HTTPS in Mexico - Asegure Sus Datos
Ryan Purkey
Managing Consultant @ LexiTech Consulting specializing in Digital Transformation of the Hong Kong Legal Industry
Google's Chrome browser now labels sites loaded over HTTP as "Not Secure", and with Chrome at over 75% market share in Mexico, the urgency of switching to HTTPS has grown, especially for sites that need high user trust and data security. From a marketing perspective, SEOs have been advocating for the switch to HTTPS since 2014, when Google revealed that it was a positive ranking signal, giving a boost to sites that protect their visitors against man-in-the-middle attacks. Especially on mobile and on public networks, TLS keeps data confidential and tamper-proof in transit. So whether a domain adopts encryption for the best user experience, a marketing boost, or to stay on top of best practices, every site benefits from switching to HTTPS. Below is an analysis of several hundred sites in Mexico as a sample of what methods are currently in place.
About the Data
The full list of domains crawled is available here in a public Google Sheet.
Tools for checking Redirection, HTTPS, HSTS, and More
Several tools were used in the creation of this report. These include: https://httpstatus.io, https://www.webconfs.com/http-header-check.php, https://hstspreload.org/, Screaming Frog SEO Spider, and HEADmaster SEO.
No Redirection from HTTP to HTTPS
Of the 293 domains surveyed, 124 load on HTTP without redirecting to HTTPS, even though 39 of those 124 also have a functioning site on HTTPS. The remaining 85 domains do not redirect to HTTPS and either serve an error when the domain is requested over HTTPS, let the HTTPS connection time out, or redirect back to the HTTP domain.
No Redirection from HTTP to HTTPS Examples
Detail-oriented readers will notice that second from the top is a Google.com domain, and it is a good example of the problems that arise when redirection to HTTPS is missing from the very first request for the domain. While many of the links on the HTTP version of the site lead to Google services or other pages that are on HTTPS, other pages remain reachable over plain HTTP. One of the problem pages on this site is its "Comunícate con un experto" (contact an expert) page, https://edu.google.com.mx/intl/es-419_mx/contact/, which collects visitor data and is still being served over HTTP.
Another issue for all domains that serve from both HTTP and HTTPS is that they present duplicate content on the two versions of the site. In the Google for Education example, they address this with a canonical link element pointing to https://edu.google.com/intl/es-419_mx/ as the preferred URL for search engines, which is what shows up in the results both in content searches and in searches for the edu.google.com.mx domain (the third result in the image below).
Finally, this site and all the others in the research could use Google Search Console to set a preferred domain and parameter handling, which helps push the HTTPS and canonical-linked URLs into the index; however, that setting is not measurable from the user side and does nothing to force HTTPS for visitors.
Other examples include several Mexican government subdomains (ejemplo.gob.mx) that have HTTPS running but do not force a 301 redirect to it, as do sites such as: www.espn.com.mx, www.autotrader.com.mx, www.cinemagic.com.mx, www.dailytrend.mx, www.eluniversal.com.mx, www.tiendadeportes.com.mx
301 Permanently Moved Redirection from HTTP to HTTPS
The next block contains 87 domains that use a 301 redirect to indicate that the HTTPS version of the domain is the permanently preferred version of the site. Of those 87, 53 domains also use the canonical link element to further confirm HTTPS as their default.
Sites using both the 301 to HTTPS and rel=canonical declaring the HTTPS version of the domain the preferred domain for search engines include: walmart.com.mx, toyota.mx, pinterest.com.mx, expedia.mx, mercadolibre.com.mx, forbes.com.mx, telmex.com, ferelectronics.mx, unitec.mx, and a few dozen others.
Because rel=canonical is an HTML link element, it only takes effect on a page that actually loads, so it belongs in the head of the redirect destination page, like so, using https://www.walmart.com.mx as an example:
<link rel="canonical" href="https://www.walmart.com.mx/" />
Also, as mentioned earlier, any of these sites could use Google Search Console and other site-specific webmaster tools to set their preferred domain. However, those settings, like rel=canonical, are hints for search engines and do not change user behavior. In other words, a user who types or follows an http:// link still reaches the HTTP version of the domain and, unless redirected at the server level, can keep pulling data from it.
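The categories used in this section (no redirect, 301 to HTTPS, a redirect that bounces back to HTTP, a temporary redirect, a meta refresh, or an error) can be assigned mechanically from the redirect chain a crawler records plus what the landing page declares in its head. The following is an added example, not code from the article or from any of the tools it names; the hostnames, redirect chains and HTML snippets in it are constructed for illustration, not captures from the surveyed sites. Status 0 is used as a stand-in for a timeout or DNS failure.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

PERMANENT = {301, 308}       # "moved permanently": search engines drop the old URL
TEMPORARY = {302, 303, 307}  # temporary: the HTTP URL may stay indexed


class _HeadParser(HTMLParser):
    """Pull the rel=canonical href and any meta-refresh target out of a landing page."""

    def __init__(self):
        super().__init__()
        self.canonical = None
        self.meta_refresh = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "link" and "canonical" in a.get("rel", "").lower().split():
            self.canonical = a.get("href") or None
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")  # e.g. "0;url=https://host/"
            idx = content.lower().find("url=")
            if idx >= 0:
                self.meta_refresh = content[idx + 4:].strip().strip("'\"")


def parse_head(html):
    """Return (canonical_href, meta_refresh_target); either may be None."""
    p = _HeadParser()
    p.feed(html)
    return p.canonical, p.meta_refresh


def classify_chain(chain):
    """chain: hops [(status, url)] recorded by following Location headers, starting
    with the plain-HTTP request. Status 0 stands for a timeout or DNS failure."""
    if not chain or not 200 <= chain[-1][0] < 300:
        return "error"                      # error, timeout, or a truncated redirect loop
    final_url = chain[-1][1]
    if len(chain) == 1:
        return "no_redirect"                # 200 straight from http://
    if urlsplit(final_url).scheme != "https":
        return "ends_on_http"               # bounced back, or never reached https
    hops = [status for status, _ in chain[:-1]]
    if all(s in PERMANENT for s in hops):
        return "permanent_to_https"         # the 301 block in the text
    if all(s in PERMANENT | TEMPORARY for s in hops):
        return "temporary_to_https"         # the 302/307 block in the text
    return "error"                          # a non-redirect status mid-chain


def audit(chain, landing_html):
    """Combine the redirect category with what the landing page itself declares."""
    category = classify_chain(chain)
    canonical, refresh = parse_head(landing_html)
    if category == "no_redirect" and refresh and urlsplit(refresh).scheme == "https":
        category = "meta_refresh_to_https"  # client-side only; the http page already loaded
    return {
        "category": category,
        "canonical": canonical,
        "canonical_https": bool(canonical) and urlsplit(canonical).scheme == "https",
    }


# Constructed chains and pages (not captures from any surveyed site).
PERMANENT_CHAIN = [(301, "http://www.shop.example.test/"), (200, "https://www.shop.example.test/")]
NO_REDIRECT_CHAIN = [(200, "http://edu.example.test/")]
BOUNCE_CHAIN = [(301, "http://news.example.test/"), (302, "https://news.example.test/"),
                (200, "http://news.example.test/")]
TEMP_CHAIN = [(302, "http://blog.example.test/"), (200, "https://blog.example.test/")]
TIMEOUT_CHAIN = [(0, "http://dead.example.test/")]

CANONICAL_PAGE = '<html><head><link rel="canonical" href="https://www.shop.example.test/"></head></html>'
REFRESH_PAGE = '<html><head><meta http-equiv="refresh" content="0;url=https://edu.example.test/"></head></html>'

if __name__ == "__main__":
    print(audit(PERMANENT_CHAIN, CANONICAL_PAGE))
    print(audit(NO_REDIRECT_CHAIN, REFRESH_PAGE))
    print(classify_chain(BOUNCE_CHAIN), classify_chain(TEMP_CHAIN), classify_chain(TIMEOUT_CHAIN))
```

Note that a page can come out as "no_redirect" with canonical_https set to True: that is exactly the Google for Education situation above, where search engines are told the preferred URL but the visitor is never moved off HTTP. Only "permanent_to_https" with canonical_https True matches the Walmart-style configuration.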
On HTTPS? How Are Secure Domains Implementing HSTS?
Beyond plain HTTPS is HSTS (HTTP Strict Transport Security), a response header that tells the browser to use only HTTPS for the host for the stated max-age, so later http:// links or typed addresses are upgraded before any request leaves the device. It protects against protocol downgrade attacks and cookie hijacking. The browser only learns the policy from a prior HTTPS visit (or from the browser's preload list), so the very first HTTP request is still exposed unless the domain is preloaded. Several of the HTTPS sites crawled above serve cookies without the Secure attribute, leaving them open to hijacking over HTTP.
Of all the HTTPS domains researched, only one was found to be using HSTS correctly: pinterest.com.mx. All the rest either had no HSTS header, set too short a max-age, served cookies without the Secure attribute, set cookies over HTTP instead of HTTPS, did not redirect HTTP to the HTTPS root domain, omitted the includeSubDomains directive, or omitted the preload directive.
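The checklist above can be run against the pair of responses for http://host/ and https://host/. The following is an added example, not code from the article or from hstspreload.org; the responses are constructed, not captures from pinterest.com.mx or any other surveyed site. The max-age threshold is the one-year minimum that hstspreload.org currently requires. A caveat the code reflects: browsers ignore a Strict-Transport-Security header on an http:// response (RFC 6797), so only the header on the HTTPS response counts.

```python
from urllib.parse import urlsplit

# hstspreload.org requires a max-age of at least one year (31536000 seconds).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value such as
    'max-age=31536000; includeSubDomains; preload' into a dict.
    Returns None when the header is absent or lacks a valid max-age
    (RFC 6797 makes max-age mandatory)."""
    if value is None:
        return None
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            parsed["max_age"] = int(val)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed if parsed["max_age"] is not None else None


def cookie_names_without_secure(set_cookie_headers):
    """Names of cookies whose Set-Cookie line lacks the Secure attribute;
    a browser will send such cookies over plain http:// as well."""
    names = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
        if "secure" not in attrs:
            names.append(parts[0].partition("=")[0].strip())
    return names


def evaluate(http_resp, https_resp):
    """Check the responses for http://host/ and https://host/ against the criteria
    in the text. Each response is a dict with status, url, optional location,
    hsts (header value or None) and set_cookie (list of header values).
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    host = urlsplit(http_resp["url"]).hostname
    loc = urlsplit(http_resp.get("location") or "")
    if not (http_resp["status"] in (301, 308) and loc.scheme == "https"
            and loc.hostname == host):
        findings.append("HTTP does not 301-redirect to HTTPS on the same host")
    # A cookie set on the plain-HTTP response was already exposed on the wire.
    for header in http_resp.get("set_cookie", []):
        findings.append(f"cookie {header.partition('=')[0].strip()!r} set over HTTP")
    # Browsers ignore HSTS on an http:// response, so only the https one is checked.
    hsts = parse_hsts(https_resp.get("hsts"))
    if hsts is None:
        findings.append("no valid HSTS header on the HTTPS response")
    else:
        if hsts["max_age"] < PRELOAD_MIN_MAX_AGE:
            findings.append(f"max-age {hsts['max_age']} is below {PRELOAD_MIN_MAX_AGE}")
        if not hsts["include_subdomains"]:
            findings.append("missing includeSubDomains")
        if not hsts["preload"]:
            findings.append("missing preload")
    for name in cookie_names_without_secure(https_resp.get("set_cookie", [])):
        findings.append(f"cookie {name!r} lacks the Secure attribute")
    return findings


# Constructed responses (not captures from any of the surveyed sites).
GOOD_HTTP = {"status": 301, "url": "http://good.example.test/",
             "location": "https://good.example.test/", "set_cookie": []}
GOOD_HTTPS = {"status": 200, "url": "https://good.example.test/",
              "hsts": "max-age=31536000; includeSubDomains; preload",
              "set_cookie": ["sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]}

WEAK_HTTP = {"status": 200, "url": "http://weak.example.test/",
             "set_cookie": ["lang=es; Path=/"]}
WEAK_HTTPS = {"status": 200, "url": "https://weak.example.test/",
              "hsts": "max-age=300",
              "set_cookie": ["sid=abc123; Path=/; HttpOnly"]}

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_HTTP, GOOD_HTTPS)), ("weak", (WEAK_HTTP, WEAK_HTTPS))):
        print(label, evaluate(*pair) or ["all checks passed"])
```

The "weak" pair trips every item in the list above at once: no redirect, a cookie set over HTTP, a max-age of five minutes, no includeSubDomains, no preload, and a session cookie without Secure. The "good" pair is what the pinterest.com.mx configuration described in the text looks like when expressed as headers.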
Other Cases: Meta Refresh, 302 Object Moved, 307 Temporary Redirect, and Fails
The remainder of the domains crawled either implemented some other form of redirection that causes problems for HTTPS indexation (a 302 or 307 tells search engines the move is temporary, and a meta refresh only fires after the HTTP page has already loaded) or served errors (403, 502, 521, connection timeout, DNS lookup failure, and so on).
Conclusions
In short, unless you are Pinterest, your website could use some work securing its data, and one correctly configured site out of 294 analyzed leaves a lot of room for improvement. Each domain in the list makes for an interesting case study and could be expanded on here later. The takeaway is that Pinterest's dedicated approach to getting HTTPS and HSTS right also reflects its user-centric positioning and rapid adoption of best practices. It also does not hurt their efforts that an enormous number of visitors to their domains arrive via search and that their HTTPS domains are correctly crawled and indexed in Google.
Also of note in closing is the ever-growing percentage of pages loaded over HTTPS. For Chrome users in Mexico, that is 78% of all page loads. If your site is not on HTTPS, it is likely receiving an ever smaller share of visits.
About the Author
Ryan Purkey works to make websites better in Mexico and around the world, helping clients locally as well as those looking to expand internationally.
Comment from Ryan Purkey (6 years later): Troy Hunt and Scott Helme do excellent work and reporting in this sector. Check out one of Troy's latest here: https://www.troyhunt.com/why-no-https-questions-answered-new-data-path-forward/