HTTP deprecation is another nail in the coffin of Shared Hosting, are we ready?

democrates

The tide has turned to requiring SSL for all domains, hence HTTP is being deprecated in favour of HTTPS.

Mozilla will flag http sites as security risks:

Today we are announcing our intent to phase out non-secure HTTP.

Google are putting http sites lower in the rankings:

...over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. ... over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

'Let's Encrypt' now offer free certs as a solution, great, but, it requires the ability to run a command-line script on the web server (every 3 months), which most shared hosting plans understandably don't offer.

Granted, shared hosting plans already allow upload of SSL certs, and free SSL certs are available, but, it's an extra task for devs (especially on reseller plans), and charging a higher price risks losing a few clients on the margin.

Hosting companies are remarkably silent on the topic, a wild guess is that it's being seen as a golden opportunity to upsell VPS, but the other take from that silence is the implication that shared hosting will indeed be left to wither. Maybe I'm wrong.

I had hoped for big announcements of free ssl for all which seems like a no-brainer, but, tumbleweed, which is as regrettable as it is short sighted. A lot of small businesses who have already seen hiked domain hosting fees will opt to forget the domain and website entirely, opting instead for a self-managed social media page.

So, it looks like devs need to review our use of shared hosting/reseller plans. Obviously hosting providers will rush to push VPS, but I suspect many devs would be financially more prudent moving marginal clients to other platforms with free ssl included, rather than risk losing them.

Taking a step back, we seem to be heading back to an AOL closed-garden world dominated by a handful of giant cloud providers, a very disturbing trend. If a diverse web-development ecosystem is to survive, web devs and small hosting providers need to support each other, but in this case I think devs are being let down. Thoughts?

Graham

I expect CPanel, Plesk et al will enable it through their existing offering before long. Job done.

It's worth pointing out Lets Encrypt is still in public beta., hardly surprising that commercial operators are waiting to see where it goes.

mneylon

Graham wrote: »

I expect CPanel, Plesk et al will enable it through their existing offering before long. Job done.

If they can enable the version of SSL that supports multiple certs per IP then that might be viable, but until they do the shortage of IPv4 addresses is a major problem

Graham wrote: »

It's worth pointing out Lets Encrypt is still in public beta., hardly surprising that commercial operators are waiting to see where it goes.

Shared hosting by its very nature has to be relatively conservative in terms of which technologies are available. Beta software isn't going to be something that most providers would consider on their primary shared platforms

Graham

Blacknight wrote: »

If they can enable the version of SSL that supports multiple certs per IP then that might be viable, but until they do the shortage of IPv4 addresses is a major problem


Shared hosting by its very nature has to be relatively conservative in terms of which technologies are available. Beta software isn't going to be something that most providers would consider on their primary shared platforms

I understand cPanel are already looking at this (amongst others) using SNI to allow shared IP addresses where browser support permits.

I can't say I've looked too closely into it but I don't think it's anywhere near the doomsday scenario painted by the OP where the web is a walled garden and shared hosting ceases to exist.

democrates

Well, maybe cPanel et al will reduce it to a patch and it'll be rolled out for Linux and other shared hosting plans, that would be great. Let's Encrypt is of course new, but other free cert providers are well established so they could be considered. This is not unsolvable, and the push to deprecate http is well on, but we still have no firm commitment from hosting providers to upgrade shared hosting.
So far it's a "might be viable", which is far from a slam dunk but more than we had, so thanks Blacknight poster for saying as much as you can at this point.

Time will tell if my prediction is exaggerated and warrants a doomsday label, but the trend toward big cloud is clear and widely recognised.

Web devs used to put ALL sites on hosting providers like Blacknight, Hosting365, eircom Net, Indigo, IOL etc. Now we see simple sites increasingly hosted on Wordpress, Weebly, Google Pages etc., while CDN's and cloud platforms from Amazon, Google, Microsoft, Akamai etc. eat market share at the top end.

That needn't spell the demise of small hosting providers, they have had to pivot and adapt, so for example Blacknight now resell Office365, have a new datacentre and resell colo rackspace in Dublin, all admirable and why I've been a supporter for so many years steering customers their way.

On the deprecation of http a commitment on enabling free certs would be good, it's a board decision and they ought not wait too long to make a statement, even if it's "we're working on it", anything. Leave a vacuum and all sorts of nuts will fill that space with wild doomsday scenarios. Seriously though, it's something we need to know.

Graham

You might be right, this may be a pivotal moment in the move from http to https but I don't think for a second it requires immediate attention. Google aren't deprecating http results, if I remember correctly they have stated they may use the presence of https as one of the quality indicators.

I do expect the control panel providers will introduce it over time. I don't think 99%+ of shared hosting provider customers will have even heard of LE, let alone be clamouring for its implementation. There maybe a very very small subset of shared hosting customers having a hissy fit because LE isn't available to them yet, it is these customers that should be moving to a VM/cloud solution if it's important to them.

As to the demise of small hosting providers (which I doubt for the reasons already stated), if it clears some of the back-bedroom operators from the market then it's probably no bad thing. Standards would rise across the board.

daymobrew

A friend who maintains a big data centre commented that https is overkill for many situations. He also said that it will slow things down as the browser has to negotiate with the server for each item downloaded, to establish the secure connection.

democrates

daymobrew wrote: »

A friend who maintains a big data centre commented that https is overkill for many situations. He also said that it will slow things down as the browser has to negotiate with the server for each item downloaded, to establish the secure connection.

Yes I'd tend to agree with him, it's pointless added cpu and bandwidth for a benign banner image for example, even though google claims it's only around +2% thanks to caching. Mix http and https sources and it causes a browser security alert, last I checked.

democrates

Fair points, though at the other end of the spectrum needless delay isn't the best option imo.

Graham wrote: »

As to the demise of small hosting providers (which I doubt for the reasons already stated), if it clears some of the back-bedroom operators from the market then it's probably no bad thing. Standards would rise across the board.

That's a welcome silver lining I hadn't though of

mneylon

What's a hell of a lot more concerning are:

• lack of adoption of IPv6 by ISPs
• Lack of Safe Harbor / Implications of Schrems

amen

democrates wrote: »

Yes I'd tend to agree with him, it's pointless added cpu and bandwidth for a benign banner image for example, even though google claims it's only around +2% thanks to caching. Mix http and https sources and it causes a browser security alert, last I checked.

so for 2% why would you not want to use https? If your server is so stressed that an additional 2% overhead makes a difference that you have other issues.

Using a mixture of http, https on a site is confusing to users and prone to developer error. Just move everything to https.

ED E

SPDY and then HTTP2 mean that HTTPS is actually often faster than HTTP for the end user. Crazy not to adopt HTTPS everywhere when it'll hurt your SEO.

@Blacknight v6 is turning into a bit of sad joke at this point. The places where we are seeing it is DS-Lite CGN causing more problems than its solving. Wonder if it could be another topic where google shifts its weight around to kick the industry forward.

alex.middleton

looks like its time to move all my sites to ssl not that the ones i have tracked with https have appeared to benefit in search rankings

Graham

alex.middleton wrote: »

looks like its time to move all my sites to ssl not that the ones i have tracked with https have appeared to benefit in search rankings

Over the long term the benefit could be your sites stay where they are in the search rankings.

Talisman

alex.middleton wrote: »

looks like its time to move all my sites to ssl not that the ones i have tracked with https have appeared to benefit in search rankings

Realistically switching to HTTPS is not going to do anything for your rankings. Google have stated that it's treated as a 'quality' signal not a 'ranking' signal.

Because of the extra hoops involved in having a SSL certificate for a website, Google considers it an indication that the website is better quality than a site without a certificate. Lets Encrypt has almost completely removed the barrier to entry so the next logical step for Google is to determine the type of secure certificate a website is using and use that information as the true quality signal.

An automated freebie certificate versus the bells and whistles type that requires you to produce a DNA sample to verify that the website owner is an actual real 'live' human. Which is Google likely to consider better?

democrates

Talisman wrote: »

Realistically switching to HTTPS is not going to do anything for your rankings. Google have stated that it's treated as a 'quality' signal not a 'ranking' signal.

So it's said, but I'm confused Ted.

Quality Rater:

One thing I think the SEO community is missing is that this program has nothing to do with SEO or rankings. What this program does is help Google refine their algorithm.
...
How does your work affect Google’s search results — do they tell you anything about that?
They don’t talk about that; however, I know that what it really does is perfect the algorithm instead of changing actual live search results. I gathered this from the way that Side-by-Side are the most important tasks because they show the old algorithm versus a change in the algorithm that they are testing.

So, they just use the quality ratings to refine their search algorithm. Quality is not directly a ranking indicator and doesn't affect the results, those differing side by side result sets from different versions of the search algorithm are purely down to that refinement process.

This means the ranking algorithm can determine a sites qualityness for ranking purposes by using some genius googly mojorithm, but without using any quality indicators which are of course completely different things and never to be conflated with qualityness. Impressive!

Talisman

democrates wrote: »

So it's said, but I'm confused Ted.

Don't be - it's a numbers game. Think of quality as a long term indicator, ranking is the here and now.

Following recommended best practices such as using SSL certificates on your website today won't affect your ranking now but it may do at some point in the future. If Google decides that the people who have historically followed the good path should be rewarded then you will get the benefit.

I think this is lost on/never considered by the snake oil sales men that are out to game the SEO system when they try to exploit some element of the search algorithm. Google has the ability to keep track of which sites have engaged in such naughty activities, curbing such activities is the main focus of their spam team.

tricky D

Talisman wrote: »

Don't be - it's a numbers game. Think of quality as a long term indicator, ranking is the here and now.

And the number is 1% of queries are affected by this. So to me it looks like the hit is being overstated and implementation for just the SEO aspect would be down the priority list imo.