
Don't Take Security Advice from SEO Experts or Psychics

As best I understand it, one of the most effective SEO things you can do is to repeat all the important words on your site down the bottom of the page. To save it from looking weird, you make the text the same colour as the background so people can't actually see it, but the search engines pick it up. Job done, profit!

I think this is the way we did it in 1999. I don't know, I can't recall exactly, but I know I don't know and I'll happily admit to being consciously incompetent in the ways of SEO. But that's cool, I know the things I understand well and those I don't and when I get the latter wrong (and believe me, that happens regularly!) I'm happy to be told so.

Which brings me to SEO experts and psychics, neither of which I would imagine are particularly well-equipped to offer security advice. But I've seen a bit of a pattern lately which seems to fly in the face of this wisdom and it dawned on me yesterday when my friend and fellow Microsoft MVP pinged me:

Naturally, I was curious and upon prompting, Sonia directed me over to a Facebook post by a bloke called Neil Patel with a description of "Thinking about adding an SSL certificate to your site? Watch this first." The Buzzfeed-esque description aside, it's a reasonable question that many people are asking and Neil Patel takes a stab at it in this video. Now you need a Facebook account to watch it and I appreciate there are people who aren't too keen on that, so here's an image of the video and I'll repeat some pieces of it below that (does that help my SEO?):

Neil Patel talking about HTTPS. But it doesn't make sense. If I keep saying "Neil Patel" on this page does it increase traffic here? Would Neil Patel care? I'm no Neil Patel, but I think it might make a difference. I should ask Neil Patel. Neil Patel.

It starts out reasonable enough, but then Neil Patel gets a little bit lost about half way through:

If you don't have sensitive information on your site, you're not selling a product or a service, there is no checkout page, you don't need a certificate

Regular readers here will know the many problems with this, the most imminent of which is that as of October, pages with an input field will cause Chrome to warn people that the site is not secure. Neil Patel clarifies:

It doesn't help, you know, increase security

This is the classic misconception that HTTPS is only about confidentiality and it ignores the value of both integrity and authenticity. I really don't want any of my traffic being modified by a man in the middle (such as an ISP or airport wifi) or redirected to a malicious site courtesy of dodgy DNS somewhere.

Neil Patel reckons it really doesn't matter for blogs:

You're not really collecting any information if you just have a blog

And he lives by his word too, Neil Patel (I think it might help my SEO on his name if I keep repeating it), by not using it on his own site. In fact, even his contact page doesn't use it but what Neil Patel doesn't know is that he's just a couple of months off this being the experience people have on that page:

Neil Patel in his pyjamas on an insecure page. Neil Patel. I mentioned Neil Patel, right?

Perhaps Neil Patel is hoping that people will be too distracted looking at him in his pyjamas to notice the "Not secure" warning at the top of the browser? Because that's the experience people will start having in October and if I'm honest, I don't think a dashing pair of PJs will be sufficient to draw attention away from the warning. It won't be an unfamiliar warning to Neil Patel either, it's the same one he presently sees every time he logs into his Wordpress admin page:

This is actually really weird because Neil Patel could serve HTTPS traffic but he actively redirects people from there back to the insecure scheme:

No really - try going to https://neilpatel.com and it's bye-bye padlock (you may want to mute first before getting hit with the auto-play video bereft of play controls, I think it might be an SEO thing).
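The downgrade described above (an HTTPS request answered with a redirect back to plain HTTP) is easy to spot in the response head, and the same check can flag a missing HSTS header on a site that does serve HTTPS. The following is an added example and not code from this post; it analyses a captured response head rather than making a network request, the hostname example.test and the sample responses are constructed, and the audit() and classify_redirect() names are my own.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: the response head a TLS client might receive after
# requesting https://example.test/ from a site that pushes visitors back
# to plain HTTP (hypothetical host, not any real site).
DOWNGRADING_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: example\r\n"
    "Location: http://example.test/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: what a well-configured HTTPS site answers instead.
HEALTHY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def parse_status_and_headers(raw):
    """Split a raw HTTP/1.x response head into (status_code, {name: value}).

    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_redirect(request_url, status, headers):
    """Return 'no-redirect', 'same-scheme', 'upgrade', 'downgrade' or 'other'.

    Location may be relative, so it is resolved against the request URL before
    the schemes are compared."""
    if status not in REDIRECT_STATUSES or "location" not in headers:
        return "no-redirect"
    target = urljoin(request_url, headers["location"])
    src = urlsplit(request_url).scheme
    dst = urlsplit(target).scheme
    if src == dst:
        return "same-scheme"
    if src == "http" and dst == "https":
        return "upgrade"
    if src == "https" and dst == "http":
        return "downgrade"
    return "other"


def audit(request_url, raw_response):
    """Summarise the transport-security posture visible in one response head.

    'hsts' is only meaningful for HTTPS responses: browsers ignore the header
    over plain HTTP, so it is reported as False there."""
    status, headers = parse_status_and_headers(raw_response)
    over_https = urlsplit(request_url).scheme == "https"
    return {
        "status": status,
        "redirect": classify_redirect(request_url, status, headers),
        "hsts": over_https and "strict-transport-security" in headers,
    }


if __name__ == "__main__":
    for raw in (DOWNGRADING_RESPONSE, HEALTHY_RESPONSE):
        print(audit("https://example.test/", raw))
```

A 'downgrade' result on an HTTPS request is exactly the "bye-bye padlock" behaviour: the site has a working certificate but throws the protection away on the first hop, and without HSTS nothing stops a browser from following it.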

Neil Patel concludes his Facebook video with a pretty dire account as to the usefulness of HTTPS:

Trying to get more search traffic? Waste of time, don't use a [sic] SSL certificate

Now this differs from Google's view on HTTPS as a ranking signal but as we've already established, I don't know much about SEO so I won't push the point. But I do know quite a bit about HTTPS so I thought I'd leave a friendly, constructive and actionable comment for Neil Patel on his Facebook post:

My comment to Neil Patel

I probably took a good 10 minutes to write that up; gather up references, check my facts and spelling, make sure the tone didn't come off as too brash or derogatory and just to ensure that my intentions were seen as genuine and friendly, I added a smiley face 🙂

Job done, good deed for the day complete, on with the next thing. And then this morning, this:

Wait - what?! Really? I'm suddenly having flashbacks to only last week when Kids Pass decided they didn't want to listen either (incidentally, that didn't work out so well for them). But Gary's tweet said he had deleted "all the comments" that didn't agree with him, so who else got hit? As it turns out, I'd left the Facebook page open (which is how I was able to grab my comment in the image above) and I was also able to see Sonia's original comment:

Sonia's comment on Neil Patel

This seems like a perfectly reasonable, polite comment to me and yes, she's effectively disagreeing with Neil Patel and pointing him to a resource which explains why, but that should be fine.

And then there's Scott Helme - the guy who runs a training course literally called "The World's Best TLS Training" - and it seems that he got nuked too:

Now frankly, a random bloke on the internet deleting my comments wouldn't normally be sufficient to justify a blog post, but I had an epiphany this morning - SEO people fundamentally misunderstanding the point of HTTPS is not a new thing. I had this nagging feeling that I'd been down this road before and to my earlier observation, that would constitute a pattern which makes things quite a bit more interesting. And then I remembered self-professed SEO expert Maria Johnsen's post about HTTPS on multilingual websites:

Should multilingual websites use HTTPS by default

She's an interesting character, Maria, and as she explains on her about page, she also knows 18 languages. On its own, this sounds impressive but when you consider that she's had 18 past lives (or is that 17 past and 1 current?), it kinda makes more sense. Uh, she's had what now? Oh yeah, a couple of years ago she explained how a bunch of languages were familiar to her so this was the natural conclusion. Apparently, this was all discovered with the help of a psychic and it's my understanding that Maria believes that she herself is psychic. I may have misinterpreted that and instead she's merely been reincarnated 18 times (or is that 17 times?), but admittedly I did chuckle a little at how closely SEO appears to be entwined with dark arts in this case.

Like Neil Patel, Maria also has some pretty strong views on HTTPS. Amongst these are the following:

it will be more expensive for small businesses who run multilingual websites

(It's still free via the likes of Let's Encrypt and Cloudflare.)

Encrypting all pages on your website will only slow them down

(No, done right it's the opposite of this)

will not improve security on pages where you are not entering any sensitive information

(Neil Patel and I have already had this discussion.)

Website owners can use firewalls to secure data on pages which do not need encryption

(Uh, that's something completely different.)

Many content management system applications may have problem with HTTPS

(I have no idea why she would think this...)

There are also cost issues such as buying: SSL certificate and dedicated IP address

(We've covered cost already and SNI killed the need for dedicated IP addresses years ago.)

Remember! Your websites’ visitors use all kinds of browsers and apps on mobiles and smart phones. They are not ready for HTTPS.

(Yes they are!)

When all HTTPS testing by default is final and settled by Google, then do it after at least three months. In the online world, it’s all about testing.

(I don't actually know what this means, but I'm including it just to show how wacky things get.)

Some are on domain validation which is 2048+ BitSH42 SSL/TLS encryption the encryption key is limited which means you can use on a few pages and has a limited band weight

(Same with this one!)

A good SSL costs top dollar

(Nope.)

If you still want to use HTTPS remember, pages accessed by HTTPS can never be cached in a shared cache

(Yes they can, that's precisely what Cloudflare does.)
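Whether a shared cache (a CDN edge or a proxy) may store a response is decided by the response's caching headers, not by the scheme it was fetched over, which is why a CDN can happily serve cached HTTPS pages. As an added example that is not part of the original post, here is a simplified version of that decision following the Cache-Control rules of RFC 7234; the header sets are constructed and the function names are my own.

```python
def parse_cache_control(value):
    """Turn 'public, max-age=3600' into {'public': True, 'max-age': '3600'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, arg = part.split("=", 1)
            directives[name.strip().lower()] = arg.strip().strip('"')
        else:
            directives[part.lower()] = True
    return directives


def shared_cache_decision(headers):
    """Return (storable, ttl_seconds) for a shared cache.

    Simplified RFC 7234 logic: 'no-store' and 'private' forbid shared
    storage; 's-maxage' applies to shared caches and overrides 'max-age';
    'public' alone marks the response storable even without a TTL.
    Note that the URL scheme is deliberately not an input: an HTTPS
    response with these headers is cached exactly like an HTTP one."""
    cc = parse_cache_control(headers.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return (False, None)
    if "s-maxage" in cc:
        return (True, int(cc["s-maxage"]))
    if "max-age" in cc:
        return (True, int(cc["max-age"]))
    if "public" in cc:
        return (True, None)
    # No explicit freshness and no 'public': a conservative shared cache
    # treats the response as not storable.
    return (False, None)


# Constructed header sets for a public blog page and for a logged-in
# admin page, both served over HTTPS.
BLOG_PAGE = {"content-type": "text/html",
             "cache-control": "public, max-age=3600"}
ADMIN_PAGE = {"content-type": "text/html",
              "cache-control": "private, no-store"}
CDN_TUNED = {"content-type": "text/html",
             "cache-control": "max-age=60, s-maxage=600"}

if __name__ == "__main__":
    for name, hdrs in (("blog", BLOG_PAGE), ("admin", ADMIN_PAGE), ("cdn", CDN_TUNED)):
        print(name, shared_cache_decision(hdrs))
```

The blog page is stored at the edge for an hour, the admin page is never stored anywhere shared, and the third set shows the usual CDN pattern of a short browser TTL with a longer edge TTL; none of those outcomes depend on whether the request arrived over TLS.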

If sites used HTTPS by default and users were trained to avoid sites that use only the HTTP protocol, phishing would be almost useless

(Ironically, it's precisely the opposite of this that has commercial CAs upset at the moment, although as I point out, them being upset is kinda nonsensical).

I won't go on with Maria's insights here, but I do strongly recommend sitting back with either popcorn or beer and reading the rest of that post, particularly the update where she very authoritatively talks about TSL (yes, I know).

Actually, I recall when she originally posted the article and I went back and found some of my earlier commentary on it:

Now unfortunately, like Neil Patel she also likes deleting stuff and in this case, that included both her original tweet and the blog post I link to above which is why it's being served off archive.org. But the internet has an uncanny way of remembering things, including her commentary on the usefulness of firewalls:

Getting back to Neil Patel, as I said earlier, someone merely deleting my comments wouldn't normally even cross my radar and indeed the point was made that it barely even matters:

But it does matter, particularly when someone is influential:

Neil Patel has over 900k Facebook followers. Well done Neil Patel! Neil Patel

This should bother you because when someone with a following makes claims like Neil Patel's above, it's seen by a large number of people, many of whom will heed that advice:

Thanking Neil Patel for his bad advice

We all get stuff wrong and whether it's Neil Patel in his pyjamas or Maria in her 18th life, it's important to acknowledge this rather than attempt to silence it. I don't know if it's bad SEO that Neil Patel had very reasonable yet disagreeable comments on his post nor do I know if it's good SEO that I've now said "Neil Patel" 21 times on this page (not including alt tags). Heck, I don't even know if it's good SEO if everyone that reads this and is bothered by it then retweets this:

And for everyone else, per the title, don't take security advice from SEO experts or psychics any more than you should take SEO or afterlife advice from me!

Edit (the following day): Neil Patel has now deleted the Facebook post and the same video posted to YouTube. Thank you Neil Patel. Incidentally, I haven't heard anything from Neil Patel - no emails from Neil Patel, no tweets from Neil Patel and no Facebook contact from Neil Patel. But hey, at least Neil Patel has learned something new 🙂


Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals