What is HTTPS and what does it do for you?

Ever since Google suggested websites move to HTTPS, many businesses have made the migration. Along the way, many of them have made mistakes. Some of these mistakes come from misunderstanding what this really does for you.

Whenever I have technical questions that exceed my abilities, I turn to my awesome web host, Knownhost. They are always there to help me and are willing to go the extra mile. This time I turned to Chris and asked him a couple questions about HTTPS- especially as it relates to your business’ website.

Before we get into this, let’s define a couple of acronyms.

• HTTP stands for “HyperText Transfer Protocol.” It’s how your browser requests information from a web server (the computer, somewhere, that contains your website). There are other ways to get information from a web server (for instance, FTP), but HTTP is how websites do so.
• HTTPS stands for “HyperText Transfer Protocol—Secures.” Like HTTP, HTTPS is how your browser gets information from your server, but in this case, it does this over a secure connection. This connection is secured with an…
• SSL stands for “Secure Sockets Layer.” This is the piece you need to transform an HTTP website into an HTTPS one. If you want an HTTPS website, you’ll have to purchase a certificate from a credible provider.

Understanding that, I approached KnownHost with a couple of questions:

What does an SSL certificate do for a website, in layman’s terms? Is there a good analogy to describe how it works?

An SSL protects login information or other user details being sent between the browser and the server. A good analogy would be that the server has a key and your browser has a key. When sending the information, that information is in a virtual “locked chest” and both keys (one of which your browser has and other the server has) are needed to open that chest and transfer that information so someone in between cannot read it.

What do most business owners misunderstand about an SSL certificate?

Many businesses believe that SSL certificates will protect their website 100% from those looking to exploit their WordPress or Joolma websites. This is not the case as an SSL only protects information being sent (for example, via a login form on the site).

With an SSL in effect, the browser sends a copy of the SSL certificate and then the browser will perform a check to ensure the SSL is trustworthy. If it is, it sends a digitally signed acknowledgment to the server to start an SSL encrypted session. Then the encrypted data is shared between the browser and the server.

Why do you think Google is recommending this?

Although we don’t have any direct information from Google regarding their reasons for making this recommendation, we believe Google is recommending this to help ensure users’ faith that their information is safe when they access a website using Google’s search results and to deflect any possible blame on Google for stolen personal data.

Does that help demystify this for you? As you can see, HTTPS is not the panacea some people think. That being said, if you want to make this migration, please take a look at some of the common mistakes I’ve noticed that people make during this transition.

Common Mistakes when moving to HTTPS

Not using a valid SSL certificate

Have you ever tried to visit a website only to get a page from your browser asking you to make an “exception”? Someone is trying to run an HTTPS website without a valid SSL certificate. It could be that someone is too cheap to buy one. It might be because their certificate has expired. It’s no good to have an HTTPS website if every one of your visitors hits this “exception” page. Keep your certificate up-to-date!

Thinking this makes your entire website secure

Whether vandalism or malicious, more and more websites are getting hacked. In fact, it’s so common that Google has recently hired a large team to handle reconsideration requests from hacked websites. Yes, you read that right: if your website is hacked, Google will “penalize” it (to protect its users) and you’ll need to file a reconsideration request as if you have a search engine penalty. That sucks. I’ve seen this happen to a lot of websites recently.

That being said, as Chris mentioned above, an SSL certificate won’t protect you from all hackers. It will help protect login information, so people can’t get your password (as easily). It can also help protect credit card data as it’s transferred to your payment gateway. However, an SSL certificate doesn’t protect you from all forms of hacking. In other words, don’t think this will stop your hackers.

Thinking this will make you “rank”

I sigh just thinking about this claim. Sure, Google announced that this will be a part of their algorithm. They made this an official part of their Webmaster Guidelines in January 2016. So, I must admit, this might give you an edge over your competitors’ websites- if all other factors are the same. Don’t forget that Google’s algorithm has hundreds of ranking factors. This is only one, and we don’t know how much more (or less) Google weighs it and the many others.

The fact is that there are probably a ton of other things you need to do first before this is the only difference between you and the other competing websites in your SERPs.

Besides, ranking is a poor way to measure your SEO efforts.

Using a 302 redirect

Whenever I see this, I know exactly what happened: somebody read somewhere that having an HTTPS website will help you get more traffic from Google. That sounds good to them, so they ask their developers to make this happen. The developer is busy on Reddit, so they throw it up using a default redirect and they can get back to more important things.

Unfortunately, by default, most servers use a 302 redirect. From a human perspective, that’s fine- you still end up on the right page. Unfortunately, if Google sees you’re using a 302 redirect, you are telling it, “I’m not here, right now, but I’m coming back later.” While Google will crawl the page at the end of the redirect, it will not pass the link authority to the destination page- you’re coming back, after all. As a result, Google starts ranking those new pages as if they don’t have any links, and your organic traffic drops off a cliff.

You should have told your developer to take 15 extra seconds to use a 301 rather than a 302 redirect. This way, all those links pointing to your old HTTP website will now be credited to your new HTTPS website, and you won’t suffer from a loss of traffic, either.

Inconsistent URLs

You’re not done when you use a 301 redirect. Don’t forget to update your URLs, too. There are several places this can go wrong.

1. Make sure your canonical tags use HTTPS now or you’ll send Google a mixed message: you’re 301ing your URLs, but the canonical tag says that’s not the right URL.
2. Make sure the URLs in your XML sitemap use HTTPS now. Your XML sitemap is a great way to tell Google all your pages, but if they have to pass through a 301 redirect, you lose a little link authority with each redirect.
3. Update internal links to HTTPS. When someone moves between HTTP and HTTPS, the HTTPS website loses referring information. If you don’t update your internal links, your web analytics data might stop showing how people are actually coming to your site. Without that information, you won’t be able to make accurate marketing decisions.
4. Update images and scripts to HTTPS. If a page has some HTTP and HTTPS assets requested, most modern browsers will throw a “caution” to users (usually with a yellow notification near the URL field). While this isn’t a big deal, don’t give your visitors reason to doubt your website’s credibility. Ensure you access your JavaScript, CSS, videos, images, etc. over HTTPS.
5. Don’t forget to update your PPC campaigns, too. AdWords will freak out if you send their visitors through a redirect.

Not changing Google Analytics

When you set up your Google Analytics account, you probably set your website to HTTP. Now that your website is HTTPS, you must go into your admin and update this. You’ll find this under Admin. Look for your “Property” (in the middle column) and select “Property Settings.” You’ll see your Tracking ID, Property Name, and the Default URL on this page. Make sure your “Default URL” is now set to https://

Not changing Google Search Console

Search Console is finicky. It only gives you data for the exact website you provide it. That means you’re not getting the complete data if you run a WWW website, but only verify GSC data from the URL without WWW.

The same is true for HTTPS websites. You’ll need to verify your website again, using HTTPS to get the correct data. In fact, it’s interesting to watch Google index your HTTPS site while it de-indexes your HTTP site. Keep both profiles open for a while. You’ll see Google at work.