Securing Your Website: Should You Switch to HTTPS?
Many people will recognise websites running over HTTPS, even if not directly familiar with the term. When you purchase something online or log in to a secure area of the web (email for example) you will see a padlock in the browser address bar indicating the web page is secured and data being sent over the web is encrypted. HTTPS, or Hypertext Transfer Protocol Secure, is the protocol which ensures data is encrypted. It adds an additional security layer to prevent unauthorised users intercepting and reading data, usually with malicious intent, whether that is simply emails, credit card details or other sensitive information.
Over the last few years there has been increased talk amongst the tech. community of making the web more secure by switching from HTTP to HTTPS protocol. This culminated with Google publically announcing on 6th August 2014 that it would start using HTTPS as a ranking signal, effectively encouraging website owners to switch their websites from using HTTP to HTTPS. So, not only would traditionally secure web pages such as eCommerce checkouts be encrypted during transmission over the web but entire websites would be sent using secure HTTPS transmission.
In this article we want to outline the benefits and considerations for anybody considering the switch.
Why move your website from HTTP to HTTPS
There are three broad reasons to consider moving a website from HTTP to HTTPS:
- Improved website security
- The opportunity to improve website speed, and
- the promise of improved website rankings should Google weight HTTPS as a positive ranking signal
Looking briefly at each of these factors:
With mobile overtaking desktop use the opportunities for hacking users' personal information are increasing dramatically. Unsecured websites are more vulnerable to malicious attacks than secured websites. A typical security threat is commonly known as a ‘Man-in-the-Middle‘ attack which allows an eavesdropper to listen in on, and potentially alter communication between end users and web servers. Many other threats exist which allow hackers to potentially alter your website content or redirect users to other, malicious sites.
While the threat is more evident for those businesses who operate websites with 'secure-areas', any unsecured website potentially provides a 'backdoor' opportunity to access and steal sensitive information held on a User's PC or mobile device. Operating your website over HTTPS / SSL reduce the opportunity for malicious hackers to intercept web traffic or alter the content on your website.
Improving the speed of a website is a tangible benefit for your customers, particularly for mobile browsing where download times significantly lag behind desktop broadband speeds. One of the advantages of HTTPS over HTTP is that it enables websites to utilise services such as SPDY which can significantly improve download times for web pages, by providing HTTP multiplexing and prioritization. In layman's terms this means fewer individual connections are made to send elements of a web page, such as images and html files, over the internet.
There is an argument that HTTPS increases download times as there is an additional 'handshake' to establish a secure connection but for large websites with dynamic content services such as SPDY can provide a significant boost to web page download times. Major websites such as Facebook, Twitter and Google already utilise SPDY to improve their content download times. For smaller, static sites, simply leveraging browser caching will improve your time-to-download, so the benefit individual businesses gain will vary according to website infrastructure.
Not all hosting environments support SPDY at present so leveraging the improved speed benefits of HTTPS/SPDY may mean a move to a hosting service provider that supports the service. You can check whether your own web host supports the SPDY protocol at http://spdycheck.org/
A recent report from SearchMetrics.com (29th August 2014) suggested that at present there is no discernable boost to rankings from running a website on HTTPS rather than HTTP. However, given Google's public statement to make sure that websites people access via Google are secure and treat HTTPS as a ranking signal, albeit a lightweight one, we expect this to change in future. We would suggest it is better to take action now to move to HTTPS if you are interested in the potential SEO benefit should Google decide to make HTTPS a ranking factor in the future, particularly given the immediate benefit of improved website security.
Moving a website to HTTPS
Moving a website’s infrastructure from HTTP to HTTPS involves a certain amount of work. There will be a small direct cost to purchase an SSL certificate. There is also the cost of arranging the move which will vary depending on the size and complexity of your website. Consider also the benefits / costs over the longer term. More websites will move to a secure infrastructure, operating over secure protocols in the next 5-10 years. Doing the work now gives you a potential advantage.
For those businesses and organisations wanting to benefit from the benefits that HTTPS provides we would strongly recommend ensuring there is a well thought through plan in place. Moving a website from HTTP to HTTPS requires pre-planning to ensure proper back-ups are in place and to check hthat URLs are working correctly once the move has taken place.
A brief outline for moving a website from HTTP to HTTPS
- Create a back-up of your website infrastructure, both your local configuration and your remote web host – if you make a mistake you may need to roll-back any changes.
- Purchase and install and SSL Certificate on your website. Your web hosting provider will be able to assist with this.
- Check that the certificate is installed correctly by navigating to the secure version of your site, e.g. https: //www. mywebsite.com
- If using Google Webmaster / Google Analytics tools, create a new Account for the HTTPS:// version of your website. For further guidance see the instructions on preparing a website move at https://support.google.com/webmasters/answer/6033085?hl=en&ref_topic=603...
- If you have not already done so, update your local website files to update any absolute URLs by replacing http:// www. mywebsite.com with site-relative URLS e.g. //www. mywebsite.com. You will also need to update your Google Analytics identifier and sitemap if this is generated manually.
- Set up site-wide redirection on your web server to redirect requests to the HTTPS version of web pages
- Verify that the site move has been completed correctly by performing a web search for certain key pages in Google and/or Bing.
- Update external links to your website i.e. those links from external websites to your own. This is not absolutely necessary if you follow Step 6 as Google and Bing will follow the Redirect directive and pass any page rank to the new HTTPS version of your web pages. However, updating the high value backlinks over which you have control, helps provide Search Engines with a clear signal to prefer the https:// version of your web pages and display those
- Verify that the HTTPS version of web pages have been indexed by Google using Google Webmaster tools. In our experience it will take around one week before Google completes a crawl of the https://.. version of your website but this figure may vary depending on existing crawl rate and other factors
Making the web a more secure place is better for all of us. There are plenty of unscrupulous people out there looking to steal our online credentials. While we can be passive and watch-and-wait for the web / internet community to provide a universal solution to better security and website response times, there are immediate benefits from taking a proactive approach.
For those contemplating the move, speak with your existing web hosting/design company. With proper planning the move should take no more than a week (other than updating external backlinks) and for smaller websites, the actual switchover can often be completed in one/two days.