Archive for October 2017

Google recently announced that forms on web pages over HTTP will be marked as ‘not secure’ in Chrome starting this month. Columnist Fili Wiese believes this presents a good opportunity to make the switch to HTTPS — and that webmasters can take advantage of this switch to implement other SEO improvements.

Most SEOs have heard by now that moving web pages with forms to HTTPS is necessary to avoid being shown as “not secure” in Chrome 62. Moving to HTTPS is a good step to take for a number of reasons, but there is also an unique SEO opportunity which is often overlooked — an opportunity that can significantly help your website with its SEO rankings, if done properly.

So, what is the opportunity? Moving to HTTPS will encourage Googlebot to recrawl most of your URLs. Googlebot has its own mechanism for determining and prioritizing which URLs to recrawl; however, when Googlebot detects a move to HTTPS, it tends to temporarily increase the crawl rate in an attempt to crawl as many URLs as possible within a short time frame. As such, this is a unique, one-time opportunity to improve your overall website’s signals in the Google Index.

Crawl budget

Most sites have a certain crawl rate, based on a number of factors such as page speed, internal linking, external linking and popularity. For larger websites (i.e., those with more than 100,000 URLs), this often means that it can take a while before Googlebot picks up on new SEO signals.

What Is HSTS?

HTTP Strict Transport Security (HSTS) is a web security policy that ensures a user will always connect via an encrypted HTTPS channel to a website after the initial connection to that site. If the user then tries to connect to http://gmail.com, for example, the browser will automatically switch to https://gmail.com before sending out the request to Google.

Once the HSTS response header is received by the browser on the first connection, the user can no longer connect to that site using HTTP, which means any downgrade attacks (from HTTPS to HTTP) will also be prevented.

However, because HSTS still normally needs that first connection before it can be enabled in the browser for a given website, a small window of opportunity for an attacker can still exist to launch a man-in-the-middle attack against someone visiting a certain website.

This can be fixed for certain websites, if they are included in the HSTS preload list in the major browsers. Then, the browsers will be able to enforce HTTPS encryption from the very first connection.