What is HTTPS? What is it for? And how can I implement it?

HTTPS (Hypertext Transfer Protocol Secure) is one of the main requirements to start with SEO. Whatever your profile (enlightened amateur, exalted Internet user, second-hand blogger or digital professional), you have inevitably come across this protocol for securing websites. Everybody has already noticed those five letters displayed on the far left of the browser's address bar, next to a little padlock.

It is even more important to take a close look at HTTPS because Google has made it a key criterion of its ranking algorithm and promotes it through its Chrome browser. In 2014, the web giant announced a focus on sites protected via the HTTPS protocol. Enough to encourage webmasters to secure their connections. Three years later, the figures speak for themselves: 66% of sites are in HTTPS on Windows, 64% of traffic is secure on Android and over 75% on ChromeOS. In addition, 71 of the top sites in Google's SERPs were in HTTPS at the end of 2017, compared to 37 in 2016.

Of course, Google is not the only actor. Other factors have played a role in this transformation from a wild web to a more civilized web: initiatives making it easier to access HTTPS, appropriate measures taken by other browsers, etc. However, it is essential to ask three questions: what exactly is HTTPS? Is it necessary to adopt it to reinforce your organic reach? And how do you organize the migration to HTTPS?

What is HTTPS?

  • The HTTP protocol

To understand what HTTPS is, we must return to HTTP, which is its precursor. HTTP (short for HyperText Transfer Protocol) is a communication protocol specifically designed for the web. It enables the exchange of data between a server and a client, for example between a website and a browser.

The problem with HTTP is that these exchanges are open to everyone, i.e. they are not encrypted and therefore not confidential. Anyone, technically, can get in the way of the communication and retrieve the information that is exchanged, like someone listening in on a conversation on the phone.

In most cases, this is not so serious: if you read an article on a newspaper website, you are not exchanging personal data that could be misused. But things become more complicated when you log on to your bank's website: if someone gets their hands on your information (for example, your account number or access credentials), the consequences can be serious.

The main flaw of the HTTP protocol is therefore its lack of security. And that's where HTTPS comes in.

  • The HTTPS protocol

The HyperText Transfer Protocol Secure (HTTPS) protocol was designed to overcome the security issue posed by its big brother.

HTTPS, in reality, is just HTTP to which a secure layer called TLS (Transport Layer Security) has been added. This layer encrypts the data exchanged between the server and the client.

Going through an HTTPS protocol makes it possible to:

  • Secure the data that circulates between a website and a browser, so that no one can access and misuse it. The information exchanged is encrypted and the encryption key is known only to the server and the client. Everything happens as if the telephone conversation were in a single language, known only to the interlocutors, which prevents the eavesdropper from understanding anything.
  • Guarantee the identity of the website being consulted, so that you can be sure that it is the one whose URL is displayed. This point is essential, since it allows the Internet user to ensure that he is surfing on his bank's site, for example, and not on a platform created from scratch to deceive him.

  • How can we see if a website is HTTPS or HTTP?

It's quite simple: a secure site displays, in its URL, the letters "HTTPS" instead of the simple "HTTP". On Chrome, these letters appear in green.

Another proof of security: the presence of a padlock (green or not) near the URL. It can be found on the left side of Chrome, Firefox or Internet Explorer.

Note that by clicking on the padlock (or on an icon containing "i" in some cases), you can access information about the type of certificate used to secure the site.

  • HTTPS certificates

The HTTPS protocol uses an SSL (Secure Sockets Layer) certificate that allows the TLS security layer to be put in place. This electronic certificate is applied to the site to secure data exchanges by encrypting them using an asymmetric encryption key. A site protected by an SSL (or TLS) certificate displays the famous padlock proving that it is secure.

To do this, you must first obtain this certificate: this is what enables you to activate the appropriate protocol. We speak interchangeably of SSL or TLS certificates, but it is important to know that the SSL protocol is no longer current since it has been replaced by TLS, a more secure version based on the same principle. The term "SSL certificate" has remained to refer to all encryption certificates enabling HTTPS.

There are several types of SSL certificates, more or less secure:

  • The free SSL certificate (Let's Encrypt type)
  • The Extended Validation Certificate (Extended SSL)
  • The Organization Validation Certificate (Organization SSL)
  • The Domain Validation Certificate (Domain SSL)
  • The multi-domain certificate (WildCard)

These certificates are issued by specific bodies, the Certification Authorities (CA). Again, there are a number of them:

  • Symantec
  • GeoTrust
  • GlobalSign
  • Thawte
  • Comodo (related to OVH)
  • RapidSSL
  • Digicert
  • AlphaSSL
  • TrustProvider

The cost of an encryption certificate can range from zero (free of charge) to several thousand euros. The price varies based on the reliability of the certificate, i.e. the level of verification reached before it is issued: this verification ranges from a simple email sent to the applicant to a multitude of documents that need to be provided. The price also depends on the CA chosen.

Why switch to HTTPS?

If you are interested in moving your website to HTTPS, here are not one, but two good reasons to do so.

On the one hand, there is the security reason. HTTPS helps make the Web a safer place for everyone, professionals and Internet users alike, by providing protection against "man-in-the-middle" attacks. Unfortunately, those attacks are in vogue, and their purpose is to intercept communications between two digital interlocutors in order to collect personal data, all without being detected. That way, your banking data or your identification can be captured by a hacker who is then able to use them fraudulently.

HTTPS is the best method to overcome this security flaw. It is therefore a crucial part of professional websites on which data circulates, whether it is to fill out a simple form, to register a personal account, or to make a payment for a purchase by entering your credit card details. Needless to say, unprotected sites are not very popular in the eyes of Internet users, who are themselves increasingly concerned about the protection of their data.

On the other hand, there is the SEO reason. At Google, they are campaigning to make the web a safer territory: it is no longer a question of limiting the incentive to switch to HTTPS only to high-risk platforms (the protocol was originally invented to secure bank sites). In the near future, ALL websites will have to proudly display the HTTPS logo.

The proof: not content with favoring HTTPS platforms since 2014 (see the announcement made in this regard), Google displays messages in its Chrome browser to warn the user if a site is not secure. This has a negative impact on visitor confidence.

These are two good reasons to switch to HTTPS. But let's dwell for a moment on the second one: the impact on natural referencing.

What is the impact of HTTPS on SEO?

Let's start by reviewing the chronology of events:

  • In 2014, Google announces that it will favor sites that enable HTTPS through its ranking algorithm. The improvement in ranking is very minor.
  • In 2015, Google indicates that HTTPS plays the role of referee in case of a confrontation between two similar sites in response to a request. If two sites are almost identical in everything (keywords worked, freshness of content, display speed ...), the algorithm defaults to the one that is the most secure.
  • Today, 40% of the results displayed on the first page of Google are in HTTPS (source). The boost is more noticeable, but that doesn't explain everything: these sites on Page 1 of the SERPs are also the ones that apply other SEO best practices, apart from security alone.

To summarize, the move to HTTPS does not act as a major springboard for SEO. This is not to say that the benefits are not interesting, since obtaining a good SSL certificate can have indirect impacts on SEO. In particular:

  • By influencing the choices made by Internet users. They are likely to choose a site in HTTPS over another in HTTP, especially in order to make a purchase. The more sites are marked as non-secure, the more important it becomes for merchant sites to display their security visibly and clearly.
  • By influencing Google's ranking. Imagine: a user clicks on a link in the SERPs, realizes that the site is not secure, and goes back to select another one. Google perceives this reversal as a sign of dissatisfaction, which will impact the ranking of the site in question.

That said, it is not impossible that Google's push for secure sites will be more noticeable in the future.

Should I switch to HTTPS for SEO reasons?

Migrating your site to HTTPS in the hope of a pure SEO gain is not reasonable. The boost is so small that it takes a big magnifying glass to see any difference. Even if the HTTPS effect exists, it remains far, far behind the most decisive criteria that are content, SEO and backlinks. SSL is therefore clearly not a way to make your pages climb the SERPs.

But there are many other reasons to switch, as we have seen above. Both to secure exchanges with Internet users and to enhance your brand image. This concerns primarily, but not only, merchant sites.

In the future, security alerts will be sent by browsers to Internet users whose data has leaked because of a security flaw on an HTTP site. Imagine for a moment what your visitors would think of your website if your site were affected.

How to migrate your site from HTTP to HTTPS?

Be aware that a switch from HTTP to HTTPS is similar to a site migration. Concretely, here is how to do it:

  1. Buy (or request) an SSL certificate and install it on your website.
  2. Modify your internal URLs so that all your resources are served in HTTPS.
  3. Set up 301 redirects from HTTP URLs to HTTPS URLs. This allows you to maintain the SEO (popularity and traffic) of your pages throughout the migration. Above all, test these URLs afterwards!
  4. Make sure that your canonical URLs point to your HTTPS pages. This way, you will have fewer worries about duplicate URLs.
  5. Make sure your HTTPS pages are indexable.
  6. Enable the HSTS (HTTP Strict Transport Security) mechanism to inform the client that interactions will now be done over a secure connection.
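
An added example, not part of the original article: a small Python audit that checks steps 2, 3, 4 and 6 above against constructed responses. The `audit` function, the response-dict shape and the example.com URLs are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

class PageLinks(HTMLParser):
    """Collects the canonical URL and sub-resource URLs from a page."""
    def __init__(self):
        super().__init__()
        self.canonical, self.resources = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "link" and "canonical" in rel:
            self.canonical = a.get("href")
        elif tag == "link" and "stylesheet" in rel and a.get("href"):
            self.resources.append(a["href"])
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append(a["src"])

def audit(http_resp, https_resp):
    """Return findings for one URL pair; an empty list means every check passed."""
    findings = []
    # Step 3: the HTTP URL must answer 301 with an https:// Location.
    if http_resp["status"] != 301:
        findings.append(f"redirect is {http_resp['status']}, not 301")
    if not http_resp["headers"].get("location", "").startswith("https://"):
        findings.append("redirect target is not HTTPS")
    # Step 6: browsers honour HSTS only over HTTPS, and max-age=0 disables it.
    hsts = https_resp["headers"].get("strict-transport-security", "")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
    if not m or int(m.group(1)) == 0:
        findings.append("HSTS missing or max-age=0")
    # Steps 2 and 4: canonical on HTTPS, no http:// sub-resources (mixed content).
    page = PageLinks()
    page.feed(https_resp["body"])
    if not (page.canonical or "").startswith("https://"):
        findings.append("canonical missing or not HTTPS")
    findings += [f"mixed content: {u}" for u in page.resources if u.startswith("http://")]
    return findings

# Constructed sample responses (header keys lowercase); example.com is a placeholder.
GOOD_HTTP = {"status": 301, "headers": {"location": "https://example.com/"}}
GOOD_HTTPS = {"headers": {"strict-transport-security": "max-age=31536000"},
              "body": '<link rel="canonical" href="https://example.com/"><img src="/logo.png">'}
BAD_HTTP = {"status": 302, "headers": {"location": "https://example.com/"}}
BAD_HTTPS = {"headers": {}, "body": '<link rel="canonical" href="http://example.com/">'
                                    '<script src="http://cdn.example.com/app.js"></script>'}

if __name__ == "__main__":
    print("\n".join(audit(BAD_HTTP, BAD_HTTPS)))
```

The bad pair shows the failures that most often survive a migration: a temporary 302 instead of a 301, no HSTS header, a canonical still on HTTP, and a script loaded over plain HTTP.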

Once the migration to HTTPS is complete, you need to think about the final checks:

  1. Run a crawl to make sure there are no errors.
  2. Create a new Search Console and monitor the indexing of pages in HTTPS, comparing with the old version.
  3. Check and correct the URLs of the links pointing to your site, so that they are all in HTTPS.
  4. Update the external plugins of your CMS to make sure they are compatible with the new protocol.
  5. Modify your settings in Google Analytics so that the platform takes into account pages in HTTPS, especially in order to follow the development of traffic.
  6. Retrieve your indications of social interactions (shares and likes) by following these instructions.
  7. Measure the loading times of your HTTPS pages. Migration may be accompanied by a general slowdown due to additional negotiations between server and client.

In case of problems, the performance of your site can be improved using HTTP/2 once the migration to HTTPS is complete.

What type of SSL certificate should I choose?

The question arises as to which certificate to choose to migrate to HTTPS and secure your connections. But the answer depends on the nature of your site as much as on your security needs... For an average site where no personal data is exchanged, a free SSL certificate is more than enough (Let's Encrypt type). No need for more.

For a company website, it is preferable to opt for a Domain Validation (DV) or Organization Validation (OV) certificate. These certificates cost from a few dozen euros to a few hundred euros per year. The difference between the two lies in the authentication: the DV does not identify the applicant of the certificate, while the OV is slightly more secure. However, on this point, you have to put yourself in the position of the Internet user: will he or she click on your certificate to check the authentication field? Do you really need this extra protection?

For an e-commerce site, things are different: you need to ensure the security of your customers throughout the purchase funnel. In this case, the Extended Validation (EV) certificate is essential. It displays a green bar in the browser, so users know immediately that they are surfing on a site with optimal protection. It's good for your brand image.

As for multi-domain certificates, they apply to sites that need to certify several domain names.

In conclusion

Migrating your website to HTTPS is not an absolute necessity, but rather a measure of comfort and confidence. Installing an SSL certificate on your server will not boost your SEO or turn your website into a tamper-proof fortress (SSL encrypts the connection without securing the server or browser itself). But it will allow your visitors to feel secure when they entrust you with personal data, whether it is login credentials or bank details. Note that 40% of Google's front page sites are in HTTPS.

Extra bonus advice:

Whatever solution you choose, whatever certificate you want and whatever Certification Authority you choose, don't launch into a migration without first thinking about it. Above all, take your time!