September 6, 2017
By now, unless your site is already set up with an https url, you’ve very likely received an email from your host company or from Google encouraging you to “MIGRATE TO HTTPS”.
Why is this important?
This is part of Google’s mission to make the web a better, safer place. It’s the equivalent of homeowners in a previously sleepy, crime-free town waking up to a new big-city reality and putting locks on doors that were previously left unlocked at night.
The “s” in “https” stands for “secure” and means that a site has installed a “secure sockets layer” (SSL) that encrypts the conversations that go back and forth between your website and your visitors and prevents unauthorized parties from observing or listening in to them. It also prevents corruption of data and provides authentication to ensure that communications reach the intended recipient directly.
It used to be understood that you needed this only if your web pages included forms that requested highly sensitive information (like logins, credit card details, social security numbers, etc) but it is increasingly becoming a good idea for all sites (and all pages).
It’s quite likely that at some point you have clicked a link in a mildly alarming email that seemed legitimate (but wasn’t) and landed on a credible-looking but fraudulent site. Cyber-criminals can slip into any non-secure conversation and do things like serve your trusting visitor a modified version of your site, just like those fraudulent sites, and lure your visitors into clicks and transactions other than those you have created.
Highly-trafficked websites that process a lot of payments may attract criminals more than smaller sites but the trustworthiness of smaller sites can be hijacked for criminal purposes in all kinds of ways—and it is very easy for those with criminal intent and the technical know-how to trawl the web with robots looking for any sites with any security openings and exploit them. This is why Google is making an even bigger push than before.
The Consequences of staying with HTTP
Your site will still function without the added secure sockets layer—but here’s why it will become a bigger and bigger issue if you leave your site unsecured:
- The more everyone else goes ahead and migrates to HTTPS, the more your site will stand out as insecure—and even if your visitors are not using Chrome or Firefox and don’t see the red “Not Secure” warnings, your site will become more vulnerable to attack as predators continue to look for unencrypted sites to compromise.
- Google is now going to begin more aggressively penalizing sites that do not use a secure connection. HTTP-based sites will be down-ranked in their search algorithms (causing a drop in traffic from searches); form fields will appear to Chrome users flagged as “Not Secure” (making visitors uneasy about filling in any forms — even a contact form); and the url in the address bar will be flagged with a red notice: “Not Secure” (again making visitors nervous, even if it is no less secure than it is now).
Google has been encouraging HTTPS migration for a while…
Google began down-ranking unencrypted sites in 2014, although to a minor degree. According to the data in the Google Transparency Report, over 50% of all pages viewed by desktop-users are now encrypted and 83% of the U.S. traffic that goes through Google is now encrypted (it differs for other countries). This suggests not only that the trend to making the upgrade is real, but that the Google search-rank penalty for remaining unencrypted (or weakly encrypted) is already significant.
October is when changes will take place
The new, more aggressive penalties will be put in place early in October (2017), so the time is now to make the change if you haven’t done it already. You’ve probably opened a website and seen that “Your Connection is not Private” notice, followed by a warning that “hackers might be trying to steal your information” and offering you a big button saying “Back to Safety”. This probably won’t be exactly what will happen to your site in October without HTTPS, but you will definitely start seeing red “Not Secure” warnings like this in the address bar.
The first step in migrating to HTTPS is to obtain a Secure Sockets Layer (SSL) certificate.
HOW TO GET AN SSL CERTIFICATE
All hosting companies now offer SSL certificates and signing up for the basic-level certificates will cover all needs except transactions that involve credit card and other sensitive information (for this you need the Comodo-level certificates). Going with what your hosting company provides is the simplest solution.
There are free options for SSL certificates (Let’s Encrypt being the best-known) but not all hosting companies make it easy/possible to use them. Dreamhost stands out for making the use of Let’s Encrypt almost a one-click (and completely free) operation. Bluehost, Hostgator, GoDaddy and others all have different offerings—so check the website of your hosting company.
HOW TO CHANGE THE SITE FROM HTTP TO HTTPS
Once your certificate is purchased/installed, your site still needs to be reconfigured to use the new address.
Changes that need attention include:
- Changing the site’s base url in your settings
- Changing the config file to force the site to use https: (if people look for it using http:)
- Changing any urls used in your site’s structure that begin with “http:” (eg paths to images, videos, css, js, webfonts, etc)
- Removing any unnecessary redirect chains in your htaccess file
- Checking for issues with canonical urls
- Checking all site content for internal links that might include “http:”
- Registering the new url with Google Search Console and checking that it reconnects to Google Analytics
- Submitting the site with its new url to Google for re-indexing
With all this done, the site should be checked and monitored for a while for any breakdowns. For example, if there are any images within the site that still have “http:” in their path, the page on which they are found will continue to display as insecure. You can run a “site:[yourDomain].com” search on Google to see if all the pages Google is indexing on your site are being found as https: urls. Google will re-index what it considers your most important pages pretty much instantly when you use the Search Console to “Fetch as Google” but you may find some of your less-important pages take more time to get fully re-indexed.
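A checker for the “http:” leftovers listed above (asset paths, the canonical url and internal links), as an added example that is not part of the original article. The host example.com and the sample page are constructed placeholders; in practice you would feed it the saved HTML of each page on your own site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose src attribute loads a subresource into the page (mixed content).
SUBRESOURCE_TAGS = {"img", "script", "iframe", "video", "audio", "source", "embed"}

class HttpReferenceScanner(HTMLParser):
    """Collects http: references left behind after an HTTPS migration."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (category, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            rel = (a.get("rel") or "").lower().split()
            if "canonical" in rel:
                self._check("canonical", tag, a.get("href"))
            elif "stylesheet" in rel or "icon" in rel:
                self._check("mixed-content", tag, a.get("href"))
        elif tag == "a":
            # Only internal links are ours to fix; external http: links are skipped.
            host = urlparse(a.get("href") or "").hostname or ""
            if host == self.site_host:
                self._check("internal-link", tag, a.get("href"))
        elif tag in SUBRESOURCE_TAGS:
            self._check("mixed-content", tag, a.get("src"))

    def _check(self, category, tag, url):
        # Relative and protocol-relative URLs have no scheme and follow the page.
        if url and urlparse(url.strip()).scheme.lower() == "http":
            self.findings.append((category, tag, url.strip()))

def scan_page(html, site_host):
    scanner = HttpReferenceScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page for the placeholder site example.com.
SAMPLE_PAGE = """<head><link rel="canonical" href="http://example.com/about/">
<link rel="stylesheet" href="https://example.com/css/site.css">
<script src="//cdn.example.net/lib.js"></script></head>
<body><img src="http://example.com/images/logo.png">
<a href="http://example.com/contact/">Contact</a>
<a href="http://other.example.org/">Elsewhere</a>
<img src="/images/photo.jpg"></body>"""

for category, tag, url in scan_page(SAMPLE_PAGE, "example.com"):
    print(f"{category:14} <{tag}> {url}")
```

Anything reported as mixed-content is what keeps a page displaying as insecure; the canonical and internal-link findings are the ones that send visitors and search engines back to the old http: address.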
With everything done right you will benefit by:
- creating a sense of trustworthiness and security for your visitors
- improving your results in Google search
- slightly increasing site speed
If you’re tech-savvy and want to understand this better than I have outlined here, you might like to read this very thorough outline: Google Warnings For Form Input Over HTTP Coming in October
If you made your own site and can understand the technicalities, you’ll be fine making the migration by yourself. If not, get in touch with your designer/developer and have her do it for you.