This time last year we made a list of SEO trends for 2015, mentioning Google’s HTTPS Everywhere initiative as one of the ideas that were to become more important for webmasters in the following years. First announced back in August 2014 at Google’s I/O Conference, this initiative was designed to stimulate a wider adoption of HTTPS and highlight the significance of website security.
Namely, last year Google introduced HTTPS as a lightweight search signal in an attempt to raise awareness of online security issues and encourage more webmasters to get SSL certificates for their websites. The idea was to make the web a safer place by ensuring secure server connections and maximum privacy for online users. With this goal still in focus, Google decided to further improve online safety by allowing search engines to crawl HTTPS pages by default. As announced on the Google Online Security blog earlier in December, the company is taking a major step toward making the HTTPS Everywhere idea actually happen:
“Today we’d like to announce that we’re adjusting our indexing system to look for more HTTPS pages. Specifically, we’ll start crawling HTTPS equivalents of HTTP pages, even when the former are not linked to from any page.”
Unlike before, HTTPS pages will now have an actual boost in search and will be shown to users by default. What this means for webmasters is that they need to ensure they’ve implemented security certificates properly to provide the best possible experience for visitors and retain their search positions.
Google on moving to HTTPS
With HTTPS becoming a more relevant search ranking factor, getting an SSL certificate and implementing it properly are a greater imperative for webmasters in 2016. As suggested by Google’s John Mueller, this might take some time (and money, too) to get right, but will eventually bring the necessary stability to the entire web world – one website at a time.
HTTPS takes time (& sometimes money) to set up, but it's the best we have & where the web is moving; you can't hide from it forever.
— John Mueller (@JohnMu) December 18, 2015
Now, to actually move to HTTPS, you need to work with a trusted provider and typically pay a little extra to get the necessary security. For companies that are aware of the importance of protecting customers’ data, this should not be an issue and is only a logical step in the process of improving user experience. However, while most companies aren’t willing to compromise on security, the additional cost seems to be a justified concern for some smaller companies. To those who brought up this issue on Twitter, John Mueller replied with a witty comment:
@rchtjn Well, turning the website off saves money too.
— John Mueller (@JohnMu) December 18, 2015
Though perhaps not the most actionable advice to give to a startup owner worried about the costs of shifting to HTTPS, Mueller’s answer implies the value of taking this step. Namely, security is becoming a growing concern and everyone – from end users to website owners – needs to work on this in order to create a safer web. After all, compromising on security may turn out to be costlier than getting an SSL certificate if a major data breach occurs. Therefore, SSL represents a long-term data protection strategy and as such should be a focus for webmasters in the following years.
What is SSL?
SSL stands for Secure Sockets Layer, a standard encryption technology used to transfer data from a user’s browser to the web server. Websites use SSL encryption to prevent hackers from intercepting and misusing the data users leave on a website (via checkout pages, as well as registration or contact forms). SSL largely functions using public and private encryption keys: the former is used to scramble the information, while the latter decrypts it, so that it cannot be read by someone monitoring the transmission.
On a website, the secure transfer via a standard SSL certificate is marked with https:// in front of the website URL in the address bar, as opposed to http:// that represents a standard protocol on websites that do not use SSL. When a person visits a https:// page, therefore, his or her communications, data and transactions are safe from potential information skimming or sniffing. Quite logically, this is particularly important for company and ecommerce websites that collect personal information, where the use of SSL certificates is a matter of corporate credibility.
Key considerations when getting an SSL certificate
Having an SSL certificate on a business website can largely shape the way consumers perceive the company. However, SSL certificates come in different forms and there are several things that need to be taken into consideration when choosing the right one. In a brief guide on the topic, Google suggests the following:
1. Use SSL certificates issued by trusted Certificate Authorities in order to protect visitors from potential man-in-the-middle attacks. The certificate authorities are associated with legal regulations and aim to verify the website as a trusted resource.
2. Decide on which type of certificate you need: single, multi-domain or wildcard certificate.
3. Use 301 redirects to point both users and search engines to the https pages.
4. Use protocol relative URLs to minimize the possibilities of serving 404 pages when a user lands on a URL loaded from a development environment.
5. Use a web server that supports HSTS (HTTP Strict Transport Security).
6. Test your pages using Qualys SSL/TLS.
These are just some of the key steps in the whole process of shifting to HTTPS and simply getting a certificate is not enough to actually provide secure communications. Namely, after choosing the right SSL provider and obtaining the certificate, there is a set of steps that need to be taken on a website in order to ensure Google will index it properly.
Setting up HTTPS
If you need help with setting up your SSL certificate, contact us.
Depending on your hosting provider, as well as the web hosting management panel you use, you would need to find the proper instructions on your host’s website and follow them to make sure you did the installation steps right. Setting up all the pages to point to the https versions typically involves only several clicks, but this doesn’t mean it should be taken lightly. Namely, you need to check server settings to properly redirect all URLs to point to their https versions by editing the htaccess file of your website. As suggested by the Yoast developers, the whole process should more or less consist of the following:
1. Redirect your server to point to https instead of http.
3. Set SSL for your CDN.
4. Consider setting Google’s SPDY networking protocol to make your site faster.
Of course, this may not immediately result in a significant traffic boost, but will definitely bring various benefits long term. More importantly, the shift to HTTPS is not relevant for SEO only. As online security becomes a more and more important issue for online users worldwide, companies need to make sure they’re doing everything they can to ensure maximum security for their users.
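The 301 redirect and HSTS steps from the two lists above can be verified once the switch is made. The following Python check is an added example, not code from Google, Yoast or this article; the function names, the sample responses and the 180-day max-age threshold are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

MIN_MAX_AGE = 15552000  # 180 days in seconds; threshold assumed for this example

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a small policy dict."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "max-age" and re.fullmatch(r'"?\d+"?', arg):
            policy["max_age"] = int(arg.strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def audit(url, http_response, https_response):
    """Return findings for one URL (empty list = pass). Responses are
    (status, headers) pairs seen by a client that does not follow redirects."""
    findings = []
    status, headers = http_response
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    src, target = urlsplit(url), urlsplit(location)
    if status != 301:
        findings.append(f"http answered {status}, expected a permanent 301")
    if target.scheme != "https":
        findings.append("redirect does not point to an https URL")
    elif (target.hostname, target.path) != (src.hostname, src.path):
        # Assumption: the https page keeps the same host and path.
        findings.append("redirect does not lead to the https equivalent")
    _, secure_headers = https_response
    hsts = {k.lower(): v for k, v in secure_headers.items()}.get(
        "strict-transport-security")
    max_age = parse_hsts(hsts)["max_age"] if hsts else None
    if max_age is None:
        findings.append("no usable HSTS policy on the https response")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"HSTS max-age of {max_age}s is below {MIN_MAX_AGE}s")
    return findings

# Constructed sample observations, not captured from any real site.
GOOD = audit("http://example.com/shop",
             (301, {"Location": "https://example.com/shop"}),
             (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
BAD = audit("http://example.com/shop",
            (302, {"Location": "https://example.com/"}),
            (200, {"Strict-Transport-Security": "max-age=300"}))
```

The second sample fails all three checks: a temporary 302 instead of a 301, a redirect that sends every page to the homepage, and an HSTS lifetime of only five minutes.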
Additionally, as pretty much everyone knows, SSL certificates can be pricey. Because the web deserves free and uncompromised security, Let’s Encrypt (a joint initiative of plenty of big names in the web industry) started operating about a month ago in a public open beta of its service.
Let’s Encrypt offers clients (there are packages for a couple of the most popular operating systems), along with some third-party clients available on GitHub, which are able to automatically generate and renew certificates at a designated time, saving you both money and time.
Be cool, let your sys admin know and help support the open web while saving some cash! Win-win!
While the wider use of HTTPS can have some evident benefits for the future of the web, many website owners see the “imposed” transition as an unnecessary burden and extra cost. It is true that a large number of websites do not have checkout pages or any other data collection forms, so they may not really need to spend extra to secure web server communications. For them, getting an SSL certificate is an additional cost and potentially a technical hurdle.
In relation to this, Luanna Spinetti collected influencers’ thoughts in order to discover whether there is a considerable value in moving to HTTPS. Quite expectedly, the opinions varied with most respondents pointing to the general necessity for improving web security, while emphasizing the fact it’s up to individuals to determine whether this step would be worthwhile for their own websites. Lukasz Zelezny of Zelezny.uk notes:
“Do I think HTTPS is necessary? Not really unless you are asking your website’s visitors for confidential information or taking payments through your site. However, in the future it could mean the difference between a page ranking at number 1 or number 2 in search – this makes it necessary.”
From this perspective, it is clear that not all websites need SSL at this moment. However, this is the general direction in which the SEO world is moving and is certainly an important thing to consider. This is illustrated by the case of The Washington Post, which took months to redirect all their pages to the encrypted versions. In a story of the magazine’s ten-month-long transition to https, Will Van Vazer pointed out all the challenges of the process, emphasizing the fact that it was worth it after all.
For a publication as large as The Washington Post, it would be expected to face a set of challenges some smaller websites should not be concerned with at all. In fact, as John Mueller pointed out in relation to this undertaking, this only means that the transition to the https is not just a buzz, but actually an important step in ensuring the credibility of a website.
“If it takes 10 months for a big site to move to HTTPS, you can assume they’re not just doing it to follow a fad,” says Mueller adding that “Moving to HTTPS is getting easier and easier, especially for smaller sites, but even then, there are details that you sometimes have to find solutions for along the way. This post covers some of the challenges the Washington Post had along the way.”
Although evidently a technical thing, setting up SSL on a website does not necessarily have to be that complex or expensive. CloudFlare, for example, has been giving free certificates to their customers since late 2014 with the aim of encouraging a wider adoption of the company’s Universal SSL. Therefore, all website owners who think that the transition to HTTPS makes sense for their business can find easy and affordable ways to do it.
In addition to the SEO value, however, there are various other reasons why SSL should be implemented. After all, getting a certificate for SEO reasons only is not what Google actually tried to encourage. The importance of securing the website has to do with providing excellent user experience and this should be a primary motivation for webmasters to implement it.
Beyond the SEO value: security for business benefits
The importance of using SSL seems to have been making headlines only after Google decided to treat it as a ranking signal. Nevertheless, its role in improving a business’s reputation was vital even before it became one of the search ranking factors. Namely, this form of security practice may paint a better picture of a company or website, which helps in maintaining a stable reputation online.
When it comes to actual user perceptions of secure protocols, different reports show that internet users generally pay insufficient attention to online security despite the fact they express concerns about this issue. When it comes to SSL, however, it could be assumed that an average user is unfamiliar with the technical jargon related to it, as pointed out in a related study by researchers from Carleton University in Canada and National Research Council in Canada. The study showed that people make little distinction in their decision making between websites that use SSL and those that don’t. According to them, this is especially important for the browser Chrome, where little space is available for showing security cues.
On the other hand, when a proper trust badge is placed anywhere on a website, users feel more secure entering their personal information on it. Some websites decide to place this badge in the footer section and especially on product pages, where users are required to leave their data and make a transaction (on ecommerce websites).
Therefore, despite the fact that average internet users make little distinction between the http:// and https:// protocols, companies should consider using the latter to prevent data loss and gain users’ trust. With people gradually becoming aware of online data security and privacy issues, business websites need to raise the standards in this respect. Coupled with better search rankings, SSL implementation obviously offers multiple benefits and should be seen as a strategic activity for all modern companies.
With billions of commercial websites now serving the global market and collecting users’ personal data in one form or another, employing sufficient security practices is essential for a successful digital strategy. One of the most important web security measures, SSL has long been established as an industry standard in the US and other countries, and is now gaining more attention as one of Google’s search ranking factors. For the SEO world, this means that more webmasters will need to consider improving their website security practices and thus directly improve users’ experience.
Have you moved to https yet? As a webmaster, what do you see as the major challenge in this process?