Should you switch your site from http to https?
In September Google announced that websites would receive a minor ranking boost by using Secure Socket Layer (SSL) technology and switching from HTTP to HTTPS. Now that the 'dust has settled' a little, this post looks at the 'Pros' and 'Cons' of making the switch.
Google has stated that it would be a 'very lightweight signal' within the overall ranking algorithm and carried 'less weight than other signals such as high-quality content; Google webmaster trends analysts Zineb Ait Bahajji and Gary Illyes went on to say that Google
'would like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.'
As a result, the search marketing community went into overdrive, blogging, tweeting and commenting on the reports. Many webmasters and business owners were soon requesting information and guidance on moving to SSL and companies were producing white papers on the topic.
Search Engine Land produced an interesting article about the buzz that the news from Google generated on Twitter, with lots of amusing tweets from web users and SEOs alike.
But should your business make the switch?
Here are some pros and cons of changing your website from HTTP to HTTPs
The most obvious benefit, and what SSL was developed for, is the security of data and the associated trust that consumers place on your site as a result.
Cyber theft is on the increase and customers all around the world are becoming more concerned about identity theft and credit card fraud.
Because of this, they are more aware than ever of what SSL certificates are and the protection they offer against unauthorised access of personal data.
Symantec, a well-known supplier of SSL certificates, carried out a study in 2013 which found that:
- 80% of customers knew to look for the padlock icon signifying SSL encryption
- 81% knew to check for the secure internet connection in their browser (HTTPS)
- 75% of respondents stated that they would abandon an online transaction if they felt that the website was not secure
- 55% knew to look for the green bar in the address lines indicating that an Extended Validation SSL certificate was in place
- One in three of the respondents said that the lack of a trust seal would deter them from completing their transaction
Additionally, as previously mentioned, Google has recently stated that it will provide a small (unquantified) ranking boost to sites that have implemented SSL.
But what about the disadvantages?
SSL certificates do cost money. While they're not as expensive as they used to be, an Extended Validation SSL certificate from a reputable supplier could set you back anything between £200 and £1000 a year – depending on the type of certificate and the vendor.
SSL connections require an initial handshake before data can be transmitted securely. The amount of data isn’t huge (typically under 5 kB) but for requests for small amounts of data this can result in a significant overhead.
In addition, data transmitted via HTTPS is often not cached. This means that every element needs to be reloaded each time a visitor moves from page to page, resulting in slower loads for every page requested from the server.
In 2010, Google claimed that sites that are optimised for speed would also receive a ranking boost. The company stated that 'currently, fewer than 1% of search queries are affected by the site speed signal' - which is the same percentage of queries said to be affected by the recent SSL update.
So, by moving to SSL, site owners may gain a boost from having a secure site but this might be negated by the corresponding decreases in page speed.
However, webmasters shouldn't avoid the move to SSL just because of the speed issues. There are ways to improve the speed of SSL connections – notably by using the SPDY protocol.
SPDY (pronounced speedy) is a networking protocol developed primarily at Google for transporting web content, with particular goals of reducing page load latency and improving security.
The Yoast website has some interesting comments on this. The optimisation company known for the WordPress SEO plugin, states on their site that 'always had every page that contained a contact form and our checkout pages on HTTPS and everything else on HTTP. The reason for this was that HTTPS was slower than HTTP and we’d rather not put everything on HTTPS because of that.'
But they also stated that 'Google’s recent work on SPDY actually negates most of that speed issue though, if your hosting party supports it.'
Considering this is from the team that supported the Guardian in their mammoth task of moving from a .co.uk to a .com domain, it's advice worth following.
SSL can be tricky to install and if implemented incorrectly, could actually cause more problems than it solves. The comments on Dave's original alert on the new ranking factor gave examples of lost rankings and this case study from Buffer shows a more recent problem - look before you leap! Buffer reported in their post on their experience:
"Here’s a look at our organic traffic in isolation. The orange line is our traffic before the switch; the blue line is after. Yikes, right?"
Avoid SSL migration issues
It seems that this was a bug in Google's implementation, but it still shows the risk. Here are some of the other issues that could result from a poorly executed SSL migration that I recommend to plan against.
If your web developers do not correctly implement redirection of the old URLs (HTTP) to the new ones (HTTPS), then your site would end up with what Google sees as duplicate content.
Once you've completed the migration, it's worth checking that the old URLs redirect to the new ones. Similarly, there should only be one version of the new URL with or without the www (e.g. www.example.com vs example.com). Alternatively you can use the rel=canonical link tag to specify the preferred version of the page to search engines.
Many CMSs, by default, use absolute URLs (which include the protocol – http/https and the domain) for links and embedded media files.
What this means is that links embedded into content on pages would still have the old (HTTP) URLs. If 301 redirects are implemented to point the old links to the new ones (which is good SEO practice), then this will result in lots of internal 301 redirects.
SEOs have different views on how bad internal 301 redirects are for SEO but what we do know is that Google interprets internal 301 redirects to the homepage as a 404 (or page not found) – which is not beneficial to SEO.
John Mueller of Google confirmed this during a Webmaster central hangout in 2013. That means that if you 301 internal pages to the homepage, they won’t pass PageRank.
Another side effect of absolute URLs being embedded into pages is that users are then presented with content including the old unsecured assets over a secure connection.
This results in mixed content, whereby some assets are delivered over HTTPS and others through regular HTTP. Mixed content will throw up errors in modern browsers – normally by altering the padlock icon in a user's browser.
This is a common problem for webmasters. Qualsys analysed the home pages of about 250,000 secure sites from the Alexa top 1 million list, and found that 22% of them included unsecure content.
During the migration, you should set all internal assets to use relative rather than absolute URLs.
For external resources, such as third-party scripts and iframes, you'd need to load them using the secure (HTTPS) protocol, if the external resource is available over SSL.
It should be noted that different browsers handle mixed content differently. Qualsys provides a tool (SSL Labs) that let's you know which types of assets that present mixed content errors in different browsers – a page which ironically throws up mixed content errors in Google Chrome.
Loss of some link juice
Even if you successfully implement SSL and the migration is handled properly, your site may still lose some of the 'link juice' from inbound links.
The reason for this is as old as the PageRank algorithm itself. Every followed link that Google identifies passes some PageRank from the source to the target page. However, to avoid issues with infinite loops from reciprocal linking, there is a decay factor of around 10-15%. This is explained in detail on Matt Cutts's blog.
Google has also previously stated that the decay for a 301 redirect is around the same as a regular link. So, site owners can expect to lose between 10-15% of their inbound link juice as a result of implementing a 301 redirect from their HTTP to HTTPS website.
Conclusion - moving to https
For many industries, such as financial services and legal sectors, and any sites that handle sensitive customer data, requests should be encrypted to and from the server using SSL. However, for a lot of small businesses, secure connections aren’t required and could prove to be an unnecessary burden.
So, before you leap into it, it’s worth considering the benefits and disadvantages of using SSL for your business. It may be wise to monitor your competitors to see if they make the switch to SSL and to check if this has any positive or negative effect on rankings.