What is HTTPs and what does it do for you?

Ever since Google suggested websites move to HTTPS, a lot of businesses have made the migration. Along they way, many of them had made mistakes. Some of these mistake come from mis-understanding what this really does for you.

Whenever I have technical questions that exceed my abilities, I turn to my awesome web host, Knownhost. They are always there to help me out and willing to go the extra mile. This time I turned to Chris and asked him a couple questions about HTTPS- especially as it relates to your business’ website.

Before we get into this, let’s define a couple acronyms.

• HTTP stands for “HyperText Transfer Protocol.” It’s the way your browser requests information from a web server (the computer, somewhere, that contains your website). There are other ways to get information from a web server (for instance, FTP) but for websites, HTTP is the way to go.
• HTTPS stands for “HyperText Transfer Protocol- Secures.” As with HTTP, it’s the way your browser gets info from your server but, in this case, it does this over a secured connection. This is secured with an…
• SSL certificate- which stands for “Secure Sockets Layer.” This is they piece you need to transform an HTTP website into an HTTPS one. You’ll have to purchase a certificate from a credible provider, if you want an HTTPS website.

Understanding that, I approached KnownHost with a couple questions:

What does an SSL certificate do for a website- in layman’s terms? Is there a good analogy to describe how it works?

An SSL protects login information or other user details being sent between the browser and the server. A good analogy would be that the server has a key and your browser has a key. When sending the information, that information is in a virtual “locked chest” and both keys (one of which your browser has and other the server has) are needed to open that chest and transfer that information so someone in between cannot read it.

What do most business owners mis-understand about and SSL certificate, in your experience?

Many businesses believe that SSL certificates will protect their website 100% from those looking to exploit their Wordpress or Joolma websites. This is not the case as an SSL only protects information being sent (for example, via a login form on the site).

With an SSL in effect, the browser sends a copy of the SSL certificate and then the browser will perform a check to ensure the SSL is trustworthy. If it is, it sends a digitally signed acknowledgment to the server to start an SSL encrypted session. Then the encrypted data is shared between the browser and the server.

Why do you think Google is recommending this?

Although we don’t have any direct information from Google regarding their reasons for making this recommendation, we believe Google is recommending this to help ensure users’ faith that their information is safe when they access a website using Google’s search results and to deflect any possible blame on Google for stolen personal data.

Does that help demystify this for you? As you can see, HTTPS is not the panacea some people think. That being said, if you want to make this migration, please take a look at some of the common mistakes I’ve noticed that people make during this transition.

Common Mistakes when moving to HTTPS

Not using a valid SSL certificate

Have you ever tried to visit a website only to get a page from your browser, asking you to make an “exception”? That’s because someone is trying to run an HTTPS website without a valid a SSL certificate. It could be that someone is too cheap to buy one. It might be because their certificate has expired. It’s no good to have an HTTPS website if every one of your visitors hits this “exception” page. Keep your certificate up-to-date!

Thinking this makes your entire website secure

Whether it’s vandalism or malicious, more and more websites are getting hacked these days. In fact, it’s so common that Google has recently hired a large team just to handle reconsideration requests from hacked websites. Yes, you read that right: if your website is hacked Google will “penalize” it (to protect its users) and you’ll need to file a reconsideration request as if you have a search engine penalty. That sucks. I’ve seen this happen to a lot of websites recently.

That being said, as Chris mentioned above, and SSL certificate won’t protect you from all hackers. It will help protect login information, so people can’t get your password (as easily). It can help protect credit card data too, as it’s transferred to your payment gateway. However, an SSL certificate doesn’t protect you from all forms of hacking. In other words, don’t think this will stop your hackers.

Thinking this will make you “rank”

I sigh just thinking about this claim. Sure, Google announced that this will be a part of their algorithm. In fact, in January, they made this an official part of their Webmaster Guidelines. So, I have to admit, this might give you an edge over your competitors’ websites- if all other factors are the same. Don’t forget, there are hundreds of ranking factors in Google’s algorithm. This is only one- and we don’t know how much more (or less) Google weighs it along with the many others.

The fact is there are probably a ton of other things you need to do first, before you’re at the point where this is the only difference between you and the other competing websites in your SERPs.

Besides, ranking is a poor way to measure you SEO efforts, anyway.

Using a 302 redirect

Whenever I see this I know exactly what happened: somebody read somewhere that having an HTTPS website will help you get more traffic from Google. That sounds good to them so they go to their developers and ask them to make this happen. The developer is busy on Reddit so they throw it up using a default redirect and they can get back to more important things.

Unfortunately, by default, most servers use a 302 redirect. From a human perspective, that’s fine- you still end up on the right page. Unfortunately, if Google sees you’re using a 302 redirect you are telling it, “I’m not here, right now, but I’m coming back later.” While Google will crawl the page at the end of the redirect, it will not pass the link authority to the destination page- you’re coming back, after all. As a result, Google starts ranking those new pages as if they don’t have any links- and your organic traffic drops off a cliff.

What you should have done is told your developer to take 15 extra seconds to use a 301 rather than a 302 redirect. This way all those links that were pointing to your old, HTTP website now get credited to your new, HTTPS website- and you won’t suffer from a loss of traffic, either.

Inconsistent URLs

You’re not done when you use a 301 redirect. Don’t forget to update your URLs, too. There are several places this can go wrong.

1. Make sure your canonical tags each use HTTPS now or you’ll send Google a mixed message: you’re 301ing your URLs but the canonical tag says that’s not the right URL.
2. Make sure the URLs in your your XML sitemap uses HTTPS now. Your XML sitemap is a great way to tell Google all your pages but, if they have to pass through a 301 redirect, you lose a little link authority with each redirect.
3. Update internal links to HTTPS. When someone moves between HTTP and HTTPS the HTTPS website loses referring information. If you don’t update your internal links, your web analytics data might stop showing how people are actually coming to your site. Without that information, you won’t be able to make accurate marketing decisions.
4. Update images and scripts to HTTPS. If a page has some HTTP and some HTTPS assets requested, most modern browsers will throw a “caution” to users (usually with a yellow notification near the URL field). While this isn’t a big deal, don’t give your visitors reason to doubt your website’s credibility. Make sure you’re accessing your javascript, CSS, videos, images, etc over HTTPS, too.
5. Don’t forget to update your PPC campaigns, too. AdWords will freak out if you send their visitors through a redirect.

Not changing Google Analytics

When you setup your Google Analytics account you probably set your website to HTTP. Now that your website is HTTPS, you’ll need to go into your admin and update this. You’ll find this under Admin. Look for your “Property” (in the middle column) and select “Property Settings.” On this page you’ll see your Tracking Id, Property Name and the Default URL. Make sure your “Default URL” is now set to https://

Not changing Webmaster Tools

Webmaster Tools (okay, Search Console- old habits die hard) is finicky. It only gives you data for the exact website you give it. That means, if you are running a WWW website but only verify WMT data from the URL without WWW, you’re actually not getting the complete data.

The same is true for HTTPS websites. To get the correct data you’ll need to verify your website again, using HTTPS. In fact, it’s interesting to watch Google index your HTTPS site while it de-indexes your HTTP site. Keep both profiles open, for a while at least. You’ll see Google at work.