Why securing your site is critical in 2017

Video Transcript

Afternoon, everyone. Thank you, Sam. Before we begin, as we now have an online audience, I feel we should introduce them to a RocketMill tradition. Each month during the company meeting, we acknowledge my history of losing game shows by setting you all a Countdown conundrum. I think we should set that to the web as well. This month’s SEO-themed Countdown conundrum, ITSGOOGLE, and your clue: an expert in organic science structures who knows nothing about SEO. I think this one’s probably like a seven and a half out of ten difficulty, so you’ll be doing well if you get it. An expert in organic site structures who knows nothing about SEO.

From one teaser to another: what do all of these brands have in common? You’ll find out in a moment, but I will say, this might give you a clue. Today’s presentation is called ‘Why Securing Your Site is Critical in 2017’. I want to take you back in time. Do you remember the year 1990? Dom does. Dom was about 40. Most of you weren’t born. It was the year that 200,000 protestors descended on London in the Poll Tax Riots, the Community Charge. It’s the year that Gary Lineker and the rest of the England squad reached the semi-finals of Italia ’90. Impressively, Gary Lineker, 16 years before Twitter was invented, invented Twitter trolling by pooing his pants on the pitch. On the 20th of December, 1990, as we enjoyed the sick beats and sickening clothing of Vanilla Ice at number one, an unassuming Briton called Tim Berners Lee was quietly changing the world.

Tim was a research fellow at CERN, who nowadays are probably best-known for the Large Hadron Collider, and to help researchers there share information, he proposed combining hypertext with the internet. By Christmas 1990, he’d come up with the World Wide Web, or a lot of the key points of the web. He’d come up with the addressing system, the URL; he’d come up with the language it was all written in, HTML; and he’d come up with the protocol over which we would share and retrieve information. You can see this in the address of the first public website, which went live the following year. This is still online if you want to have a look, http://info.cern.ch/. This quartet of consonants has been plaguing us ever since.

The thing with HTTP versus its secure successor, HTTPS, is it is fundamentally unencrypted. You can say, “Well, we’ve used it for 20-odd years and it’s all right.” Well, that’s a bit like saying we spent years using fossil fuels or leaded fuels. Just because we’re doing it doesn’t mean it’s the right thing to do. But just how persistent is HTTP? Well, to find out, the other day, I ran a list of the 500 most popular websites in the UK according to the Alexa rankings through Screaming Frog, preceded by ‘http://’ and ‘http://www.’, because I wanted to see how many sent a 301 redirect to a secure HTTPS URL. ‘http://’ redirected on 127 out of 500 and with ‘www.’, it redirected on 140 out of 500.

When I had a look in the browser, I found some were doing slightly different things. Some were getting you there by different routes, but it goes to show this is by no means a universal adoption of the secure web. As Adam correctly guessed earlier on, my little teaser…on Wednesday, when I checked, presuming none of them migrated in the last 48 hours, all of these sites, or at least their homepages, were being served over HTTP. Now you might say, “Well, their carts or their banking systems were being served securely,” and that’s okay, but here are some reasons why it’s not, and why even if you are already on HTTPS, you might want to just be aware of some of the opportunities which it opens you up to.

Issue number one: Goodbye carrot, hello stick. We found out in 2014 that HTTPS was going to be considered a ranking signal for Google Search, but a couple years later on our blog, I wrote the following: “Google take a carrot-and-stick approach to new ranking factors, and at first, taking advantage of a ranking factor results in a positive change, but eventually it becomes ubiquitous and they punish those who don’t use it.” We saw this before with Mobilegeddon, the mobile being a known ranking factor, being mobile-friendly, and then lo and behold, it became, well, if you aren’t mobile-friendly, that’s a bad thing. I think we’re close to seeing that with HTTPS. If you have a look at Moz’s data for HTTPS adoption, in the week after launch, it went from about seven percent on the first page of Google results to eight percent. Then, in two years, it went up to about a third of the web. When I checked again earlier this week, it was about 43%, so we’re getting close to half the first-page Google results being served on a secure HTTPS URL. It’s likely that we’re at a point where, lo and behold, soon enough, it’ll become a negative not to be secure.

Point two: even if the Google SERPs don’t get you, the browsers are certainly going to. They’re going to be frightening away your users. On our blog last year, I wrote, again, the following. “Pages served over plain HTTP could soon be demarcated with a big red X to highlight they might not be safe,” and lo and behold, you’ll have seen that Chrome 56, some of you are already getting this or you’re seeing this if you’ve got various settings set up in your Chrome flags, is starting to put a “not secure” message if you have a log-in form on your page, if you have a credit card form on your page. If you’ve got mixed content, that message I’ve seen even more aggressive. I’ve seen that with a big slash through the HTTPS.

Basically, what’s going to trigger these Chrome warnings? Well, in the short term, passwords and credit card details, but in time, you’ve got to consider that pretty much any personal information, if it’s transferred non-securely, we’re going to be discouraged from doing so on an HTTP page. It’s really important to get across as soon as you can if you aren’t already there. We’re going to see that message live in regular web-users’ browsers from this month, and it’s not just Chrome. Here’s a genuine user journey I had on the way to work recently. I wanted to have a look at something in the January sales, so I Googled ‘sainsburys’ and there they are in the Google results, https://www.sainsburys.co.uk/, all is well and good. Then I went through, and you’ll notice my page is not secure. It’s actually a mixed content page, so it’s a page which has got HTTP content within an HTTPS page, which therefore means it’s vulnerable.

Lo and behold, when I tried to do a search, I got a very scary message, and if I’m not particularly web-savvy, I’m not going to be submitting my information. Has my phone been hacked? As soon as you have a message like that on the screen being put there by the browser, it’s likely you might not convert, so that’s why it’s so critical to think about HTTPS in this year. Moreover, you’re just going to be missing out on the future. You can’t adopt HTTP/2 on a non-secure page, so what does this mean? Here is how HTTP/1.1, which is the kind of still de facto, most popular, most common way of transferring data over non-secure works.

If this was a restaurant, it would be the following conversation. “Good evening, sir. May I take your order?” “I’d like the spaghetti please.” “A fine choice, sir.” A little while later, the waiter would come back and say, “Here’s your spaghetti. Would you like anything else?” “Some grated cheese would be lovely on top of that.” “I’ll just fetch that for you, sir.” Another request later, the waiter comes back. “Here’s your grated cheese. Anything further?” “A little black pepper would be lovely.” “I’ll just get that from the kitchen.” By now, your food’s cold. That’s why you have this waterfall chart if you go into “Inspect Element” in Chrome. That’s why you get this row after row of HTTP requests that make the web seem so slow, whereas HTTP/2 is a bit more clever than that. It says, “Good evening. May I take your order?” “I’d like the spaghetti please.” “A fine choice. You’ll want grated cheese and black pepper, so I’ll bring those at the same time.”

If you’d like a real-world example, here’s a little GIF. This is from Cloudflare, 2.5 seconds on HTTP/1.1 and HTTP/2 is about a quarter of a second, significantly faster and supported by all modern browsers. The link’s in the presentation if you’d like to test this in your own browser. While HTTP/2 doesn’t strictly require security, no modern browser supports it unencrypted. You have to be on HTTPS.

In summary, why is HTTPS critical in 2017? Because if you don’t adopt it, Google’s going to punish you, browsers will berate you, and you’re going to miss out on the future, and no one wants to do that.