Game Design, Programming and running a one-man games business…

The big old HTTP vs HTTPS nightmare

In case you didn’t already know, Google is building up to giving a bit of an SEO smackdown to sites that do not use HTTPS, but simply use HTTP (like most sites). If you notice that sometimes you see sites with a big old green padlock in the address bar, that’s because they are https, and thus ‘secure’: you can be pretty sure the page you got was the page you thought you would get, compared to http, where pretty much any script kiddie/Russian haxxor may have sat between you and the server and served up fake stuff.

It used to be the case that you only saw https when shopping, or entering passwords or logging in or handing over information in a form. It was assumed that other traffic was harmless, but the advent of man-in-the-middle attacks, and more sophisticated malware malarkey, means that google basically want everyone to use https everywhere, and if you don’t, they will punish you in SEO, which for a small website and brand basically means death.

So I grabbed my SSL certificate ($90 / 2 years), and installed it on my server, and sure enough you can visit https://www.positech.co.uk and everything is padlocky and impressive:

The problem is, 99.99% of links to my site obviously point to http://www.positech.co.uk, and are thus technically insecure, so you have to ALSO set up a server-wide redirect to turn all http calls into https calls. So I got my managed server dudes to do that (I have a dedicated server). And that’s when EVERYTHING fucked up. Gratuitous Space Battles campaign mode log-ins stopped working, stats reporting for Production Line just ended, and various other things went BANG. I had not realized it, but a billion years ago when I coded my online integration into my engine, I had coded it to use HTTP and explicitly not accept any redirects to HTTPS (which would have failed). This has come back to haunt me.

Combine this with the fact that you likely have, on any page you manage, a whole bunch of third party content that likely is NOT https, and things get ugly. In my case, the most common culprits were embedded youtube videos, which were defaulting to http. They are simple to change (just a URL edit) but there are lots.

So this morning I gave up and removed the default server-wide http redirect and experimented with some internal changes. So if you just go to www.positech.co.uk, it has an explicit page-level redirect to force the https version, PLUS all the outbound links from that page now hard-code an https link. However, I have not done it everywhere. For example this url: http://www.positech.co.uk/cliffsblog/ will not automatically redirect you to https://www.positech.co.uk/cliffsblog/ yet, even though the HTTPS version is fine.

I HOPE that google is sensible enough to understand that getting a cert is easy, but converting every page so you can do server-side redirects is tricky, and actually checks for the legit serving of an https page before http, and doesn’t penalize the lack of server-wide redirects, but who knows. FWIW, I found this page really helpful for working out where my problems were, and if you are going to do the transfer yourself, you should bookmark it now.

I guess this opens up the wider topic of whether or not hosting your own html-style site on a dedicated server makes any sense in 2018 for an indie games developer. I am not sure how I feel about this. My site has existed since 1998, so I have a lot of legacy stuff on there, and I am pretty old-school about the internet, in the sense that I think broken links and content removed from the net are pretty bad. HTTP has had redirects built in from the start; it really should be a last resort that you EVER hit a 404 page… but I digress.

I know many indies will think the cost (hundreds of dollars a month) for a dedicated server is nuts, but I spread that over this blog, my main site, my own metrics collection stuff, the online component of GSB, the update checking code and patch delivery for a bunch of older games, my forums (which are surprisingly large and busy for a single-dev company), a site I host for an old friend, and also showmethegames.com and other bits and pieces. This has all grown up over the twenty years that I’ve had positech.co.uk, and transferring all of that to some turn-key solution without breaking a load of stuff would be pretty bad.

I know many indies think that if they are PC developers, then their homepage is basically store.steampowered.com/yourgame, but I find that approach dangerous. I am an INDEPENDENT game developer, and the longer you hang around as an indie, the more you see the tides change around you. When I started, Download.com was THE STORE, then it became real games, or yahoo, then eventually steam & impulse, currently it’s just steam, but who will it be next year?

If your entire business model is based around a single company, whether it’s facebook, bigfishgames, steam or microsoft, then your independence is pretty marginal. You are, in effect, a subdivision of that company, only with no fixed salary or pension, but with considerable day-to-day freedom. Stores can change their royalty split when they feel like it, and their submission rules. If Microsoft buys valve, and decides that violent games aren’t what they want on their store, do you still have a business the next day? This should keep you awake at nights.

Anyway, enough doom and gloom, just my thoughts on why I’m such a dinosaur with his own http problems :D

11 thoughts on “The big old HTTP vs HTTPS nightmare”

  1. I don’t think your redirects are working at all, sorry.

    I agree that the changeover to HTTPS is a huge hassle. I think everyone who has attempted it has underestimated the amount of work required.

  1. It seems like the hassle is that you’re using the same HTTP server (and domain name) for internal game logic and your main website? It should be possible in most server software to do a redirect on all paths except certain ones (something like “redirect everything except /gsb/game_stuff” to HTTPS). It’s a little distressing that the GSB login page is hard-coded to never use HTTPS though, since that’s probably the only part of your site that really should have it :\

    I’m guessing it’s not possible to fix this with existing games, but this sort of stuff becomes much easier if you make logically separate things have different domain names (even if they all point to the same server).

    (And I also don’t get redirected on http://www.positech.co.uk/)

  2. I just tried, and you have to force it (on Firefox 58.0.2 x64) on all of them, in regular and in private mode. Tried on Edge, same. Opera Neon same. Sorry Cliff.

    I love your rants by the way. Always eager to read them when they appear on my RSS.

    Have a nice day guys.

  3. In the case of niche areas and niche searches then you’re competing with a small pool of sites so HTTPS, from an SEO perspective, is perhaps not as important as you might think. For example, if I search for “Production Line game” then your site is likely to rank highest because of the number of inbound links that Google associates with “Production Line” and that may outweigh the slight SEO bump that HTTPS would give.

    Google’s own advice says:

    “HTTPS sites receive a small ranking boost, but don’t expect a visible change. Google uses HTTPS as a positive ranking signal. This signal is one amongst many others, and currently carries less weight than high-quality site content; you should not expect a major SEO advantage for moving to HTTPS in the short term. In the longer term, Google may increase the strength of the HTTPS boost.”

    See “HTTP–>HTTPS migration FAQs” at the bottom of:
    https://support.google.com/webmasters/answer/6033049

    However, the *real* issue is not SEO as there’s a much more significant push to a more secure web. SEO bumps and warnings in browsers will push this forward and ultimately the goal is to deprecate HTTP and (eventually) remove it. So using HTTPS is a good thing and something that anyone running a site should be thinking about moving to.

    A few other bits n bobs…

    Even a server side redirection from http to https isn’t necessarily the solution to the issue from a security perspective. The dropout before the redirection allows for a man in the middle attack unless you use HSTS headers and preload.

    https://security.stackexchange.com/questions/107101/is-an-http-301-redirect-to-https-insecure
    https://support.google.com/webmasters/answer/6073543?hl=en

    Admittedly the risk for a “read only” site rather than a site where you log in etc is tiny but may be important for logins for GSB etc.

    I agree with Brendan that you can apply different redirects/setups to different parts of the site and separate the game logins and stats logging from the main site, and I also agree that the logins are much more important to have over HTTPS than the main site.

    Google make it clear that it’s OK to migrate your site in parts, and so I’d be looking to migrate all of your “public” web to HTTPS and to use 301 redirects, and to do that separately from the other parts that are more problematic. To be honest, the problematic parts probably shouldn’t be in Google results anyway, but should be over HTTPS, so you can work on that over time and separately from the main site.

    Once you’ve started making part of your site available over HTTPS then you should add a new property to Google’s Search Console (was Webmaster Tools) so you can monitor it.

    I guess I’m a dinosaur too but I agree with you about running your own site.
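The setup the commenters describe (redirect the public site to HTTPS but leave the legacy game endpoints alone, then close the pre-redirect window with HSTS) and the mixed-content problem from the post itself, as an added Apache example. This is not Cliff’s actual server configuration; the /gsb/ and /stats/ prefixes, certificate paths and the single www host are assumed placeholders.

```apache
# Requires mod_rewrite, mod_ssl and mod_headers.

<VirtualHost *:80>
    ServerName www.positech.co.uk
    RewriteEngine On

    # What broke the game clients: a blanket redirect of every http:// request.
    #   RewriteRule ^ https://www.positech.co.uk%{REQUEST_URI} [R=301,L]

    # Legacy clients (hypothetical prefixes) speak plain HTTP and refuse
    # redirects, so exempt those paths; everything else gets a 301 to HTTPS.
    # The query string is carried over automatically, and the canonical host
    # is hard-coded rather than echoing the request's Host header.
    RewriteCond %{REQUEST_URI} !^/gsb/
    RewriteCond %{REQUEST_URI} !^/stats/
    RewriteRule ^ https://www.positech.co.uk%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.positech.co.uk
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/placeholder/privkey.pem

    # HSTS: browsers that have seen this header go straight to https:// on the
    # next visit, so the first http:// hop that a man-in-the-middle could
    # intercept no longer happens. It is browser-only, so the exempted game
    # endpoints above are unaffected. Start with a short max-age while pages
    # are still being converted; raise it to 31536000 and add
    # "; includeSubDomains; preload" only once every host under the domain is
    # on HTTPS, because preload-list entries cannot be withdrawn quickly.
    Header always set Strict-Transport-Security "max-age=300"

    # Old http:// embeds (e.g. YouTube iframes) would be blocked as mixed
    # content on an https page. This directive makes browsers fetch them over
    # https:// instead, buying time while the URLs are edited by hand.
    Header always set Content-Security-Policy "upgrade-insecure-requests"
</VirtualHost>
```

Check the result with a plain request to an exempted path and to a public path: the first should answer 200 over http, the second a 301 whose Location keeps the original path.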
