WARNING – Your Website Needs SSL By October of 2017!
Does Your Website Need an SSL Certificate?
The short answer is EVERY website needs an SSL certificate and needs to be migrated from HTTP to HTTPS as soon as possible.
You may be asking questions like:
- Does my website need an SSL?
- Why is my website showing up as not being secure on Google Chrome?
- Why do I need a SSL?
- What does an SSL do?
- What does an SSL protect you from?
- What does https mean?
- How does HTTP differ from HTTPS?
And many more questions that are similar to the ones listed above.
This may be leaving you confused about what moving your website to HTTPS involves and why it is so important right now. What makes it worse is that there seem to be many HTTPS myths, and loads of bad HTTPS advice being given, around the importance of making your website secure.
Let’s FINALLY Debunk The HTTPS Myths Once And For All!
In this article we are going to debunk the myths so anyone can understand why making your website (even blogs) secure is important. We are not only going to explain the ‘why’, but we are going to give you all the necessary resources you need to do it ‘right’, so you have zero downtime and no decreases in search engine visibility during the change.
This article is great for both Senior SEO and C-level Executives because we cover “what to look for” and “what to look out for”, plus provide an SEO’s SSL Migration Checklist for the ‘SEO freaks and geeks’ out there.
Before we get into the SSL myths and learn what you need to do to protect your website users with HTTPS, let’s first make sure we understand the basics around SSLs.
What Is This HTTPS/SSL Thing And Why Should You Care?
HTTPS stands for ‘HyperText Transfer Protocol Secure’ (also called “HTTP over SSL”) and it is the internet standard for secure communication between your browser and any web server.
The internet is NOT as secure as many people like to believe with HTTP only. Anyone can read the data you send to and from any server if the website is NOT using HTTPS. If you’re searching for “toenail fungus cure” or “STDs symptoms” on a website that does not use HTTPS, then anyone could potentially see this: the government, your neighbor, your Mom and even your spouse.
HTTPS solves that privacy problem by encrypting the communication end-to-end: Only your computer and the web server can see what data gets transmitted when a website uses HTTPS properly. Additionally, you can be sure you are connected to the right server as long as the green lock icon displays in your address bar like the image below.
What’s The Difference Between SSL and TLS?
Secure Sockets Layer (SSL), or its newer form Transport Layer Security (TLS), is the protocol that HTTPS uses to accomplish this additional security. To keep it simple, TLS is the newer version of SSL. In general, people use “SSL” and “TLS” interchangeably, but that’s changing towards everyone saying “TLS”. “TLS” is what everyone will call it in the future, while “SSL” is the phrase everyone knows right now. Currently, as we write this, you want your site to be using TLS 1.2.
You can test your SSL with this site: https://www.ssllabs.com/ssltest/analyze.html to see if your site is using TLS 1.2.
4 HTTPS Myths We Hear ALL The Time – Don’t Believe The Hype!
SSL Myth 1 – You’ll hear people say, “If you don’t have sensitive information on your website or if you are not selling a product or service where someone buys online, then there is no need for an SSL certificate.”
There are many problems with this statement. The biggest one is that as of October 2017, Google Chrome will start to warn people with this message:
In fact, if you have Google Search Console set up, you may be seeing this message already:
The message above is warning you that your website is not considered secure. You can’t say they didn’t warn you and give you loads of time to get this fixed.
If you want to see how much of your traffic will be affected by this, just log into your Google Analytics and look at the % of people who use Chrome.
SSL Myth 2 – We’ve heard people say things like, “SSLs don’t increase security.”
This is completely wrong. HTTPS is about so much more than making your website secure for online purchases. It also provides integrity and authenticity for your website visitors. When you don’t have HTTPS, your website traffic can be modified by a middleman like an ISP or airport Wi-Fi. How do you feel about your website visitors being easily redirected to a malicious website courtesy of a shady DNS? Well, this is what your business is risking by not having an SSL certificate on its website.
SSL Myth 3 – We’ve heard many people say things like, “You don’t need an SSL for a blog.”
Again, SSL certificates do not make your website itself secure; what they do is help your website’s information travel securely between your website and the user’s device, and vice versa. Does your blog collect information, like asking people to sign up for a newsletter? If so, then you’ll want to have an SSL on your blog. Do you care that your blog readers receive the correct information from your website without it being intercepted by a hacker? If so, then you’ll want to have an SSL on your blog. So next time someone asks, “Do you need an SSL for your blog?” Scream back, “YES!!!”.
SSL Myth 4 – We hear people say stuff like, “Encrypting all pages on your website will only slow them down.”
That is NOT TRUE! In fact, it can be faster. It’s faster when you set up your new SSL on HTTP2, which can ONLY be done once you have an SSL certificate. Troy Hunt has this great visual on load time between a non-secure website on HTTP/1 vs the same website with an SSL certificate on HTTP2, which shows you that an HTTPS website can be faster than an HTTP website. Another great visual to understand the difference between HTTP1 vs HTTP2 was done by Kinsta (see below).
Basically, HTTP1 is like getting your meal served by three different waiters on three different serving trays vs getting your food served by one waiter on one serving tray. Of course, HTTP2 will be faster!
5 Reasons You Should Move Your Company’s Website From HTTP To HTTPS
- It’s the right thing to do for your website users by transferring information securely from your website to their devices (and vice versa).
- You can have a faster loading website by using HTTP2 (see above examples). Again a net win for you and your users.
- You are future proofing for what the search engines and browsers (like Chrome), expect you to do.
- It’s a positive ranking factor, and that is straight from Google’s mouth. And Brian Dean’s research of analyzing 1 million search results proved that, in fact, many of the first page results on Google have a strong correlation with sites that have HTTPS. Just see his image of this data below.
- Improved analytics data from referral traffic. When traffic passes to an HTTPS site, the secure referral information is preserved. This is unlike what happens when traffic passes to an HTTP site, where the referral information is stripped away and the visit looks as though it is “direct traffic” in most analytics software.
How Many Websites Are Adopting HTTPS?
It’s really no longer an option to have a non-secure website. In fact, here’s a great graph showing the adoption of HTTPS websites.
Now we know there are still millions of websites that have not yet made the jump to having a secure website, but we know after reading this article they will want to make the move to a secure website, so we’ve put together a simple checklist you can follow to make sure you do this right.
The Ultimate Checklist for Migrating from HTTP to HTTPS
Before Launching HTTPS Checklist:
- SSL Certification Setting – Get, configure and test the TLS certificate using SHA-2 for SSL on the server.
- Google Search Console Registration – Register both domains HTTP & HTTPS in Google Search Console, along with your www and non-www versions. If you also had registered individual subdomains or subdirectories in the Google Search Console, replicate that registration & configuration with their https version.
- Rankings Monitoring – Be sure to benchmark your rankings in both Google and Bing prior to changing your website to HTTPS.
- Current top site pages & queries identification – Identify the top pages and related queries attracting organic search visibility & traffic so you can prioritize when validating & monitoring the site performance. It’s a great idea to mark notes in the Google Analytics timeline.
- Crawl the current website – Crawl the current website and find any broken links and technical issues and be sure to fix those issues first before moving HTTP to https.
- New HTTPS web setting with updated internal links – Set up the new web version with the new changes, and be sure to test & update the links on a staging environment. It’s common to remember to point the page URLs to the new destinations, but people often forget files like images, js, pdfs, etc. Be sure to point all files to the new HTTPS structure.
- New HTTPS Web canonicalization – Update the canonical tags to include absolute URLs using https on the stage environment.
- New HTTPS Web canonicalization – Verify in the stage environment that all of the already existing rewrites & redirects behavior (non-www vs. www; slash vs. non-slash, etc.) are also implemented in the https Web version as they used to work on the HTTP one.
- Redirects preparation – Set the new Web version to make the changes, test & update the links on a stage environment, to point to the URLs (pages & resources such as images, js, pdfs, etc. too) with HTTPS.
- New XML Sitemap Generation – Generate a new XML Sitemap with the URLs with https to be uploaded in the HTTPs Google Search Console Profile once the site is moved.
- Robots.txt preparation – Prepare the robots.txt to be uploaded on the https domain version when the site is launched replicating the existing directives for HTTP, but by pointing to the https URLs if necessary.
- Campaigns updates preparation – Prepare changes on any ads, emailing or affiliates campaigns to start pointing to the https URLs versions when the migration is done.
- Disavow Configuration – Did you have a penalty at some point and needed to submit a disavow list? Verify if there were any disavow requests submitted in the past that will need to be resubmitted again for the https URLs versions in its own Google Search Console profile.
- Geolocation Configuration – If you’re migrating a gTLD that you are geo-targeting through the Google Search Console (as well as its subdomains or subdirectories, in case you’re individually geo-targeting them), make sure to geo-target them again with the https domain version.
- URLs Parameters Configuration – If URLs parameters are handled through the Google Search Console the existing configuration should be replicated in the HTTPs site profile.
- CDN Configuration Preparation – If a CDN is used verify that they will be able to properly serve the https domain version of the site and handle SSL when the migration is done.
- Ads & 3rd-Party Extension Preparation – Verify that any served ads code, 3rd-party extensions or social plugins used on the site will properly work when this is moved to https.
- Web Analytics Configuration Preparation – Make sure that the existing Web Analytics configuration will also monitor the traffic of the https domain. This often means setting up new profiles in Google Analytics, Adobe Omniture, etc.
During an HTTPS Launch Checklist:
- HTTPS site launch – Publish the validated https site version live (kinda obvious), but what the heck!
- Validate the new HTTPS URL structure – Make sure the URL structure of the HTTPS site version is the same as the one on the HTTP version.
- Validate internal links – Verify that the site’s internal links are pointing effectively to its HTTPS URLs
- Validate the new HTTPS version canonicalization – Verify that the canonical tags on the pages are pointing to its HTTPS URLs.
- Validate new HTTPS version canonicalization of redirects and rewrites – Implement the rewrites and redirects from www vs non-www, slash vs. without slash, etc. in the new HTTPS Web version.
- Validate HTTP to HTTPS redirect implementation – Make sure the 301-redirects from the HTTP version of every URL on the site to its HTTPS version are working.
- Web Analytics Configuration – Annotate the migration date in your Web Analytics platform & verify that the configuration is set to track the https Web version.
- SSL Server Configuration Validation – Verify the SSL configuration of your Web Server. You can use services like https://www.ssllabs.com/ssltest/
- Robots.txt Update – Refresh the robots.txt setting in the https domain with the relevant changes.
After an HTTPS Launch Checklist:
- HTTPS crawling validation – Crawl the site to verify that the HTTPS URLs are the ones accessible, linked and served without errors, erroneous no-indexations & canonicalizations & redirects.
- New HTTPS site redirects validation – Verify the redirects rules from http vs. https, www vs. non-www & slash vs. non-slash are correctly implemented.
- XML Sitemap Release & Submission – Upload & Verify the generated XML sitemap with the https URL versions in the https Google Search Console profile.
- Official external links update – Update official external links pointing to the site to go to the HTTPS version (Social Media profiles, partner sites, etc.).
- Ads & 3rd-Party Extension Validation – Verify that any plugins like social buttons, ads & 3rd party code are correctly working in the HTTPS URLs versions. You can scan your Website to look for non-secure content with https://www.jitbit.com/sslcheck/.
- Campaigns update Execution – Implement the relevant ads, emailing and affiliate campaigns changes to correctly refer to the HTTPS Web version.
- HTTPS Crawling and Indexation Monitoring – Monitor the indexation, visibility & errors of both the HTTP & HTTPS site versions.
- HTTPS Rankings & Traffic Monitoring – Monitor both HTTP & HTTPS site versions traffic and rankings activity.
- Robots.txt configuration validation – Verify the robots.txt setting in the https domain to make sure the configuration was properly updated.
Hat tip to Aleyda Solis for her HTTPS checklist, which was the foundation to building our version.
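Several of the checks above (forgotten image and js references, internal links, canonical tags, erroneous no-indexation) can be run over a page's HTML before and after launch. The following is an added example, not part of the original checklist; the finding labels, the example.com URLs and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource.
FETCHED = {"img": "src", "script": "src", "iframe": "src", "source": "src",
           "video": "src", "audio": "src", "embed": "src", "object": "data"}

class HttpsPageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.host = page_url, urlparse(page_url).hostname
        self.findings = []

    def _resource(self, tag, url):
        # Resolve relative and protocol-relative URLs against the HTTPS page first.
        if url and urlparse(urljoin(self.page_url, url)).scheme == "http":
            self.findings.append(("mixed-content", f"<{tag}> {url}"))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in FETCHED:
            self._resource(tag, a.get(FETCHED[tag], ""))
        elif tag == "link":
            rels = a.get("rel", "").lower().split()
            if "stylesheet" in rels:
                self._resource(tag, a.get("href", ""))
            # The checklist asks for an absolute https:// canonical URL.
            if "canonical" in rels and urlparse(a.get("href", "")).scheme != "https":
                self.findings.append(("canonical-not-https", a.get("href", "")))
        elif tag == "a":
            u = urlparse(urljoin(self.page_url, a.get("href", "")))
            if u.scheme == "http" and u.hostname == self.host:
                self.findings.append(("internal-link-http", a["href"]))
        elif tag == "meta" and a.get("name", "").lower() == "robots":
            if "noindex" in a.get("content", "").lower():
                self.findings.append(("noindex-left-on", a["content"]))

def audit_page(page_url, html):
    parser = HttpsPageAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<meta name="robots" content="noindex, nofollow">
<link rel="canonical" href="http://www.example.com/blog/">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://www.example.com/img/logo.png">
<a href="http://www.example.com/contact/">Contact</a>
</body></html>"""

for finding in audit_page("https://www.example.com/blog/", SAMPLE):
    print(finding)
```

Feed it the HTML your crawler saved for each page; an empty list means none of these four problems was found on that page.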
5 Biggest Mistakes Webmasters Make When Migrating a Website From HTTP to HTTPS
We have seen terrible things happen when development teams do not use a checklist like this during the migration of a website from being unsecured to being secured.
Biggest SSL Migration Mistake 1 – Launching the new site on HTTPS, but leaving the ‘noindex, nofollow’ staging setting on, which tells the search engines NOT to index the website. We can’t tell you how many developers miss this very important step or forget to do it once they push the staging site live.
Biggest SSL Migration Mistake 2 – Not getting an SSL for all versions of their website, like on multilingual websites. It doesn’t have to be expensive either, because you can use services like Cloudflare, which is currently free as I write this.
Biggest SSL Migration Mistake 3 – Not having 1 URL serving all their content. So many developers have so many different versions of their website being served up and when you do this you split the leverage of all your website’s authority to different pages. It can even cause duplicate content issues when you have this setup wrong.
We’ll use our website to show you what the perfect HTTPS setup for SEO purposes looks like:
- HTTPS is enabled, meaning you can type in https://www.poweredbysearch.com and you’ll see the website.
- The other HTTPS URL (in this case, https://poweredbysearch.com) as well as both HTTP URLs (http://poweredbysearch.com and http://www.poweredbysearch.com) all redirect to https://www.poweredbysearch.com, ensuring there is ONLY 1 canonical version of the content available
- Every redirect leads directly to the canonical version of the content. It redirects A –> B, not A –> D –> C –> B
- Every redirect uses the HTTP status codes for permanent redirects (301s), instead of temporary redirects (302 or 307)
Don’t make those common SSL migration mistakes listed above!
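The four-point setup above can be checked mechanically: every scheme and host variant must reach the canonical URL in a single permanent hop. The following is an added example, not code from the original article; the `fetch` callable, the example.com URLs and the response table are constructed stand-ins for real HTTP requests, and 308 is accepted alongside 301 as a permanent redirect.

```python
from urllib.parse import urljoin, urlparse

PERMANENT = {301, 308}          # 308 is the other permanent-redirect status
REDIRECTS = PERMANENT | {302, 303, 307}

def variants(canonical):
    """The four scheme/host combinations of the canonical URL."""
    u = urlparse(canonical)
    bare = u.hostname[4:] if u.hostname.startswith("www.") else u.hostname
    return [f"{scheme}://{host}{u.path or '/'}"
            for scheme in ("http", "https") for host in (bare, "www." + bare)]

def follow(url, fetch, max_hops=10):
    """Follow Location headers; return [(status, url), ...] ending at the final response."""
    hops, seen = [], set()
    while True:
        status, location = fetch(url)
        hops.append((status, url))
        seen.add(url)
        if status not in REDIRECTS or not location:
            return hops
        url = urljoin(url, location)
        if url in seen or len(hops) >= max_hops:   # loop or runaway chain
            return hops

def audit_redirects(canonical, fetch):
    """Map each non-compliant start URL to the list of rules it breaks."""
    problems = {}
    for start in variants(canonical):
        hops = follow(start, fetch)
        redirects, (status, final_url) = hops[:-1], hops[-1]
        issues = []
        if status != 200 or final_url != canonical:
            issues.append(f"ends at {final_url} with status {status}")
        if len(redirects) > 1:
            issues.append(f"chain of {len(redirects)} redirects")
        if any(code not in PERMANENT for code, _ in redirects):
            issues.append("temporary redirect in chain")
        if issues:
            problems[start] = issues
    return problems

# Constructed responses standing in for real HTTP requests: url -> (status, Location).
CONSTRUCTED = {
    "https://www.example.com/": (200, None),
    "https://example.com/": (301, "https://www.example.com/"),
    "http://www.example.com/": (302, "https://www.example.com/"),
    "http://example.com/": (301, "http://www.example.com/"),
}

def constructed_fetch(url):
    return CONSTRUCTED.get(url, (404, None))

print(audit_redirects("https://www.example.com/", constructed_fetch))
```

To run it against a live site, replace `constructed_fetch` with a function that issues the request without following redirects and returns the status code and `Location` header.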
Do You Want To Download Our SSL Migration Checklist?
If you want to download our SSL migration checklist, you can do so here (it’s free!). You may also know other businesses that need this important information, and you can share it with them by using the social sharing icons on this page or by copying the URL and emailing it to them. They’ll thank you for it later! If you have any questions about migrating your website from HTTP to HTTPS, you can also leave a comment below and we’ll answer it.
Do You Want Our Help to Migrate Your Website From HTTP to HTTPS?
Ahrefs did a study of 10,000 websites with HTTPS and found that 90% of them did not set it up right. The highlights are shown in the infographic below.
Can you afford to have your SSL set up wrong? Are you worried that, if it is set up wrong, it can impact your visibility? You should be.
The stats prove that 9 out of 10 websites set it up wrong. If you don’t have an experienced SEO PRO do this, then chances are you too will suffer the same fate. If you just prefer to have some SEO experts do the migration for your company, you can contact us to do it, as we have done dozens of SSL certificate website migrations over the last few years.