August 1, 2017 by Paul Ceppaglia
Should You Migrate to HTTPS? What Every SEO Should Know
For years now, SEOs have known that utilizing a secure domain for a website can offer many benefits. However, many have been hesitant to move their existing, non-secure sites. This article will take a closer look at HTTPS, the different protocols involved, the SEO implications of migrating to HTTPS, and several things you’ll need to take into consideration when you decide to make the move.
Back in 2014, Google announced that their search algorithm would start using HTTPS (secure HTTP) as a ranking signal.
Ever since this announcement, the question “should we migrate our site to HTTPS?” has been uttered by virtually every SEO, as they weigh the possible rankings benefits against the potential headaches created by a site migration.
Fast forward to 2017, and this post on the Chromium blog details how, starting October 2017, Google Chrome will show the “Not secure” warning both when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.
Additionally, the blog states “Eventually, we plan to show the “Not secure” warning for all HTTP pages, even outside Incognito mode.”
This means that if you haven’t already made the switch to HTTPS, then there’s no time like the present!
But first, here’s a primer on HTTPS for those who might need a refresher…
What is HTTP?
HTTP (hypertext transfer protocol) has been the foundation for distributing information across the world-wide web since the late 1990s. HTTP is the underlying protocol that determines how data is transferred across the web.
Data transferred using HTTP is unencrypted, meaning that Information conveyed via HTTP is at risk of being intercepted or manipulated. When you connect to a website via HTTP, data is sent in clear text. This allows any nosey party (someone sharing your Wi-Fi network, your ISP, intelligence agencies, etc.) to easily see the pages you visit and the data being transferred.
To address this, HTTPS (the “S” stands for “secure”) was developed. When you use HTTPS to connect to a web server, your browser and the web server exchange cryptographic keys. This allows the browser and server to send messages that only they can decrypt.
A web server can be secured with what is called an HTTPS certificate. The certificate contains a public key, which is needed to create a secure session.
When your browser makes an HTTPS request to a web server, the server first sends its certificate back to your browser. Once your browser has received the server’s certificate, the secure “handshake” is initiated and a secure connection is established between browser and server.
TLS vs SSL
There are two common protocols used to provide this data encryption: Secure Socket Layer (SSL) and Transport Layer Security (TLS). Both are cryptographic protocols that provide authentication and data encryption across network connections between servers, clients, and applications.
Facts About Secure Socket Layer (SSL)
- Originally developed by Netscape, to address the growing concern regarding internet security
- SSL 2.0 shipped with Netscape Navigator 1.1 in 1995
- SSL 3.0 was released in 1996, and addressed the many security vulnerabilities of SSL 2.0
Facts About Transport Layer Security (TLS)
- TLS 1.0 was first introduced in January 1999 in an effort to standardize SSL, and as an upgrade of SSL Version 3.0
- TLS 1.1 was defined in RFC 4346 in April 2006
- TLS 1.2 was defined in RFC 5246 in August 2008
- TLS 1.3 is a working draft
Should You Use SSL or TLS?
In simple terms, TLS is the successor to SSL. While both can strengthen your website’s security, there are some key factors that you should consider when planning a move to HTTPS.
First and foremost, both SSL 2.0 and 3.0 have been deprecated by the IETF. In fact, over the years many serious vulnerabilities have been discovered in the deprecated SSL protocols, including the Heartbleed bug and POODLE.
Therefore, the answer to this question is clear…if you are planning on implementing HTTPS today, be sure to utilize TLS.
In addition to the SEO benefit you’ll receive, there are plenty of other reasons to utilize HTTPS for your site. These include:
- Security: This should probably go without saying, but implementing HTTPS on your site means that your visitors’ sessions will be encrypted. Security brings peace of mind to your customers, especially if purchases are being made on your site, or money changes hands.
- Credibility: Secure domains let your visitors know that the data is coming from a known source, and can help give your brand/products real credibility in the consumers’ eyes.
- Conversion: In many cases, the ‘secure’ icon (displayed when a site is being served securely) can actually boost conversion rates on a website.
Things to Consider When Migrating to HTTPS
When you do decide to take the plunge, there are several things you’ll need to consider as you change to a secure domain.
- CDN: If you utilize a CDN (Content Delivery Network), you will need to make sure that your CDN supports SSL/TLS, and make any necessary adjustments.
- Analytics/Reporting: As you migrate to HTTPS, make sure that any tracking codes, reports, or other analytics are still functioning as expected.
- Redirect all incoming traffic from http:// to https://
Migrating an existing site from HTTP to HTTPS isn’t necessarily an easy task. However, if you’ve been delaying the move, I hope you can see that it is definitely worth any associated trouble, and in fact it will become even more important in the near future.
While there are certainly many factors that go into moving from HTTP to HTTPS (more than can be addressed in this article), when done properly you will see your rankings actually improve over time.
For those who would like more information, please see Google’s resource on migrating site to HTTPS without major impact to rankings.