HTTPS: What is it and how to migrate your website?
The role of HTTPS in SEO may not seem extremely obvious. And yet, there certainly is a connection between the two. Regardless of the capacity in which you peruse the web (as an enlightened amateur, avid user, occasional blogger, or digital professional), you have no doubt encountered this website security protocol before. You would, at the very least, have seen these five letters show up on the very left of the URL address bar in your browser.
The main reason HTTPS and SEO deserve to be considered together is that Google classes HTTPS as one of the main ranking factors in Chrome’s algorithm. In 2014, the web giant announced it was going to highlight websites protected by the HTTPS protocol. This was enough to encourage webmasters to make their connections more secure. Years later, the numbers speak for themselves: 91% of pages are loaded over HTTPS on Windows, 95% of the traffic is secure on Android, and it reaches 98% on ChromeOS. In addition, 97 out of 100 of the top-ranking websites default to HTTPS, and 100% of them work on HTTPS (source).
Naturally, Google is not the only factor. Many things have contributed to turning a wild web into a more civilised space: making HTTPS more accessible, similar measures being put in place by other browsers, etc. Three vital questions remain to be asked: What is HTTPS, exactly? Should you switch to HTTPS for the sake of your search engine optimisation? How to migrate to HTTPS?
What is HTTPS?
THE HTTP PROTOCOL
To fully grasp the concept of HTTPS, we first need to touch upon HTTP, from which it derives. HTTP (or HyperText Transfer Protocol) is a communication protocol developed specifically for the web. It makes it possible to exchange data between a server and a client, for instance between a website and a browser.
The problem with HTTP is that these exchanges are wide open, meaning they are not encrypted and, logically, not confidential in the slightest. Technically, anyone can interfere with the communication and pick up the information that is circulating, as if they were listening in on a phone call.
In most cases, it’s not that big a deal: if you’re reading an article on a news site, you’re not exchanging personal information that could be misused. Things become more complicated if you log in on your bank’s website… if anyone got their hands on your information – such as your account number or login details – the consequences could be dire.
HTTP’s main drawback being security, that’s where HTTPS came in, well before the link between HTTPS and SEO became a thing.
THE HTTPS PROTOCOL
The HTTPS protocol (HyperText Transfer Protocol Secure) was designed to address the security issue that its bigger brother posed.
So, what is the difference between HTTP and HTTPS? In actuality, HTTPS is merely HTTP with an added layer of security called TLS (Transport Layer Security). The latter is a cryptographic protocol which – as the name indicates – secures the transport by encrypting the data exchanged between the server and the client.
Using an HTTPS protocol makes it possible to:
- Secure the data travelling between a website and a browser so that no one can access it and misuse it. The information exchanged is encrypted and the key is known only to the server and the client. It all goes down as if a conversation over the phone were taking place in a unique language known only to the speakers, thus preventing any spy who might be listening in from understanding anything.
- Guarantee the identity of the website being perused, thus making sure that it is indeed the one whose URL is showing up. This is particularly crucial, as it allows the Internet user to check that they are navigating their bank’s website, for instance, and not a fake platform created to trick them into revealing their information.
HOW CAN YOU TELL AN HTTPS SITE APART FROM AN HTTP SITE?
It’s quite simple: a secure website displays the letters “HTTPS” at the beginning of its URL instead of a simple “HTTP”. On Chrome, the letters show up in green.
Another proof of security: the presence of a padlock (green or otherwise) near the URL. It can be found on the left on Chrome, Firefox, or Internet Explorer.
Note that by clicking on the padlock (or, in some cases, on an icon containing an “I”), you can access the information which contains the type of certificate used to secure the site.
The HTTPS protocol relies on an SSL (Secure Sockets Layer) certificate which “sets” the TLS security layer. This electronic certificate is applied to the website to secure data exchanges by encrypting them using an asymmetrical encryption key. Websites protected by an SSL (or TLS) certificate display the well-known padlock, thus proving that they are secure.
The first step is to obtain that certificate, which activates the correct protocol. We use SSL and TLS certificates interchangeably, but it’s worth noting that the SSL protocol is no longer current. It has since been replaced with TLS, a safer version based on the same principle. The expression “SSL certificate” remained to designate any encryption certificate used to activate HTTPS.
There are several types of SSL certificates, some more secure than others:
- Free SSL certificates (such as Let’s Encrypt)
- Extended validation certificates (Extended SSL)
- Organization validated certificates (Organization SSL)
- Domain validated certificates (Domain SSL)
- Multi-domain certificates (WildCard)
These certificates are delivered by special bodies called Certification Authorities (CAs). Several of them are available:
- Comodo (linked to OVH)
The price for an encryption certificate can go from zero (free) to several thousand euros per year. It varies based on how reliable the certificate is, meaning the level of verification that needs to be reached before the certificate is delivered. This verification ranges from a simple email sent to the person making the request to a whole set of documents to provide. It also varies based on the CA selected.
Why switch to HTTPS?
If you’re wondering whether it’s worth switching to the HTTPS protocol, here are not one, but two reasons to do so.
For starters, you may want to switch to HTTPS for security reasons. HTTPS contributes to making the web a safer place for everyone, users and professionals alike, by offering protection against “man-in-the-middle attacks”. Unfortunately common, these attacks consist of intercepting communications between two digital correspondents in order to collect personal data, all without being noticed. Your banking information or login details are thus gathered by an attacker who will then use them fraudulently.
HTTPS is the best way to mitigate this security flaw. This means it is vital for professionals who offer websites where data can circulate, whether it be through forms, registration procedures to open an account, or to pay for a purchase by providing credit card details. Needless to say, unprotected sites are not very popular amongst Internet users who are becoming increasingly careful about protecting their data.
And then, there is the necessity of HTTPS for SEO. The people at Google want to make the web a safer place, and therefore do everything they can to encourage everyone (and not just high-risk platforms, even though the protocol was originally invented to protect banks) to move to HTTPS. When it comes to search engines, the switch from HTTP is making more and more sense. Very soon, ALL websites will have to proudly brandish the HTTPS logo.
Proof: not only has Google been favouring HTTPS platforms since 2014, but the US giant also means to flag any websites that are not HTTPS secure! In other words, users will see a message warning them that the site is unsafe. This certainly impacts their trust in the website in question.
Here are two good reasons to switch to HTTPS. But let’s delve deeper into the link between HTTPS and SEO.
What is the impact of HTTPS on SEO?
Let’s review the events in a chronological order:
- In 2014, Google announced that websites that activated the HTTPS protocol would be favoured by its ranking algorithm. The ranking improvement is not extremely significant.
- In 2015, Google indicated that HTTPS plays the role of a referee between two contending sites. If both websites are practically identical in every way (keywords, freshness of the content, loading times…), then the algorithm will favour the most secure one by default.
- HTTPS is now used as a ranking signal by Google (source). Although it’s worth noting that this little boost doesn’t make up for bad SEO. The websites that make it to the first page of the SERPs are those that integrate other SEO best practices, and not just from a security standpoint.
This means that HTTPS and SEO are intertwined, but that the former doesn’t count as one of the main levers. The benefits are not uninteresting, though, since obtaining a good SSL certificate can have an indirect impact on optimisation. For instance:
- It influences the users’ decisions, and many are more likely to make a purchase on an HTTPS website rather than on an HTTP one. The more these websites are flagged as unsafe, the more web shops will need to display their HTTPS credit prominently.
- It shapes Google’s search rankings. Imagine a user who clicks on a link in the SERPs only to realise that the website is unsafe. They immediately click the “back” button, which Google interprets as a sign that the user is not satisfied with the result. HTTPS SEO impacts the website’s ranking in that way.
With that said, Google is proving to be more and more strict about favouring secure websites.
SHOULD YOU SWITCH TO HTTPS FOR SEO’S SAKE?
When it comes to SEO, HTTP to HTTPS is not necessarily the answer. Migrating your website to the HTTPS protocol in the hopes of achieving SEO gains is simply not reasonable. The boosting effect is so insignificant that you’d need a huge magnifying glass to see the slightest difference. At the very least, one thing is clear: even though the HTTPS effect does exist, it falls far behind other, more crucial criteria, such as content, technical optimisation, and backlinks. SSL clearly isn’t the best way to go about getting your pages to rank higher in the SERPs.
As we explained above, using HTTPS for SEO certainly isn’t the only reason to make the switch. Whether you own a web shop or any other type of website, the protocol secures exchanges with users and enhances your image as a brand.
With browsers sending out security alerts to users every time an HTTP site causes a security breach, can you imagine what your visitor would think if your name came up?
How to migrate your site from HTTP to HTTPS?
Whether you choose to do it for security reasons or for SEO, the HTTP to HTTPS switch is a lot like an entire website migration. In practical terms, here’s what needs to be done:
1. Purchase (or ask for) an SSL certificate and install it on your website.
2. Change your internal URLs to secure all of your pages using HTTPS.
3. Set up 301 redirects to send all your HTTP URLs to HTTPS URLs. This will allow you to preserve all the benefits from your SEO efforts (popularity and traffic) on your pages during the migration process. Be sure to test these URLs to make sure everything is working properly!
4. Always check that your canonical URLs all point to your HTTPS pages. This will fix some of the duplicate URL issues you may be having.
5. Check that all your HTTPS pages are indexable.
6. Activate the HSTS (HTTP Strict Transport Security) mechanism to inform the client that the interactions will now be carried out through a secure connection.
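To test steps 2 to 6 page by page, here is an added example (not code from the original article) that audits one HTTP response and one HTTPS response for the same URL. It assumes the responses were already captured with lowercase header names; the function names and the www.example.com sample data are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def audit_http(url, status, headers):
    """Step 3: the http:// URL must 301 to the same host and path on https://."""
    src, dst = urlsplit(url), urlsplit(headers.get("location", ""))
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if (dst.scheme, dst.netloc, dst.path or "/") != ("https", src.netloc, src.path or "/"):
        problems.append("Location is not the HTTPS version of the same URL")
    return problems

def audit_https(url, headers, body):
    """Steps 2, 4, 5 and 6, checked on the response to the https:// URL."""
    host, problems = urlsplit(url).netloc, []
    # Step 6: HSTS must be sent, with a non-zero max-age.
    hsts = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""), re.I)
    if not hsts or int(hsts.group(1)) == 0:
        problems.append("HSTS header missing or max-age=0")
    # Step 5: neither the X-Robots-Tag header nor a robots meta tag may say noindex.
    metas = re.findall(r'<meta[^>]*name=["\']robots["\'][^>]*>', body, re.I)
    if "noindex" in (headers.get("x-robots-tag", "") + " ".join(metas)).lower():
        problems.append("page is marked noindex")
    # Step 4: the canonical URL must be an https:// URL.
    canon = re.search(r'<link[^>]*rel=["\']canonical["\'][^>]*>', body, re.I)
    if canon:
        if not re.search(r'href=["\']https://', canon.group(0), re.I):
            problems.append("canonical URL is not HTTPS")
        body = body.replace(canon.group(0), "")  # already judged; skip it in step 2
    # Step 2: links and resources on this host that still use http://.
    for ref in re.findall(r'(?:href|src)=["\'](http://[^"\']+)', body, re.I):
        if urlsplit(ref).netloc == host:
            problems.append(f"internal URL still on HTTP: {ref}")
    return problems

# Constructed sample responses for the placeholder host www.example.com.
BAD_PAGE = ('<link rel="canonical" href="http://www.example.com/shop">'
            '<meta name="robots" content="noindex">'
            '<img src="http://www.example.com/logo.png">'
            '<a href="http://partner.example.net/">partner</a>')
GOOD_PAGE = ('<link rel="canonical" href="https://www.example.com/shop">'
             '<a href="https://www.example.com/cart">cart</a>')
GOOD_HEADERS = {"strict-transport-security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    print(audit_http("http://www.example.com/shop", 302, {"location": "https://www.example.com/"}))
    print(audit_https("https://www.example.com/shop", {}, BAD_PAGE))
    print(audit_https("https://www.example.com/shop", GOOD_HEADERS, GOOD_PAGE))
```

A redirect that sends every HTTP URL to the home page passes a quick look in the browser but fails the first check, because the path is not preserved.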
Once the migration to HTTPS is in effect, you will need to think about the last few verifications:
- Launch a crawl to make sure there are no errors.
- Create a new Search Console and follow the indexing of the pages in HTTPS by comparing the HTTPS version with the original one.
- Check and correct the URLs of the links that point to your website to make sure they are all in HTTPS.
- Update your CMS’s external plug-ins to be absolutely certain that they are compatible with the new protocol.
- Change your Google Analytics settings so that the platform takes HTTPS pages into account, particularly to monitor how the traffic evolves.
- Restore your social interaction indicators (reposts and likes) by following these instructions.
- Measure your pages’ loading time in HTTPS. Migrating from HTTP to HTTPS can result in everything getting slower. This is because of the additional back-and-forth between the server and the client.
If you run into any issues, your website’s performance can be improved thanks to the HTTP/2 protocol, which you can implement once the migration to HTTPS is complete.
What type of SSL certificate should I choose?
You will most likely need to think about which certificate to choose when switching to HTTPS to secure your connections. The answer depends on your site as much as it does on your needs in terms of security… For a basic website where there is no exchange of personal data, a free SSL certificate is usually more than enough (Let’s Encrypt, for instance). No need to look much further.
For a corporate website, it might be preferable to opt for a Domain Validated (DV) certificate, or an Organisation Validated (OV) certificate. The price for such certificates ranges from a few dozen to several hundred euros per year. The difference between the two resides in the type of authentication. A DV does not identify who is requesting the certificate. The OV, on the other hand, is a bit more secure. However, when it comes to choosing which one is right for you, try to think about it from the user’s perspective. Are they going to click on the certificate to check the authentication field? Do you truly need this additional layer of protection?
For a web shop, things are quite different: you need to guarantee your customers’ safety at every step of the user experience on your site. Here, Extended Validation (EV) turns out to be vital. A green bar is displayed in the browser, immediately allowing the users to know that they are using an optimally protected website. This is very beneficial for your brand image.
As for Multi-Domain certificates, they apply to websites that need to secure and certify several domain names.
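The difference between these certificate types is visible in the certificate itself. The following added example (not from the original article) reads the dictionary returned by Python's `ssl.getpeercert()` and reports the likely validation level, the issuing CA and the names covered. The DV/OV/EV guess from subject fields is a heuristic assumed for this example, and the sample certificates are constructed.

```python
import socket
import ssl

def flatten(rdns):
    """Turn getpeercert()'s nested name tuples into a plain dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def describe(cert):
    """Summarise validation level, issuer and covered names of a certificate dict."""
    subject = flatten(cert.get("subject", ()))
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    # Heuristic (assumption of this example): EV subjects carry businessCategory
    # and jurisdiction fields, OV subjects an organisation name, DV only the domain.
    if "businessCategory" in subject or "jurisdictionCountryName" in subject:
        level = "EV"
    elif "organizationName" in subject:
        level = "OV"
    else:
        level = "DV"
    return {"level": level,
            "issuer": flatten(cert.get("issuer", ())).get("organizationName"),
            "names": names,
            "wildcard": any(name.startswith("*.") for name in names)}

def fetch_cert(host, port=443, timeout=5):
    """Live lookup (needs network): the validated leaf certificate as a dict."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed certificates in the shape getpeercert() returns; not real ones.
DV_CERT = {"subject": ((("commonName", "blog.example.com"),),),
           "issuer": ((("organizationName", "Example Free CA"),),),
           "subjectAltName": (("DNS", "blog.example.com"),)}
OV_CERT = {"subject": ((("countryName", "FR"),), (("organizationName", "Example SARL"),),
                       (("commonName", "*.example.com"),)),
           "issuer": ((("organizationName", "Example Paid CA"),),),
           "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "FR"),),
                       (("organizationName", "Example Shop SA"),),
                       (("commonName", "shop.example.com"),)),
           "issuer": ((("organizationName", "Example Paid CA"),),),
           "subjectAltName": (("DNS", "shop.example.com"),)}
```

On a live site, `describe(fetch_cert("your-domain"))` gives the same summary; the encryption negotiated is the same for all three levels, only the identity fields differ.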
Migrating your website to HTTPS for SEO is not strictly necessary, but rather a measure developers take for the sake of comfort and trust. Installing an SSL certificate on your server is not going to significantly boost your SEO or turn your website into an un-hackable fortress (SSL encrypts the connection without securing the server or the browser themselves). Yet, it will make your visitors feel safer when it comes to sharing their personal data with you, be it login details or banking information. Note that 97% of the websites that appear on the first page of Google’s search results are in HTTPS.
One piece of advice: Whatever the solution you end up choosing, the desired certificate, and the Certification Authority selected, don’t run into this migration headfirst without taking time to consider its benefits. And, above all else, take the time you need to make the right call!