The Great HTTPS Migration

Most websites have been using the http protocol for many years without issue. The protocol used to access a website is rarely something most users consider or understand. Which is understandable, since the onus is on web developers to determine the protocol used when someone types in a website URL. For instance, the user types in “google.com” and the developer chooses to redirect to www. and also https instead of the default http.

HTTPS Migration

The user only cares that they see that green padlock and the word “secure” when they’re entering sensitive data, like typing in their account number on a banking website.

For the most part (whether justified or not), https has been used only for websites where customer security was important, like an e-commerce or banking website. However, in recent years, there has been an increase in attacks that exploit the http protocol, such as man-in-the-middle attacks, which include eavesdropping, manipulating data, and more advanced phishing techniques.

It’s also a lot easier and cheaper (including free options) to obtain and set up https now, so even for websites that don’t require it, https should be the default for all sites going forward. You’ll also get a slight SEO ranking boost!

Google recently sent all customers who use Webmaster Tools a message like the one we got:

Google Search Console

Google is letting people know that starting sometime in October 2017, if your website URL does not use https and you have forms on your website, the Google Chrome browser will start showing a “NOT SECURE” warning to the user when they enter data into the form. They will also show this warning at all times to the user if they browse your website in Incognito mode, even if they don’t fill out a form at all.

This change will likely affect many websites, and it’s a bold move by Google to push the advancement of security on the internet as a whole. This is just the beginning of its long-term goal of showing this warning to all http protocol websites when using Google Chrome. The timetable for this long-term goal is still unknown.

Google Chrome is by far the most widely used browser, so this is a big and important change. It’s highly likely all other browsers will follow suit.

What This Means

Every new website should be developed with the intent of serving it over https

For existing websites that have forms, we recommend switching your website protocol to https as soon as possible to ease customer concerns.

For existing websites that do not use forms, there’s more time before this switch is necessary, but stay tuned for when Google announces the next part of its long-term goal.

How It’s Done

Before a migration from http to https can occur, you need to go through the following steps:

  • Crawl the website to create an audit of all the content in its current state.
  • Make sure you truly understand the current website architecture and the hosting platform.
  • Choose the certificate type that works best for your domain: single, multi-domain, or wildcard.
  • Set your expectations:
    • You should expect a temporary dip in website ranking after the change while search engines figure out that you are no longer on http (which is considered a completely different website). It shouldn’t be too drastic, and it should recover quickly if everything is set up correctly.
    • Any sort of social counter may be reset, depending on the social platform’s API.
    • Expect a cost for the certificate, per year.
    • Certificates expire, so make sure you have a plan for how to renew (or set it up to renew automatically).

Steps to implement:

  1. Purchase an SSL/TLS certificate. Google recommends getting a certificate with a 2048-bit key.
  2. Make sure https is enabled on the server.
  3. Install the certificate.
  4. Visit the site in https mode and change all links and fix all mixed content errors.
  5. Test everything.
  6. Redirect all traffic to only https.
  7. Test again.
  8. Generate a new site map.
  9. Run the site through a content audit tool again to make sure a crawler is seeing the same pages as before the change.
  10. Tell Google Webmaster Tools to recrawl the website.

Or, you can contact us. We can help you with this.