt.com
- 16. a …. PWA ? Gerry White @dergal
- 17. • pwastats.com
- 20. Progressive Web App – ShadowReader – https://amp.cards/
- 22. Erm … not what I wanted when I google SSL & AMP
- 23. Many URL values in AMP Require HTTPS
- 24. Forget SEO, simply put to secure your site – HTTPS is a critical step
- 25. A site on HTTPS CAN be faster than a site on HTTP …
- 26. Http2 … Gerry White @dergal
- 27. Http2 … For HTTP2 – use HTTPS, because …. It is required by most browsers. Gerry White @dergal
- 28. Google knows, that without HTTPS – your data, and the content on your site … might not be what the webmaster intends. Plus … tracking benefits (less direct more attribution!)
- 29. But we aren’t here to talk about cyber security, because I’m not that guy… Gerry White @dergal
- 30. Issues with your certificate?
- 31. Page loaded over HTTP with a password field on the page, OR where the page has mixed content, a big flag of “Not secure” Gerry White @dergal
- 33. Gerry White @dergal This page isn’t secure, but you can put the padlock as a favicon – not recommended unless you are a scammer
- 35. A green padlock = more trust
- 36. Google Recommendations • Decide the kind of certificate you need • Use 2048-bit key certificates • Use relative URLs for resources that reside on the same secure domain • Use protocol relative URLs for all other domains • Don’t block your HTTPS site from crawling using robots.txt • Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag. • Use HTTP Strict Transport Security • Use SPDY (deprecated)
- 37. • Wildcard, Multi-domain? • Provided by a trusted organisation • 2048-bit key
- 39. SSL Vs TLS ? SSL was originally developed by Netscape and first came onto the scene way back in 1995 with SSL 2.0, Netscape owned SSL, so the next iteration needed to be called TLS … TL:DL It is now called TLS, SSL is out of date & insecure, so should be disabled, but you can still call it SSL if you want to. Gerry White @dergal
- 40. Relative & Protocoless URLs Drop the http:// & Start URLs with // or / or … https:// • Images, (particularly in WordPress posts. ) • JavaScript libraries hosted on CDNs (like jQuery), • CSS (including images or fonts loaded in using CSS), • Form end points (the target of a form) • Embeds such as Facebook, YouTube or other
- 41. Don’t block HTTPS Don’t worry about duplicate content, Google has your back
- 42. Use HSTS http strict transport security
- 43. Register HSTS Register for the HSTS Preload list … Chrome will go straight to https, but, only if you are sure … https://hstspreload.org/
- 44. Use SPDY - nope, go straight to http2
- 46. • Find the board at TakeItOffline.co.uk/https Trello Project Management
- 47. A Gradual migration A step by step approach to ensure (almost) zero risk.
- 48. 1. Test the Certificate –SSLlabs.com/ssltest
- 49. 2. Setup Google Search Console (GSC) access for HTTPS Gerry White @dergal
- 50. 3. Dual run http & https
- 51. 4. Track in GA using GTM You can track who is on HTTP and HTTPS easily if you are using Google Tag Manager as a built in URL Variable. This allows you to see the proportion of traffic not on HTTPS at a later date. This can either be setup as a content group or a custom dimension by editing the main tracking… Gerry White @dergal
- 52. 5. Fetch and Render (and repeat) All the templates, and for mobile
- 54. CSPs can dramatically improve security, however … A CSP can also stop GA
- 55. Setup Site Audit – DeepCrawl
- 56. Ready ? Tested ? Happy ?
- 57. 6. Change the canonical tags and Sitemaps
- 58. 7. 301 redirects
- 59. 8. HSTS
- 61. Simple Example 1. Apple ….
- 64. The tool box
- 65. Tracking down the elusive … green breaking thing
- 66. Browse your site with the console open (and do test buys) Gerry White @dergal
- 75. Logfile Analysis
- 76. GDPR – 2018 1 year, 8 months … ish ?
- 77. Some final thoughts • Add the renewal of the certificate to a calendar • URL changes? maintain the old site certificate • When moving to HTTPS don’t use the change of address feature in GSC. • Migrating in sections is ok! • Your Moz DA dropped ? Don’t worry about it…
- 78. Summary Track GTM, CSP & More… Test Browse with Chrome Console open How Do it step by step, test and test again Opportunities Migrate to HTTPS to take advantage of PWAs & everything else coming out soon Why Migrate to HTTPS for security, but get it right for SEO Gerry White @dergal
- 79. Q?S Find out more at takeitoffline.co.uk/https Gerry White @dergal
Notes de l'éditeur
- The best example of why HTTPS is so critical I have seen is where free wifi providers have been inserting scripts to push in adverts. HTTPS alone isn’t enough, but if as a user I feel like if they haven’t managed that part right, then would I trust them to manage the rest?
- Majority of sites span multiple subdomains, If you host blogs, forums or anything similar on a separate sub domain then I would recommend you use an appropriate wildcard. In the past I would have always recommend using a subdomain to load assets, particularly if mobile speed is important Most browsers limit the amount of files they can retrieve from a single host at once, so where files can’t be combined they should be split over multiple hosts. This solution is referred to “Parallelism”, you can also ensure that a subdomain is optimised for static assets (using cookieless and a 304 status header). This changes a little with HTTP2 – which if we have time to get to, we will chat about. For the required organic boost get the best certificate you can, as a minimum I would recommend that the cert has the following criteria; provided by a trusted organisation…. 2048-bit key
- It is critical when loading assets you use https, otherwise they will not appear in some browsers or where they do appear they will be not show the green padlock. There are a number of digital assets tend to present the most issues - Images, particularly where the image was loaded using a page editor such as in WordPress posts. JavaScript libraries hosted on CDNs (like jQuery), CSS (including images or fonts loaded in using CSS), Form end points (the target of a form) Embeds such as Facebook, YouTube or other In the past I would have recommend changing all absolute urls (where it would normally start with http) to being protocoless this means omitting the http prefix, for example ‘http://’ becomes simply ‘//’ . Today however, I would say push for HTTPS for assets rather than worrying about protocoless, After migration I would recommend that urls become exclusively “https” this is simply because I would increasingly recommend pushing towards 100% HTTPS. Further in this discussion we will take you through some tools to test this with …
- Sometimes to ensure that there is no duplicate content web managers would block the HTTPS version of the site. This is less common when it is a single site available on both http and https. If you block anything that stops Google from being able to tell you are on HTTPS, this won’t have the obvious benefit. Typically if you have canonical tags (which I always recommend), these will be pointing to the http version at this point.
- “…This mechanism tells the browser to automatically request pages using HTTPS even when the user enters http in the browser location bar. It also tells Google to serve secure URLs in the search results. All this minimizes the risk of serving unsecured content to your users…” https://support.google.com/webmasters/answer/6073543?hl=en This is an additional similar to your Content Security Policy (CSP) however this should be the very last step as it can create functional problems if something critical becomes blocked, however for the maximum organic boost, this step is required. Most sites don’t seem to have a CSP at all at the moment, but as this is a fun and interesting part – we should definitely make time to talk about it later…
- “…This mechanism tells the browser to automatically request pages using HTTPS even when the user enters http in the browser location bar. It also tells Google to serve secure URLs in the search results. All this minimizes the risk of serving unsecured content to your users…” https://support.google.com/webmasters/answer/6073543?hl=en This is a change to your Content Security Policy (CSP) however this should be the very last step as it can create functional problems if something critical becomes blocked, however for the maximum organic boost, this step is required. Most sites don’t seem to have a CSP at all at the moment, but as this is a fun and interesting part – we should definitely make time to talk about it later…
- SPDY is a protocol that incorporate TLS, which attempts to reduce latency when loading pages. It is not an HTTP standard but is widely supported, created by Google and can significantly improve HTTPS page speed, as this is a bit more technical, the best thing would be for you to read the details at - chromium.org/spdy/ Last year Google have deprecated support for Spdy as HTTP/2 becomes a standard. The core developers of SPDY have been involved in the development of HTTP/2. HTTP2 is cool and there are exciting things that are being done here, but this usually does require https in many browsers.
- So what is our best practice for moving to https
- Ideally moving to HTTPS gradually allows you to test along the way, avoiding any issues as you go. This approach minimises any potential for users (or search engines) to experience issues. At this point we will assume you don’t have a separate server for HTTPS, in fact we will assume you are running off one main server with a https cert installed, if this isn’t the case you will need to adapt these recommendations accordingly, (it can complicate the process). Now you have a acquired and installed a certificate the next steps are as follow;
- Test the certificate A quick test of the certificate is available online at SSLLabs.com/ssltest This free online service performs a deep analysis of the configuration of any https web server on the public Internet. This free service gives you a grading, aiming for an A is preferable, but many large companies only attain a C, it does tell you the steps required to improve. You know – before this step, test it in Chrome
- Formerly called Google Webmaster Tools (GWT), Google sees https and http as separate websites so within GSC both need to be authorised to see the complete picture. Depending on the authentication method you are using, simply adding the new site will ‘just work’. If you access has been given to you from another account, unfortunately you would need to ask them to do this.
- Running the site on both HTTP and HTTPS allows you to scan for any issues, checking internal links, giving you the opportunity to resolve any issues before pushing users and search engines to HTTPS. This is the point where you try to make URLs relative if possible.
- You can track who is on HTTP and HTTPS very easily if you are using Google Tag Manager as a built in URL Variable. This allows you to see the proportion of traffic not on HTTPS at a later date. This can either be setup as a content group or a custom dimension by editing the main tracking…
- Use Googles Fetch and Render within webmasters tools to ensure there are no issues with Google crawling the content - google.com/webmasters/tools/googlebot-fetch – EVERY SINGLE TEMPLATE TYPE REPEATEDLY!! Best way to check it is all working and on mobiles
- Chrome and Mozilla support the ability to push mixed content reports out to a 3rd party reporting tool. An excellent tool was developed by Scott Helme (which at time of publish is free). Scott has written an excellent post on “how to”ScottHelme.co.uk/fixing-mixed-content-with-csp/
- When your site is fully tested and you are confident that everything is in place then push organic value to HTTPS rather than HTTP Change the canonical tags across the site to ensure they are pointing to HTTPS Change the XML Sitemap Make sure that traffic on HTTPS stays on HTTPs by crawling it with Screaming Frog This pushes the organic traffic rankings to HTTPS consolidating the link equity and allows for further testing it also gives further time to update any inbound marketing. Within Screaming Frog there is an export called “insecure content” that is invaluable to tracking down where links to http are within your site.
- Redirect all traffic using a 301 (although Google have said that a 302 will carry 100% of the ‘PageRank’ I would absolutely go with a 301 otherwise you are potentially neglecting Bing).
- To improve security, something Google recommend “enable HTTP Strict Transport Security”, this significantly improves security. This is another change to your Content Security Policy (see above) and will enforce HTTPS for all content, protecting your content from injection and cookie hijacking which is one of the main reasons for this push from Google. When you are completely confident you are going to be able to maintain HSTS a final step is to get onto the chrome preload list - https://hstspreload.appspot.com/
- Add the renewal of the certificate to a calendar and make sure you renew it ahead of time (it might be worth making sure there are multiple people who are responsible for this) if you are on the HSTS list and the certificate expires, you can loose all traffic. Any site migrations become more complex with additional certificates required, if a domain name change is done then it is critical that the old site certificate is maintained. When moving to HTTPS you do not need to use the change of address feature in Google Search Console. Migrating in sections is ok! As mentioned above, blogs are sometimes more challenging so migrate the main site first!
- That’s all from Tom, Andy and myself Gerry