This post is part one of a two part series on HTTPs and HTTP/2 migra­tions. To learn more about migrat­ing to HTTP/2, click here.

On Sep­tem­ber 8th 2016, Google announced that in 2017, they will “mark HTTP pages that col­lect pass­words or cred­it cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.” Sim­ply put, Google is mov­ing clos­er to a secure web by includ­ing warn­ings in the Chrome brows­er for sites that are not secure.

2017 is right around the cor­ner, but it’s not too late to learn how to migrate your web­site to HTTPs. In this blog post, you’ll learn about why this change hap­pened, what it means for your web­site, and how you can get your HTTPs migra­tion up and running.

How did we get here?

Since the 2014 I/O Con­fer­ence, Google has made secu­ri­ty one of their top pri­or­i­ties both for their own prop­er­ties as well as the web as a whole. In 2014, Google indi­cat­ed that web­sites served over HTTPs would receive a rank­ings boost going for­ward. This came as big news to many in the SEO indus­try, but the ROI asso­ci­at­ed with a migra­tion of this mag­ni­tude remained unclear.

Con­ven­tion­al wis­dom indi­cat­ed that the move to HTTPs, espe­cial­ly for large, enter­prise sites, incurred more risk than reward. HTTPs migra­tions aren’t with­out com­pli­ca­tions, and many com­pa­nies have actu­al­ly expe­ri­enced a drop in SEO vis­i­bil­i­ty when they migrat­ed to HTTPs (Wired.com’s migra­tion is a good example).

So what has changed? Sim­ply put, we are reach­ing crit­i­cal mass. When Google announced the ini­tia­tive to reward secure web­sites, only about 7% of all page 1 Google search results were secure web­sites. Now, that num­ber is clos­er to 30% and is grow­ing rapidly.

Numer­ous sites have already tak­en the plunge into HTTPs, and the num­ber con­tin­ues to increase. Accord­ing to BuiltWith, of the top mil­lion sites, 9% are cur­rent­ly SSL by default. This is up from 2.7% in Sep­tem­ber 2015.


Top Mil­lion Sites with SSL by Default — BuiltWith.com

Clear­ly, the scales have start­ed to tip in favor of those with secure sites. But despite the dif­fi­cul­ties of migra­tion, there are mea­sur­able benefits.

Site security affects your brand, for better or worse

If the small rank­ings boost wasn’t moti­va­tion enough, the web­site sham­ing immi­nent in 2017 great­ly increas­es the risk of neg­a­tive brand asso­ci­a­tions. Hav­ing your site flagged by Chrome as inse­cure will cer­tain­ly have an adverse impact on your brand. But, the con­verse is true for secure sites.

Hav­ing an HTTPs site not only pro­vides an added lev­el of secu­ri­ty, but also builds cus­tomer trust. Accord­ing to a study by Glob­al­Sign, over 9 out of 10 cus­tomers are more like­ly to trust a site, leave per­son­al infor­ma­tion, or make a pur­chase when they know their data is sent over a secure connection.

Even more astound­ing? 55% of users are wor­ried about iden­ti­ty theft online. 77% of users are con­cerned about their data being mis­used online. And a whop­ping 84% would aban­don a pur­chase if data was sent over an inse­cure con­nec­tion. Unsur­pris­ing­ly, users look for secu­ri­ty indi­ca­tors before tak­ing action online:

Clear­ly, HTTPs is impor­tant not just for your search rank­ings, but also for main­tain­ing pos­i­tive brand­ing and achiev­ing max­i­mum ROI.

HTTPs improves your analytics data

When an HTTPs (secure) site links to an HTTP (non-secure) site, this can cause the head­er infor­ma­tion to be blocked. This means that if your site is not secure, and a secure site (like Google) links to you, any head­er infor­ma­tion from that domain is miss­ing and the ses­sions are cat­e­go­rized as “Direct” in Google Ana­lyt­ics. Sim­ply put, not hav­ing a secure site makes head­er information—such as refer­ral source—more like­ly to be incorrect.

There are two solu­tions to this problem:

  • Com­plete­ly migrate the whole site to HTTPs.
  • Add the HTML5 tag <meta name="referrer" content="always" /> to the head of the HTML document.

Because the HTML5 tag is cur­rent­ly sup­port­ed on lim­it­ed browsers, it’s wise to ful­ly migrate to HTTPs to pre­vent data con­fu­sion in your ana­lyt­ics plat­form. Here’s how you do it.

How to Migrate to HTTPs

First things first: obtain an SSL certificate

Before you start migrat­ing to HTTPs, you need to make sure you obtain an SSL cer­tifi­cate from a provider and install the cer­tifi­cate on your serv­er. This cer­tifi­cate enables an encrypt­ed con­nec­tion to the web­site and pro­vides secu­ri­ty for online communications.

There are three types of certificates:

  • Sin­gle cer­tifi­cate — for sin­gle site (e.g. www.site.com).
  • Mul­ti-domain cer­tifi­cate — for mul­ti­ple well-known sites (e.g. www.site.com, m.site.com, site.co.uk).
  • Wild­card cer­tifi­cate — for a site with many dynam­ic sub­do­mains (e.g. x.site.com, y.site.com).

Google rec­om­mends that your cer­tifi­cate be 2048 bits, and the author­i­ty issu­ing the cer­tifi­cate will need to ver­i­fy that the web address belongs to your organization.

Google also rec­om­mends that web­mas­ters use a web serv­er that sup­ports HTTP Strict Trans­port Secu­ri­ty (HSTS) and that it is enabled. HSTS tells the brows­er to request pages using HTTPs auto­mat­i­cal­ly even if the user enters “http” in the brows­er. HSTS also indi­cates to Google to serve secure URLs in search results.

The SSL cer­tifi­cate should also be installed on your Con­tent Deliv­ery Net­work (CDN). Addi­tion­al­ly, your ori­gin URL should be updat­ed on your CDN to point to HTTPs rather than HTTP. Dur­ing this process, Search Dis­cov­ery rec­om­mends enabling HTTP/2 simul­ta­ne­ous­ly. But more on that in part 2.

Requirements Checklist for Analytics, Organic, & Paid

In order to suc­cess­ful­ly migrate to HTTPs, make sure you do all of the following:

  • Update all links (hard cod­ed and dynam­ic) to point to HTTPs
  • Update canon­i­cal tags, alter­nate tags and rel=prev/next tags to point to HTTPs
  • Update any cus­tom JavaScript and AJAX Libraries to HTTPs
  • Add serv­er-side 301 redi­rects from HTTP to HTTPs
  • Update lega­cy 301 redi­rects to point to their new HTTPs target
  • Ensure that HTTPs is not blocked in the site’s robots.txt file
  • Update all exter­nal plu­g­ins to ensure that they are HTTPs compliant
  • Update ad code and pix­els to sup­port HTTPs
  • Ensure that ana­lyt­ics is con­fig­ured to track HTTPs
  • Update social shar­ing counts (if applic­a­ble) to count both HTTP and HTTPs or choos­es one based on cut-off date
  • Also update social media links to point to HTTPs
  • Devel­op and sub­mit new HTTPs sitemaps
  • Ver­i­fy HTTPs site(s) with Google Search Con­sole and Bing Web­mas­ter Tools
  • Update any paid search cam­paigns to avoid redirects

Possible Impact on Organic Search

As with any sig­nif­i­cant site change, there is a strong like­li­hood of incur­ring rank fluc­tu­a­tions while search engines re-crawl and re-index your site. This fluc­tu­a­tion can take sev­er­al weeks to set­tle, but engag­ing a part­ner to help pro­vide guide­lines, gov­er­nance and migra­tion assis­tance can great­ly min­i­mize vis­i­bil­i­ty fluc­tu­a­tions and/or traf­fic loss.

As a gen­er­al rule, a medi­um-sized web­site can take a few weeks for most pages to move in our index; larg­er sites can take longer. The speed at which Google­bot and our sys­tems dis­cov­er and process moved URLs large­ly depends on the num­ber of URLs and your serv­er speed. Sub­mit­ting a sitemap can help make the dis­cov­ery process quick­er, and it’s fine to move your site in sec­tions. -Google

While secur­ing your web­site may lead to some increased rank­ings in Google, secur­ing your customer’s data is sim­ply the right thing to do for your brand. Cus­tomers trust web­sites that are secure, and HTTPs will build that trust while also increas­ing con­ver­sions. Plus, you’ll be mak­ing the web a more secure place for every­one in the process.

Now, for part two: HTTP/2 migra­tions! Read on to learn more about how the site speed improve­ments with HTTP/2 can have a major impact on your site traf­fic and revenue.

Got more ques­tions? Need some help get­ting your HTTPs migra­tion up and run­ning? Our SEO team has a proven record of seam­less­ly migrat­ing sites with­out sac­ri­fic­ing search rank­ings. Con­tact us for more information!