Making the leap: Should you Kermit to HTTPS?
HTTPS looks risky from some angles. Is the danger real or might it be more dangerous not to make the jump?
While searching for the location of the soul, 19th century German physiologist Friedrich Goltz observed that frogs did not attempt to escape hot water if it was heated slowly enough. The same results were produced by his contemporary WT Sedgwick, who noted that “the temperature was raised at a rate of 0.002°C per second, and the frog was found dead at the end of 2½ hours without having moved”. They claimed that the poor frog had not responded to the changes in its environment because they were so gradual. To make matters worse, the location of the soul remained a mystery.
Google’s mobile update back in April 2015 flash-boiled the pot and caused a lot of webmasters to jump out of the water and sort out their websites pronto. “Mobilegeddon” is about as far as it’s possible to get from the more subtle warming we’re seeing with Google’s approach to HTTPS.
“Why would I need to change my website? Everything’s fine” (image)
What is HTTPS for?
HTTPS is about security. About safety. It’s not exciting or explosive like, say, “mobilegeddon” – at least not at first glance. It’s a communication protocol (a set of rules for how computers talk to each other): ordinary HTTP carried over TLS (Transport Layer Security) or its predecessor SSL, which encrypts the connection. Ribbiting.
Jargon aside, it’s what stops the bad guys from seeing or tampering with the information passing between your computer and a website you’re visiting. It gives you three things:
- Authentication – “Am I talking to who they claim to be?”
- Data Integrity – “Has anyone tampered with the data?”
- Encryption – “Can anyone see my conversation?”
With ye olde unencrypted HTTP, hard drinking desperados in balaclavas could do a man-in-the-middle attack in which they eavesdrop on the details of your purchase of slippers for your gran. After this either (a) your bank phones up to check if you really did buy a plane ticket to Khabarovsk or (b) the rent doesn’t get paid and you get evicted. This is not funny and the people with influence over how the internet works don’t think so either.
“I’m an identity thief by trade. For me, HTTPS is a real headache” (image)
How many websites use HTTPS?
HTTPS looks like the obvious choice for a protocol – but how many websites have switched? 39.8% of the web’s 141,383 most popular websites used HTTPS as of 5th March 2016 according to SSL Pulse, “a continuous and global dashboard for monitoring the quality of SSL support across the top one million web sites”:
The number of secure sites in the sample increased by 2.5% in just one month as of March 2016.
Google’s latest transparency report supports the SSL Pulse data. The stacked bar chart below shows the HTTPS status of the top 100 non-Google websites by traffic. By Google’s estimates, these websites account for “approximately 25% of all website traffic worldwide”:
While there are varying levels of implementation, “Works on HTTPS” is the most important measure to look at if we want to understand the extent of HTTPS uptake across this section of the web because we’re primarily interested in the adoption of the concept of HTTPS by webmasters. We’re at about 40% here according to Google.
While it used to be the case that SSL certificates cost money, certificate authorities are offering free HTTPS certificates in increasing numbers.
- Let’s Encrypt offered the first free digital certificate in September 2015
- Symantec, previously charging $1,000+, is now offering free certificates
- Cloudflare has been providing free universal HTTPS security since September 2014 – the key difference from Let’s Encrypt being that the encryption terminates at Cloudflare’s proxy rather than on the website’s own server.
Google itself is leading the march to HTTPS by example. The graph below from the transparency report shows the percentage of requests to Google’s servers which used HTTPS:
To quell any remaining doubts on Google’s dedication to HTTPS adoption, Webmaster Trends Analyst Gary Illyes had this to say:
Why isn’t everyone using HTTPS already?
Why don’t all webmasters go secure today? There are some good reasons when it comes to SEO.
Here’s what happened to Wikipedia’s organic visibility when it went secure in June 2015:
Visibility dipped at the time of the switch to HTTPS (SearchMetrics data). Only the acute dip correlates with the switch; Wikipedia’s visibility was already on a downward trend.
Making a website secure using HTTPS is a form of migration – the content of the website is going to be moved from the insecure HTTP URLs to new secure HTTPS URLs. The word “migration” often strikes fear into the hearts of anybody who has a stake in a website’s organic traffic and revenue – and rightly so. Migrations are the riskiest things which can happen in a website’s lifetime – resource and effort need to be spent on ensuring they are done correctly. Googlebot is going to need to update the entirety of your website’s presence in its index. Even if everything goes perfectly from a technical standpoint, there is still likely to be a dip in organic traffic and revenue for a brief period as Googlebot adjusts to the new setup. It’s risky jumping out of the bowl – you could land upside down and are pretty much guaranteed to at least graze your knee.
Frog in your throat? If that wasn’t enough:
- HTTPS runs (a tiny bit) slower than HTTP
- All resources need to be on HTTPS (CSS, JS)
- Internal links, sitemaps, canonical tags, robots.txt and analytics tracking codes need to be updated
- HSTS (HTTP Strict Transport Security) should be enabled in addition to HTTPS, requiring further technical resource
- HTTPS may interfere with the functioning of ad networks
- Social shares for some platforms require migration & management to retain social proof.
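A check for the “all resources need to be on HTTPS” item above, as an added example that is not code from the article: a small scanner that flags sub-resource URLs still served over plain HTTP in a constructed page fragment. The `cdn.example.com` and `www.example.com` hostnames are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that pull in sub-resources. A plain http:// value in one of these
# is mixed content once the page itself is served over HTTPS; navigation links
# (<a href>) are left alone because browsers do not block those.
RESOURCE_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
    "link": ("href",), "source": ("src", "srcset"), "video": ("src", "poster"),
    "audio": ("src",), "object": ("data",), "form": ("action",),
}

class MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, url) for sub-resources still on plain HTTP."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in RESOURCE_ATTRS.get(tag, ()) or not value:
                continue
            # srcset holds "url descriptor, url descriptor"; check each URL
            parts = value.split(",") if name == "srcset" else [value]
            for part in parts:
                url = part.strip().split(" ")[0]
                # protocol-relative (//host/...) and https:// are fine
                if urlsplit(url).scheme == "http":
                    self.findings.append((tag, name, url))

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed page fragment: two sub-resources still point at plain HTTP.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="http://cdn.example.com/analytics.js"></script>
</head><body>
<img src="//cdn.example.com/logo.png" srcset="http://cdn.example.com/logo@2x.png 2x">
<a href="http://www.example.com/about">About</a>
</body></html>"""
```

Run `find_mixed_content` over each migrated template before the switch; anything it returns will be blocked or downgraded by the browser once the page is HTTPS.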
“Maybe I’ll just stay here on this leaf” (image)
If you were the in-house SEO for an ecommerce website, would you want to go hopping over to the C suite with a recommendation for going secure if you knew the risks and potential drawbacks? You’d need a powerful list of longer term benefits to the business as well as the security reasons we’ve already covered. Slowly, gradually, imperceptibly, these benefits are getting easier to find.
HTTPS is a ranking signal. Google stated this directly on the Webmaster Central Blog way back in August 2014:
“we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content— while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it”.
In an experiment performed by backlinko.com, HTTPS was found to be moderately correlated with higher rankings on page 1 as shown in the graph below:
Moz’s mean Spearman’s correlation for use of HTTPS and rank showed an even lighter effect at 0.04, supporting Google’s assertion that HTTPS is indeed a real but lightweight signal.
In Summer 2015, Gary Illyes stated that the signal serves as a dealbreaker only when all other ranking factors are essentially equal:
So most webmasters aren’t going to leapfrog over their competitors just by implementing HTTPS – at least not yet.
How long will the HTTPS ranking signal remain weak? While we can only speculate at the moment, Google has left its Webmaster Central Blog statement intentionally open and subject to change:
- “for now” it’s only a very lightweight signal.
- It’s a lightweight signal “while we give webmasters time to switch to HTTPS”
- “over time, we may decide to strengthen it”
Google has been known to increase the strength of its existing ranking signals. The mobile friendly ranking boost is a clear example, with the original boost taking effect on April 21st 2015 and a further boost announced on March 16th 2016 which will reportedly be implemented in May 2016.
What does the perfect HTTPS setup for SEO look like?
How do the pros do it?
- HTTPS is switched on and appears in URLs
- All 4 possible HTTP/HTTPS and www/non-www combinations are consolidated into just one HTTPS URL
- Redirect chains are avoided – every redirect leads directly to the canonical version of the content, ensuring maximum link equity is retained.
- 301 redirects are used as opposed to 302 redirects, signaling to Googlebot that the redirects are permanent.
Detailed guidelines are provided by Google here: https://support.google.com/webmasters/answer/6073543?hl=en
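One way to audit the four-variant consolidation, redirect chains, 301-versus-302 and HSTS points from the checklist above, as an added example rather than anything from the article or from Google’s guidelines. `fetch` is an injectable client that does not follow redirects; here it is backed by a constructed response table for a placeholder `example.com` so the audit runs offline.

```python
from urllib.parse import urlsplit

CANONICAL = "https://www.example.com/"  # assumed canonical origin (placeholder domain)

# Constructed responses standing in for a half-finished migration: the bare
# HTTP host reaches HTTPS only through a two-hop chain, and the bare HTTPS
# host uses a temporary 302 instead of a permanent 301.
RESPONSES = {
    "http://example.com/": (301, {"Location": "http://www.example.com/"}),
    "http://www.example.com/": (301, {"Location": "https://www.example.com/"}),
    "https://example.com/": (302, {"Location": "https://www.example.com/"}),
    "https://www.example.com/": (200, {"Strict-Transport-Security": "max-age=31536000"}),
}

def table_fetch(url):
    """Stand-in for an HTTP client that does NOT follow redirects: (status, headers)."""
    return RESPONSES.get(url, (404, {}))

def origin_variants(canonical):
    """The four scheme/host combinations that must all collapse to one URL."""
    host = urlsplit(canonical).hostname
    bare = host[4:] if host.startswith("www.") else host
    return [f"{s}://{h}/" for s in ("http", "https") for h in (bare, "www." + bare)]

def audit_origin(url, canonical, fetch, max_hops=5):
    """Follow one variant hop by hop and list the problems the checklist names."""
    problems, hops, current = [], [], url
    while current != canonical and len(hops) < max_hops:
        status, headers = fetch(current)
        if status not in (301, 302, 307, 308):
            return [f"{current} does not redirect (status {status})"]
        if status != 301:
            problems.append(f"{current} uses {status} rather than a permanent 301")
        hops.append(current)
        current = headers.get("Location", "")
    if current != canonical:
        problems.append(f"{url} never reaches {canonical} within {max_hops} hops")
    elif len(hops) > 1:
        problems.append(f"{url} reaches the canonical URL via a {len(hops)}-hop chain")
    return problems

def audit_site(canonical, fetch):
    """Audit every non-canonical variant, then HSTS on the canonical response."""
    report = {v: audit_origin(v, canonical, fetch)
              for v in origin_variants(canonical) if v != canonical}
    status, headers = fetch(canonical)
    if status != 200 or "Strict-Transport-Security" not in headers:
        report[canonical] = ["canonical URL does not send Strict-Transport-Security"]
    return report
```

Against a live site, replace `table_fetch` with a client configured not to follow redirects; an empty list for every variant means the setup matches the checklist.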
User trust implications
Warning! – a red X over a padlock will appear in front of all URLs not using HTTPS in Google Chrome in the near future. An example of what this might look like is shown below:
Which basically to your mum means this:
This alarming indication of the lack of HTTPS is in a highly prominent position and will be noticed by most users. How they will act in response to it remains to be seen, but it is likely that trust in websites prominently marked as unsafe will be weakened. Visiting and browsing a website is one thing, but sending payment information to it is quite another, and this may show up as a decreased willingness of online shoppers to buy from websites not using HTTPS. This could have a noticeable effect on conversion rates. Rising awareness of cyber-crime and the risks involved in online activities involving personal information is only likely to strengthen this effect.
Turning up the heat
Ranking signals and browser security alerts may have raised the temperature enough for some webmasters to take action and leap from the pot, but it’s unlikely that the majority will have been affected – probably because the user trust implications are not yet widely known. While things are getting decidedly warmer, something else may be needed to deliver that final hop-inducing stimulus. That something might just be the arrival of HTTP/2 – the first update to the language of the web in over a decade.
Getting warmer but still on the pot (image)
HTTP/2: Better safe than slow
It’s not just user trust and SERP rankings which could suffer if webmasters don’t act on HTTPS. For the first time in 17 years, a new version of the HTTP language itself has been created – HTTP/2. It’s faster: see for yourself. The main difference is that HTTP/2 can get all of the resources required to load a webpage in a single request, including resources which may or may not be required as the user browses and interacts with the page. The standard version of HTTP (HTTP/1.1) does not perform well when retrieving the large number of resources required to display a modern website because the web was a very different place when HTTP was devised:
How widely used is HTTP/2?
The graph below shows that adoption has approximately tripled in 2016 alone.
What does this have to do with HTTPS?
- “no browser supports HTTP/2 unencrypted”
- “Although the standard itself does not require usage of encryption, most client implementations (Firefox, Chrome, Safari, Opera, IE, Edge) have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory”
If you want your website to be a part of the new faster web, you will have to migrate your website to HTTPS first – it’s de facto mandatory. It’s better to be safe than slow.
HTTP/2 and your SEO
- HTTP/2 is fast, and fast is good for SEO. Web pages which load quickly frequently outperform slower pages in experiments measuring the effect of loading speed on organic conversion rate.
- HTTP/2 is particularly beneficial to the speed of mobile websites – as latency increases (mobile browsing is often high latency), the beneficial effect of HTTP/2 is more pronounced, positively impacting UX.
- Page speed is already a ranking factor so switching to HTTP/2 could provide a boost. It’s entirely possible that, given its significance in the history of the web, the usage of HTTP/2 itself on a webpage could one day become a ranking factor.
Unlocking these benefits requires the use of HTTPS on your website. While Google can’t yet crawl “HTTP/2 only” webpages, it is expected to be able to very shortly according to John Mueller who spoke about the subject in a webmaster hangout in November 2015.
It boils down to this:
- HTTPS websites rank a tiny bit better now but this could get stronger.
- The page-speed benefits of HTTP/2 are only available over HTTPS and faster pages rank and convert better in general.
- Non-HTTPS websites are soon to be shamed by Google Chrome with a big red X before the URL.
If your webbed feet aren’t twitching at that last one, you must be mad as a box of frogs. Will this raise the temperature just enough to see more webmasters jumping out of the water and getting HTTPS? Good god I hope so.
The analogy has come to the boil (image)
The experiments conducted on frogs in the 19th century by Goltz & Sedgwick inspired modern consultants to try to save companies from being boiled by the gradual changes in their environment by telling them a story which has now been recognized as a canard. When asked for his professional opinion on the boiling frog story, Dr. George R. Zug, curator of reptiles and amphibians at the National Museum of Natural History declared “Well that’s, may I say, bullshit”.
Fast Company conducted a similar experiment with the help of J. Debra Hofman, research associate at MIT’s Center for Information Systems Research. The frogs safely exited the warm water in good time and landed with style. “There are certain cases where gradual change is almost preferred,” Hofman commented. “The change myth assumes a very narrow view of people. If frogs can do it, people definitely can.”
“Go for it!” (image)