HTTPS vs. HTTP : All You Need to Know to Stay in Google’s Good Graces in 2020
What is HTTPS?
HyperText Transfer Protocol Secure (HTTPS) is one of the basic Internet technologies that ensures the safety and confidentiality of the information exchanged between a website and the user’s device. This is especially relevant for mobile devices: smartphones often store and transmit identity and financial data, for example when working with Apple Pay, Google Pay, Amazon, PayPal, Stripe, etc. Encryption protocols lower the risk of theft of, or intrusion into, the data transferred by the user even on a poorly secured network, such as public WiFi.
The main types of e-services that require using HTTPS instead of HTTP include:
- Banking websites
- Payment systems
- User Authorization Systems
- Email and SMS services
Many people think that caring about security and the introduction of HTTPS are closely connected to Google and its development, but this is not factually correct. The reliability and standardization of data exchange have been in the spotlight since the development of the first browsers in the early 90s.
The first step towards a more secure Internet was the development of the SSL encryption protocol (Secure Sockets Layer) by the Netscape company in 1994. SSL was supported until 1996, when development stopped after version 3.0. Three years later, in 1999, the IETF presented a replacement for SSL – the TLS 1.0 protocol (full name – Transport Layer Security). A year after the introduction of TLS, in May 2000, the Internet Society (ISOC) published an HTTP over TLS specification, describing the extension of the HTTP protocol to secure data exchange using TLS. The differences between TLS 1.0 and the latest version of SSL were not critical, which is why the two names are still mixed up to this day. Nevertheless, on October 17, 2014, the Cybersecurity & Infrastructure Security Agency announced the critical vulnerability of SSL 3.0 to the POODLE attack and recommended stopping the use of this protocol in favor of TLS.
The SSL and TLS security protocols, and HTTPS as well since it is based on them, provide reliability in three main areas of data exchange on the Internet:
- Encryption of transmitted data, to make tracking, gaining access to, and intercepting or stealing user data as hard as possible;
- Integrity of the transmitted data, so that any changes can be accurately detected at each stage of the transfer, regardless of their nature and source;
- Authentication of the participants in the data exchange, guaranteeing the absence of unpleasant surprises (e.g. MITM attacks) and that the user reaches the very website they intended to visit.
To see more details about the benefits and necessity of implementing HTTPS, see this video by Emily Stark at the Chrome Developers Summit in 2016.
HTTP vs HTTPS Difference
The relative shortcomings of HTTPS in terms of speed are fairly compensated by its additional security measures. Moreover, there are several ways to significantly improve website performance when using HTTPS:
- Multiplexing and prioritization of streams, compression of headers, and server push of resources into the client’s cache by means of HTTP/2;
- Lossless data compression using the Brotli algorithm;
- Using the HPACK algorithm for large headers and greater reliability;
- Using Online Certificate Status Protocol (OCSP) stapling to quickly validate security certificates;
- CDN implementation.
HTTPS and Google
Google has always maintained an active public position when it comes to Internet security and the adoption of HTTPS was no exception. To promote this idea to the masses, webmasters were offered several advantages, including:
- small preferences in website ranking;
- priority ranking of safe pages;
- simple, affordable, and quick migration.
These are the main points of the presentation of the Google Chrome product manager, Emily Schechter, at the Progressive Web Apps Summit 2016.
The issue of migration did not lose its relevance even two years later. In 2018, Adrienne Porter Felt, on behalf of the team of Google Chrome engineers, made a Twitter post, once again listing the main reasons why Google advocates for the transition to HTTPS.
One of the first Google blog posts appealing for the use of a more secure SSL connection was made on May 21st, 2010. Google required SSL. At that time, Google Chrome’s share of the market was 10%, and a year later, on November 22, 2011, the Google security team published a post regarding the transition of all Google services to a secure HTTPS connection. By the end of 2011, Chrome’s market share had nearly doubled. 2012 was a turning point for Chrome, as the shares of Chrome and IE finally became equal. The growing popularity of the browser was easy to use as leverage for the mass implementation of new security standards. On August 6, 2014, Gary Illyes co-authored a post confirming the role of HTTPS as a positive ranking signal, and Pierre Far, together with Ilya Grigorik, devoted their joint presentation “HTTPS Everywhere” at the Google I/O Summit to this topic.
Then a year later, on December 17th, 2015, the security and indexing team published news that HTTPS versions of pages would be indexed by default. And finally, on September 8, 2016, Emily Schechter published a post about a new feature developed to identify insecure websites, which launched along with the 56th version of Chrome in January 2017. All sites using the HTTP protocol and containing forms for collecting user data began to be displayed with a small notification in the address bar:
This notification was to become more prominent over time:
A month later, in October 2016, a more detailed guide on how to avoid insecure-protocol notifications for their sites was prepared for developers. By the end of 2016, the Google Chrome browser had established itself as the market leader, while the shares of Firefox and IE were below 15% and continued to fall:
On February 8, 2018, another publication by Emily Schechter shed light on the next update, during which all the pages using HTTP would be displayed as unsafe with the 68th version of Google Chrome.
However, Google did not stop at a simple warning, and when following HTTP links, users began to see these messages:
On May 17th, 2018, Jon Diorio, a product manager for Google Ads, also made a post about the important HTTPS updates, in particular the effectively mandatory migration of advertisers’ landing pages to the more secure protocol. At that time, the market share of Google Chrome was about 59%. In 2020, Google Chrome accounts for 65%-70% of the global browser market.
How Does HTTPS Work?
When a secure connection is being used, the data transferred between the client and server is encrypted. Encryption algorithms may differ, but their task remains the same – to make sure that only those who are intended to read the data can do so.
- Encryption in transit is necessary so that your information, such as a credit card number or shipping address, is not intercepted on the way between the server and the browser.
- End-to-end encryption creates two unique keys that can decrypt the data: one for the sender and the other for the receiver.
- Encryption at rest is used for data that is not transmitted but is stored somewhere. For example, on the hard drive of a computer.
The Main Steps for Safe Data Exchange
The main steps of the HTTPS protocol take only a split second:
- The client (your browser) receives the web page address from you and asks the server for its secure version;
- The server on which the requested web page is stored sends back its public key and certificates (SSL or TLS) signed by a certificate authority;
- The client verifies the authenticity and validity of the certificates by contacting the certificate authority that issued them;
- The client generates an encryption key and sends it to the server;
- The server decrypts the key received from the client and, in response, sends the requested web page encrypted with that key;
- The client decrypts and displays the resulting web page.
Security certificates are also known as digital signatures; their purpose is to confirm the strength of the encryption mechanism and that it matches the protocol. Certificates are usually categorized into two types – the simpler 1024-bit and the more advanced 2048-bit. To increase the reliability of certificates, Google suggests listing them in Certificate Transparency logs, secure public directories: special servers to which information about new certificates can be added but from which it cannot be deleted or changed.
Security certificates are divided into levels, depending on their reliability, the conditions for obtaining, and, of course, the cost.
- Domain Validation is the simplest certificate that confirms the right to own or manage a domain. It does not require documents and does not contain data about the recipient. The time required to receive it is a couple of minutes.
- A certificate can be issued for one domain (Single Domain Validation), which covers neither sub-domains nor related domains.
- A certificate can be issued for a group of domains (Multi-Domain Validation), which does not cover sub-domains but instead covers many related domains that need not be registered at the time of certification. The certificate issuer typically sets a limit on the number of such domains.
- A certificate can be issued for one domain and its sub-domains (Wildcard Domain Validation); it covers any sub-domain of the same root domain or host.
- Organization Validation is a more complex certification that is only issued to legal entities. It requires a standard package of documents to verify the organization’s information that will be indicated in the certificate. It takes a few days to receive this certificate.
- Extended Validation is the most reliable and expensive certification, and is also issued exclusively to legal entities. It requires an extended package of documents, as well as data to confirm the physical address of the company. It takes about a week to receive this certification.
Getting or Buying a Security Certificate
The most popular domain and hosting providers offer various security certificates to their clients, but several free offerings have significantly changed the security-services market. For example, Let’s Encrypt offers free certification for several dozen supported providers, such as WordPress, WPEngine, A2 Hosting, Dreamhost, Kinsta, and many others.
Cloudflare, a well-known company, also offers a variety of ways to obtain the required certificate free of charge.
Migrating to HTTPS
The process of installing a security certificate for your website consists of several basic steps:
- Obtaining a Certificate
- Certificate Installation
- Domain Information Update
- Forwarding setup
- Reconfirmation of ownership in the Google Search Console
- Site map update
- Robots.txt update
- Google Analytics Settings Update
Step 2. Evaluate and map the complete structure of your website from scratch. The result of this step should be a vulnerability checklist that will be useful during testing after the switch to HTTPS.
Things to consider:
- Technologies used and possible conflicts; for example, AdSense and social plugins often do not tolerate migration to HTTPS well;
- Connected external services;
- CMS features, especially if you use several;
- The renewal dates and expiration date of the certificate;
- Make sure that you receive a certificate for all hostnames that serve your site, for example, with and without the “www.” prefix;
- The absence of prohibitions on indexing HTTPS pages in robots.txt and in the code of the pages themselves (noindex tags);
- Use a separate IP address to support older browsers without SNI (Server Name Indication) support;
- Make sure that the contents of the HTTP and HTTPS pages are identical;
- Possible conflicts and unnecessary redirection chains.
Step 3. Check and prepare a baseline against which to compare indicators after the transition. The transition will have short-term consequences; this is normal. To make sure that everything is in its place, you need the most accurate possible picture of the current ranking, to be compared against the updated indicators.
More things to consider: page indicators and individual keywords should be divided into two groups – historical data, preferably from 2 to 6 months before the transition, and current indicators from the last few weeks.
Hint: group the pages by the sections of the site they relate to. This will take a little more time, but you will quickly identify the source of any problems.
Step 4. Select a deployment scenario: in real time, through a development environment, or through a virtual environment. The first option is the fastest but the riskiest. The development environment allows you to test your website first and then deploy it. The most time-consuming option is the creation of a virtual mirror website, not only for testing the changes but also to see their effect on the final product.
Things to consider: by making changes in real time in the production environment you save time, but you will have no extra time to fix possible shortcomings and errors, meaning that they will affect users right away.
Step 5. Purchase and install the required certificate, configure redirects, and check everything again with a Googlebot simulator.
Things to consider:
- make sure that the redirection is configured correctly and that no pages are available to users in both the HTTP and HTTPS versions
- check that there are no restrictions on indexing HTTPS pages in robots.txt or in the code of the pages themselves through noindex tags
- do not forget to check which versions of the pages are indicated as canonical, since all rel=canonical links should now point to HTTPS pages
- make sure that the alternate and hreflang attributes are used correctly
- double-check and correct any unnecessary redirect chains
Hint: GitHub has a detailed description of good practices for implementing various certificates, and it is advised that you study it before installing.
For example, do not pursue excessive security. If you want to use RSA, the best choice is 2048-bit keys, providing 112 bits of security. Although 3072-bit RSA keys do provide 128 bits, they are much slower. If you need a higher level of security, turn to the more efficient ECDSA keys, which provide the same 128 bits of security while using only 256-bit keys. Of course, some older clients may not support ECDSA, but most will work with them without any problems.
Step 6. The content loaded by the pages should be separated into active (scripts) and passive (images) to ensure that all components use secure protocols, leaving no room for vulnerabilities and attacks. This may take some time, as you will need to check almost all the internal links and resources of your website.
Step 7. After making sure that everything works as it should, double-check that all pages return code 200 for available pages and 404 or 410 for nonexistent ones.
Step 8. Once again, go through the vulnerability checklist that you prepared while getting ready for the migration.
Step 9. Is everything working smoothly so far? Then it’s time to update the data in the Google Search Console. The implementation of HTTPS is interpreted as a change of the site’s address and will require re-verification.
Things to consider: sometimes updating the data in the Google Search Console may trigger a re-evaluation of your site for compliance with current requirements and rules.
Hint: do not forget to submit the updated sitemap, as well as other parameters, for example the list of disavowed links.
Google gives some great recommendations to make migration as smooth as possible:
- Choose reliable certificate providers
- Avoid legacy protocol versions
- Use certificates with the maximum level of security (2048-bit)
- Use 301 server-side redirects
- Use HSTS technology
- Make sure in advance that your server supports Server Name Indication (SNI)
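As an added example (not code from the original article), the following Python script automates the checks from Step 5, Step 7 and the recommendations above: permanent redirects from every HTTP URL to its HTTPS twin, no redirect chains, rel=canonical pointing to HTTPS, no stray noindex, and an HSTS header. It runs against a constructed in-memory site; `example.com` and the `fetch` stand-in are assumptions, to be replaced with a real HTTP client for a live audit.

```python
import re
from urllib.parse import urlparse
# Constructed sample site (not real responses): url -> (status, headers, body).
SITE = {
    "http://example.com/": (301, {"Location": "https://example.com/"}, ""),
    "https://example.com/": (200, {"Strict-Transport-Security": "max-age=31536000"}, '<link rel="canonical" href="https://example.com/">'),
    "http://example.com/about": (302, {"Location": "http://www.example.com/about"}, ""),
    "http://www.example.com/about": (301, {"Location": "https://example.com/about"}, ""),
    "https://example.com/about": (200, {}, '<link rel="canonical" href="http://example.com/about">'),
    "http://example.com/old": (200, {}, "<html>still served over http</html>"),
    "https://example.com/old": (200, {}, '<meta name="robots" content="noindex">'),
    "http://example.com/gone": (301, {"Location": "https://example.com/gone"}, ""),
    "https://example.com/gone": (404, {}, ""),
}
CANONICAL = re.compile(r'<link[^>]+rel="canonical"[^>]+href="([^"]+)"', re.I)
NOINDEX = re.compile(r'<meta[^>]+name="robots"[^>]+content="[^"]*noindex', re.I)

def fetch(url):
    # Stand-in for a real client; swap in urllib/requests for a live audit.
    return SITE.get(url, (404, {}, ""))

def follow(url, fetch, limit=5):
    """Follow absolute Location headers; return (urls visited, status per hop)."""
    hops, statuses = [url], []
    while len(hops) <= limit:
        status, headers, _ = fetch(hops[-1])
        statuses.append(status)
        if status in (301, 302, 307, 308) and "Location" in headers:
            hops.append(headers["Location"])
        else:
            break
    return hops, statuses

def audit(path, fetch=fetch, host="example.com"):
    """Return the list of migration findings for one path (empty means clean)."""
    findings = []
    http_url, https_url = f"http://{host}{path}", f"https://{host}{path}"
    hops, statuses = follow(http_url, fetch)
    if statuses[0] not in (301, 308):          # Google: use permanent redirects
        findings.append("http version not permanently redirected")
    if hops[-1] != https_url:                  # page must not stay reachable over http
        findings.append(f"http version does not land on {https_url}")
    if len(hops) > 2:                          # exactly one hop: http -> https
        findings.append(f"redirect chain of {len(hops) - 1} hops")
    status, headers, body = fetch(https_url)
    if status not in (200, 404, 410):          # Step 7: only these codes are expected
        findings.append(f"unexpected status {status} on https version")
    if status == 200:
        if "Strict-Transport-Security" not in headers:
            findings.append("missing HSTS header")
        match = CANONICAL.search(body)
        if match and urlparse(match.group(1)).scheme != "https":
            findings.append("rel=canonical points to http")
        if NOINDEX.search(body):
            findings.append("https page carries noindex")
    return findings
```

Run `audit("/about")` on the sample data to see a temporary 302, a two-hop chain, a missing HSTS header and an HTTP canonical reported together, while `audit("/")` and `audit("/gone")` come back clean.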
The Impact on SEO
In 2014, Barry Schwartz described a 35% drop in AdSense ad revenue caused by a site’s migration to HTTPS. Soon after, Google said it had fixed the problem, attributing the drop in revenue to a large number of ads that did not meet the security requirements. However, in August 2017, Crunchify also noted an average 10% decrease in AdSense revenue after introducing HTTPS. The general recommendation for such issues is to update the AdSense code after each installation of a new security certificate.
Social Plugins and Counters
Another known consequence of migration is problems with social network plugins and various counters. In particular, Ray Dolan described in detail his data loss from social plugins after switching to HTTPS. Facebook offered a solution, but for the og:url tag to work correctly, a 200 response code is required from the old HTTP pages, which is impossible when redirecting with a 301 code. More recently, the SEO Hacker project reported the loss of more than 100 thousand tweets and other social signals when migrating to HTTPS. However, the positive conversion effect showed an almost fivefold increase in keyword performance. In general, migration may require resetting all social counters.