Did you receive a notice from Google like the message above? If so, you are not alone. Site owners of domains that haven’t yet made the move to HTTPS (also known as HTTP over TLS, or Transport Layer Security) have been receiving warning messages from Google asking them to “migrate to HTTPS”.
Google has been trying to get site owners to move from HTTP (Hyper Text Transfer Protocol) to HTTPS (Hyper Text Transfer Protocol Secure) for quite some time now. It was nearly 1 year ago when we last blogged about this topic and recommended moving from HTTP to HTTPS. These new warning messages mark a more aggressive approach at trying to have webmasters convert to HTTPS.
Why does Google want you to move to HTTPS?
Using HTTPS provides additional layers of protection to the data that is transmitted across the web. This includes:
- Encryption
- Data integrity
- Authentication
Security is extremely important to Internet users so it’s a big deal to Google.
When Will Google Start Showing Security Warnings to Chrome Users?
Google will begin showing the security warnings starting in October 2017 with version 63 of Chrome. Google has said they intend on marking all pages that are served over HTTP as “non secure”. You still have time to make the switch so if you’ve been holding off, now is the time to make this happen. Here’s a snippet of text from a recent warning message one of our clients received:
“Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.
The following URLs on your site include text input fields (such as <input type="text"> or <input type="email">) that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users’ data. This list is not exhaustive.”
See the <input type="email"> in the warning message above? That’s HTML for an input field on a web form that asks for a user’s email address (like the example below):
Will rankings go down after switching from HTTP to HTTPS?
According to the Google Search Console Help webpage: “With any significant change to a site, you may experience ranking fluctuations while Google recrawls and reindexes your site.” So yes, there is a chance of a drop in rankings and traffic. Our own experience is that rankings come back quickly (within a week). For some sites, rankings and traffic are not impacted at all. Referring to drops in rankings and traffic related to moving to HTTPS, Google’s Gary Illyes has said that they have “changed a bunch of things on our end to make sure that doesn’t happen.” This was previously the main reason why SEOs have not all been on board with the move to HTTPS in the past. Google’s Illyes (the closest thing we have to a “Matt Cutts” at Google these days) tweeted the following:
Specifically talking about the amount of time it would take to recover rankings and traffic, Illyes said “One week is understandable, two weeks, with a stretch. For any longer I’d raise an eyebrow”. Of course, we can’t take every word from Google as truth but I agree with Gary here.
Although we are talking about one additional letter in your URL strings, to Google and other search engines this means your entire site has brand new URLs, so it takes Google time to process this change. The proper way to handle these changes is with a 301 redirect from every HTTP version to the corresponding HTTPS version.
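As an added illustration (not code from the original post), the Python sketch below audits redirect responses a crawler has recorded against the rule above: every HTTP URL must answer with a 301 and point at the same page over HTTPS. The sample rows and example.com URLs are constructed, and the check assumes the hostname does not change during the migration.

```python
from urllib.parse import urlsplit

def check_redirect(http_url, status, location):
    """Return a list of problems with one HTTP -> HTTPS redirect response."""
    problems = []
    src = urlsplit(http_url)
    if status != 301:
        problems.append(f"status {status}, expected 301 (permanent)")
    if not location:
        problems.append("no Location header")
        return problems
    dst = urlsplit(location)
    if dst.scheme != "https":
        problems.append(f"target scheme is {dst.scheme or 'missing'}, expected https")
    if dst.hostname != src.hostname:
        problems.append(f"host changed: {src.hostname} -> {dst.hostname}")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("target is not the corresponding page (path or query differs)")
    return problems

# Constructed sample: (requested URL, status code, Location header) per crawled page.
SAMPLE = [
    ("http://example.com/", 301, "https://example.com/"),
    ("http://example.com/contact?ref=nav", 301, "https://example.com/contact?ref=nav"),
    ("http://example.com/blog/post-1", 302, "https://example.com/blog/post-1"),  # temporary
    ("http://example.com/services", 301, "https://example.com/"),  # dumped on the homepage
    ("http://example.com/about", 200, None),  # still served over plain HTTP
]

def audit(rows):
    """Map each URL that has at least one problem to its list of problems."""
    report = {}
    for url, status, location in rows:
        problems = check_redirect(url, status, location)
        if problems:
            report[url] = problems
    return report

if __name__ == "__main__":
    for url, problems in audit(SAMPLE).items():
        print(url, "->", "; ".join(problems))
```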
It should be noted that Google has previously indicated that HTTPS is a ranking signal and there is a ranking boost for HTTPS sites. Most likely this will become an even stronger ranking signal than it is today as Google continues to weigh user behavior metrics as a bigger factor in their search engine rankings.
What is required to migrate from HTTP to HTTPS?
There are many things required to make a proper move, including:
- Acquire an SSL certificate (2048-bit key)
- Activate the certificate
- Install the certificate on your domain
- Update all hard coded links in your code from HTTP to HTTPS
- Test to ensure that external scripts support HTTPS
- Create 301 redirects for all HTTP pages to the corresponding HTTPS pages
- Crawl your website to check that all pages can be crawled
- Use “Fetch as Google” to test that Googlebot can access your pages
- Update sitemaps
- Update robots.txt file
- Update canonical tags
- Resubmit disavow file (if you use disavow files)
- Add new site to Google Search Console
- Use change of address tool
- Update Google Analytics default URL
- Update tools that you use (A/B testing software, rank tracking, etc.)
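Several of these steps can be checked page by page before the switch. The Python sketch below is an added example, not part of the original checklist: it scans one page's HTML for hard-coded http:// links, canonical tags and form actions, for external scripts and stylesheets still loaded over HTTP, and for the text inputs that trigger Chrome's warning on HTTP pages. The sample page and its example.* hostnames are constructed.

```python
from html.parser import HTMLParser

URL_ATTRS = ("href", "src", "action")
# "text" and "email" are the types named in the notice; the others are assumed
# here to count as text entry too.
TEXT_INPUT_TYPES = {"text", "email", "password", "search", "tel", "url"}

class MigrationScanner(HTMLParser):
    """Collects what has to change on one page before it is served over HTTPS."""
    def __init__(self):
        super().__init__()
        self.subresources = []  # http:// loads that become mixed content on HTTPS
        self.links = []         # hard-coded http:// links, canonicals, form actions
        self.text_inputs = []   # input types that trigger the warning on HTTP pages

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input":
            kind = (attrs.get("type") or "text").lower()  # a missing type means text
            if kind in TEXT_INPUT_TYPES:
                self.text_inputs.append(kind)
        rel = (attrs.get("rel") or "").lower().split()
        loads = tag in ("script", "img", "iframe") or (tag == "link" and "stylesheet" in rel)
        for name in URL_ATTRS:
            url = (attrs.get(name) or "").strip()
            if url.lower().startswith("http://"):
                (self.subresources if loads else self.links).append((tag, url))

def scan(html):
    scanner = MigrationScanner()
    scanner.feed(html)
    return scanner

# Constructed sample page.
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://example.com/contact">
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="http://widgets.example.org/chat.js"></script>
</head><body>
<a href="http://example.com/about">About</a>
<form action="http://example.com/subscribe" method="post">
  <input type="email" name="email">
  <input name="first_name">
</form>
</body></html>"""

if __name__ == "__main__":
    page = scan(SAMPLE_HTML)
    print(page.subresources, page.links, page.text_inputs, sep="\n")
```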
It’s also important to note that SSL certificates expire so they need to be renewed. Depending on the certificate you have, typically renewal is every 90 days to 1 year.
Benefits of HTTPS
- HTTPS is a ranking signal in Google’s algorithm. While it currently is a small part of their algorithm, it is likely to become more important in future algorithm updates.
- Ability to see referral data in Google Analytics that comes from HTTPS sites. If you have an HTTP site, the referrer data is stripped when you are sent any traffic from an HTTPS site and Google Analytics reports the traffic as direct. However, referral data is passed to Google Analytics when a visitor goes from an HTTPS site to another HTTPS site.
- More secure for your site visitors. This means the data they submit to you in a form is encrypted and sent over a secure channel. As mentioned above, HTTPS offers multiple layers of protection including encryption, data integrity and authentication.
- Increase users’ trust of your site and your firm. Having a secure site shows that you care about the privacy of your site visitors and can improve their level of trust.
- Better visitor conversion rates. You have a much greater likelihood of converting site visitors if they are not receiving browser warnings about your site security. You don’t want to scare visitors off your site when you are spending good money on marketing trying to get them to contact your firm!
Now more than ever it is time to change over to HTTPS.