In case you didn’t already know, Google is building up to giving a bit of an SEO smackdown to sites that do not use HTTPS, but simply use HTTP (Like most sites). If you notice sometimes you see sites with a big old green padlock in the address bar, thats because they are https, and thus ‘secure’ and you can be pretty sure the page you got was the page you thought you would get, compared to http, where pretty much any script kiddie/russian haxxor may have spoofed between you and the server and served up fake stuff.
It used to be the case that you only saw https when shopping, or entering passwords or logging in or handing over information in a form. It was assumed that other traffic was harmless, but the advent of man-in-the-middle attacks, and more sophisticated malware malarkey means that google basically want everyone to use https everywhere, and if we don’t, they will punish you in SEO, which for a small website and brand basically means death.
So I grabbed my SSL certificate ($90 / 2 years), and installed it on my server, and sure enough you can visit https://www.positech.co.uk and everything is padlocky and impressive:
The problem is, 99.99% of links to my site obviously point to http://www.positech.co.uk, and are thus technically insecure, so you have to ALSO set up a server-wide redirect to make all http calls https calls. So I got my managed server dudes to do that 9I have a dedicated server). And thats when EVERYTHING fucked up. Gratuitous Space Battles campaign mode log-ins stopped working, stats reporting for production line just ended, and various other things went BANG. I had not realized it, but a billion years ago when I coded my online integration into my engine, I had coded it to use HTTP and explicitly not accept any redirects to HTTPS (Which would have failed). This has come back to haunt me.
Combine this with the fact that you likely have, on any page you manage, a whole bunch of third party content that likely is NOT https, and things get ugly. In my case, the most common culprits were embedded youtube videos, which were defaulting to http. They are simple to change (just a URL edit) but there are lots.
So this morning I gave up and removed the default server wide http redirect and experimented with some internal changes. So if you just go to www.positech.co.uk, it has an explicit page-level redirect to force the https version, PLUS all the outbound links from that page now hard code in an https link. However, I have not done it everywhere. For example this url: http://www.positech.co.uk/cliffsblog/ will not automatically direct you to https://www.positech.co.uk/cliffsblog/ yet, even though the HTTPS version is fine.
I HOPE that google is sensible enough tom understand that getting a cert is easy, but converting every page so you can do server-side redirects is tricky, and actually checks for the legit serving of an https page before http, and doesn’t penalize the lack of server-wide redirects, but who knows. FWIW, I found this page really helpful for working out where my problems were, and if you are going to do the transfer yourself, you should bookmark it now.
I guess this opens up the wider topic of whether or not hosting your own html style site on a dedicated server makes any sense in 2018 for an indie games developer. I am not sure how I feel about this. My site has existed since 1998, so I have a lot of legacy stuff on there, and I am pretty old-school about the internet, in the sense that I think broken links and content removed from the net is pretty bad. HTTP has tech built in from the start to support redirects, it really is a last-resort that you should EVER hit a 404 page… but I digress.
I know many indies will think the cost (hundreds of dollars a month) for a dedicated server is nuts, but I spread that over this blog, my main site, my own metrics collection stuff, the online component of GSB, the update checking code and patch delivery for a bunch of older games, my forums (which are surprisingly large and busy for a single-dev company), a site I host for an old friend, and also showmethegames.com and other bits and pieces. This has all grown up over the twenty years that I’ve had positech.co.uk, and transferring all of that to some turn-key solution without breaking a load of stuff would be pretty bad.
I know many indies think that if they are PC developers, then their homepage is basically store.steampowered.com/yourgame but I find that approach dangerous. I am an INDEPENDENT game developer, and the longer you hang around as an indie, the more you see the tides change around you. When I started, Download.com was THE STORE, then it became real games, or yahoo, then eventually steam & impulse, currently its just steam, but who will it be next year?
If your entire business model is based around a single company, whether its facebook, bigfishgames, steam or microsoft, then your independence is pretty marginal. You are in effect, a subdivision of that company only with no fixed salary or pension, but with considerable day-to-day freedom. Stores can change their royalty split when they feel like it, and their submission rules. If Microsoft buys valve, and decides that violent games aren’t what they want on their store, do you still have a business the next day? This should keep you awake at nights.
Anyway, enough doom and gloom, just my thoughts on why I’m such a dinosaur with his own http problems :D