Yesterday Troy Hunt posted a brilliant article: Don’t take security advice from SEO experts or psychics
If you haven’t read it yet I recommend that you do (I’ll wait).
Here’s a refresher: Neil Patel gave some bad advice about SSL certificates (Ahmed Khalifa has written a much more comprehensive post than this one about why Neil’s advice isn’t the best – and some other bad advice he’s given).
Neil says “if you don’t have sensitive information on your site, you’re not selling a product or a service, there is no checkout page, you don’t need a certificate” and Troy points out that come October, Chrome will mark sites without certificates as insecure. In fact, Troy wrote a brilliant article about this too:
Life is about to get harder for *all* websites without HTTPS https://t.co/B0iMDcShYW
Search boxes and all data inputs not secure. pic.twitter.com/igPvtqCVwc
— Stephen Kenwright (@stekenwright) July 12, 2017
Troy also counters Neil’s assessment that HTTPS doesn’t actually increase security:
This is the classic misconception that HTTPS is only about confidentiality and it ignores the value of both integrity and authenticity. I really don’t want any of my traffic being modified by a man in the middle (such as an ISP or airport wifi) or redirected to a malicious site courtesy of dodgy DNS somewhere.
…and to Neil’s point that HTTPS doesn’t matter for blogs, Troy uses Neil’s site as an example:
In fact, even his contact page doesn’t use it but what Neil Patel doesn’t know is that he’s just a couple of months off this being the experience people have on that page:
Perhaps Neil Patel is hoping that people will be too distracted looking at him in his pyjamas to notice the “Not secure” warning at the top of the browser? Because that’s the experience people will start having in October and if I’m honest, I don’t think a dashing pair of PJs will be sufficient to draw attention away from the warning.
I’m also in agreement with Troy that:
- Neil should probably have read (or at least have tested) Google’s advice that HTTPS is a ranking signal
- Neil redirecting traffic from the HTTPS version of his site back to HTTP is something he should maybe sort out
- Deleting all the comments on his post that disagree with him was kind of a dick move.
What I disagree with
- Every SEO I know has been working to move their websites/their clients’ websites to HTTPS because it’s secure, it’s faster and conversion rates are higher. The SEOs who aren’t confident with the practice of actually implementing this are usually working with developers and people who know more about it.
- I’d go so far as to say that there are enough examples of the fact most companies don’t really care about security to assume that traffic-and-conversion-increasing recommendations from SEO agencies and teams are one of the biggest reasons HTTPS adoption is as widespread as it is today.
- This is akin to reading a (now ex-) Googler’s anti-diversity “manifesto” and writing off all developers’ opinions on equality. I’m not suggesting that the subject matter is the same or equally serious – just that most of us are reasonable people working towards doing right by our customers, peers and everyone else.
I’ve no problem with Troy Hunt calling out Neil Patel and I’m sure he realises that the title of this post is completely tongue in cheek. But a quick Google shows just how suspicious (and confused) we are when it comes to Neil.