

Facebook Starts Switching All Users to HTTPS Connections - derpenxyne
http://techcrunch.com/2012/11/18/facebook-https/

======
acabal
I was thinking about switching my sites to https-only also, because https-only
is a good thing in general, but after doing some research it seems that it's
unclear what will happen in terms of Google SEO. There's even a video on
YouTube from Matt Cutts addressing that specific question from July or so, and
his answer is basically something like, "I don't know for sure, but I don't
see why it would make a difference."

What would be helpful is some sort of Google-recognized meta tag that says, "this
site is https only, please index it as such." 301 redirects might work _in
theory_, but theory isn't good enough when your business relies on how it
appears in Google's results. Even a temporary demotion could mean lots of
money and confidence lost.

~~~
Matt_Cutts
I think you're referring to this video:
<http://www.youtube.com/watch?v=xeFo4ytOk8M>

At the time of that video, the indexing team was still working on one (very
minor, corner case) type of issue, but I believe that was resolved. I'll
double-check with the indexing team, but at this point I'd say feel free to go
HTTPS.

As always, I'd test it out first, ideally with a lower-traffic domain name.
But if you like the results you get, you should be able to use our existing
tools like 301s and rel=canonical to help Google discover that the site has
gone HTTPS.

~~~
X-Istence
Does Google's bot do SNI?

------
X-Istence
The biggest problems I personally have with switching to HTTPS only for my
sites:

1. I simply don't have enough IPv4 addresses to put each SSL site on its own
IP address, IPv6, sure, bring it on ... but generally if someone has IPv6
connectivity, then they have SNI (see 3)

2. I don't have the money to get a certificate with X amount of domains on it

3. SNI is still not a good idea simply because there exist still a lot of
Windows XP clients that are unable to use it.

I am not too worried about the extra CPU cycles for the encryption decryption
of connections...

Currently on my sites I don't have any reason to use SSL, other than that I
would like to protect certain resources such that my account username/password
for my personal blog don't go across the ether in plain-text. For that I
currently use self-signed SSL certs from a personal root that I can trust in
the computers I want to trust them in.

~~~
StavrosK
You don't have to have one IP per domain for SSL, I happily put multiple sites
on the same IP. nginx supports it very easily.

~~~
nivla
You don't understand, it's not the web-server, it is the client's browser that
is the issue. Until SNI came out, the handshake was made and validity of the
key determined even before the "Host: xyz.com" header was sent in. Without the
host header your webserver can't determine which key among the multiple sites
it hosts should be used for authentication. The only way so far to support
non-modern browsers and to host multiple SSL sites on the same server is to
assign one IP per site; the server can use these IPs to look up the respective
keys.

~~~
sk5t
You don't have to have SNI to host multiple unrelated SSL'd sites on one IP,
given a Subject Alternate Name (SAN) cert and an httpd that accepts such a
configuration.

~~~
X-Istence
Those generally cost a lot of money...

------
newman314
If you are considering going HTTPS only, please take the extra couple of
minutes and make sure that your SSL setup is configured optimally.

I often run into setups where someone has enabled SSL, gotten the cert
installed and just left things at that with no further work done to configure
versions/cipher preferences/http headers etc.

SSL Labs Server Test is a good place to start:
<https://www.ssllabs.com/ssldb/>

------
davis_m
"People will be able to opt-out of HTTPS for maximum speed if that’s how they
roll."

Why is that even an option? This entire article is written in such a way that
most users are going to assume that Facebook is going to start loading at a
snail's pace.

Turning on SSL is technically slower, but it certainly is not going to be
noticeable. Perhaps if all Facebook was serving was a couple of small text
files, the overhead associated with SSL could be noticed, but that isn't
the case.

------
dutchbrit
This reminds me of when Iran blocked ssl connections, but I agree that
security wise, they should of never been on http, but just https..

~~~
riffic
should have

~~~
dutchbrit
Shouldn't have

