HOL on HTTPS

[CodyJarrett]

The Hall of Light runs on both https:// and http:// but we're planning to make it https:// only.

This is required these days as Google doesn't like http:// websites, marks them as insecure in Chrome and downgrades them in search rankings.

https://hol.abime.net

Is this going to cause a problem for anyone who is viewing the site on Amiga browsers?

[phx]

Do you really care about Google rankings and let them dictate how to run your server? Http is an additional service for old browsers, which would be lost for no good reason. What security would be improved by watching HOL encrypted?

[daxb]

HTTPS should only be used if necessary. Google also like to force it because they can easy track. I would avoid Google wherever possible or at least don't follow blindly. And what phx said.

[clenched]

I'm still thinking... Is disliking the idea a problem? If so my vote would be yes. My 2004 PC default is IE8 (c)2009. It may render 1/100 HTTPS sites. Next is SeaMonkey and Chrome, both bloated, slow to load, ugly "skins" ie plenty to despise. These are "emergency" browers for HTTPS.

[Photon]

Quote:

Originally Posted by phx

Do you really care about Google rankings and let them dictate how to run your server? Http is an additional service for old browsers, which would be lost for no good reason. What security would be improved by watching HOL encrypted?

I think Cody asks because it can cause a problem with Amiga web browsers?

As for the HTTPS upgrade, there must be an internal server redirect from HTTP to the same URL with HTTPS, or a lot of links will die overnight. But I'm sure they know this

HTTPS is meant mostly only for websites with public logins. It's a wish from Google's side but not a requirement to be indexed. Nor should it be for any search engine worth the name. A search engine should want to index as much information as it can. If they stop indexing HTTP, they lose search results.

Quote:

Originally Posted by CodyJarrett

marks them as insecure in Chrome and downgrades them in search rankings

This is actually not true.

That said, there's no harm in changing to HTTPS. You get a certificate that you need to maintain, and if you slip up one year, any link to that website will give any visitor a warning in most/all web browsers right now, not connected to any search engine but even from a typed link.

[Radertified]

Should HOL keep http:// or go full https:// depends entirely on the goal of the site.

If it's to serve Amiga browsers, http:// needs to be kept.
If it's to rank on Google, redirect all http:// calls to https://

It's as simple as that.

Yes, Google DOES mark sites as insecure and drop their rankings. HTTPS as a ranking signal has been a known factor since 2014, and over the last couple of years Google has been pushing it extensively. I've seen http:// only sites drop rankings several times.

I would speculate that in a few years, browsers will disable http:// support and only make it available as a browser setting, much like they're dropping FTP and several other "insecure" features.

(I'm in the industry - I deal with this stuff everyday).

----

EDIT: I'll add that while there's evidence that Google favors https:// sites, as well as strongly hinting at it several times, it's also largely speculation because as anyone in the industry knows, Google's ranking algorithm is a pain in the butt to deal with and involves a lot of guesswork. You just have to roll with it so in this case, you want rankings, roll with https:// because they've been pushing it for years and have been getting more and more aggressive about it recently.

[jbenam]

What about letting HOL go full HTTPS and then setup a reverse proxy (nginx, envoy, etc.) with no SSL on something like port 6800 (68000 would be better but alas...) which can then be accessed by Amigas without compromising SEO?

[malko]

As long as eab & hol are intended for Amiga users the lowest common denominator must rule the thinking.
jbenam idea is interesting as well

[seuden]

Does it protect me from prying eyes when I'm looking at Amiga pr0n? Sign me up.

[dalek]

On the http site you could set permanent redirect for the Googlebot useragent to the https site, so it never "sees" or indexes the http only site. Or just plain block it in robots.txt for the http only site with a rewriterule.

The only downside is that all search results would be https but it sounds like google are going to do that regardless.

[tygre]

Quote:

Originally Posted by phx

Do you really care about Google rankings and let them dictate how to run your server? Http is an additional service for old browsers, which would be lost for no good reason. What security would be improved by watching HOL encrypted?

Hi Phx and all!

Besides old browsers, the energy cost of HTTPS (and here and here) is outrageous because, often, simply unnecessary (as in the case of HOL or so many other "non vital" Web sites ). Also, HTTPS has costs both in money and in time spent by maintainers to setup and update the certificates. It's a unnecessary burden...


Cheers!

[jbenam]

Quote:

Originally Posted by tygre

Hi Phx and all!

Besides old browsers, the energy cost of HTTPS (and here and here) is outrageous because, often, simply unnecessary (as in the case of HOL or so many other "non vital" Web sites ). Also, HTTPS has costs both in money and in time spent by maintainers to setup and update the certificates. It's a unnecessary burden...


Cheers!

Hi!

I think that white paper is most definitely outdated. I honestly can't think of a good reason to *not* use HTTPS except when dealing with old computers.

While I can understand that doing SSL isn't that easy for vintage machines, setting up SSL on a modern server literally takes only five minutes of your time and it's entirely free. certbot-auto (you can find more info on certbot.eff.org) takes care of everything (even configuring your web server!), renewals included.

[tygre]

Hi Jbenam

Quote:

Originally Posted by jbenam

I think that white paper is most definitely outdated. I honestly can't think of a good reason to *not* use HTTPS except when dealing with old computers.

While I can understand that doing SSL isn't that easy for vintage machines, setting up SSL on a modern server literally takes only five minutes of your time and it's entirely free. certbot-auto (you can find more info on certbot.eff.org) takes care of everything (even configuring your web server!), renewals included.

The paper may be old, but it's not outdated! If anything, energy consumption and costs went up... And there is still the need to maintain the site, manually, with certbot, or with any other solution. It's still add a layer of complexity, new bugs... and for what return/purpose?


Cheers!

[Jami]

Quote:

Originally Posted by dalek

On the http site you could set permanent redirect for the Googlebot useragent to the https site, so it never "sees" or indexes the http only site. Or just plain block it in robots.txt for the http only site with a rewriterule.

The only downside is that all search results would be https but it sounds like google are going to do that regardless.

It seems like a very good compromise.