Since the August 2014 announcement from Google stating HTTPS is a ranking signal and the launch of the HTTPS Is Everywhere campaign, we at SEJ transferred our website from HTTP to HTTPS. While security and privacy provide our users with a sense of relief, HTTPS is much more than an online refuge from hackers. HTTPS reinforces trust and further develops our traffic data from referral sources to help improve our overall SEO strategy and website structure.
As your business grows and Google updates its algorithms, it’s essential to tweak your site and SEO just as you would your products or services.
If your products or services are the heart of your company, then your website is the vein that determines how fast you can get blood to other parts of your body. A lack of trust, security, and data can lead to high bounce rates, lower conversions, confusion about where traffic is coming from, and misaligned goals.
So, how do small businesses gain trust, security, and accurate data from Google? Let’s start with HTTPS.
One way Google is going to take the reins of this HTTPS transition is with its Chrome team. Google’s Chrome team hinted they might start to shame websites not using HTTPS with a big fat red “X” mark over the padlock icon in the URL bar for Chrome users. Parisa Tabriz, Google’s Director of Engineering who also works on security and Chrome, tweeted that Google’s intent behind the red “X” is to “call out” HTTP for what it is: “UNSAFE.”
— Security Princess (@laparisa) January 26, 2016
However, not all have experienced the red “X” mark on sites. As you can see from Chrome itself, they don’t mention the red “X” mark.
However, this feature isn’t set by default. To see the red “X” visit “chrome://flags/” using your Chrome browser. Scroll down to “Mark non-secure origins as non-secure” and click “Mark non-secure origins as non-secure.”
Let’s take Wal-Mart, for example. Using this tool or viewing the source of the homepage, you can check if a website is using HTTP or HTTPS. Or, take a look at this image below. Can you guess if Wal-Mart is using HTTP or HTTPS?
If you answered HTTP, high-five!🙌 Wal-Mart is not currently using HTTPS. Let’s try another one, take a look at Best Buy. Can you guess if they are using HTTP or HTTPS?
That’s right; Best Buy is using HTTP.
Okay, one more! Is Disqus using HTTP or HTTPS?
Ding, ding, ding! You’re right. Disqus is using HTTPS.
If you want to stay up-to-date on what brands are transitioning to HTTPS, check out HTTPSWatch.
So, why the change in the user experience for Chrome’s URL bar? Because Google wants users to know when a website is not secure. It’s logical to assume if someone is browsing Best Buy for a new pair of Beats by Dr. Dre headphones in a Starbucks and found out that anyone on the same network could see what they were searching, they might not be too happy. That’s why HTTPS is great; it protects us from others tampering with our information (addresses, credit card numbers, browsing history, etc.).
Without HTTPS, it’s a bit like signing up for AshleyMadison.com and sharing all your account information (description, password, credit card, etc.) with your friends and family on Facebook. Oh, wait! That already happened. Here’s an example of a description from a member in Ottawa that was publicly shared after AshleyMadison.com was hacked:
“I’m looking for someone who isn’t happy at home or just bored and looking for some excitement.”
Not really something you want your friends and family to see blasted all over the internet, huh? It’s a good thing Ashley Madison has opted for HTTPS to ensure this type of event doesn’t happen again. That’s not to say that if you have HTTPS, you’ll never get hacked; you’re just less likely to be.
Since HTTP and HTTPS both have a stigma attached, let’s analyze and weigh the advantages and disadvantages to using one or the other.
The Positive Impacts of HTTPS on SEO and Your Website
HTTPS gives websites trust, security, and a rankings boost!
Let’s be honest here: HTTPS is HTTP. It’s a more secure version of itself. As you noticed in the above examples, when a website is using HTTPS, you can see it in the address bar. The URL will begin with “https://” and you’ll see the lock icon indicating you’re in a secure, protected environment.
Here’s what the HTTPS connection looks like when I visit Amazon in Chrome:
If you click the green lock icon, it will tell you if the site is private.
Once you click the “details” section confirming the site is private, you’ll discover the HTTPS certificate.
Many websites are using HTTPS today. Let’s take a peek at what other industry experts have seen:
- September 2014, Cyrus Shepard noted only 4.2% of the top 10,000 websites were using HTTPS as their default.
- April 2016, Patrick Stox reported less than 1% made the switch to HTTPS.
- June 2016, Ahrefs stated they saw the percentage of HTTP secure pages in positions 1-3 was higher than in positions 4-10.
- July 2016, Moz reported 30% of websites were using HTTPS.
While these numbers and percentages may hurt your head, note all of these were based on different data samples. But, they are all heading in the same direction with HTTPS moving forward as an actionable, needed SEO tactic.
You can see it with companies like Let’s Encrypt coming along. They offer free secure certificates and are hoping to get businesses to 100% HTTPS. So far, they’ve issued 5 million certificates since December 2015. Let’s Encrypt has helped big businesses like WordPress, Shopify, and Bitly make the transition.
If you think about a company that makes you feel secure and safe, you’re likely to think of The Brinks Company, ADT, NorthStar or even the CIA. Now, what if these companies were breached? How would that make you feel?
Now consider this in the context of your website, and the use of HTTP doesn’t seem like such a good idea anymore. Do you really want to risk your user’s private information? Feelings of trust, safety, and security offer many different benefits, and they all contribute to a repeat customer. This is at the core of every business. We want our users to come back.
So, we know HTTPS benefits users for security. But, let’s talk about the advantages for SEO purposes.
Security and Privacy
Yes, I think I hammered home this above. But, there are some crazy awesome benefits for SEO purposes:
- HTTPS verifies that the server a visitor connects to really is your website.
- HTTPS uses its superpower shield to prevent tampering by 3rd parties.
- HTTPS encrypts all your communications to protect your users’ browsing history, passwords, credit/debit card numbers, etc.
As I mentioned above, Google has confirmed they are giving a little ranking boost to HTTPS sites. This is not a magical potion for seeing a spike in rankings. But, it could weigh more down the road.
Lots of Referrer Data
When traffic comes to your HTTP site from an HTTPS page, it looks like “direct” traffic in your analytics report, because browsers drop the referrer when a visitor moves from HTTPS to HTTP. When traffic comes through your HTTPS site, your referral traffic data is saved. Whoo hoo! You can determine where your traffic is coming from.
C’mon, if the White House Office of Management and Budget has become an early adopter of HTTPS, then I’d say it’s time to step up your game. Other heavy hitters have stepped up to transition to HTTPS. Mozilla is moving away from non-secure HTTP, Wired tells how they plan to make the switch and Apple talks to app developers about using HTTPS.
I mean, Gary Illyes tells it as it is on Twitter:
If you're an SEO and you're recommending against going HTTPS, you're wrong and you should feel bad.
— Gary Illyes (@methode) August 18, 2015
Okay, okay, I’ll stop nerding out over HTTPS. I know this is a big ask for smaller companies. You may not have the resources or support to move your site from HTTP to HTTPS. So, let’s take a look at some of the challenges that come with making the transition.
The Negative Impacts of HTTPS on SEO and Your Website
When transitioning from HTTP to HTTPS, mistakes can happen.
As much as modern companies love to boast about switching to HTTPS, I’m not seeing it. If they were, I would be seeing more consistent data from industry experts. Remember from above where the number crunching made your brain swell? There was a range of 1% to 30% of websites making the change.
Even companies with unlimited marketing budgets and web development resources still haven’t made the transition. So, what’s the reason we haven’t seen websites jump all in on HTTPS? Let’s take a deeper dive into some of the disadvantages that may occur when transitioning your site from HTTP to HTTPS.
Site Speed Issues
If you’re an SEO, you know that site speed is a ranking factor. If you don’t implement HTTPS correctly, you can run into site speed issues. HTTPS requires a lot of back-and-forth communication between the browser and your server. So, if your site is already slow and not set up properly, you have the potential to lose some speed.
Personally, I’ve worked with multiple clients making the big leap from HTTP to HTTPS. The majority of my sites took the transformation quite well and saw a positive impact. Those that wanted to skip best practices for site speed before making the switch, well, let’s just say they didn’t get the results they had hoped for. For small businesses, this can lead to a longer timeline, for which many do not have the budget.
This is another pain point for small businesses. These costs can rise into the hundreds per year, and if you’re starting out, this might not be ideal. For example, GeoTrust costs range from $149 to $745 per year depending on what certificate you get. Or, you can use Let’s Encrypt for free! But, another pain point is this requires you to renew every 90 days.
You’re Just Not Ready for HTTPS
Moving your whole site from HTTP to HTTPS requires a lot of time, planning, and having the right resources. You don’t want to miss any steps. Otherwise, it could cause you a significant amount of loss in traffic and conversions. If you’re a smaller business, you might not have a development or SEO team that can guide you with canonical tagging and chained redirects. There are a couple of big mistakes that can happen during this transition. Let me warn you about a few I’ve run into:
I recently worked on a client site with tons of legacy redirects. In my perfect world, I’d like all my redirects to have one hop. In my experience, I’ve noticed Google stops following redirects with 3 or more hops. So, in this case, where do I start? First, I tackled the HTTPS redirects; then I updated the legacy redirects to the HTTPS.
Another issue I ran into with the chained redirects was preserving my old HTTP robots.txt and sitemaps. I was placing redirects from HTTP to HTTPS on the server level, so I had to exclude them on my robots.txt and sitemaps also. This answer on Stack Overflow helped guide me.
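The one-hop goal described above can be checked before any rule is deployed. The following is an added example, not code from the author or any tool named in the article: it walks a redirect map, reports chains of more than one hop, flags loops and chains that still end on HTTP, and produces a flattened map where every legacy URL points straight at its final HTTPS destination. The URLs and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: legacy redirects plus new HTTP -> HTTPS rules (hypothetical URLs).
REDIRECTS = {
    "http://example.com/old-shoes": "http://example.com/shoes",
    "http://example.com/shoes": "http://example.com/footwear",
    "http://example.com/footwear": "https://example.com/footwear",
    "http://example.com/a": "http://example.com/b",
    "http://example.com/b": "http://example.com/a",  # loop left over from an old migration
    "http://example.com/about": "https://example.com/about",
}

def resolve(url, redirects, max_hops=10):
    """Follow the map from url. Returns (final_url, hops), or (None, hops) on a loop."""
    seen = {url}
    hops = 0
    while url in redirects:
        url = redirects[url]
        hops += 1
        if url in seen or hops > max_hops:
            return None, hops
        seen.add(url)
    return url, hops

def chains_longer_than(redirects, limit=1):
    """Sources that need more than `limit` hops to reach their final URL."""
    found = {}
    for src in redirects:
        final, hops = resolve(src, redirects)
        if final is not None and hops > limit:
            found[src] = hops
    return found

def flatten(redirects):
    """Return (one_hop_map, problems): each source mapped directly to its final target."""
    flat, problems = {}, []
    for src in redirects:
        final, _ = resolve(src, redirects)
        if final is None:
            problems.append((src, "redirect loop"))
        elif urlsplit(final).scheme != "https":
            problems.append((src, "chain ends on HTTP: " + final))
        else:
            flat[src] = final
    return flat, problems

if __name__ == "__main__":
    print(chains_longer_than(REDIRECTS))
    print(flatten(REDIRECTS))
```
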
Moving the entire site at one time
With the similar client from above, they had a giant beast of a website. I’m talking a bajillion pages! The client wanted to move the entire site at one time, but, being on the cautious side, I decided to move the website in separate parts.
We were able to take small chunks of the site and move it over to HTTPS. Then, give ourselves a month to review the damage, if any. I wanted to see the impact HTTPS would have on our redirects and referrals. It was the right choice in the end.
Do I turn on HSTS?
Matt Cutts tweeted about turning on HSTS, stating: “HSTS implies ‘*always* use HTTPS.’ If your website doesn’t serve *only* HTTPS, you’re going to have a bad time.”
This can be a tricky situation for many businesses looking to make the transition. You often hear that HSTS can improve your site performance, but in reality, if you’re not using HTTPS only, it can do more harm than good. This also includes subdomains.
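To make the subdomain point concrete, here is an added example (not from the author or from Chrome's documentation) that parses a candidate `Strict-Transport-Security` header and checks it against an inventory of hosts, reporting which ones would become unreachable for browsers that have stored the policy. The host names and the inventory format are constructed assumptions; in practice the inventory would come from your own DNS and server records.

```python
# Constructed inventory (hypothetical hosts).
# "http": "redirect" if port 80 only redirects to HTTPS, "content" if it still serves pages.
# "https": True if the host serves a working HTTPS site.
HOSTS = {
    "example.com":        {"http": "redirect", "https": True},
    "www.example.com":    {"http": "redirect", "https": True},
    "blog.example.com":   {"http": "content",  "https": True},
    "legacy.example.com": {"http": "content",  "https": False},
}

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age is required")
    return policy

def hsts_findings(apex, header, hosts):
    """Return (host, severity, reason) for hosts that conflict with the policy."""
    policy = parse_hsts(header)
    if policy["max_age"] == 0:
        return []  # max-age=0 tells browsers to forget the policy
    findings = []
    for host, state in sorted(hosts.items()):
        covered = host == apex or (
            policy["include_subdomains"] and host.endswith("." + apex))
        if not covered:
            continue
        if not state["https"]:
            findings.append((host, "break", "no HTTPS site; browsers will refuse HTTP"))
        elif state["http"] == "content":
            findings.append((host, "warn", "still serves pages over HTTP; redirect first"))
    return findings

if __name__ == "__main__":
    for row in hsts_findings("example.com", "max-age=31536000; includeSubDomains", HOSTS):
        print(row)
```
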
HTTP to HTTPS Checklist
If you’re still nervous about making the migration to HTTPS from HTTP, below is a quick overview of my personal checklist. I created this list around this super helpful guide written by Chris Palmer from the Google Chrome team. And, don’t forget to reference Google’s site move support.
1. Get and Install Certificates
- Purchase a secure certificate from a Certificate Authority (CA)
- Or, opt for the free certificate from Let’s Encrypt
- Get the documents to the CA so they can give you a signed certificate
- Copy certificates to all of your servers
2. Enable HTTPS on Your Servers
- Get your server ready for HTTPS. Mozilla offers some great tips on configuration.
- Check to make sure you implemented HTTPS correctly. I use this tool.
- Put a note in your Google Calendar to remind you when your certificate is going to expire.
3. Make Intra-Site URLs Relative
- Use a script to implement protocol-relative URLs.
- Make sure your internal links are pointing to HTTPS.
4. Redirect HTTP to HTTPS
- Update Ads to work with HTTPS.
- Update tools to work with HTTPS.
- Update Schema to work with HTTPS.
- Update social buttons for HTTPS.
- Update legacy redirects for HTTPS.
- Add the <link rel="canonical" href="https://…"/> tag to all your pages.
- Exclude items in your robots.txt and sitemap (remove rules from HTTP robots.txt file, except for sitemap link).
- Verify new HTTPS sitemap in Google Search Console.
- Create a new robots.txt file for HTTPS sitemap.
6. Turn on Strict Transport Security and Secure Cookies
- Use SSL Check to double-check your site for non-secure items.
- Double check that HTTPS redirects and legacy redirects work.
- Use “Fetch as Google” tool to speed up the indexing process.
- Monitor the Index Status in Google Search Console. Ideally, HTTP will drop to zero and HTTPS will rise.
- Watch the Crawl Errors in Google Search Console.
- When most new URLs are indexed, delete the legacy sitemap link from robots.txt.
- Once your site is working in all HTTPS, use HSTS to increase performance.
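Several checklist items (internal links pointing to HTTPS, the canonical tag, and the check for non-secure items) can be verified per page with a short script. This is an added example, not the author's tooling or the SSL Check tool mentioned above: it scans a page's HTML for `http://` subresources that become mixed content on an HTTPS page, for a canonical tag that still points at HTTP, and for internal links that would cost an extra redirect hop. The sample page and host names are constructed, and the tag list is a subset chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose src makes the browser fetch a subresource (subset chosen for this example).
SUBRESOURCE_TAGS = {"script", "img", "iframe", "source", "video", "audio", "embed"}

class InsecureRefFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # (kind, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower()
        for name in ("src", "href"):
            url = attrs.get(name) or ""
            parts = urlsplit(url)
            if parts.scheme != "http":
                continue  # https://, protocol-relative and relative URLs are fine
            if tag == "link" and rel == "canonical":
                self.findings.append(("canonical", url))
            elif tag == "a":
                if parts.hostname == self.site_host:
                    self.findings.append(("internal-link", url))
            elif tag in SUBRESOURCE_TAGS or (tag == "link" and "stylesheet" in rel.split()):
                self.findings.append(("mixed-content", url))

def audit(html, site_host):
    """Return the list of (kind, url) findings for one page."""
    finder = InsecureRefFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page (hypothetical hosts).
PAGE = """<html><head>
<link rel="canonical" href="http://www.example.com/shoes">
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.net/widget.js"></script>
<script src="//cdn.example.net/share.js"></script>
</head><body>
<img src="http://www.example.com/img/logo.png">
<a href="http://www.example.com/sale">Sale</a>
<a href="http://partner.example.org/">Partner</a>
<a href="https://www.example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for kind, url in audit(PAGE, "www.example.com"):
        print(kind, url)
```
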
Which One is the Best?
So, have you decided which solution is best for you? Are you going to make the switch to HTTPS? Both options have their limits. But, when you’re trying to play the SEO game where everything is changing every day, I say every little bit counts.
Understanding every possible aspect available to you to increase trust, authority, and rankings in the SERPs can help you make a better decision. Yes, the connection between HTTPS and ranking is minuscule when compared to the labor involved. But, if you’re thinking long-term, I say go for it!
But now over to you!
Have any of you made the transition from HTTP to HTTPS? What challenges did you face? Was it worth it to you?