HTTP or HTTPS this is the question.
If you browse through the Internet, you may notice that some of the URLs have HTTP while other have HTTPS prefix.
To a guy surfing the Internet, no matter how intriguing this may be, it doesn’t represent any cause of concern. And to be perfectly honest, most of the casual users will not pay attention to this even when they learn why it is used for.
What are HTTPS and SSL?
Use of HTTPS is more of a technical nature. It stands for Secure HyperText Transfer Protocol. As its name implies, transfer protocol secures receive data on the web. The main difference between HTTP and HTTPS is that the second one is secured.
Computers require a code which can be used between them. It is a very important part of internet security as this code allows them to scramble messages making it hard for outside entities to read them.
Code is used on a Secure Sockets Layer or SSL (otherwise known as Transport Layer Security or TLS). With this additional security option, computers are able to exchange data.
Now, the main question for you as a website owner is why would you change to HTTPS?
Benefits of HTTPS
HTTPS is something that is supported by Google.
As we all know, there are numerous potential dangers whenever you go to the Internet. Data theft is as common as subscribing to a website. It makes it even worse when we realize that some of the websites are scraping your personal information and selling them to the highest bidder.
Although we are unable to do anything about websites that we are visiting, we are able to protect our own information from third parties that may interfere with our web activity.
Having a HTTPS is much better, not only for your visitors, but for you as a website owner.
Given that Google is always trying to improve user experience, it is only normal that this search engine would reward all the websites that have implemented this type of a protocol.
Having HTTPS affects your rankings and gives you a little nudge. However, do not expect miracles from it as it is just a minor factor. Nevertheless, this behavior by Google clearly shows us which way the Internet as a whole is going.
Image taken from Ahrefs.com
Now, let’s get to three main benefits:
- Encryption– It allows all the data on your website to be encrypted. So, whenever a website visitor is accessing this information, third party will not be able to gain insight into his activity or to steal his information.
- Data integrity– During the transfer, all the data will remain intact. If some disturbance does occur, it will be detected. For example, whenever you use credit card to purchase in a browser, you can rest assured that you data will be safe.
- Authentication– With authentication, it is possible to establish whether a user is communicating with the right website. It is a great way to prevent third parties from interfering with sensitive business transactions.
Who should use HTTPS?
Based on what we have said, HTTPS is something that every website can benefit from.
Basically, we are progressing towards a type of network where users and websites will be protected from outside interference. It is safe to say that such a protocol will become a standard in a few years and it is only a matter of time when everyone will have them.
Nevertheless, until that time comes, it is presented as something that can benefit your SEO. With this smart move by Google, the integration process will only be quickened.
When we talk about types of website that benefit the most, it is obvious that online stores have most to gain from it. Every transaction performed on the Internet holds certain risks. By using a HTTPS, you are able to mitigate a big chunk of them.
Difference between HTTP and HTTPS
Main purpose of HTTP is to present information to end user. This protocol does it through a web browser. All these browsers are able to decipher the data. Based on this function, browser is able to tell what we want whenever we click on something.
The main problem with HTTP is that this protocol cannot do much more than that. For example, when data travels from one point to another, there is no way for data to be protected with HTTP as it only helps with deciphering and presentation of information.
HTTPS is much more different in comparison. It doesn’t only read information, it is also able to distinguish sender from receiver. This is very important for numerous internet transactions and credit card payments.
Here, SSL is able to encrypt the data before sending it to receiver. Due to this, third party is unable to interfere in any way. Even if the person could get a hold of these data, he wouldn’t able to decipher it. User gets a certificate that is specially encrypted. It has a unique code that cannot be found anyplace else.
However, in order for a certificate to be issued, website owner has to submit a lot of different data such as server host, name of the website etc. Abundance of data secures its complexity and uniqueness.
HTTPS, browsers and certificates
When browser starts analyzing a HTTPS website, it uses a certificate to establish whether the user and website are legit. After confirming it, the encryption is negotiated between the browser and web server. SSL certificates are able to work with two keys, a private and public one. In conjunction, they are able to create a before mentioned encrypted connection.
In order to get a certificate, website owner must create a CSR or certificate signing request. After getting it, he can install it on server. Naturally, each server has a different set of instructions for installation so it is something that varies.
There is one crucial thing you have to know about certificates; they can vary when it comes to authority. Basically, anyone can make a certificate. However, there is a list of organizations that are authoritative enough to create them. Each browser has a list of organizations that are regarded as trustworthy. Luckily, if you wish to get into business of creating certificates, you can submit a request and then, you will be audited based which you may or may not pass.
Each time a browser tries to connect to a secured website, the process called SSL Handshake will occur. It creates a connection between the two and establishes whether they can be trusted.
SSL uses three keys for creation of connection, previously mentioned public and private as well as session key. Public and private keys are used during the handshake to create the third, session key. After that, the session key is encrypting all the data.
- Browser initiates a connection with a protected website. After that, server needs to identify itself.
- Server sends SSL certificate together with a public key.
- Browser checks it. If everything is ok, it creates a session key back to server.
- Server reads the data from session key and after that, the session begins.
- All the transmitted data is encrypted from this point onward.
What are the things HTTPS cannot help us with?
Naturally, this protocol has only a limited use. As we mentioned before, its main concern is protecting data that is downloaded or uploaded on the internet. It can also help with authorization, confirming the identity of a web user.
Although it has numerous benefits, it is not omnipotent. It will not protect the website, only the data which is accessed by your visitors through a browser.
According to searchengineland.com here are the things from which HTTPS cannot protect us:
- Downgrade attacks
- SSL/TLS vulnerabilities
- Heatbleed, Poodle, Logjam, etc.
- Hacks of a website, server or network
- Software vulnerabilities
- Brute force attacks
- DDOS attacks
Besides HTTPS, your website will also need a standard protection as it did beforehand. Nevertheless, by adding HTTPS, you will be able to encompass a much larger number of issues.
What are the issues when switching to HTTPS?
Although having a HTTPS is much better and it brings us numerous benefits, there are certain downsides. The biggest issues may appear when switching from HTTP to HTTPS.
According to Google, changing from one to another protocol is regarded as if you moved the entire website. Furthermore, this minor change in one letter is seen as URL change due to which your website may experience following problems:
- Traffic fluctuation– Given that you are moving entire website and changing URL, your traffic is bound to suffer for a while. At first, Google will have trouble reindexing and recrawling all the pages. Nevertheless, it will take a while until it’s done and until that moment, you will have to be patient. Occasionally, robots may be prevented from crawling the resource which may lead to additional troubles. Of course, larger websites with more pages will take more time to restore their previous traffic and rankings.
- Server speed is another thing that needs to be taken into consideration as it will impact how fast robots can crawl your website. Entire process can be rushed if you submit your sitemap.
- Issues with content– Switching to HTTPS can lead to various content issues. Some of your content may be duplicated so you will have both HTTP and HTTPS version. Besides that, your previous content which existed on HTTP website may convert improperly on HTTPS domain.
- HTTPS and change in rankings– As previously mentioned, Google incites website owners to change to HTTPS by giving them a minor rankings boost. You need to be realistic about you expectations as this boost is only minor and will not have a significant impact on your positioning. Anyway, the biggest benefit of having HTTPS is the additional protection and that is thing on which you need to focus.
- Additional info– In case that this wasn’t enough and you are still encountering certain problems, you can check these two resources: thread by John Mueller and Google webmasters. Here, you can find some additional tips by Google that can help you resolve any issues you might have encountered after the switch.
Things which you need to avoid
Problems we mentioned in previous chapter are just a part of the story and they mostly refer to things which we cannot control. On the other hand, there are numerous issues which may be caused by our neglect.
In order to switch properly to HTTPS, here are some of the things they need to do:
- Your certificate needs to be up to date
- That same certificate needs to registered to a proper website
- Get your certificate from a valid certificate authority. Certificate will be a secure code specifically made for you.
- Sometimes, SNI (or server name indication) may be missing
- Make sure not to block crawlers from accessing certain pages
- You will have to get the newest OpenSSL version as the older SSL may be vulnerable
- Embed HTTPS content on HTTPS pages
- Make sure that you have the same content on your HTTPS version as you had on HTTP
- Website needs to return the proper HTTP status code
If you are thinking about creating a website, it is best if your protocol is secured.
On the other hand, for those who already have a HTTP website make sure to switch. If possible, this switch should be performed during industry’s off-season as it will give crawlers time to go over your pages and index everything. This way, you are making sure that the loss of money will be minimal.
Even though switching to HTTPS may be bothersome and cost you financially, it is inevitable. In time, all the websites will have it and it would be a bad sign if you didn’t.
As we mentioned in the opening paragraphs, most people will not even notice the prefix. However, for few of them who do and who know what HTTPS means, it will be a sign of trust. It will convince them to purchase from your website as their personal data will be protected and there will be nothing for them to worry about.