Do I Need To Make My Website an HTTPS?
Have you heard Google want you to switch your site to HTTPS?
#updated July 2018 – this is now more important than last year and all sites need to have an HTTPS.
Firstly what is HTTPS?
Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The ‘S’ at the end of HTTPS stands for ‘Secure’. It means all communications between your browser and the website are encrypted. So essentially an https offers a secure method for hosting your website. It’s recongnised by the padlock in the browser bar.
Some background information.
In 2014 Google announced in a campaign that they would start to rank secure pages over unsecure ones. 3 years later and now it’s more than just a ranking issues, Google and many others want the web to be more secure in general. If you think about it we want that too. We all know how our information is taken and stored for re-targetting and it is only going to become more invasive of our surfing activities.
In August 2014 Google had their HTTPS everywhere campaign, they announced HTTPS as a ranking signal.
At first they noted that “for now it’s only a very lightweight signal,” but over time Google “may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.” Then on Sept. 8, 2016 Google announced:
Early this year, 2017, version 56 of the Chrome web browser was released. There is a significant change in the way it displays websites that are not using HTTPS, also known as holding an SSL certificate. This change may confuse your site visitors or surprise you if you are not expecting it.
Starting with the release of Chrome 56 in Januart, any website that is not running HTTPS will have a message appear in the location bar that says “Not Secure” on pages that collect passwords or credit cards. It will look like this:
This may confuse your site visitors who land on your site or sign into it because they may interpret the message to indicate that your website has been compromised. They could also interpret the message to mean that your site has some underlying security issue other than being non-HTTPS. The initial changes will affect websites that collect login and credit card information over http but as Google rolls out their plan to secure web privacy across the internet we can be sure that change is coming soon and it is sensible to get it sorted sooner rather than later.
The nitty gritty of why you should make your site an HTTPS?
Google identifies several reasons to switch to HTTPS in their website migration guide:
- Encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can “listen” to their conversations, track their activities across multiple pages or steal their information.
- Data integrity. Data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
- Proves that your users communicate with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.
- SSL benefit to search rankings. Everyone with a business website wants to achieve strong rankings in the SERPS (search engine results pages) — but it isn’t easy. With literally hundreds of different and evolving criteria used in Google’s algorithm, you want to use every available tool to your advantage. SSL encryption can help your website rank higher in search results.
- Trust: If you have contact forms on your site or need to take any information, seeing the HTTPS and green padlock will add to the trust perception and let potential contacts know their submission is protected and that you are not a fly-by-night operation. Certificate Authorities also offer Trust Seals that you can display on your site. In addition to the padlock and HTTPS in your browser location bar, these graphics give website visitors an additional visual indication that you have SSL encryption in place.
How do you transfer from HTTP to an HTTPS?
There are quite a few steps involved to move to an HTTPS, Google has a guide here. In essence you need to purchase an SSL Certificate, load it onto your website sever then map all the pages / images / content / links ulrs from http to https.
If you like details and want to know more, here is the ‘how’.
Step 1 is to purchase an SSL Certificate.
Types Of SSL Certificate
There are numerous types and brands of SSL Certificate and whilst they all work using the same principle they do offer different features.
Here is a high level overview:
- Domain SSL – Most popular type of SSL. Browser Padlock shows. Domain Name only appears in browser bar. Low cost and instant issue. No paperwork, no waiting. Limited to one domain only. (The type we are offering to install)
- Wildcard SSL – Same as Domain SSL but extends to sub domains of this domain (not available on Extended SSL – see below)
- Organization SSL – More expensive SSL with domain ownership and Company verification required. Usually issued in 1 to 2 business days. Browser Padlock shows with Domain Name & Company Name appearing.
- Extended SSL – Most expensive type of SSL which requires domain ownership and Company verification as well as legal, physical & operational verification required. Usually issued within 3 to 4 business days. Extended validation with green browser bar showing company name.
Step 2 Install SSL Certificate
For the purpose of brevity we will assume that a Domain SSL is being purchased as you are a single person business and are concerned with the installation of the SSL and the switch to HTTPS rather than the vetting procedure of an Organization or Extended SSL.
Your webmaster or hosting company will then create the Certificate Signing Request and perform the installation of the certificate.
To install an SSL your site must have a Dedicated IP address. If your site doesn’t have a dedicated IP address you will need to change your hosting plan or host. Some hosts will do this once you start the installation process.
Step 3 Backup Your Website
As a security measure before redirecting your site to HTTPS we recommend making a full backup of your website.
This is an optional step and is only in case there are any issues and you need to restore your files. As a rule it is sensible to take a back-up of your site regularly.
Step 4 Configure Hard Links In Your Website
Because you are switching from HTTP to HTTPS the internal links in your website need to reflect this otherwise they will return 404 errors (file not found).
If you have a small website you can do this by hand or get a Developer to make these changes.
However, if you have a large site maybe hundreds or even thousands of pages there are tools that can help you to do this very quickly.
Step 5 Update Tools & Code Libraries
This usually won’t apply unless you have a larger, more complex website.
Step 6 Change Any External Links Under Your Control
If you have external websites pointing to your site (i.e. backlinks) you should change any that you have under your control from HTTP to HTTPS. Mostly these will be things like directory listings.
Most of the time they won’t be under your control though but don’t worry about this as you will be making changes later that will redirect any HTTP traffic to HTTPS.
Step 7 Implement 301 Redirects
A 301 redirect is a permanent redirection that you can set up to tell any HTTP traffic to now go to the HTTPS equivalent.
If you are not an experienced Web Professional then this is probably best left to a developer.
Depending on your webserver you will need to setup sitewide direction.
Step 8 Update Links In 3rd Party Tools & Transactional Emails
If you’re using any third party applications such an email marketing tool, marketing automation or Customer Relationship Management tool then you’ll need to run a manual check on any links that you’ve created there to make sure they’re all up to date.
Likewise if you have a billing system your transactional emails such as welcome emails and any invoice emails need to be updated to reflect the change. Of course the redirection you’ve set up previously will forward any HTTP links to the HTTPS equivalent but it’s always more professional to correct these.
Step 9 Update Landing Pages & Paid Search Links
If you have any landing pages setup then these will have been updated automatically by the 301 redirect but for completeness you should double check these.
Also check the links you are using in the paid search tools you are using whether that’s Google, Facebook or whatever.
Also if you use a Landing Page generator then you should update your setting there to reflect the switch.
Step 10 Update Google Search Console & Google Analytics
Finally you need to make sure that you update your Google Search Console (Google Webmaster Tools) by submitting the new HTTPS site as well as re-submitting your SiteMap.
Also don’t forget Google Analytics to make sure that you can get the correct analytics. That’s just a question of setting the ‘Default URL’ to HTTPS.
Switching to HTTPS has a few steps involved. But increasingly security is important and sooner or later you will need to make the switch.
Choose the right sort of SSL for your needs. There are several types and whilst they all work the same there are varying degrees of verification and also the way the browser appears, such as the green browser bar.