HTTP versus HTTPS: How much of a difference can one additional letter make? As it happens, quite a lot. Ever since Google confirmed that it considers whether a site uses HTTP or HTTPS as a ranking factor, there’s been a lot of debate about the merits of making the switch. I don’t know about you, but I’m the type of person who likes to play it safe; if Google recommends something, I’m all for it.
Still, while switching to HTTPS makes sense for most websites, it’s not always worth it.
Is it time to switch?
Let’s face it: HTTPS has always been a smart idea. After all, users obviously prefer safe, secure websites, and running one helps to build trust. When Google announced that it would consider HTTPS as a ranking signal, many website owners immediately made the change.
Although Google does indeed count HTTPS status as a ranking signal, it only gives it a small amount of weight in its algorithm. Any boost that most sites get will be fairly minimal. With the exception of major sites that draw huge amounts of traffic already, most sites won’t see a noticeable improvement in ranking from switching to HTTPS.
Is it even worth it?
Google thinks so
Google’s announcement is just one of the many ways in which the search engine giant has chosen to espouse the virtues of HTTPS. The company has reportedly started indexing secure web pages over unsecured ones, and they ran an HTTPS Everywhere campaign a while back.
In fact, Google even offers a guide–“Securing Your Website with HTTPS”–to promote the technology and to encourage and help site owners switch over.
What is HTTPS?
HTTPS stands for Hypertext Transfer Protocol Secure. It has one primary advantage: it makes sites more secure for the people who visit and use them. If you pay attention to domains in the address bar of your browser, you’ll notice that some start with http:// while others start with https://. The latter denotes a secure website.
3 main benefits of HTTPS
As mentioned before, the most obvious advantage of HTTPS is that it creates a secure online experience for website users. This translates into many benefits for site owners. In particular, sites that are considered to be safe are also considered to be trustworthy. When a business is perceived as being trustworthy, it tends to excel.
With HTTPS, data is secured through what is known as the Transport Layer Security, or TLS, protocol. This protocol delivers three layers of protection:
- Encryption – Via TLS, HTTPS encrypts data that is transmitted while a user is interacting with a site. As a result, it prevents hackers and others from tracking their activities and from otherwise “listening” to their transactions. Anyone who wants to understand what is being transmitted needs the encryption key.
- Authentication – This layer of security wards off “man-in-the-middle” attacks, wherein a user thinks that they are communicating with a specific site but are actually communicating with a decoy. With this layer, a user can easily confirm that they are visiting the site that they are intending to visit. Even if a user has no concerns about the security of your site, they will feel reassured when they see the notification that they are, indeed, visiting the correct website.
- Data Integrity – As data is transferred through a website, whether through a user-submitted form, a payment or another transaction, it is vulnerable to attacks unless the site is secured with HTTPS. This layer helps to ensure that data cannot be modified or corrupted while it is being transferred. In addition to preventing annoying errors on your site, this helps to shield sensitive information from prying eyes and reduces the risk of it vanishing at random and going who knows where.
Does HTTPS make sense for your site?
If switching to HTTPS is unlikely to improve your ranking, should you even bother? Providing a secure online environment seems like reason enough, but that’s not always true.
For example, if you run a simple blog or other small website and never ask users to provide personal information or to submit payments, you can probably get away with not using HTTPS. If you do collect potentially sensitive information or payments, the applicable pages should be HTTPS at the very least. If you’re going to do that, though, you might as well switch the whole site over.
Will HTTPS make your site secure?
While HTTPS makes websites safer for visitors to use, it doesn’t actually protect your website. Even after switching to HTTPS, your site will remain vulnerable to hacking of the site, server or network; software vulnerabilities; downgrade attacks; DDoS attacks and other issues. Other steps must be taken to mitigate those risks.
Making the switch: a step-by-step guide
You’ve given the matter a lot of thought and have decided that switching to HTTPS is right for your website. Maybe you’re holding off because you’re not particularly tech savvy. Here’s some good news: You don’t really have to be to switch a site to HTTPS.
While every hosting provider and situation is different, the basic process for switching to HTTPS is fairly universal. I’ve broken it down into simple, actionable steps for your convenience.
Step one: Use a test server, if possible
This step doesn’t need a lot of elaboration. If you have the technical know-how and a little extra time, consider switching to a test server before engaging in this process. In the unlikely event that something goes awry, no one visiting your site will be any the wiser.
Step two: Choose an SSL certificate
One of the most important aspects of converting a site to HTTPS is choosing an SSL certificate. SSL, or Secure Sockets Layer, is the older name for the TLS protocol that HTTPS uses, and the certificates are still commonly called SSL certificates. There’s no getting around it: You have to install an SSL certificate to use HTTPS.
Fortunately, you don’t necessarily have to spend a lot to get one. However, you must decide between three different options:
- Domain Validation Certificate – This type of certificate is the cheapest and fastest to get. Not surprisingly, it is also the most basic and only really provides encryption. Many hosting providers offer this type of certificate for free.
- Organization Validation Certificate – Available in 128-, 256- and 2048-bit (FYI, Google prefers 2048-bit), an organization validation certificate can typically be obtained in about 24 hours. It provides verification by a regulated government entity and includes authentication. If you collect personal information, this is the one to get.
- Extended Validation Certificate – Available only in 2048-bit encryption, this type of certificate is most commonly used by major e-commerce sites. It provides the best security, including the green status bar at the top of the browser that denotes that the user is visiting a secure site. This type of certificate can usually be obtained in three to five days.
Where can you get an SSL certificate?
As mentioned before, it’s often possible to obtain a free Domain Validation certificate from your hosting provider. Hosting providers usually offer other types of certificates as well. It is generally best to get your certificate from your hosting provider, as they will usually install it for you and can provide support going forward.
How are SSL certificates installed?
Again, it is generally best to simply allow your hosting provider to install your SSL certificate for you. Not all hosting providers will do so, though. If yours won’t, search Google for [hosting provider name] + “SSL certificate installation”. You should be able to find instructions that way. If you strike out, contact the provider for assistance.
Step three: Make a URL map
Next, you need to create a URL map for your website and redirect your old HTTP URLs to your new HTTPS URLs. The map itself can just be a basic spreadsheet. Make one column for your current HTTP URLs and another for their corresponding replacement HTTPS URLs.
This has to be done because http://www.example.com and https://www.example.com are two distinct URLs. All pages on your site must be copied and redirected from their old HTTP URLs to their new HTTPS homes.
Pro tip: While you’re doing this maintenance, it’s a great time to make any desired changes to your site structure or URL format.
Another tip: If you use WordPress, you can simply add all of the permanent, or 301, redirects to your .htaccess file. Everything will be handled in one fell swoop!
Step four: Update internal links
After completing the previous step, you will be left with a site that’s riddled with internal links that point to old HTTP URLs. Needless to say, you must address this issue to keep your site functioning properly.
With any luck, your site is already set up with relative URLs. This means that rather than providing an entire URL for each page, you just instruct the browser to add something to the end of the domain portion of the URL. A link in this case would be written as:
<a href="/page5">Anchor Text</a>
Meanwhile, an absolute link would be written as follows:
<a href="http://www.example.com/page5">Anchor Text</a>
If your site doesn’t use relative URLs, you’ll have to find and replace all of them yourself.
Step five: Update image files and other resources
Hyperlinks aren’t the only elements on your website that need to be updated when switching to HTTPS. Your site also links to images, scripts and other files, and their URLs must be switched to HTTPS URLs to keep things running smoothly.
Quickly see what you’re up against by right-clicking any page on your site and selecting “View Page Source.” From there, look for tags for various elements to see how many you will need to fix.
You may be able to handle this quickly if your resources are available at both HTTP and HTTPS URLs, because you can use protocol-relative URLs. For example, in:
…the browser knows to use HTTPS in the front when the page itself is loaded over HTTPS, because of the leading double slash.
If you use a CDN, check to confirm that it supports HTTPS; most of them do. If not, contact support to find out how to implement HTTPS. Once that is done, check your new HTTPS site to ensure that the sources for all images and other files are pointing to the HTTPS image location on your site’s CDN.
Cut to the chase more quickly by using a tool like Screaming Frog SEO to crawl your site. At a glance, you can check all internal, external and image file sources to confirm that they all begin with https://.
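The page-source check described above can also be scripted. The following is an added example, not part of the original article: it parses a page with Python's standard library and lists every stylesheet, script, image, canonical tag and internal link that still uses http://. The sample HTML, the host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose src attribute makes the browser fetch a resource for the page.
RESOURCE_TAGS = {"img", "script", "iframe", "source", "video", "audio"}

# Constructed sample page; www.example.com stands in for your own site.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://www.example.com/page5">
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<a href="/page6">relative link</a>
<a href="http://www.example.com/page7">absolute internal link</a>
<a href="http://other.example.org/">external link</a>
<img src="http://www.example.com/img/logo.png">
<img src="https://www.example.com/img/banner.png">
</body></html>"""


class InsecureRefFinder(HTMLParser):
    """Collects (kind, tag, url) for every reference that still uses http://."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower().split()
        for name, value in attrs:
            parts = urlsplit((value or "").strip())
            if name not in ("src", "href") or parts.scheme != "http":
                continue  # https://, //host/path and /relative need no change
            if name == "src" and tag in RESOURCE_TAGS:
                kind = "resource"        # mixed content on an HTTPS page
            elif tag == "link" and "stylesheet" in rel:
                kind = "resource"
            elif tag == "link" and "canonical" in rel:
                kind = "canonical"
            elif tag == "a" and parts.hostname == self.site_host:
                kind = "internal-link"   # belongs in the URL map from step three
            else:
                continue                 # external links are left alone
            self.findings.append((kind, tag, value.strip()))


def find_insecure_refs(html, site_host):
    finder = InsecureRefFinder(site_host)
    finder.feed(html)
    return finder.findings
```

Run `find_insecure_refs` over each saved page of the site; an empty list means nothing on that page still points at http://.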
You might also need to check the following:
- Update all canonical tags if necessary; most CMSs do this automatically
- Update all hreflang tags; again, most CMSs do this automatically
- Update modules, plugins and other add-ons
- Update your default URL in analytics, if required, to ensure that HTTPS is tracked properly
- Enable HSTS, which tells the browser to always use HTTPS for your site. Once a browser has seen the HSTS header, it goes straight to HTTPS instead of requesting the HTTP URL and waiting for the redirect, so your pages should load faster.
Step six: Re-add site to webmaster tools
Once everything has been switched, the next stop is Google Webmaster Tools. Add your site to it again to ensure that it is crawled quickly. You will need to submit a new sitemap, but you should also re-submit the old one so that Google recognizes the 301 redirect prompts and updates accordingly.
Step seven: Quickly test the site
Never assume that the work that you did “took.” In the days following the switch, watch your traffic closely. Seeing no change in your ranking or a tiny bump is normal; seeing a big drop is not.
When issues arise after switching to HTTPS, they most often happen because Google is unable to crawl the HTTP version of the site, which usually happens because the test server was not set up to allow bots. There may also be content duplication issues because both versions are showing.
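Beyond watching traffic, the redirects and the HSTS header can be checked directly against the URL map from step three. The following is an added example, not part of the original article: it confirms that each old HTTP URL answers with a single 301 to its mapped HTTPS URL and that the HTTPS response carries a non-zero HSTS max-age. The sample map, the sample responses and the function names are constructed; `fetch_live` is the assumed default for use against a real site.

```python
import http.client
from urllib.parse import urlsplit

# Constructed responses standing in for a live site, so the check runs offline.
SAMPLE_RESPONSES = {
    "http://www.example.com/": (301, {"location": "https://www.example.com/"}),
    "https://www.example.com/": (200, {"strict-transport-security": "max-age=31536000"}),
    "http://www.example.com/page5": (302, {"location": "https://www.example.com/page5"}),
    "https://www.example.com/page5": (200, {}),
}
SAMPLE_MAP = [("http://www.example.com/", "https://www.example.com/"),
              ("http://www.example.com/page5", "https://www.example.com/page5")]


def fetch_live(url):
    """Request url without following redirects; return (status, lower-cased headers)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def hsts_max_age(header):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and value.strip().strip('"').isdigit():
            return int(value.strip().strip('"'))
    return None


def audit(url_map, fetch=fetch_live):
    """Check each (old HTTP URL, new HTTPS URL) row of the URL map."""
    problems = []
    for old, new in url_map:
        status, headers = fetch(old)
        if status != 301:
            problems.append((old, f"expected 301, got {status}"))
        elif headers.get("location") != new:
            problems.append((old, f"redirects to {headers.get('location')}, not {new}"))
        _, headers = fetch(new)
        if not hsts_max_age(headers.get("strict-transport-security")):
            problems.append((new, "missing or zero HSTS max-age"))
    return problems
```

Calling `audit(SAMPLE_MAP, SAMPLE_RESPONSES.get)` runs the check on the constructed data; calling `audit(your_map)` with rows from your own spreadsheet uses live requests.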
Are you ready to make the switch?
So, there is no reason not to switch to HTTPS and plenty of pretty good ones to do so. Although you are unlikely to enjoy a big surge in traffic or a higher ranking, doing this shows users that you care about providing a secure online experience for them.
Given how easy it is to switch to HTTPS, it makes sense for just about any site to do so. Go ahead and give it a whirl. Before too long, I won’t be surprised if Google ups the ante and makes this an even bigger ranking factor, so you might as well get on board now.