Comment on "No, seriously. All those things Google couldn't find anymore? Top of the search pile. Queries that generated pages of spam in Google results? Fucking pristine on Kagi – the right answers, over and ov
AnActOfCreation@programming.dev 7 months ago
foggy@lemmy.world 7 months ago
Google stopped indexing all websites without SSL certificates in July 2018.
For example, darklyrics.com is a website I and many others grew up using as a resource to understanding lyrics. They’ve stubbornly not gotten an SSL because they transact 0 data beyond band name searches. However, without an SSL, they do not show up in Google search results.
This is one of literally millions of examples. Some more reasonable than others, but it still was a massive blow to the efficacy of their search.
SkyNTP@lemmy.ml 7 months ago
Even if sites do not store user account data, such as passwords, ALL websites, and I mean ALL, handle user data, because merely accessing pages (urls) is user data.
Stubbornness is not a good reason not to setup SSL. Encryption should always be on, all the time, for everything.
Bogasse@lemmy.ml 7 months ago
And it’s not only about user data, it would also expose the website to content spoofing in public wifi, which would for example allow the attacker to inject fishing content in the website. The SSL encrypts the data you’re sending but it also ensures that you’re communicating only with who you think you are. Without SSL you can’t be confident about any of that.
db0@lemmy.dbzer0.com 7 months ago
Ssl doest hide the url you’re visiting
rikudou@lemmings.world 7 months ago
It does. Anyone sniffing the traffic can only see the domain.
stsquad@lemmy.ml 7 months ago
Yes it does. You can derive the domain from snooping DNS lookups but the URL is part of the encrypted get header.
AnActOfCreation@programming.dev 7 months ago
Hmm I hate Google as much as the next guy and am actively trying to de-Google myself, but I’m not sure I can get behind the outrage here. Certificates are free and easy to obtain with LetsEncrypt, so there’s really no excuse for sites not to accept unencrypted traffic these days. I’m sure Google does lots of things to delist the small guys and promote their big payers, but I don’t think this is one of them.
foggy@lemmy.world 7 months ago
Free certificates expose your subdomains. It’s not more secure if you don’t transact data in a meaningful way such as the example I provided.
I don’t mean to insinuate that the example I provided is the majority of cases, and in the majority of cases, I do support sites with SSLs being indexed higher than websites without them, but I think the interstitial this website is not secure with the requirement of the advanced click followed by The continue anywaysclick…
Idk
Especially in 2018. Like, when we look at it from today’s perspective, it’s very easy to agree. And I do agree. But in 2018, it was not this way. Anyone who was a web developer with a bunch of clients, such as myself, was all the sudden in a very interesting hot seat. Not only did I need to try to upsell my clients, but I needed to convince them that not doing so was quite literally at their peril. It was difficult. And certain cases, it was impossible.
AnActOfCreation@programming.dev 7 months ago
If your subdomains being public is a security issue then I’d argue something else is wrong. Otherwise you’re using security through obscurity.
But I appreciate the insight and I see how this was a harder sell back when it happened. Thanks!
unautrenom@jlai.lu 7 months ago
Expose your subdomains as in having all of them bundled into one certificate?
AFAIK, you absolutely can request different certs for each subdomain (in fact, that’s what I’ve been doing for a while).
Bogasse@lemmy.ml 7 months ago
While I think the issue you raise does sort of make sense, it derivates from the initial concern : if you don’t want your domain listed in a DNS record you certainly don’t want it to be indexed by a search engine :p