In this information age, users have access to an infinite repository of information. However, this brings its own challenges, namely data security and user privacy.
Google published a post on its official blog in August 2014 explaining its take on Internet security and how it had invested in making its services secure, for example with strong HTTPS encryption by default. It further announced that users accessing its services like Gmail, Google Search, Google Maps & Google Drive will automatically have a secure connection to Google. Google also provided an in-depth guideline for webmasters about how HTTPS will also be considered as a ranking signal for Google Search results.
Apart from the security benefit, HTTPS increases your visitors’ trust in the website. If you are running an ecommerce website or anything that stores users’ information, content, etc., then you definitely need an HTTPS website.
What’s the difference between HTTP & HTTPS?
HTTP (Hypertext Transfer Protocol) is an internet communication protocol which allows data communication across various types of devices. In simple words, if you need to access a website such as Google.com through a web browser, you enter its address in the address bar in the form “http://www.example.com”. In case you entered only “example.com” in the address bar, your browser automatically interprets it and adds “http://www.” to ensure that your computer interacts with the website’s server through HTTP mode.
HTTPS, on the other hand, is similar to HTTP but adds a layer of secure communication over HTTP. The main motivation of HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data. If you enter only “google.com” in the address bar of your web browser, it automatically interprets it and adds “https://www.” before “google.com”.
You will also notice the text “Secure” along with a lock icon, which indicates that your interaction with the website is safe & secure 🙂
How does HTTPS work?
HTTPS is implemented by installing an SSL certificate on the web server, which creates a secure tunnel through which information including usernames, passwords, credit card numbers and more can pass safely.
First, the SSL “handshake”
When a website visitor enters an SSL-protected area of your website, your SSL certificate automatically creates an encrypted connection with the visitor’s browser.
The padlock icon appears
Once the connection is complete, a padlock icon and HTTPS prefix appear in the visitor’s browser bar to show them they’re safe to share personal details. If you have a high-assurance EV Certificate, your visitor’s status bar will also turn green.
You’re good to go
All information passing to and from your website is now scrambled by 2048-bit encryption that’s virtually unbreakable by hackers.
How can HTTPS implementation help businesses?
The migration from HTTP to HTTPS for data communication can help a business achieve the following benefits:
- Better Security: The data sent using HTTPS is secured via the Transport Layer Security (TLS) protocol, which provides 3 key layers of protection.
a) Data Encryption: HTTPS encrypts the exchanged data to keep it secure from any third party. This ensures that nobody can “listen” to or “access” user conversations, track their activities or steal the information which is being passed from one system to the other.
b) Data Integrity: Exchanging data over HTTPS ensures that it can’t be modified or corrupted during the process, which is quite critical for businesses.
c) Authentication: It validates & proves that users communicate with the intended website only. This protects users from man-in-the-middle attacks.
- Gain Brand Trust: With the help of HTTPS you can safely accept credit cards on your website. Most people look for the https:// prefix in their browser bar before submitting personal information like their name, credit card number and address to a website. Thus HTTPS adds brand trust to business websites and enables them to boost their sales.
- SEO (Search Engine Optimization) Benefits: In December 2015, Google’s Zineb Ait Bahajji mentioned that Google will try to index HTTPS pages first, before an HTTP equivalent page.
- Improved Data Analytics: Migrating to HTTPS also helps with the loss of referral data in Google Analytics, which happens because the referral value in the header is dropped when switching from a secure website to an unsecured website. Google Analytics, as well as several other analytics software packages, attributes traffic without the referral value as direct, which accounts for a large portion of the traffic generally termed ‘dark traffic’.
How many websites are currently using HTTPS?
According to the latest statistics, 35 million websites are currently using HTTPS, and this figure has been gradually increasing since 2016.
Companies issuing SSL certificates for implementing HTTPS have also shown growth in the number of SSL certificates issued since 2016.
How to switch to HTTPS?
This post is intended to explain the importance of HTTPS migration for business owners from an SEO perspective. Hence, it might not be of much help for technical users, i.e., server administrators, in case you are looking for a step-by-step list of commands to execute for HTTPS migration.
Below is a checklist of the best SEO practices for moving from HTTP to HTTPS (before and after migration). If implemented correctly, these guidelines will help your website avoid any SEO loss from problems such as mixed content issues, which sometimes occur due to the HTTP to HTTPS migration process.
- Set up a staging instance: It’s important because it lets you set up everything as per your requirements and provides a sufficient testing environment without screwing up your real website, which might be accessed by thousands of visitors. You might even go ahead and implement HTTPS directly in your production instance or live web server, but it’s still the best as well as the safest practice to draft a plan and have everything tested ahead of time to avoid any technical issues later on.
- Prepare a Website Analytics Report: It’s important to crawl your existing website and take note of its current state. This will be important for comparison purposes after HTTPS migration. This report should include the total number of pages in your website and their respective URLs, existing traffic details, especially the channels through which your visitors arrive, a list of internal & external links pointing to your website and, most importantly, a record of keyword positions of the homepage as well as internal pages in the search engines. You may find these reports through Google Analytics & Google Search Console (previously known as Google Webmaster Tool).
- Get an SSL Certificate & install it on the server: This will vary depending on your hosting environment and server setup.
There are 3 types of HTTPS SSL certificates which can be used to make a website HTTPS compatible:
a. Domain Validation (DV) SSL Certificate – Verifies your ownership of the domain.
b. Organization Validation (OV) SSL Certificate – Verifies & proves that you own the domain and that your organization is legitimate. It reassures your website visitors, as a fraudulent website would never pass this check.
c. Extended Validation (EV) SSL Certificate – It offers the highest level of assurance to your customers – EV SSL applicants must pass an extensive vetting process.
Businesses can select a type of SSL certificate as per their security concerns as well as budget.
SSL certificate providers sell 3 types of certificates to address various business requirements:
a. Single Certificate: A single certificate protects a single subdomain. This can also be your ‘www’ subdomain. For example: www.creativemoz.com or example.creativemoz.com
b. Multi-Domain Certificate: Multi-domain certificates protect multiple domains with a single certificate. However, there is a limit on the total number of domains a single certificate can cover, and it differs between SSL providers.
c. Wildcard Certificate: This type of certificate is popular among mid & large sized businesses since it protects an unlimited number of subdomains with one single certificate, and the number of subdomains doesn’t need to be defined at the time of purchase.
Google recommends the use of 2048-bit key certificates because they are highly secure.
You may use a free SSL Installation Diagnostics Tool from DigiCert to verify the SSL certificate installation.
- Update the URL references in website content – This can be easily done with a search-and-replace in the database. As a webmaster or web developer you need to update all references to internal links to use HTTPS or relative paths. You also need to ensure that the references to scripts, images, links and so on are either using HTTPS or relative paths.
- Updating the canonical tags – Many CMS systems like WordPress automatically take care of this when you migrate from HTTP to HTTPS, but it’s always advisable to double-check, because that’s not always the case.
- Force HTTPS with redirects – Once you are sure that all the internal links are updated, you need to enforce HTTPS with redirects in the web server. How you do this will depend on your server and configuration, and most server hosting providers publish well-documented articles for Apache, Nginx and IIS.
- Sitemaps – Update sitemaps to use HTTPS versions of the URLs.
- Robots.txt – Update your robots.txt file to include your new sitemap.
- Enable HSTS (HTTP Strict Transport Security) – This informs the web browser to always use HTTPS, which eliminates a server-side check and makes your website load faster.
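You can enable HSTS by adding the following line to your .htaccess file (the env=HTTPS condition means the header is only sent when Apache's HTTPS environment variable is set):
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS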
- Enable OCSP stapling – This lets the server, instead of the browser, check whether a security certificate is revoked, which saves the browser from having to download or cross-reference revocation information with the issuing certificate authority. This step also makes your website load faster.
- Inform Search Engines – Add the HTTPS version of your site to the webmaster tools of the search engines you use, and submit the new HTTPS sitemap to them. This is pretty important because search engines will gradually de-index your HTTP pages and index the HTTPS pages.
That’s it. Let’s go live! :)
Wait, we aren’t done yet. Post migration, we need to take the following steps:
- Update the default URL in your Analytics Platform like Google Analytics and add notes about the change so that you know when it occurred for future reference.
- Update your social network profiles – This includes updating your website URL from HTTP to HTTPS. Apart from this, you need to update the social share counts.
- Update any paid media, email or marketing automation campaigns to use the HTTPS versions of the URLs.
- Update other website analytics tools such as A/B testing software, heatmaps and keyword tracking to use the HTTPS versions of the URLs.
Once done, keep a close eye on the Google Search Console & your analytics tool, i.e., Google Analytics, and check the impact of the HTTP to HTTPS migration on your website traffic.
That’s all!! 🙂
Don’t get tense if you lose some traffic or keyword rankings during the first few weeks post migration. Your website rankings should get back to normal within 1-2 weeks.
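To make the checklist above concrete, here is an added example (not code from this post) that audits a crawl for the problems it warns about: HTTP URLs that do not redirect permanently to HTTPS, HTTPS pages without an HSTS header, and http:// subresources or canonical tags left in the HTML. The shop.example site, the function names and the choice to accept only 301/308 redirects are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attribute that makes the browser fetch (or, for canonical, trust) a URL.
FETCHING_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class InsecureRefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(FETCHING_ATTR.get(tag, ""), "") or ""
        rel = set((a.get("rel") or "").lower().split())
        audited = tag != "link" or rel & {"stylesheet", "canonical"}
        if url.lower().startswith("http://") and audited:
            is_canonical = tag == "link" and "canonical" in rel
            self.found.append(("canonical" if is_canonical else "mixed-content", tag, url))

def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, else None."""
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', value or "", re.I)
    return int(m.group(1)) if m else None

def audit(responses):  # responses: (url, status, headers, body) per crawled URL
    issues = []
    for url, status, headers, body in responses:
        h = {k.lower(): v for k, v in headers.items()}
        if urlsplit(url).scheme == "http":
            # Assumption: permanent (301/308) redirects are what the migration wants.
            if status not in (301, 308) or not h.get("location", "").startswith("https://"):
                issues.append((url, "no permanent redirect to HTTPS"))
            continue  # browsers ignore HSTS received over plain HTTP
        if hsts_max_age(h.get("strict-transport-security")) is None:
            issues.append((url, "HSTS header missing or without max-age"))
        page = InsecureRefs()
        page.feed(body)
        issues += [(url, f"{kind}: <{tag}> references {ref}") for kind, tag, ref in page.found]
    return issues

# Constructed sample crawl of a hypothetical site (not data from the article).
SAMPLE = [
    ("http://shop.example/", 302, {"Location": "https://shop.example/"}, ""),
    ("https://shop.example/", 200, {"Strict-Transport-Security": "max-age=31536000"},
     '<link rel="canonical" href="http://shop.example/"><img src="/logo.png">'
     '<script src="http://cdn.example/app.js"></script>'),
    ("https://shop.example/cart", 200, {}, '<img src="https://cdn.example/c.png">'),
]
```

Calling audit(SAMPLE) reports four issues for the constructed data: the temporary redirect, the stale canonical tag, the http:// script and the cart page without HSTS.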
Add a comment below if you’re facing issues while switching to HTTPS, or email me at rahul [at] creativemoz.com for assistance. I’ll be eager to hear from you and help.