HTTPS - What Is All The Fuss About?

HTTPS is part of internet security online

HTTPS is part of internet security online

HTTPS uptake is growing.

Although the internet is amazing for many reasons, one of the negative aspects of the online sphere is security.

It is a priority for search engine companies and web browsers together with a host of web security firms and consumers. It should also be a priority for online businesses.

One way in which website owners and brands can help to protect their site and visitor user experience is by serving their website over a secure protocol connection - HTTPS (may be also known as HyperText Transfer Protocol Secure, HTTP Secure or HTTP over SSL).

Although HyperText Protocol Secure is not 100% flawless, and there are still other steps which you should take to look after security on your site (such as guarding against hackers and password crackers), it does add another layer of security to help prevent interception of data which is sent back and forth via requests in the browser from cyber-attacks.

The purpose of HTTPS is to provide a safer environment for internet users and there is a movement which has picked up steam towards a #HTTPSEverywhere internet environment.

As a result, Google gives a canonical preference to pages competing with others deemed to be equals when the HTTPS protocol is used.  i.e. if all things were equal in a two horse race between pages then the HTTPS page would be given the ranking priority from an SEO perspective.

Likewise, if there is confusion between two URIs which are deemed by Google to be duplicated enough (similarity) to have one of them filtered likely the HTTPS (secure) version will be chosen as 'canonical' (the preferred version) to index in search results.

That said, if the non HTTPS page is not up to the same quality for many other ranking factors, then the HTTPS factor would not give the page a winning advantage.

The HTTPS ranking preference over non HTTPS is an extra incentive for businesses to protect your customers, but it is by no means the only or even anywhere near the most important reason to add HTTPS to a website.

Furthermore, as of January 2017, Google Chrome announced that pages which contained password fields would be marked as 'not secure' to visitors using Chrome as their browser if they were not served over SSL.  For some sites optimized for quick login and with a site-wide password field, this would mean ALL pages on their site would be marked as 'not secure'.

Whilst the ranking differences are minimal, it's safe to say this would likely have quite a negative impact on conversion and loss of visitors.

'Not secure' has negative connotations associated with it, after all; particularly on the internet.

What is HTTPS?

In order for the internet to function, computers need to exchange information for end-users to access a website. The web administrators that designed the internet created HTTP – HyperText Transfer Protocol.

Basically, the HTTP scrambles information using an encryption code. However, once hackers learned the code, they could easily access information that was being transferred. This gave them access to computers of end-users and sensitive information stored on websites.

Web administrators then had to create a new code – HTTPS: HyperText Protocol Secure. The encryption code scrambles the message so that anyone intercepting the information will be presented with a page of gibberish.

HTTPS works by assigning SSL Certificates to the end-user and the website. SSL certificates contain a string of characters that are keys to the code. These keys protect the code and make it much more difficult for hackers to unscramble the information.

There is also growing evidence that a high percentage of the top ranking sites for many many keywords are primarily serving their pages over a HTTPS protocol.  Even more incentive and reason to make the switch.

Why HTTPS is important for your business website

Website security should be a priority for any online business owner (regardless of any SEO benefits). Companies have an obligation to protect sensitive information of customers.

Furthermore, studies consumers trust websites that take measures towards protecting their private information. Not only that, but they want the data protocols of their computers kept safe as well to prevent cyber-attacks.

Online businesses that do not take precautions to strengthen website security it could be argued will increasingly lose potential customers. It is becoming a trend for end-users to bail out of websites if they do not see HTTPS in the URL.  Added to this there is now the 'not secure' warning when visitors use the Chrome browser when loading pages which collect passwords such as login forms and checkouts. This was announced in September 2016 with an introduction to Chrome in January 2017. This could be potentially catastrophic from a conversion optimization perspective for sites which are using site-wide password login for quick sign-in for their visitors as it essentially means that all pages across the site will get the 'not secure' warning in their browser.  We therefore have 'the carrot' (the slight ranking advantage) and 'the stick' (the 'not secure' warning in Chrome) approaches being taken by Google.

According to Google's estimates published in their recent HTTPS transparency report, top websites running HTTPS now account for over 26% of all website traffic worldwide.

Costs of SSL Certificates

SSL certification ranges in price from free (yes, really), right up to a couple of thousand pounds (and sometimes more).

Of course, not all SSL certificates are the same, so it's not merely a case of comparing apples with apples.  'Let's Encrypt' provides a free SSL certificate which has no expiry period and is relatively easy to implement even for the novice webmaster.

Some certification will have a lot more encryption features such as wildcard subdomain encryption coverage (a certificate which covers all potential subdomain variations of a root domain such as aba.rootdomain.com, abb.rootdomain.com, abc.rootdomain.com, and so forth), Extended validation (additional features beyond the basic coverage of one certificate per subdomain), and eliptical curve cryptography.  With the free certification from 'Let's Encrypt' you're unlikely to receive any validation, despite the certificate actually being a valid SSL certificate to implement.

 

What are the different types of SSL Certificate?

There are several different types of SSL certificates with varying criteria you must meet in order to obtain them:

Domain Validation (DV) Certificates

Domain validation is the most basic type of SSL Certificate. It enables a website owner to validate a domain name and can be obtained within a matter of minutes.

Security measures for this type of SSL Certificate are minimal and only suitable for blogs or hobby websites.

Organisation Validation (OV) Certification

The Organisation Validation is the minimum recommendation for business websites that invite customers to purchase products online. The certificate is obtained by means of a Certificate Authority.

This SSL certificate is recommended for small businesses that use a payment portal such as PayPal.

Organisation Validation certificates only offer limited protection, but because payment gateways have their own SSL certificates,

OV certificates are okay to use if only to instil trust in end-users.

Extended Validation (EV) Certification

Extended validation is the highest-class of SSL certificate and should be used where transactions are being exchanged.

EV certificates requires website owners to go through an extensive verification process to prove they have exclusive rights to a domain and confirm it is a legal business.

Other SSL Certificates

The SSL certificates mentioned above are the three classes of certificates that provide protection. But SSL certificates also come in various single and multi-domain packages.

Single domain SSL certificates only protect one website. There is also a wildcard SSL certificate that secure unlimited sub-domains for single domain servers.

Businesses that have more than one domain or subdomain will need a multi-domain SSL certificate that can protect up to 100 domains.

Corporations will probably need a Unified Communications Certificate which will secure office communications environments including sensitive business data that is being passed via email.

In addition to the free SSL certification available through 'Let's Encrypt' there are other ways to get free SSL version's of your site - via CDN's (Content Delivery Networks) such as the ecommerce platform Shopify, or via the likes of Cloudflare CDN which force serving via the HTTPS protocol over the non-secure HTTP version of URIs.

Watch Out For Mixed Content

When adding an SSL to your site and migrating across to a HTTPS Protocol, it's important that you avoid 'mixed content'.  'Mixed content' means that whilst you are serving your pages over HTTPS you are also including some types of other content within those pages which are not being served over a HTTPS connection.  These are frequently such items as images which may have a source in their URL which is HTTP rather than HTTPS or javascript and CSS files, or even images in those CSS files.  'Mixed content' could even refer to third party calls to scripts which you are loading from unsecure connections.

One of the main issues with 'mixed content' is that it essentially invalidates your HTTPS secure page so that it is not actually considered HTTPS at all.  You won't get the green 'Secure' in your Google Chrome browser unless the page is fully HTTPS and does not include mixed content at all.

You'll also find that if you have mixed content any pages which you had validated for AMP (accelerated mobile pages) will also now not be considered HTTPS once mixed content appears in them.  This could be quite a big deal if you have many AMP pages driving traffic, because as soon as pages are not secure they are no longer eligible to be added to the AMP carousel at all, nor be indexed as AMP pages in Google's search results.  For a large news site this could be very costly, as there is increasing evidence that AMP pages drive 'bonus' extra traffic and help with retention on page (dwell time), and also additional page view time.

You can identify which are the offending items of 'mixed content' by using the Chrome developer tools in your browser.  Visit the top of the browser in Chrome (3 dots on the top right hand corner), and then select 'more tools' from the drop down menu, followed by 'developer tools'.  The console will then appear on the right hand side so that you can see a list of calls being loaded in the page.

Mixed content is highlighted and will say 'Mixed content'.

A full explanation of the issue will also be available in the console.

You can then drill down and visit the items that are listed and update the protocol for delivery of that content to a HTTPS protocol.

It's worth nothing that 'mixed content' is one of the most easily fixed but most common ecommerce SEO mistakes we see.

Make HTTPS A Priority For Your Site

If your website URL does not have HTTPS, put it on your list of priorities, otherwise in time it will increasingly negatively affect your visibility in search engines as more and more competitors make the switch.  Not only that, but your customers are more susceptible to cyber-attacks. And you don’t want to lose trust with online shoppers.

Cyber-attacks are bad for online businesses. If consumers cannot trust your firm to protect them against hackers, they will not visit your website. They certainly won’t enter their bank details to purchase your products or services over time as warnings continue to appear.

If you're looking for help and advice on migrating your website to HTTPS and ensuring that your site doesn't take a tumble when doing so for SEO, contact us.  We've worked on a number of successful switches to the SSL versions of sites for clients and know which steps to undertake and in which order.

We've dealt with many HTTPS protocol switches for clients and we understand the process and the best steps to take.  We'll usually offer to carry out an audit of your existing situation and formulate a step by step strategy to make the switch.

Data security is a serious issue for website owners. And with the rise of cybercrime posing a threat to online businesses, it is important to take the correct measures to protect sensitive business data.

This is particularly the case for online businesses that receive online payments.

Although even personal data such as email addresses should be protected.

If you fail to protect the personal data of your customers, the repercussions will be very damaging for your business.

So what measures can you take to protect sensitive data?

Anti-virus and anti-malware technology is a good start.

But search engine administrators have also created various SSL certificates that provide an extra layer of security.

What are SSL certificates?

Secure Sockets Layer (SSL) certificates are encrypted data files that bind an organisation’s details in a cryptic lock.

The SSL certificates contain a public key which is shared with end-users to enable HTTPS and access a website.

Only the website owner and the end-user has access to the public key. Anyone trying to intercept data being passed between a website and the computer of the end-user will find a scrambled message which is unreadable.

In essence, SSL certificates provide websites with an extra layer of security that is designed to protect end-users.

However, there are various types of SSL Certificates and not all of them provide the level of security businesses need to prevent consumer data being compromised.

 

Does Having a Valid SSL Certificate Help With SEO?

Google has confirmed many times there is no ranking benefit to be gained currently merely by having an SSL certificate in place and serving pages by a valid HTTPS protocol.

However, Google Chrome has already displayed the 'not secure' warning in the browser for some time (since January 2017) on pages which require a password or ask for payment entry.

In coming months this will be extended to all pages served over a non-SSL protocol.

This alone, whilst not affecting rankings per say, will indeed have an impact on whether visitors browse away from the site quickly as it is likely many will react negatively to the not-secure warning appearing in Google Chrome.

Whilst strictly speaking switching to HTTPS serving rather than non HTTPS serving is not a site move, but is instead a switch of protocol, not all switches go well and a lot of brands have seen drops in rankings in search engines which directly correlated with the switch to HTTPS from non-HTTPs.

If you're looking to switch across to HTTPS and wanting some advice on how best to move across without impacting your current search engine visibility in organic search engine rankings, contact us.