Background

I manage several websites which have no SSL certificate, hosted on a LAMP shared environment, alongside some that do.

The shared environment has an SSL certificate for all sites, but it's an invalid domain unless connected to with a specific URL that the hosting provider provides.

This creates the uncomfortable environment that any site with no SSL can still be connected to over HTTPS, and be served an invalid certificate (rather than no certificate / no response).

For some reason, Google has recently started linking to these non-SSL sites with https:// rather than http:// despite an invalid cert being served. Clicking on this causes a security warning and is probably scaring away 99% of potential clicks.

Question

My question is, given limited server access, what can I do to prevent search engines from linking to an HTTPS version of a website unless there is a valid SSL certificate installed?

totallyNotLizards
  • Why don't you use https for these websites? – Tom Mar 15 '17 at 16:24
  • @Tom because the SSL cert is an additional cost that the client who owns that site would need to pay, they typically aren't interested. – totallyNotLizards Mar 15 '17 at 20:27
  • Note that with Let's Encrypt, certificates are free and renewals can be automatized (so the cost is only the time spent for the first set-up). I hope these websites don't handle any personal data. In most countries protection of personal data is a legal obligation. – Tom Mar 16 '17 at 09:27
  • @Tom Thanks for the info. I agree that SSLs should be used anyway, though these sites are mostly brochure sites. Unfortunately my restricted hosting environment doesn't allow Let's Encrypt certs, only alpha ssl certs, so my situation is that the client needs to swallow the cost. – totallyNotLizards Mar 17 '17 at 17:43

1 Answer

Use 301 redirects to accomplish this.

The search bots don't check SSL cert validity in the first place, so they will connect, unlike browsers, which check validity and show the warning before a redirect can take place.

The bot will see the redirect and update the index appropriately given time.

Example in .htaccess (also works in WordPress):

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{ENV:HTTPS} on
    RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

totallyNotLizards
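
One way to confirm the rule from the answer above is live on each site, as an added example that is not part of the original post: for a given host it checks whether the certificate passes browser-style validation and, if not, whether the HTTPS listener answers with a 301 to the same host and path over http://. The function names are assumptions made for this example.

```python
import http.client
import socket
import ssl
from urllib.parse import urlsplit

def classify(status, location, host, path):
    """Judge one HTTPS response against the HTTPS-to-HTTP 301 rule."""
    if status != 301:
        return f"no permanent redirect (status {status})"
    target = urlsplit(location or "")
    if target.scheme != "http":
        return f"redirect does not point at http:// ({location})"
    if target.hostname != host.lower():
        return f"redirect changes host ({target.hostname})"
    if (target.path or "/") != path:
        return f"redirect changes path ({target.path})"
    return "ok"

def cert_is_valid(host, port=443, timeout=5):
    """True if browser-style validation (chain and hostname) accepts the cert."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False

def fetch_unverified(host, path="/", port=443, timeout=5):
    """HEAD the path over HTTPS with certificate checks off; return (status, Location)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit(host, path="/"):
    """Hosts with a valid cert are left alone; the rest must 301 back to HTTP."""
    if cert_is_valid(host):
        return "certificate valid, no downgrade redirect needed"
    return classify(*fetch_unverified(host, path), host, path)
```

Call `audit("<hostname>")` for each site on the shared host; any result other than "ok" or the valid-certificate message means visitors arriving over https:// still get the warning without being sent back to HTTP.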