Should multilingual websites use HTTPS by default

I have received many questions from multilingual website owners related to switching from HTTP to HTTPS by default and have decided to write this article so that the other eCommerce website owners take benefit of this information. Security is a top priority for website owners and Google has invested a lot of resources in order to create a strong HTTPS encryption by default. This means that when people use Google’s products, they automatically have a secure connection to Google.

HTTPS protects the connection to the website through authentication and encryption. HTTPS only secures data in transit, which exists for mere milliseconds.While HTTPS is definitely good to use where it is needed, there are millions of blogs and small business websites that do not collect user data, but now must invest in SSL/HTTPS to compete in search results. All the recent buzz seems to originate from the NSA eavesdropping on Internet communications.

Providers are running out of IP addresses, and they do not seem to be ready to fix that with IPv6. This will cause more scarcity and drive the prices up.Internet in general and search engines in particular should be neutral in terms of infrastructure, as long as it follows the HTTP standard.

HTTPS is a great move but it will be more expensive for small businesses who run multilingual websites.

drawbacks og using https
What are drawbacks of switching from HTTP to HTTPS?

Although Google  announced that HTTPS has become a part of ranking signals, however many browsers are giving a lot of warnings about self signed that the vast majority will not dare to surf into a page which uses a self signed certificate. Google is encouraging webmasters to use HTTPS and has made it as a part of ranking signals. However I recommend eCommerce business owners to wait until this is settled. Encrypting all pages on your website will only slow them down, impacting other signals like page-load speed, and will not improve security on pages where you are not entering any sensitive information. Most websites are running on different applications such as: wordpress, Joomla, magento and so on. Website owners can use firewalls to secure data on pages which do not need encryption. You can also use implement various security programs under your server.

Many content management system applications may have problem with HTTPS. Possible downsides are intermediate caching between you and the client will not be able to speed anything up (it’s all encrypted after all) and you cannot use virtual hosting – it’s 1 server, 1 domain due to the way certs work. Performance reasons do not really come into it these days. Same with browser support, unless you have got some visitors using esoteric browsers.There are also cost issues such as buying: SSL certificate and dedicated IP address.

Should multilingual websites use HTTPS by default?

If you run a multilingual ecommerce website, your concern is to use or not to use HTTPS by default. A recent HP Security Research study found that a surprising 18 percent of 2,000-plus mobile applications from Global 2000 companies send user names and passwords via HTTP rather than the more secure HTTPS. Further, of the 82 percent of apps using HTTPS, 18 percent had not implemented it correctly.

SSL issue IE

HTTPS issue on IE.

https

HTTPS in Chrome

What about the other browsers? Here are a few browsers.

Firefox-3-HTTPS-Certificate-Error-Page

HTTPS issue on Mozilla Firefox

opera and https issue

HTTPS ISSUE On Google Apps- Opera

Remember! Your websites’ visitors use all kinds of browsers and apps on mobiles and smart phones. They are not ready for HTTPS.I recommend waiting until this is settled or test drive and see the impact of using HTTPS by default in case if you see drop in sales, traffic, speed and loads on server. When all HTTPS testing by default is final and settled by Google, then do it after at least three months. In the online world, it’s all about testing.

SSL and digital certificant Pricing

There are several pricing plans for SSL and subdomain protection. Some are on domain validation which is 2048+ BitSH42 SSL/TLS encryption the encryption key is limited which means you can use on a few pages and has a limited band weight. There is one with green bar assurance and most trusted SSL protection which has unlimited licenses.This type of SSL is suitable for organizations such as banks, governments etc. You need at least one for every site that you secure, because the hostname (as it appears in URLs) forms part of the certificate.There is also the “hidden” administrative cost of applying for the certificate and of arranging for its renewal each year.

There are free SSL certificates out there. However, you have to make sure you know what you’re doing. It’s a little complicated. Validations for EV certificates is also difficult for webmasters.

A good SSL costs top dollar and small business owners can’t afford to implement on all their multilingual pages. There are many security functions which can be added under server and web hosting.If you run a multilingual website and write articles i presume you use wordpress. You can use a good firewall plugin to secure it against PHP and malware injections or just add security code in your .htaccess file.

If you still want to use HTTPS remember, pages accessed by HTTPS can never be cached in a shared cache. Since the conversation between browser and server is encrypted, intermediate caches are unable to see the content to cache it. Worse, some browsers will not even cache HTTPS documents in their local per-user caches. Worse still, since it is dangerous to mix HTTPS and HTTP content on the same page (there are some scripting attacks that can allow a script in one component of a page to read data from another), even embedded icons and pictures have to travel encrypted and therefore can not be cached. The lack of local caching can lead to problems in Internet Explorer that can make it impossible to save documents to disk or to open them in external applications (see for example http://support.microsoft.com/kb/812935)

The encryption/decryption represents a computation overhead for both server and browser. Most modern client systems will probably not notice this, but on a busy server handling multiple simultaneous HTTPS connections this could be a problem.

If sites used HTTPS by default and users were trained to avoid sites that use only the HTTP protocol, phishing would be almost useless.Multilingual website owners should make their move when all applications and browsers are compatible with HTTPS.

Update: Using HTTPS and SSL/TSL in 2016

The above article was written in November 2014 when Google announced HTTPS as a ranking factor. Today June 17th 2016, I have decided to add the following update in my article due to receiving a few harsh tweets on twitter from a SSL provider and his fellow content writer who claimed that the world will end if businesses don’t use HTTPS and not to buy SSL! These guys didn’t get it that i wrote this article 2 years ago. Things were different by then.

Apparently my article became commercially “ANTI TSL” for TSL/SSL providers which created noise in their community so much that they created a series of defamatory statement against me on Twitter. One of them read the article misunderstood the point, then he wrote something totally wrong on Twitter and the other ignorant SSL providers and their affiliates replicated the tweet and it became something totally different.

They bombarded my twitter account with various dogmatic statements, insults and inappropriate comments which were deleted.

They didn’t stop there; since I deleted their spammy and misleading links and rude tweets, they tweeted their slanderous comments on twitter and called me names. Those who supported my article went under their attack too. It’s hilarious they thought those people were me. These newbies went one step further and crossed the line,  they sent a huge bot attack to my website at the same time we saw a huge spike on server load, so we took action immediately and stopped them.

Then we reported  their domains, real names, company and ISP providers.

So here is a question: Would you trust such providers with your websites? Would you even hire such people at your company or negotiate with them?

Below is the proof of their attack. This is how they are trying to make a point. This is how they call themselves security “experts”. They may know some so called security mumbo jumbo, but they have no idea about SEO, sales and marketing. They do not understand business operations at small and large companies.

They don’t understand that businesses don’t look at their product the way these SSL providers see it. These snakeoil sales people see one thing “SSL/TSL”! It  must be sold and make profit of it.

They didn’t even bother to read the article and understand the issues from an end-user point of view. They have to learn to listen to users instead of being so hard headed and  unprofessional.

 

the IP 195.154.179.19 – – [17/Jun/2016:10:46:15 +0100] “GET /million-dollar-blog/ HTTP/1.1” 200 35373 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/36.1.1.21 Chrome/36.0.1985.97 Safari/537.36″
195.154.179.19 – – [17/Jun/2016:10:59:09 +0100] “GET /million-dollar-blog/ HTTP/1.1” 200 35373 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/36.1.1.21 Chrome/36.0.1985.97 Safari/537.36″
195.154.179.19 – – [17/Jun/2016:11:15:50 +0100] “GET /million-dollar-blog/ HTTP/1.1” 200 35373 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/36.1.1.21 Chrome/36.0.1985.97 Safari/537.36″
195.154.179.19 – – [17/Jun/2016:11:27:58 +0100] “GET /million-dollar-blog/ HTTP/1.1” 200 35373 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/36.1.1.21 Chrome/36.0.1985.97 Safari/537.36″
ss as per following server logs.

===================
195.154.179.19 – – [17/Jun/2016:10:46:15 +0100] “GET /million-dollar-blog/ HTTP/1.1” 200 35373 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/36.1.1.21 Chrome/36.0.1985.97 Safari/537.36″
195.154.179.19 – – [17/Jun/2016:10:59:09 +0100] “GET /million-dollar-blog/ HTTP/1.1” 200 35373 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/36.1.1.21 Chrome/36.0.1985.97 Safari/537.36″
195.154.179.19 – – [17/Jun/2016:11:15:50 +0100] “GET /million-dollar-blog/ HTTP/1.1” 200 35373 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/36.1.1.21 Chrome/36.0.1985.97 Safari/537.36″
195.154.179.19 – – [17/Jun/2016:11:27:58 +0100] “GET /million-dollar-blog/ HTTP/1.1” 200 35373 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/36.1.1.21 Chrome/36.0.1985.97 Safari/537.36″
====================

All of them were pointed to my blog and this article!

 

195.154.179.19 16,438 16,438 541.46 MB 17 Jun 2016 – 13:05
pc221-41.ktv.no 12,280 49,162 2.69 GB 17 Jun 2016 – 11:01

So here is a question: Why? They started all these defamatory games on Twitter because they were afraid of losing customers? What is it that they are hiding? In this article I suggested businesses to take precautionary steps. What part of it is against online security, besides why is it so difficult to agree with disagreement instead of running some defamtory statements about me on twitter?!  If they are so knowledgeable and right, why trying to attack my website? They couldn’t maintain a civilized conversation on Twitter. Then they hide the parts they insulted me and fetched the parts which was their own conversation and called it evidence?!

These SSL/TSL providers think of one thing: selling their service. They don’t care about your business or your sales. In fact they come up with all fancy reasons to convince you to buy their product.This alone proves something is not right.

Some users who have been using HTTPS protocol with their sites, had so many problems with it that they opted to go back to http. The thought of switching is a nightmare for so many reasons and at this point they outweigh the little bit of extra juice from Google.

My article is for business owners who care about traffic and sales. I  look at both technical aspects of products /services and their impacts on marketing and sales.

Your concern as a business owner is to drive in traffic and sales. How would you do that with a cheap SSL on a cheap web hosting or cheap server? A key should therefore be large enough to prevent a brute force attack.

HTTPS is good, nobody is disagreed. But Switching from HTTP to HTTPS will cause some link building SEO and browser issues for old domains. Yes, there are cases when HTTPS and a long SSL key certificate work fine, but we need to look at it at global perspective.  I talk about all size of multilingual businesses who wish to sell their products hassle free to prospects in other countries. If you run a new website or blog and want to have extra expense, well it’s your choice, by all means buy SSL/TSL and make these guys rich. But when you have an old domain with established link profile, it’s tricky.

If you wish to switch back to HTTPS and can afford paying for SSL/TSL certificate, then go for it.

HTTPS designed only for service and user oriented features. Like transaction, encryption data like email/passwords and make it more trusted to the search engine.

In terms of SEO, Google have confirmed that any working SSL is fine and there is no SEO benefit of a more expensive certificate. But if you want people in other countries view your websites, then you have to buy extra band weight, disc space and a long TSL key in order to have the same benefit of using TSL in your country.

Websites with short band weight won’t be visible in other countries. When you use up your band weight the website at the end of the month will be down during some hours of the day.Your website will not be up 24 hours a day.

 

Cons:

  • Danger of losing keyword ranking (if implemented incorrectly)
  • It may cause revenue loss due to advertising networks such as: Adsense and other ads
  • Can be a little technical and tricky, so even moderately technical people may struggle with implementation when installing a cert on server
  • If you get things wrong or forget to renew your certificate, users will get nasty browser errors
  • Your reference links and backlinks will be affected by switching to HTTPS: If you can afford building links all over again, be my guest!

Do you still want to switch to HTTPS?

Here are some tips:

  • Generate a CSR on your webserver
  • buy SSL certificate
  • Screen your website code for absolute URLs. Your links should all use relative paths.
  • use protocol relative URLs
  • Update Google analytic URL
  • Update social media links
  • redirect traffic from http to https by using 301 redirect rule
  • Install SSL certificate on your web server

If you have a .htaccess file make sure to write the rewrite rule.

HTTPS to HTTP sites will not pass referral information in Chrome.

If you do it right the transition to HTTPS will go well and you will not encounter bigger problems.

If your website is built on WordPress do the following:

  • Go to WordPress admin and change setting from http to https
  •  Buy certificate on WpEngine and check the following boxes: force https for wp-login and wp-admin. You should allow non-SSL configured pages to use https

In this article I argued both pros and cons about switching from HTTP to HTTPS from SEO and end-user perspective. When a business focuses only on positive aspects of their products, they won’t be able to innovate and as a result lose customers.

 Instead of shooting the messenger improve your product/service and FIX the issues!

These are the problems in the market. I and my team deal with businesses’ SEO, sales, content management systems and applications. My team on social media reported number of complaints from businesses who switched to HTTPS and use SSL certificates. We see the problems and let the providers know of the issues so that they would be able to improve their products and services.

Your CEOs and CFO’s are working their ass off to find out why they can’t increase their sales and share of wallet while you’re sitting in front of computer drinking coffee, playing with codes or writing on Facebook and getting your monthly paychecks. They wonder why people don’t switch to HTTPS and buy SSL/TSL certificates?! If it was easy then everybody would have done it long time ago.

You may know web security and application development. But you don’t know what small and major player businesses are dealing with and going through. I didn’t write this article for you to mock me either. We have numbers and know what’s going on in the market on global level.

I helped big cooperations with their sales and not just small companies. For example my sales and technical strategies helped a small German company. They were a small clothing ecommerce business back in 2013 and I turned their company to a multibillion euro ( 20 billion to be exact) business.

When I see a problem I talk about it and you, SSL provides can’t stop me from telling the truth. In fact you should thank me for letting your business owners and investors know what your real problem is in the market.

This is why people don’t buy your SSL certificates because it is expensive, complicated and they save the headaches. This is why they don’t switch.

A multilingual ecommerce owner who spent a few thousands of dollars on his or her ecommerce application, doesn’t care about how much you brag about your SSL/TSL simplicity, they won’t do it. because it cost them customers. Businesses don’t waste their time on your commercial SSL/TSL mambo jumbos either.

Most businesses use PayPal. Using creditcard payment is too risky for businesses.Users/prospects have trust issues when seeing creditcard payment on a website, they prefer PayPal and/or other legitimate payment gatway. I personally don’t buy from a website which has only creditcard payment option, If they have PayPal, I buy the product  otherwise i clickaway. These business owners don’t need your product. IF they swtich to SSL/TSL, they just use on their login and payment pages. Because using it on all pages requires buying a larger key. So they spend their money on something else maybe another Facebook PPC ad or Google Adwords ads who knows. This is why you keep losing your money on Adwords promoting your SSL and don’t see much sales that you expect.  Trolling me and my hardworking social media agents on Twitter won’t fix your sales problem.

My advice to ecommerce owners, web shops and all small business owners is this: some users may have problem with viewing your websites. So if you switch from HTTP to HTTPS and buy SSL/TSL certificates, then be prepared for it. As you see in the image below, this is what most people see your website from other countries, if you use free HTTPS and cheap SSL certificate. These are problems which SSL and TSL providers don’t want you to see. And this is the problem users see when trying to view your websites through their applications or portals in other countries. Thus not everybody is able to view your websites. Therefore you lose leads and potential sales.

Back in 2014 I recommended multilingual website owners until this problem settled, either wait or test it and see what happens. Now in 2016, although these providers “may have fixed “some applications’ problems which had problem with compatibility a few years ago, but the problem still stands.

I am not against website security and browser security, I am against lies they feed people and try to hide the real issues from businesses. I worked on information systems projects  and used to fix a lot of errors. I also worked as a freelancer for Google cleaning web from spam and porn a few years ago. Google wants to rank trust worthy websites online, but do these websites’ owners who use this protocol and certificate, aware of the fact that their websites are not visible to all users/prospects who live in other countries?  You spend a lot of money on advertising so people land on your website, right? If people in other countries see the below image, they click away from your website and you lose money on advertising and customers. When people see the below image on your multilingual website, they choose your competitor and buy from him or her.

The image below is an example of a website using HTTPS SSL in Asia which is viewd in Europe. Source: June 18th 2016

My message to SSL/TSL providers:

When you solve the issues, let me know so I do the research and testing and write a new article, otherwise I won’t remove this article. Your bot attacks to this article, defamatory comments on Twitter and private emails in regards to article removal won’t help anything. I can’t censure the truth.

Nothing is 100% secure! Everything is hackable. My 2 cents!

 

 

It's only fair to share...Share on Google+44Tweet about this on Twitter85Share on Facebook14Share on LinkedIn3Pin on Pinterest16Share on StumbleUpon0Share on Reddit0