Home            Blog

Thursday, May 25, 2017

10 HTTPS Implementation Mistakes

10 HTTPS Implementation Mistakes - SEMrush Study

Elena Terenteva
This post is in English
10 HTTPS Implementation Mistakes - SEMrush Study
Moving your website to HTTPS is a not a nice SEO bonus or prerogative of a big business, but it is a must for all kinds of websites. The volume of encrypted traffic is growing year after year and, according to Firefox telemetry, on January 29, 2017, half of all Internet traffic was secure, and that is a big deal.
The significance of this tipping point really can’t be overstated.
Ross Schulman, co-director of the New America Foundation’s cybersecurity initiative (Source).
If your website is still on the ‘dark side,’ you should reconsider your perception of encrypted traffic. In our previous article we talked about HTTPS’ influence and importance: it’s a heavy ranking signal, it’s a trust signal increasing  users’ credibility, and finally, it’s a guaranteed way to protect your website data from certain types of attacks.
Today we are going to talk about mistakes that can occur during HTTPS implementation and ways to fix and avoid them, so if you have already moved your website to HTTPS or are just thinking about it, this article will help you to avoid some of the most common pitfalls.
HTTPS Implementation mistakes

HTTPS Implementation with SEMrush

Is your website secure?

HTTPS implementation mistakes

All statistical data for this article was obtained during research conducted using the SEMrush Site Audit tool. We collected anonymous data on 100,000 websites in order to find out the frequency of  HTTPS Implementation mistakes. First of all, we should say that only 45% of the websites we analyzed support HTTPS and all data on the frequency of HTTS-related errors was collected during the analysis of those secure domains.
Google has very clearly specified HTTPS pitfalls which may occur and should be avoided. Now let’s take a closer look to each one and thoroughly examine ways that these errors can occur.  

Non-secure Pages with Password Inputs

Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure
Google Security Blog - Moving towards a more secure web
To identify the frequency of this error, we analyzed all 100,000 domains, because Google has strict requirements about ‘non-secure’ pages — any page that collects passwords should be encrypted. We hope that this initiative will facilitate the expansion of HTTPS. But for now, 9% of analyzed websites still have insecure pages a with password input.

Website Architecture Issues

Mixed Content

Mixed content occurs when your page is loading over secure HTTPS connections, but it contains elements (such as images, links, IFrames, scripts, etc.) that are not secured with HTTPS.
First of all, this may lead to security issues. Moreover, browsers will warn users about loading insecure content, and this may negatively affect user experience and reduce users’ confidence in your website.
And the extent of this problem is greater than you might think — 50% of websites have this problem. The thing is, manually evaluating this issue is very time-consuming — because one site can contain hundreds of pages, so this makes a mixed content error a real problem.

Internal Links on an HTTPS Site Leading to HTTP Pages

All internal website links, images, scripts, etc. should point to HTTPS versions. This is extremely important, especially if there are no redirects or HSTS implemented. Still, it is better to change links to their HTTPS version even if redirects are implemented. This is also one of the errors that can occur when moving a website to HTTPS. And, it seems like it’s the biggest problem, because it’s also time-consuming due to the amount of pages that need to be analyzed — for 50% of the websites we analyzed face this pitfall.

No Redirects or Canonicals to HTTPS URLs From HTTP Versions

When moving your site from HTTP to HTTPS, it is important to appropriately redirect canonical pages. This is important for several reasons — first, for supporting stable secure website experience, that is obvious. Second, not connected HTTP to HTTPS pages’ coexistence doesn't impede your SEO. Search engines are not able to figure out which page to index and which one to prioritize in search results. As a result, you may experience a lot of problems, including pages competing with each other, traffic loss and poor placement in search results.
Properly implemented redirects or canonicalization can improve a website's positions by combining all the signals.
This problem is not detrimental to websites using HSTS, because it is preventing web browser communication over HTTP, so we didn’t take them into account during our research. We have discovered that on 8% of the websites we analyzed (excluding ones supporting HSTS) HTTP home page is not corresponding to HTTPS version. And keep in mind, we are just talking about home pages here; can you imagine how many pages on the rest of these websites have not been properly redirected?

HTTP URLs in the sitemap.xml for HTTPS Site

Again, this mistake can easily occur when moving a website to HTTPS.
To prevent Google from incorrectly making the HTTP page canonical, you should avoid the following practices: including the HTTP page in your sitemap or hreflang entries rather than the HTTPS version.
Although this seems to be a clearly described requirement, 5.5% of websites have this mistake. When moving your website to HTTPS, you don’t need to create another HTTPS sitemap.xml file; just change the HTTPS protocol in the sitemap.
To learn how to properly migrate your site to HTTPS, check out this guide —  All you need to know for moving to HTTPS by Fili Wiese.  

Security Certificate Mistakes

Expired SSL Certificate

An SSL certificate (Secure Socket Layer certificate) is used to establish a secure connection between a server and a browser and to protect data on your website from being stolen. For some types of businesses that work with confidential data, like customers’ credit card and social security numbers, an expired SSL certificate brings the risk of credibility losses. Also, an expired certificate triggers a warning message for your users once they enter your website which will negatively affect your bounce rate. During our research, we found out that 2% of the analyzed websites have expired SSL certificates.

SSL Certificate Registered to an Incorrect Domain Name

This error occurs when the domain name to which your SSL certificate is issued doesn’t match the domain name displayed in the address bar.  This mismatch mistake appeared on 6% of the analyzed websites.
The higher frequency of this error, compared to the previous one, can be explained by the misconception that an SSL certificate issued only to the root domain (example.com) works for subdomains (info.example.com). This mistake can occur even if the certificate is installed correctly. For example, if a website’s SSL certificate is issued for www.example.com, entering example.com user will get to the website but receive an error notification.
This problem can be solved by using a Multi-Domain certificate, which allows you to use one certificate for multiple domain names or IP addresses. Note that unqualified names (www), local names (localhost), or private IP addresses violate the certificate's specification.

Server Issues

No HTTP Strict Transport Security (HSTS) Server Support

The HSTS protocol informs web browsers that they can communicate with servers only through secured HTTPS connections. Let’s say user typed in the address bar name of your website like  http://example.com, but HSTS instruct browser to use HTTPS version.
HSTS is a protection from downgrade attacks and cookie hijacking. This is a way to secure users from a man-in-the-middle attack.
A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate. HSTS does not allow a user to override the invalid certificate message 
86% of analyzed websites don’t support HSTS. And it’s no surprise — the technology is quite new and browsers have only started to maintain it quite recent. Hopefully, in the next year we'll see a different picture with positive trend.

Old Security Protocol Version (TLS 1.0 or older)

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, which provide a secure connection between a website and browser, must be regularly updated to the new strong versions — 1.1 or higher. There's no discussion — this is a must. An outdated version of a protocol makes it very easy for rogues to steal your data. It’s one of the critical error, nonetheless it appears on 3,6% of the analyzed websites. This means that even companies that care about timely SSL certificate prolongation can forget about updating their protocol versions. So don’t forget to check your website’s current state.

No Server Name Indication (SNI) Support

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol, and it allows you to support multiple servers and host multiple certificates at the same IP address.
SNI usage solving the problem we talked about previously - SSL certificate registered to an incorrect domain name. Let’s say you added a new subdomain, entering it your user will get a warning about insecure connection, because SSL certificate is issued to the the different domain name. And it’s difficult, or better say impossible, to foresee all possible names. So here comes SNI, which will prevent occurrence of this error.
It’s not a strict requirement, which is probably why SNI-related errors were discovered on just 0.56% of the websites we analyzed.

About the SEMrush HTTPS Implementation Report

All the mistakes we've been discussing can be detected by the SEMrush HTTPS Implementation report — a new report available via the SEMrush Site Audit tool. We want to add couple words about the technical realization of this report and the way it can detect you all HTTPS pitfalls.
When detecting errors related to an expired SSL certificate, the SEMrush HTTPS Implementation report doesn't just show you the certificate's expired status, but the date it expired. Moreover, it can help prevent this problem by sending a notification about an upcoming certificate expiration.
certificate's expired status
If a certificate is registered to an incorrect domain name, the report will show the subdomain the certificate is issued for, which will help to quickly discover the problem.
Tanking about server-related issues: report, will provide full information about exact subdomain, which need an upgrade of security protocol (specifying the current version) or implementation of HSTS and SNI support.
Server related mistakes
Speaking of website-architecture-related issues, one the most interesting checks in the report about mixed content detected on a page. The report will find any type of the detected HTTP element, which we extract from tag element. It means that report is available to find and specify literally any insecure element. Considering how time-consuming can me mixed content exploration, this report will definitely become a great helper.
Mixed content
There is also a severity level mark for all errors, which will help you set priorities and work with the most dangerous issues first, then move on to the less important ones.
SEMrush Site Audit
So we can say that these newest implementations, plus the high crawling speed, the 50 additional on-page and technical SEO checks and the friendly interface make the SEMrush Site Audit tool one of the most powerful website auditors available on the market and definitely the best one among SEO suites.
So what do you think? Share your thought about our new report and let us know what HTTPS errors have given you the most trouble as well as how you overcame them.


No comments: