What is HTTPS vs HTTP for SEO: Specificity and Best Choice for a Successful Presence in Google
HTTPS vs HTTP — What Does It Mean for Security in Web?
Hypertext Transfer Protocol Secure or HTTPS is one of the rudimentary Internet technologies which ensures the safety and confidentiality of the information exchange between the website and the user’s device. That is its main difference from the HTTP protocol, which cannot guarantee the protection of personal data. HTTPS encryption protocols reduce the likelihood of illegal access to confidential information, even over poorly secured networks such as public WiFi. That is especially true for sites that host information such as credit card numbers, passwords for entering payment systems, etc.
The main types of electronic services for which the use of HTTPS is especially important:
- Banking websites.
- Payment systems.
- User Authorization Systems.
- Email and SMS services.
HTTP vs HTTPS difference: the history of Internet security
The issues of reliability and standardization of data exchange became relevant in the early 90s, during the development of the first browsers.
The first step towards a secure Internet was the development of the Secure Sockets Layer (SSL) data encryption protocol by Netscape in 1994.
In January 1999, the IETF introduced a replacement for SSL, the Transport Layer Security (TLS) 1.0 protocol. A year after the introduction of TLS, in May 2000, The Internet Society, or ISOC, published an HTTP over TLS instruction that describes how to extend the HTTP protocol using secure communications using TLS.
Nevertheless, on October 17, 2014, Cybersecurity & Infrastructure Security Agency stated the critical vulnerability of SSL 3.0 to POODLE attacks and recommended stopping the use of this protocol in favor of TLS.
The security protocols SSL and TLS, as well as HTTPS, provide reliability and security in three main areas of communication:
- Encryption makes it as difficult as possible to gain access to personal data and minimize the likelihood of information being used by intruders.
- Integrity of the transmitted data so that all changes can be accurately tracked at each stage of the transfer, regardless of their nature and source.
- Authentication of data exchange participants, guaranteeing the absence of unpleasant surprises (e.g. MITM attacks) and getting to the very website where the user was going to.
To see more details about the benefits and necessity of implementing HTTPS, see this video by Emily Stark at the Chrome Developers Summit in 2016.
HTTP vs HTTPS Security
Unlike HTTP websites, the speed of an HTTPS site may seem like a weak point, but the high level of security completely overcomes this disadvantage. There are several ways to improve the speed of these websites:
- Multiplexing and prioritization of streams, compression of headers, and sending the server to the cache by the means of HTTP 2.
- Lossless data compression using the Brotli algorithm.
- Using the HPACK algorithm for large headers and greater reliability.
- Using Stapling with Online Certificate Status Protocol (OCSP) to quickly validate security certificates.
- CDN implementation.
HTTPS and Google: Struggle for Security in Web
Google has always taken a clear and unambiguous stance on online security, and the adoption of HTTPS is no exception. The history of Google and SSL began on May 21, 2010, when a post appeared on the company’s blog calling for a more secure connection. At the time, Google Chrome had only a 10% market share.
On November 22, 2011, the Google security team published a post about the transition of all Google services to a secure connection via HTTPS, while by the end of 2011, Chrome’s market share had almost doubled.
2012 was a watershed for Chrome, as its market shared equal IE. On August 6, 2014, Gary Illyes co-authored a post confirming the role of HTTPS as a positive signal in ranking, and Pierre Far along with Ilya Grigorik dedicated this topic to the joint presentation “HTTPS Everywhere” at the Google I/O Summit.
Then a year later, on December 17th, 2015, the security and indexing team published news about the HTTPS versions of pages being indexed by default. A month later, in October 2016, a more detailed guide on how to avoid notifications about an insecure protocol for their sites was prepared for developers. By the end of 2016, the Google Chrome browser has become the market leader, while the shares of Firefox and IE were less than 15% and continued to fall:
On February 8, 2018, another publication by Emily Schechter shed light on the next update, during which all the pages using HTTP would be displayed as unsafe with the 68th version of Google Chrome.
Webmasters were offered several benefits to promote the idea of security to the masses:
- small preferences in website ranking;
- priority ranking of safe pages;
- simple, affordable, and quick migration.
These are the main points of the presentation of the Google Chrome product manager, Emily Schechter, at the Progressive Web Apps Summit 2016.
In October 2017, an example of a website potential threat alert looked like this:
According to Netmarketshare, in October 2017, when the Chrome Security Warnings feature began to work in full mode, the share of Google Chrome was already about 60%:
As a result, the owners of many sites began to quickly switch to the HTTPS protocol.
In 2018, Adrienne Porter Felt, on behalf of the team of Google Chrome engineers, made a Twitter post, once again listing the main reasons why Google advocates for the transition to HTTPS.
On February 8, 2018, another post from Emily Shechter shed light on another update, during which all pages using HTTP will be displayed as insecure, starting from version 68 of Google Chrome – a very specific https deadline.
So, it is no exaggeration to say: there was one of the main trends by Google – SSL-2018.
As a result, when switching to HTTP links, users increasingly began to see such warnings:
On May 17th, 2018, a product manager for Google Ads, Jon Diorio, also made a post about the important HTTPS updates. Particularly, on the voluntary-forced migration of landing pages for advertisers to a more secure protocol. So yes, Google requires SSL — that is one of the many rules we have got during the last two years. At that time, the market share of Google Chrome was about 59%. In 2020, Google Chrome accounts for 65%-70% of the global browser market. And as we can see, regarding HTTP vs HTTPS, Google has more than a clear position.
How Does Using HTTPS Instead of HTTP Work?
When a secure connection is being used, the data transferred between the client and server is encrypted. Encryption algorithms may differ, but its task remains unchanged – to make sure that only those who are intended to read the data can.
- Encryption in transit is necessary so that your information, such as a credit card number or shipping address, is not intercepted along the way between the server and the browser.
- End-to-end encryption creates two unique keys that can decrypt data. One for the sender and the other for the receiver.
- Encryption at rest is used for data that is not transmitted but is stored somewhere. For example, on the hard drive of a computer.
The Main Steps for Safe Data Exchange
The main steps of HTTPS protocol take only a split second:
- The client (your browser) – receives the web page address from you and asks the server for its secure version.
- The server on which the data of the desired web page is stored sends back the public key and certificates (SSL or TLS) signed by the certification authority.
- The client verifies the authenticity and validity of the certificates by contacting the certification authority that issued them.
- The client generates an encryption key and sends it to the server.
- The server decrypts the key received from the client and in response, sends the requested web page encrypted with the received key.
- The client decrypts and displays the resulting web page.
Security certificates are also known as digital signatures, their purpose is to confirm the strength of the encryption mechanism and that it matches the protocol. Certificates are usually categorized into two types – the simpler 1024-bit and the more advanced 2048-bit. To increase the reliability of certificates, Google suggests listing them in the Certificate Transparency, secure public directories, these are special servers that allow you to add information about new certificates that cannot be deleted or changed.
Security certificates are divided into levels, depending on their reliability, the conditions for obtaining, and, of course, the cost. Simple certificates:
Domain Validation is the simplest certificate that confirms the right to own or manage a domain. It does not require documents and does not contain data about the recipient. The time required to receive it is a couple of minutes.
- A certificate can be issued for one domain, this is called Single Domain Validation, which does not include any sub-domains or consonant domains.
- A certificate can be issued for a group of domains aka. Multi-Domain Validation, which does not include sub-domains, but instead, includes many consonant domains that are not required to be registered at the time of certification. A certificate publisher typically indicates a limit on the number of consonant domains.
- A certificate can be issued for one domain and its sub-domains, which is called a Wildcard Domain Validation, it includes any sub-domains of the same root domain or host.
- Organization Validation is a more complex certification that is only issued to legal entities. It requires a standard package of documents to verify the organization’s information that will be indicated in the certificate. It takes a few days to receive this certificate.
- Extended Validation is the most reliable and expensive certification, and is also issued exclusively to legal entities. It requires an extended package of documents, as well as data to confirm the physical address of the company. It takes about a week to receive this certification.
Getting or Buying a Security Certificate
The most popular domain and hosting providers offer various security certificates for their clients, but the several free offers that are available significantly change the situation in the market of security services. For example, Let’s Encrypt offers free certification services for several dozen supported providers, such as WordPress, WPEngine, A2 Hosting, Dreamhost, Kinsta, and many others.
Even Cloudflare, a quite famous company, offers a variety of ways to register the required certificate free of charge.
Migrating to HTTPS
The process to install a security certificate for your website consists of several basic steps:
- Obtaining a Certificate.
- Certificate Installation.
- Domain Information Update.
- Forwarding setup.
- Reconfirmation of ownership in the Google Search Console.
- Site map update.
- Robots.txt update.
- Google Analytics Settings Update.
Step 1. Begin with backing up the website. This is a necessity that is facilitated by most hosting providers such as Hostgator, GoDaddy, Bluehost, and Namecheap.
Step 2. Evaluate and visualize the complete structure of your website from scratch. The result of this step should be a vulnerability checklist that will be useful during the subsequent testing after switching to HTTPS.
Things to consider:
- Technologies used and possible conflicts, for example, Adsence and social plugins, often do not tolerate migration to HTTPS.
- Connected external services.
- CMS features, especially if you use several.
- The renewal dates and expiration date of the certificate.
- Make sure that you receive a certificate for all hostnames that serve your site, for example, with and without the “www.” prefix.
- The absence of prohibitions on indexing HTTPS pages in robots.txt and the code of the pages themselves through noindex tags.
- Use a separate IP to support older browsers and SNI (Server name indication).
- Make sure that the contents of the HTTP and HTTPS pages are identical.
- Possible conflicts and unnecessary redirection chains.
Step 3. Check and prepare a base to compare indicators after the transition. There may be some glitches when changing the protocol – this is normal. To make sure that everything is in its place, you need to have the most accurate picture of the current ranking, which has to be compared to the updated indicators.
To assess the state of the site, the indicators of pages and individual keywords, historical data, preferably from 2 to 6 months, and current indicators for the last few weeks are essential.
Hint: group the pages by the sections of the site which they relate to. It will take a little longer, but if necessary, you can understand the source of the problem much faster.
Step 4. Choose a deployment scenario: directly, through a development environment, or a virtual environment. The first option is the quickest but also the riskiest. The development environment will allow you to first test your website and then deploy it. The most time-consuming step is going to be the creation of a virtual mirror-website not only for testing the changes but also to see their effect on the final product.
Here are the points to consider: Making changes directly to the production environment can save you time, but you will nott have time to fix potential bugs and errors, and they will affect users in real-time.
Step 5. Purchase and install the required certificate, as well as configure redirects, and check everything again with the Google bot simulator.
Things to consider:
- Make sure that the redirection is configured correctly and that no pages are available to users in both the HTTP and HTTPS versions.
- Check that there are no restrictions on indexing HTTPS pages in robots.txt and that the code of the pages themselves through noindex tags.
- Do not forget to check which versions of the pages are indicated as canonical, since all rel=canonical links should now point to HTTPS pages.
- Make sure that the alternate and hreflang attributes are used correctly.
- Double-check and correct any unnecessary redirection circuits.
Hint: GitHub has a detailed description of successful practices for implementing various certificates and it is advised that you study before installing.
For example, do not pursue excessive security. If you want to use RSA, then the best choice would be 2048 bit keys, providing 112 bits for security. Although 3072 bit RSA keys do provide 128 bits they are much slower. If you need a higher level of data encryption, you should turn to more efficient ECDSA keys that provide the same 128 bits while using 256. Of course, some older clients may not support ECDSA, but most will be able to work with them without any problems.
Step 6. The content downloaded by the pages should be separated into active (scripts) and passive (images) to ensure that all components are using secure protocols and there is not any room for vulnerabilities and attacks. This may take some time, as you will need to check almost all the internal links and resources of your website.
Step 7. After making sure that everything works as it should, double-check that all pages return the code 200 for available pages, and 404 or 410 for the nonexistent ones.
Step 8. Once again, go through the vulnerability checklist that you prepared while getting ready for the migration.
Step 9. Is everything working smoothly so far? Then it’s time to update the data in the Google Search Console. The implementation of HTTPS is interpreted as a change in the address of the site and will require re-verification. Also, it is crucial to consider the interaction of Google analytics HTTP vs. HTTPS.
Things to consider, sometimes, updating data in the Google Search Console may lead to a re-evaluation of your site for compliance with current requirements and rules.
Hint: do not forget to download the updated site map, as well as other parameters, for example, a list of disavowing links.
Google gives some great recommendations to make migration as comfortable as possible:
- Choose reliable certificate providers.
- Avoid legacy protocol versions.
- Use certificates with the maximum level of security (2048-bit).
- Use 301 server-side redirects.
- Use HSTS technology.
- Make sure that your server supports Server Name Identification (SNI) in advance.
HTTP vs. HTTPS — SEO-performance
In 2014, Barry Schwartz described a 35% drop in AdSense ad revenue due to the site’s migration to HTTPS. Soon after, Google said it fixed the problem by linking a drop in profits to a large number of ads that did not meet the security requirements. However, in August 2017, Crunchify also noted a decrease in profit from AdSense by an average of 10% after the introduction of HTTPS. The general recommendation for such issues is updating the AdSense code after each implementation of new security certificates.
Social Plugins and Counters
Another known consequence of migration are problems with social network plugins and various counters. In particular, Ray Dolan described his data loss from social plugins after switching to HTTPS in detail. Facebook offered a solution, but for the og:url tag to work correctly, a 200 response code is required from old Http-pages, which is impossible when using redirects through 301 code. More recently, the SEO Hacker project reported the loss of more than 100 thousand tweets and other social signals when migrating to HTTPS. However, the positive conversion effect showed an almost fivefold increase in keyword performance. In general, migration may require the resetting of all social counters.
Since the HTTPS connection is interpreted by Google as a change of address or as moving a site, you will need to go through the procedure of re-authorizing the site. It may entail re-evaluating the site per the quality standards for content and rules of use. With some websites, there may not be a noticeable difference, but for others, the consequences may include a slight decrease in ranking efficiency, fines, or manual verification.