HTTPS – What Is All The Fuss About?

HTTPS uptake is growing. Although the internet is amazing for many reasons, one of the negative aspects of the online sphere is security. It is a priority for search engine companies and web browsers together with a host of web security firms and consumers. It should also be a priority for online businesses.

One way in which website owners and brands can help to protect their site and visitor user experience is by serving their website over a secure protocol connection – HTTPS (also known as HyperText Transfer Protocol Secure, HTTP Secure or HTTP over SSL). Although HyperText Transfer Protocol Secure is not 100% flawless, and there are still other steps which you should take to look after security on your site (such as guarding against hackers and password crackers), it does add another layer of security to help prevent data sent back and forth via requests in the browser from being intercepted in cyber-attacks.

The purpose of HTTPS is to provide a safer environment for internet users, and there is a movement which has picked up steam towards a #HTTPSEverywhere internet environment. As a result, Google gives a canonical preference to pages competing with others deemed to be equals when the HTTPS protocol is used, i.e. if all things were equal in a two horse race between pages then the HTTPS page would be given the ranking priority from an SEO perspective. Likewise, if there is confusion between two URIs which are deemed by Google to be duplicated enough (similarity) to have one of them filtered, the HTTPS (secure) version will likely be chosen as ‘canonical’ (the preferred version) to index in search results. That said, if the HTTPS page is not up to the same quality as the non-HTTPS page for many other ranking factors, then the HTTPS factor would not give the page a winning advantage. The HTTPS ranking preference over non-HTTPS is an extra incentive for businesses to protect their customers, but it is by no means the only or even anywhere near the most important reason to add HTTPS to a website.

What is HTTPS?

In order for the internet to function, computers need to exchange information for end-users to access a website. The web administrators that designed the internet created HTTP – HyperText Transfer Protocol.

Basically, HTTP scrambles information using an encryption code. However, once hackers learned the code, they could easily access information that was being transferred. This gave them access to computers of end-users and sensitive information stored on websites.

Web administrators then had to create a new code – HTTPS: HyperText Transfer Protocol Secure. The encryption code scrambles the message so that anyone intercepting the information will be presented with a page of gibberish.

HTTPS works by assigning SSL Certificates to the end-user and the website. SSL certificates contain a string of characters that are keys to the code. These keys protect the code and make it much more difficult for hackers to unscramble the information.

There is also growing evidence that a high percentage of the top ranking sites for many keywords are primarily serving their pages over an HTTPS protocol. This is even more incentive and reason to make the switch.

Why HTTPS is important for your business website

Website security should be a priority for any online business owner (regardless of any SEO benefits). Companies have an obligation to protect sensitive information of customers.

Furthermore, studies show consumers trust websites that take measures towards protecting their private information. Not only that, but they want the data protocols of their computers kept safe as well to prevent cyber-attacks.

It could be argued that online businesses that do not take precautions to strengthen website security will increasingly lose potential customers. It is becoming a trend for end-users to bail out of websites if they do not see HTTPS in the URL. Added to this, there is now the ‘not secure’ warning shown to visitors using the Chrome browser when loading pages which collect passwords, such as login forms and checkouts. This was announced in September 2016 with an introduction to Chrome in January 2017. This could be potentially catastrophic from a conversion optimization perspective for sites which are using site-wide password login for quick sign-in for their visitors, as it essentially means that all pages across the site will get the ‘not secure’ warning in their browser. We therefore have ‘the carrot’ (the slight ranking advantage) and ‘the stick’ (the ‘not secure’ warning in Chrome) approaches being taken by Google.

According to Google’s estimates published in their recent HTTPS transparency report, top websites running HTTPS now account for over 26% of all website traffic worldwide.

Costs of SSL Certificates

SSL certification ranges in price from free (yes, really), right up to a couple of thousand pounds (and sometimes more).    Of course, not all SSL certificates are the same, so it’s not merely a case of comparing apples with apples.  ‘Let’s Encrypt’ provides a free SSL certificate which has no expiry period and is relatively easy to implement even for the novice webmaster.

Some certification will have a lot more encryption features such as wildcard subdomain encryption coverage (a certificate which covers all potential subdomain variations of a root domain such as aba.rootdomain.com, abb.rootdomain.com, abc.rootdomain.com, and so forth), extended validation (additional features beyond the basic coverage of one certificate per subdomain), and elliptic curve cryptography. With the free certification from ‘Let’s Encrypt’ you’re unlikely to receive any validation, despite the certificate actually being a valid SSL certificate to implement.

In addition to the free SSL certification available through ‘Let’s Encrypt’ there are other ways to get free SSL versions of your site – via CDNs (Content Delivery Networks) such as the ecommerce platform Shopify, or via the likes of Cloudflare CDN which force serving via the HTTPS protocol over the non-secure HTTP version of URIs.

Watch Out For Mixed Content

When adding an SSL certificate to your site and migrating across to an HTTPS protocol, it’s important that you avoid ‘mixed content’. ‘Mixed content’ means that whilst you are serving your pages over HTTPS you are also including some types of other content within those pages which are not being served over an HTTPS connection. These are frequently items such as images whose source URL is HTTP rather than HTTPS, JavaScript and CSS files, or even images referenced in those CSS files. ‘Mixed content’ could even refer to third party calls to scripts which you are loading from unsecure connections.

One of the main issues with ‘mixed content’ is that it essentially invalidates your HTTPS secure page so that it is not actually considered HTTPS at all.  You won’t get the green ‘Secure’ in your Google Chrome browser unless the page is fully HTTPS and does not include mixed content at all.

You’ll also find that if you have mixed content any pages which you had validated for AMP (accelerated mobile pages) will also now not be considered HTTPS once mixed content appears in them.  This could be quite a big deal if you have many AMP pages driving traffic, because as soon as pages are not secure they are no longer eligible to be added to the AMP carousel at all, nor be indexed as AMP pages in Google’s search results.  For a large news site this could be very costly, as there is increasing evidence that AMP pages drive ‘bonus’ extra traffic and help with retention on page (dwell time), and also additional page view time.

You can identify which are the offending items of ‘mixed content’ by using the Chrome developer tools in your browser.  Visit the top of the browser in Chrome (3 dots on the top right hand corner), and then select ‘more tools’ from the drop down menu, followed by ‘developer tools’.  The console will then appear on the right hand side so that you can see a list of calls being loaded in the page.

Mixed content is highlighted and will say ‘Mixed content’. A full explanation of the issue will also be available in the console. You can then drill down and visit the items that are listed and update the protocol for delivery of that content to an HTTPS protocol.

Make HTTPS A Priority For Your Site

If your website URL does not have HTTPS, put it on your list of priorities, otherwise in time it will increasingly negatively affect your visibility in search engines as more and more competitors make the switch.  Not only that, but your customers are more susceptible to cyber-attacks. And you don’t want to lose trust with online shoppers.

Cyber-attacks are bad for online businesses. If consumers cannot trust your firm to protect them against hackers, they will not visit your website. They certainly won’t enter their bank details to purchase your products or services over time as warnings continue to appear.

If you’re looking for help and advice on migrating your website to HTTPS and ensuring that your site doesn’t take a tumble when doing so for SEO, contact us.  We’ve dealt with many HTTPS protocol switches for SEO clients and we understand the process and the best steps to take.