Introduction to HTTPS
Every day we share our personal information with different websites whether it’s making a purchase or simply logging in. In order to protect the data which is transferred, a secure connection needs to be created. Sites like BBC, Amazon, Ebay, Facebook and John Lewis all use a secure connection to protect your data. Generally you probably won’t notice it.
However, this is achieved using SSL (Secure Socket Layer) and HTTPS (or Secure HTTP). HTTPS is an encryption method that secures the connection between a user’s browser and your web server. This makes it harder for hackers to eavesdrop on the connection and steal personal information.
For example can you see the HTTPS element in the following web addresses:
Also you can see this and the green padlock icon which indicates that HTTPS is active in the attached image from the BBC.
Typically, if you’re not running an e-commerce store where you’re collecting payment info directly on a page, you won’t have come across HTTPS in the context of your own website since most small business websites are generally informative and don’t require the users to enter particularly sensitive information, so most website owners have not bothered about HTTPS in the past.
About 2 years ago Google announced they would favour HTTPS secured sites over standard HTTP versions in search results. At the time it was considered to be relatively little value in terms of additional favourable weighting, with many people suggesting the HTTPS bonus in search results was as little as 1% versus regular HTTP only sites, so consequently only larger more affluent businesses adopted the standard.
Moreover, as installing HTTPS is extra work – and therefore a hard cost to you with little tangible benefits in the past, we’ve had no cause to recommended it to date.
However due to impending changes in web-based security standards driven by companies like Google we need to alter that advice now.
Why do we need SSL and HTTPS now?
Google has announced that as of version 70 of Chrome which is due for release in October 2017 users (which includes all Android phones) will receive a ‘NOT SECURE’ message when visiting any page that contains enquiry forms on your website, whether it’s for completing a business enquiry or simple site searches. Eventually over time, this message will appear on every page.
We also understand other browsers like Firefox (who already tag insecure login forms with a warning) will follow suit in the very near future. Google have stated now that this is the first step in their long-term plan to mark all pages served through HTTP as ‘NOT SECURE’.
The result of this means that eventually every page on a standard website will be marked as ‘NOT SECURE’ if we do not implement HTTPS. This warning it seems will ultimately appear in search results on Google (as per the warnings about ‘non mobile-friendly’ sites) and therefore visitors will be given a warning about your site before they visit it.
As you can imagine, those warnings will be extremely off-putting for potential customers and the majority will naturally select to visit only websites and pages that do not display security warnings. As a consequence we see no alternative but to build all new websites from October onwards with HTTPS as standard, and to offer a service to retro-fit HTTPS into existing sites like yours.
You can read more about Google’s advice on securing your site with HTTPS here: https://support.google.com/webmasters/answer/6073543
Additionally the perceived rank position bonus in organic Google search results is considered to now become more significant from late 2017 into 2018, with various industry commentators saying it could be as much as 5% or even 10% uplift. Google have stated that this benefit will grow inline with adoption increases.
Currently it’s estimated that less than 15% of small business like yours are running on HTTPS. The good news I suppose amongst this then is that this is an opportunity to get ahead of your competition who will be slow to react to this industry pressure due to lack of awareness, cost and hassle.
So what’s involved and what’s the cost of moving to HTTPS?
Firstly you’d need to acquire an SSL certificate for each domain or website. Premium certificates can be bought on your behalf from certified issuing authorities and they authenticate your site as owned by you and therefore mark it as ’trustworthy’. Alternatively there are free certificates available now from projects like https://letsencrypt.org/ which are more than adequate for informational and marketing sites.
Once the SSL certificate is installed and configured correctly your site, it will display a small green padlock in the top address bar confirming this is the case as per the picture above. You can visit facebook.com to see this – or indeed on this site where I’ve already installed HTTPS.
Your site will then need to be configured to run using the new HTTPS standard. Every page will need to be checked manually – and where necessary – particular elements including every link, all images and source code will need to be changed to utilise the HTTPS format.
Then, once the technical changes are complete, we will need to treat the change from HTTP to HTTPS as a whole ‘site move’ for SEO purposes, which can affect your search engine ranking adversely if done badly. This includes writing redirects for every page, post and image – so that inbound links and search engine ranks are not lost.
This is because every url will now be different, for example: http://www.google.co.uk > becomes > https://google.co.uk
You can read about what’s involved in a ‘site move’ here: https://support.google.com/webmasters/answer/6033049
As every website is different, the technical challenges and time to complete the process are hard to quantify up front, and for larger sites this can be particularly complicated. The process can take anywhere from a few hours to a couple of days to complete and test depending on the site structure, content, page count and other factors like the specific software running on it.
This configuration and installation service is generally a one-off cost.
Benefits of moving to HTTPS
At this stage there are now 4 advantages in moving to HTTPS:
1. Avoid the new security warnings appearing for visitors on your website pages from October.
2. Avoid search engine results warnings.
3. To get a rank boost from Google in natural search results (35% of all page 1 results are now HTTPS, and the search bonus could rise to ~10%)
4. Gain an immediate advantage over majority of competitors who will respond slowly
How to move to HTTPS
The process is transparent and requires no action on your part.
In view of the benefits versus the inevitable pitfalls, we recommend you consider this an important priority when budgeting for the year ahead, and absolutely essential for the medium to long term.
Once again, if you have any questions or would like links to further reading on the subject, please get in touch.