A few weeks ago Google officially announced that HTTPS would now become a ranking signal, meaning that websites using secure encryption may get a certain boost in Google rankings.
For now HTTPS is said to be a "lightweight signal", given less importance than numerous other quality factors, but Google admits it may become stronger over time:
The news is shaking up the SEO industry and has drawn sharply divided opinions. To help you decide whether switching to HTTPS is a good solution for your website, we've created a short guide that explains:
- What HTTPS is;
- Who should use it;
- How it may affect your SEO;
- And what pros and cons there are in switching to HTTPS.
So, let's take a closer look at HTTPS.
What is HTTPS?
HTTPS is a secure method of exchanging information across the Web that uses several extra means to protect the transferred data.
Normally (with the commonly used HTTP protocol), browsers and web servers exchange data in plain text, leaving you vulnerable to eavesdropping: an attacker is able to intercept your data, and then see and use it.
When sent via a "secure" HTTPS version of the protocol, your data gets protected by:
1. Encryption — encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can "listen" to their conversations, track their activities across multiple pages, or steal their information.
2. Data integrity — data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
3. Authentication — proves that your users communicate with the intended website. It protects against man-in-the-middle attacks.
This way HTTPS ensures you can safely send personal data online (like credit card information, login details and so on) without the risk of it leaking to a third party.
For protecting the transferred data, HTTPS uses SSL technology. So, to enable HTTPS for your website, you need to get an SSL Certificate (usually on a paid basis) and install it on the server.
Does my website need HTTPS?
For any site that takes transactions, like e-commerce stores and payment gateways, using HTTPS has long been standard. And if you're not yet offering this protection to your users, you'd better do that as soon as possible.
For websites collecting personal information for account login, comments, email subscription and so on, HTTPS is a good practice, and can help you build user trust.
For a purely informational website, without any sensitive data transferred, there's no direct need for HTTPS, though it can to some extent protect your visitors from phishing and other scam practices.
Do I need HTTPS sitewide?
Even though HTTPS is already used by thousands of websites, quite a common tendency for many of them is to protect only separate checkout or login pages, rather than the entire site.
While this approach is definitely better than not having HTTPS at all, here are some cons of not having HTTPS on your entire site:
- Users' session IDs and cookies cannot be protected. With partial HTTPS protection, when a user switches from HTTPS to HTTP, his session ID and cookies must be transmitted in the clear, and thus can be intercepted and used to impersonate your users (like in the Firesheep case).
- Users may end up entering their credit card or login details on another website. Not protecting your landing page with HTTPS, or protecting only the "Submit" form on the submission page, leaves criminals an opportunity for a man-in-the-middle attack: they can intercept the unsecured pages of your site and lead your customers to fake submission forms instead of the intended ones.
Another case against partial HTTPS implementation (if you're only planning a move to HTTPS) is that setting up the switch from HTTPS to HTTP within one website may itself be complicated. And, when set up improperly, it may often result in scary error messages popping up for your users.
Note: if you decide to use HTTPS only on the submission pages, make sure none of them escapes your attention. If you're setting HTTPS protection for a login page, make sure you also set it for password reset pages, and so on.
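The session-cookie exposure described above can be checked from the `Set-Cookie` headers a login page returns. The following is an added example, not code from the original guide: it models only the cookie `Secure` attribute (no Domain, Path or expiry handling), and the cookie names, values and URLs are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers returned by an HTTPS login page.
LOGIN_SET_COOKIE = [
    "sessionid=3f9a1c; Path=/; HttpOnly",   # no Secure flag
    "csrftoken=77be20; Path=/; Secure",
    "theme=dark; Path=/",
]

def parse_set_cookie(header):
    """Return (name, has_secure_flag) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return name, bool(morsel["secure"])

def cookies_attached(set_cookie_headers, url):
    """Names of cookies a browser would attach to a same-site request for url.

    Simplified model: a cookie marked Secure is only sent over https://,
    every other cookie is sent over both http:// and https://.
    """
    is_https = urlsplit(url).scheme == "https"
    sent = []
    for header in set_cookie_headers:
        name, secure = parse_set_cookie(header)
        if is_https or not secure:
            sent.append(name)
    return sent

def exposed_in_clear(set_cookie_headers, http_url, sensitive_names):
    """Sensitive cookies that would travel unencrypted to an http:// page."""
    sent = cookies_attached(set_cookie_headers, http_url)
    return [name for name in sent if name in sensitive_names]

if __name__ == "__main__":
    # The user logs in over HTTPS, then follows a link to a plain HTTP page.
    print(exposed_in_clear(LOGIN_SET_COOKIE,
                           "http://example.com/products", {"sessionid"}))
```

On a partially protected site, marking the session cookie `Secure` stops the leak but also means the HTTP pages no longer see the session, which is one more argument for sitewide HTTPS.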
Will HTTPS boost my rankings?
Ever since the "HTTPS ranking signal" announcement, fears spread that not having an SSL certificate can now push your site down in Google results, making many website owners start moving their sites to HTTPS without proper research and understanding.
Yet you need to remember that for now HTTPS is considered only a "very lightweight signal" that can potentially give you a tiny rank advantage (together with a set of some 200+ other SEO signals), rather than push you to the top of Google.
If transitioning to HTTPS would be relatively easy for you or important for your business (i.e. e-commerce), then by all means make the switch.
However, if it would be quite difficult to convert to HTTPS, it may not be worth the burden, and you can surely find more effective SEO techniques to implement.
Pros and cons of switching to HTTPS
HTTPS protects your users from man-in-the-middle attacks and other forms of unauthorized eavesdropping and tampering.
SSL certificates cost money and have to be renewed and maintained.
Note: The price ranges tend to vary here, so you may find a reasonably priced solution (sometimes a shared SSL if it is provided by your hosting).
- Industry standards
Online businesses that handle cardholder information can use this website security as a way to comply with the PCI DSS (Payment Card Industry Data Security Standard).
- Dedicated IP address
Each SSL certificate requires its own private IP address.
Note: If your server supports SNI (Server Name Indication) you may go with a shared IP. Yet you have to realize that SNI is not supported by some older browsers (e.g. IE on Windows XP).
With a growing awareness of online fraud, many internet users will simply refuse to buy anything from an online merchant that doesn't encrypt their transactional data.
- Site slowdowns
Encrypting and decrypting information requires extra server processing power and thus can slow down your website.
The HTTPS padlock icon in the address bar has become a symbol of trust, and can boost your brand's image as a trustworthy source.
- Redirect difficulties
If you have little or no experience in server configuration, the process of properly redirecting all your content to HTTPS may be complex.
— Proper canonicalization lets you avoid duplicate content issues.
— All HTTP URLs have to be permanently redirected to HTTPS with a 301 redirect.
— Any absolute internal links within your website need to be edited into HTTPS URLs or into relative URLs (e.g. <img src="//domain.com/img/logo.png">).
- Google rankings
Even though it is a small signal for now, HTTPS can potentially have an increasing effect on your search engine visibility.
- Lost social signals
Most social signals you've earned will be lost in the move.
- Some external apps do not support HTTPS
For instance, some WordPress plugins may not work properly on the HTTPS version of your site.
Note: Research thoroughly to make sure all external plugins you use support HTTPS, or find a replacement.
- No external HTTP content allowed
Trying to keep external content loaded from non-HTTPS resources will result in error messages being shown.
Note: Make sure your HTTPS pages feature only content from HTTPS sites and your CDN (Content Delivery Network) supports it too.
- AdSense revenue may drop
As Google states on their AdSense page, "HTTPS-enabled sites require that all content on the page, including the ads, be SSL-compliant. As such, AdSense will remove all non-SSL compliant ads from competing in the auction on these pages… Ads on your HTTPS pages might earn less than those on your HTTP pages."
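For the "Redirect difficulties" and "No external HTTP content allowed" items above, a pre-migration audit of page markup shows which URLs still point at HTTP. This is an added example, not part of the original guide: the host `example.com`, the sample HTML and the function names are constructed for illustration, and it treats protocol-relative (`//host/...`) and relative URLs as already fine, as the guide does.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attributes that load a resource or submit data: http:// here breaks an HTTPS page.
LOADS_OR_SUBMITS = {("img", "src"), ("script", "src"), ("iframe", "src"),
                    ("link", "href"), ("source", "src"), ("form", "action")}
# Plain navigation links: only internal ones need editing after the move.
LINKS = {("a", "href")}

class HttpsAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (kind, tag, original_url, suggested_url_or_None)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme.lower() != "http":
                continue  # https://, //host/... and relative URLs are fine
            internal = (parts.hostname or "") == self.site_host
            if (tag, name) in LOADS_OR_SUBMITS:
                kind = "mixed-internal" if internal else "mixed-external"
            elif (tag, name) in LINKS and internal:
                kind = "internal-link"
            else:
                continue
            # Internal URLs can simply be rewritten; external ones need a manual
            # check that the third party really serves the resource over HTTPS.
            fix = urlunsplit(("https",) + tuple(parts[1:])) if internal else None
            self.findings.append((kind, tag, value, fix))

def audit(html, site_host):
    parser = HttpsAudit(site_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page fragment.
SAMPLE = """
<a href="http://example.com/pricing">Pricing</a>
<img src="http://example.com/img/logo.png">
<img src="//example.com/img/banner.png">
<script src="http://cdn.example.net/lib.js"></script>
<a href="http://other.example.org/">Partner</a>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "example.com"):
        print(finding)
```

Entries reported as `mixed-external` are the ones to take up with the plugin, CDN or ad provider before switching.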
We hope this outline will help you make an informed, well-grounded decision on if, when and how to switch your website to HTTPS. Please join the comments below to share any thoughts you have on the issue!
And if you found this guide useful, send your thanks to the SEO PowerSuite team!