Hacker News new | past | comments | ask | show | jobs | submit login
Facebook Starts Switching All Users to HTTPS Connections (techcrunch.com)
28 points by derpenxyne on Nov 18, 2012 | hide | past | favorite | 25 comments

I was thinking about switching my sites to https-only also, because https-only is a good thing in general, but after doing some research it seems that it's unclear what will happen in terms of Google SEO. There's even a video on Youtube from Matt Cutts addressing that specific question from July or so, and his answer is basically something like, "I don't know for sure, but it I don't see why it would make a difference."

What would be helpful is some sort Google-recognized meta tag that says, "this site is https only, please index it as such." 301 redirects might work in theory, but theory isn't good enough when your business relies on how it appears in Google's results. Even a temporary demotion could mean lots of money and confidence lost.

I think you're referring to this video: http://www.youtube.com/watch?v=xeFo4ytOk8M

At the time of that video, the indexing team was still working on one (very minor, corner case) type of issue, but I believe that was resolved. I'll double-check with the indexing team, but at this point I'd say feel free to go HTTPS.

As always, I'd test it out first, ideally with a lower-traffic domain name. But if you like the results you get, you should be able to use our existing tools like 301s and rel=canonical to help Google discover that the site has gone HTTPS.

Does Google's bot do SNI?

We use all https and there is no notable problems in indexing or SEO that I can see. We get indexed quickly and show up well I search results.


(Disclaimer: I work for Google, but not in websearch, and this is my personal opinion only)

If this is a serious statement, then let me give you a serious answer: any minor increase in processing power won't inconvenience Google in the slightest. And even if it did, that still wouldn't matter. If it is good for web security and users - which I believe it is - then we're in favour of it.

The consideration here is whether the algorithms are going to do the right thing, forwarding people, pagerank, referers, etc in the same way as before. That's not a question I can answer, but I'd go with whatever Matt Cutts has said.

The biggest problems I personally have with switching to HTTPS only for my sites:

1. I simply don't have enough IPv4 addresses to put each SSL site on its own IP address, IPv6, sure, bring it on ... but generally if someone has IPv6 connectivity, then they have SNI (see 3)

2. I don't have the money to get a certificate with X amount of domains on it

3. SNI is still not a good idea simply because there exist still a lot of Windows XP clients that are unable to use it.

I am not too worried about the extra CPU cycles for the encryption decryption of connections...

Currently on my sites I don't have any reason to use SSL, other than that I would like to protect certain resources such that my account username/password for my personal blog don't go across the ether in plain-text. For that I currently use self-signed SSL certs from a personal root that I can trust in the computers I want to trust them in.

Single domain SSL certificates don't cost a lot of money or are even free[1] which are ideal for small/personal websites. Won't solve the three problems you listed, but saves you the trouble of installing your own personal root across your devices.

[1] StartSSL.com offers free 1 year single domain certificates.

> Won't solve the three problems you listed, but saves you the trouble of installing your own personal root across your devices.

They why respond? You're missing the point about requiring an IPv4 addy for each cert. That's the big issue.

> requiring an IPv4 addy for each cert

Why not just offer HTTP and HTTPS on the same IP?

HTTP and HTTPS are served on different ports so using a single IP for both typically isn't an issue. The issue here is that HTTP allows you to host multiple sites from one IP address, whereas HTTPS can only deliver a single certificate per IP address. This requires 1 IP per SSLed hostname. SNI lets you send multiple certificates on one IP, but client support isn't good enough yet. Multi-name certificates work better but can be more expensive.

> but client support isn't good enough yet.

I'm aware of SNI (and rely on it myself), but haven't found it to be an issue yet.

As far as I can see it's IE < 7 and XP. How big can that market really be? http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers...

If it's the "some corporations require IE6" argument, then it sounds like it's a business, and should be able to charge for the extra IP needed. But maybe I'm just horribly modern.

Anything using Microsoft's built-in crypto support, will still not work, I have a .NET based application I am supporting on Windows XP which still doesn't support SNI.

Also, my sites that I would want to enable would be public sites ... ones that I don't charge for since they are mostly public sites (but I still want to protect credentials for people posting comments and the like). So charging for an extra IP is simply not an option.

startcom (startssl.com) offers unlimited multi-domain and wild card certificates for users who have verified their identity.

verifying your identity is a once yearly cost of $60


no more excuses :)

Awesome =).

That is very much inside my price range.

You don't have to have one IP per domain for SSL, I happily put multiple sites on the same IP. nginx supports it very easily.

You don't understand, its not the web-server, it is the client's browser that is the issue. Until SNI came out, the handshake was made and validity of the key determined even before the "Host: xyz.com" header was sent in. Without the host header your webserver can't determine which key among the multiple sites it hosts should be used for authentication. The only way so far to support non-modern browsers and to host multiple SSL sites on the same server is to assign one IP per site; the server can use these IP's to lookup the respective keys.

I do understand, I just wasn't aware that there are still browsers that don't support SNI. That's too bad.

You don't have to have SNI to host multiple unrelated SSL'd sites on one IP, given a Subject Alternate Name (SAN) cert and an httpd that accepts such a configuration.

Those generally cost a lot of money...

This uses SNI (which as mentioned in the parent lacks support in certain popular old clients, most notably Windows XP)

If you are considering going HTTPS only, please take the extra couple of minutes and make sure that your SSL setup is configured optimally.

I often run into setups where someone has enabled SSL, gotten the cert installed and just left things at that with no further work done to configure versions/cipher preferences/http headers etc.

SSL Labs Server Test is a good place to start: https://www.ssllabs.com/ssldb/

"People will be able to opt-out of HTTPS for maximum speed if that’s how they roll."

Why is that even an option? This entire article is written in such a way that most users are going to assume that Facebook is going to start loading at a snails pace.

Turning on SSL is technically slower, but it certainly is not going to be noticeable. Perhaps if all Facebook was serving was a couple of small text files, the overhead associated with SSL could be noticed, but with that isn't the case.

This reminds me of when Iran blocked ssl connections, but I agree that security wise, they should of never been on http, but just https..

should have

Shouldn't have

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact