
Don't Take Security Advice from SEO Experts or Psychics - tomwas54
https://www.troyhunt.com/dont-take-security-advice-from-seo-experts-or-psychics-neil-patel/
======
justusw
I've noticed that a lot of the hostility towards HTTPS comes from those who do
really shady things online. Like pop-under advertisers that are unhappy that
they have to update their own infrastructure, otherwise their unsafe mixed
content won't be loaded by a browser.

So no, HTTPS is not the threat, but companies' unwillingness to innovate. So
Chrome's and Firefox's public shaming of unsafe websites is really doing
everyone a service.

The best thing I've ever done for serving HTTPS was to use Caddy with Let's
Encrypt. Seriously. It was incredibly easy to set up. And I've never used
Caddy before. [https://caddyserver.com/docs/automatic-https](https://caddyserver.com/docs/automatic-https)
describes how to have TLS available right from the first request served.

~~~
headmelted
You and this Troy Hunt guy have completely missed the central point that Maria
is making.

"Some are on domain validation which is 2048+ BitSH42 SSL/TLS encryption the
encryption key is limited which means you can use on a few pages and has a
limited band weight"

What about THESE people? The ones on limited band weights that can only use a
few pages?

This is a 100% valid complaint about 2048+ BitSH42 protocols that I've had for
some time and no-one ever acknowledges it or suggests a solution.

~~~
CaptSpify
I'm not sure what that quote means. Can you explain it?

~~~
Ajedi32
It means nothing. The whole quote is pure nonsensical technobabble; headmelted
is joking by sarcastically bringing it up as a valid concern.

It's funny because that's an actual quote from Maria Johnsen's article
["Should multilingual websites use HTTPS by default"][1], and the fact that
she actually wrote that in a supposedly serious article discussing the merits
of HTTPS makes it pretty clear she has no idea what she's talking about when
it comes to security. (Especially compared to "this Troy Hunt guy", who is a
well-known expert in the information security industry.)

[1]: https://web.archive.org/web/20160621124800/https://www.maria-johnsen.com/million-dollar-blog/multilingual-seo/should-multilingual-websites-use-https-by-default

~~~
headmelted
Sincerely, thank you. I was panicking for a moment there.

I appreciate the save!

(Not being sarcastic!)

------
dzink
There is a reason those guys actively denounce SSL. They use snip.ly and other
tools that hijack the clicks from their social media references with an
overlay to promote their products. The users see the WSJ or NYT article they
clicked on with a free ad for the person who shared it underneath (possibly
data too). Those overlays don't work over SSL pages.

------
seane
1. I agree with this criticism of Neil Patel, and the things written about
why SSL matters.

2. Neil Patel does not speak for all SEOs :) ...I've read several comments
from other SEOs who strongly disagree with what he said.

3. JFC, people, stop linking to his site. Links are currency--it does not
matter to him, big picture, if the link is framed by a sentence that says
"this person is an idiot." Links only help increase his authority and ability
to reach new people.

~~~
overcast
The redirection of https to http on neilpatel.com is amazing. That's something
I've never seen in my life.

~~~
heinrich5991
Really? Another popular example is
[https://store.steampowered.com/](https://store.steampowered.com/).

~~~
mschuster91
Lol they're HTTPS on the login form but plain HTTP immediately after... what a
joke? That _invites_ people to do cred phishing at bigger LAN parties or
conferences...

~~~
seanwilson
Yeah...you could just replace the HTTP landing page with your own containing
your own login form.

------
SnacksOnAPlane
As long as neverssl.com still exists so I have some way to pop up the login
page from captive wifi portals, I'm fine with everyone else going SSL.

However, I basically agree that if you're just hosting a blog with no user
interaction, there's really no need for it. The threats (for example, somebody
hijacks the request and returns different content) are minimal.

~~~
lol768
> so I have some way to pop up the login page from captive wifi portals, I'm
> fine with everyone else going SSL

Isn't this the fault of those deploying the captive portal for not
implementing RFC7710 and advertising a secure login URL?

~~~
qb45
First time I hear of RFC7710, all I see is HTTP hijacking. Does anybody
support it, in particular OS vendors? I suppose some new UI or a new API for
browsers would be required.

------
groundCode
I'm always happy to read Troy's writing and heed his advice. I'm not sure
about the whole "Perhaps Neil Patel is hoping that people will be too
distracted looking at him in his pyjamas to notice" thing though. I do feel
one can offer counter arguments without resorting to that kind of insult and
teasing. Especially when you are right.

~~~
Finnucane
I'd say if you put a picture of yourself in pjs on your supposedly
professional website, it is fair game.

------
jjude
Whatever Troy says is true. But for bloggers, please know this. The RSS 2.0
spec specifies that the feed URL must be an http URL (and not https). So if you
want your feed URL to validate (which is a requirement for certain
aggregators like AllTop), then it has to be http.

I wrote my experience of moving my blog to https about it here:
[https://jjude.com/cost-of-https/](https://jjude.com/cost-of-https/)

~~~
cratermoon
That's incorrect. Prior to 2.0 yes, but since 2.0 https is allowed. See
[https://validator.w3.org/feed/docs/rss2.html](https://validator.w3.org/feed/docs/rss2.html)
in the Comments section.

------
nerdponx
Made me think of
[http://n-gate.com/software/2017/07/12/0/](http://n-gate.com/software/2017/07/12/0/)

~~~
cjsuk
Ugh, it's like the anti-vaxxers of the technology sector.

~~~
Finnucane
Kinda dig the Lynx-friendly layout, though.

------
Taniwha
I kind of suspect that someone who has 909442 likes and 909143 people
following him knows how to game the system... And sadly, while he may know
little about security, he may know how to pretend that people like him, which I
guess is some form of SEO.

~~~
CaptSpify
SEO isn't about doing the right thing, it's about looking like you are doing
the right thing.

------
AJ007
Step 1 - Make outrageous claim

Step 2 - Receive lots of inbound links from people upset with your outrageous
claim

Step 3 - Cash in on your increased audience (or become elected President)

------
rmason
FYI Neil Patel is the co-founder of both CrazyEgg and Kissmetrics. He blogs,
has a popular podcast and gives away some pretty valuable marketing
information for free. I follow him and have never thought that he was
primarily an SEO expert. He speaks about startup marketing and SEO is
certainly a big part of that.

He does preach that unless you have the capital, blogging and SEO are one of
your few alternatives for marketing in the beginning of your startup's life. He
may very well be wrong on SSL, but I'm surprised he doesn't have other fans on
here. I personally have learned a lot from the guy.

[https://thestartupchat.com/](https://thestartupchat.com/)

[http://neilpatel.com/blog/](http://neilpatel.com/blog/)

~~~
ssharp
I dropped him off my regular rounds quite some time ago and am generally wary
of clicking his site when it comes up in organic searches. I find his site
incredibly annoying and very rarely is the information so unique that it
couldn't be found elsewhere.

~~~
bhartzer
I stopped following Neil when one of his posts (written by one of his writers)
plagiarized someone else's post and he was publicly called out on it.

Neil has been around for a long time... I remember him from the old SEO
conference days (PubCon), and at that time he was putting out good material.
He's turned into a content marketing organization, the majority of content
written by people who he hires to write in his name.

------
jaclaz
>Don't Take Security Advice from SEO Experts or Psychics

Maybe the "Security" is redundant?

~~~
JoshMnem
SEO is a shady field in general, but not all of it is shady. It can make or
break a company and is well worth understanding. There is a lot of bad
information out there (like the HTTPS advice above), so it's difficult to find
accurate information.

------
zb3
Note that unless you're using a wildcard certificate, all your subdomains are
public when you use HTTPS thanks to Certificate Transparency.

~~~
willstrafach
A wildcard certificate would not help; that only refers to validity, not the
destination host.

~~~
ceejayoz
Wildcards do help.

If you've got super-secret-subdomain.example.com, a wildcard for *.example.com
doesn't expose its existence. A non-wildcard certificate does.

There's a bit of security-via-obscurity going on here, but sometimes the need
for such a thing is out of one's control.

~~~
LambdaComplex
Couldn't you use a separate certificate for super-secret-subdomain.example.com?

~~~
ceejayoz
No:
[https://en.wikipedia.org/wiki/Certificate_Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency)

The TL;DR version: Every certificate goes into the log. *.example.com going
into the log is no problem for hiding a particular subdomain.
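
As an added example (not from any commenter in this thread), the check below models what the last few comments describe: a constructed set of SAN lists standing in for certificates logged to Certificate Transparency for example.com, the concrete hostnames such a log discloses, and the single-label wildcard matching rule, which goes slightly beyond the thread by showing why a deeper subdomain like api.internal.example.com would still need its own logged certificate. The hostnames and log entries are all assumptions built for the example.

```python
"""Which hostnames does a set of CT-logged certificates reveal?

Constructed example: LOGGED_CERTS stands in for the dNSName SAN lists
of certificates that a Certificate Transparency log holds for example.com.
"""
from typing import Iterable, Set

# Constructed log entries: each inner list is one certificate's SAN names.
LOGGED_CERTS = [
    ["example.com", "www.example.com"],
    ["*.example.com"],                       # wildcard: names no specific host
    ["super-secret-subdomain.example.com"],  # separate cert: host is now public
    ["api.internal.example.com"],            # two labels deep: *.example.com can't cover it
]


def wildcard_matches(wildcard: str, host: str) -> bool:
    """Single-label wildcard match as browsers apply it (RFC 6125 style):
    '*.example.com' covers 'a.example.com' but neither 'example.com'
    nor 'a.b.example.com'."""
    if not wildcard.startswith("*."):
        return False
    suffix = wildcard[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def disclosed_hosts(entries: Iterable[Iterable[str]], domain: str) -> Set[str]:
    """Concrete hostnames under `domain` that appear verbatim in logged certs.

    Wildcard names are skipped on purpose: a logged '*.example.com' tells the
    world only that some subdomains exist, not which ones.
    """
    found = set()
    for sans in entries:
        for name in sans:
            name = name.lower().rstrip(".")
            if name.startswith("*."):
                continue
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return found


if __name__ == "__main__":
    for host in sorted(disclosed_hosts(LOGGED_CERTS, "example.com")):
        print("public via CT log:", host)
```

Running it lists the four non-wildcard names; the wildcard entry contributes nothing, which is ceejayoz's point, while the separately certified secret subdomain is listed, which is LambdaComplex's question answered.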

------
mijoharas
Has anyone else noticed the "Right to be forgotten" message in Google (in
Europe) upon searching the guy's name?

~~~
pbhjpbhj
I always think "what did they do" as if they're a criminal when I see this.
But, realistically they're probably as likely to be a victim!?!

~~~
mijoharas
Given that this guy seems to delete comments that show he's wrong, my first
instinct was to assume that he was trying to silence detractors. That may be
unfair on my part though.

On a more general point, does anyone know how to find out which pages have
been delisted? I seem to remember some newspaper publishing the pages of theirs
that had been delisted.

------
wnevets
Doesn't google care about TLS for rankings? Why would any SEO advise against
what google wants?

~~~
MBCook
The article says that's going to start in October.

~~~
wnevets
That was talking about not secure warnings in chrome, I'm talking about google
rankings.

~~~
MBCook
My mistake.

------
danesparza
Without certificate pinning, I'm not sure that SSL everywhere is really going
to help. Larger ISPs or corporate networks will just get pushed more into the
arms of companies like Bluecoat that provide proxies to effectively
man-in-the-middle SSL traffic.

~~~
tomjen3
An ISP would have to get you to install a cert if they tried something like
man-in-the-middle.

------
NKCSS
You should check the tweet threads:

[https://twitter.com/troyhunt/status/895800744787546114](https://twitter.com/troyhunt/status/895800744787546114)

[https://twitter.com/troyhunt/status/895758193896202240](https://twitter.com/troyhunt/status/895758193896202240)

[https://twitter.com/troyhunt/status/895757970729979904](https://twitter.com/troyhunt/status/895757970729979904)

------
RileyJames
Well, a big thank you to Michael James Field in the comments section. I forced
http -> https in CloudFront over the weekend and my traffic from Google has
been down 20% and falling since. I didn't realise Google treated different
protocols as different sites. Thank you.

~~~
shanecleveland
Absolutely. Not sure how it's handled by CloudFront, but make sure you 301
redirect from http to https. And if you monitor your traffic in Google's
Search Console tool (why wouldn't you?), you have to set up the https version
as a completely separate site. Data for the http site is not reflected in the
data for the https site, and vice versa.

~~~
pbhjpbhj
So if you add HTTPS to your site you lose continuity of stats and have to
amalgamate statistics across "2" sites from then on? ...there's a really good
reason for Google to do this, right?

~~~
shanecleveland
Technically you can serve different content on http and https (same as with
www and non-www). Search Console also allows a way to group together sites to
view data/stats together.

~~~
pbhjpbhj
Have you ever heard of anyone serving different content on http vs https pages
with the same URL?

~~~
shanecleveland
I certainly have not considered a reason for doing that myself. I'm just
saying that is the case and it is important to be aware of it to ensure you
get credit for backlinks to your site and avoid duplicate content penalties.

------
puranjay
For what it's worth, my largely ignored website ranked for 3x as many terms in
Google Webmaster after I switched to SSL.

------
GlennS
What does this mean for intranet sites? Will those need to be HTTPS from
October as well?

~~~
sasas
If you want to avoid a warning, then yes. That said, is it such a bad thing
for enterprises to ramp up the use of HTTPS in their internal networks? This
can help prevent some MITM attacks from attackers who breach the perimeter.

Enterprises have the luxury of installing their own certificates on managed
workstations.

~~~
somedumbguy22
If other enterprises are similar to the one where I work, the warning will not
come up in October. Like all software, we're a few versions back on Chrome.
It'll take some time to get up to Chrome 58 :)

------
sadlyNess
Sidenote: Which parses better: buzzfeed-esque, buzzfeedesque or buzzfedian?

------
bacheson1293
Neil appears to be deleting any negative comments.

~~~
Sleeep
I think he deleted his Facebook post. I got "the page you requested can't be
displayed right now..." message when I clicked the link.

