Did you know that the media giants WIRED and the Guardian switched to HTTPS last year? As challenging and time-consuming the process might have been, these media houses kept at it and finally moved to the more secure version of the web protocol.
While priorities driving this change tend to vary from business to business, there are some common compelling reasons to migrate to HTTPS.
HTTPS Affects SEO Ranking
HTTPS is gaining significance in the context of search engine optimization. With Google indexing system favoring HTTPS pages, potential boost in search results is indicated as a benefit of migrating to HTTPS. Google has always been advocating for a more secure Internet and over the years, it has taken many measures to ensure websites switch to the secure HTTPS protocol.
3 More Reasons to Migrate to HTTPS
Seeing how advantageous HTTPS migration can be, you may be tempted to make the switch right away. Go through this step-by-step guide below to avoid pitfalls and ensure a successful migration.
Protect Your Site Visitors
Disruptive technologies such as Internet of Things and blockchain are pushing us towards a situation where secure websites have become the norm and necessity. With everything from your insurance records to your crock-pot and refrigerator connected to the Internet, the mere possibility of a cyber onlooker is enough to make your blood run cold. And, responsible businesses are migrating their websites from insecure HTTP protocol to HTTPS with Strict-Transport-Security header to effectively prevent cyber attackers from wreaking havoc.
According to Kayce Basques, a technical writer at Google, “One common misconception about HTTPS is that the only websites that need HTTPS are those that handle sensitive communications. Every unprotected HTTP request can potentially reveal information about the behaviors and identities of your users.” Any business that is genuinely concerned about the privacy of its customers cannot but secure their website with HTTPS.
Build Trust and Credibility
Installing valid SSL certificates indicates to search engines and users that yours is a legitimate business and not a spam website. The padlock icon or green browser bar instills trust in potential buyers. Enhanced trust leads to increased sales, reports Globalsign, the leading certificate authority. According to its survey findings, 84% of customers would abandon a purchase if the connection is not secure.
That’s not all. Starting October 2017, Chrome will show a “Not Secure” warning when users type data into non-HTTPS sites. I would hesitate to use a website that throws up such a warning; wouldn’t you?
Switch Unless You Want to be Left Behind
The desktop web is moving towards new and exciting features, such as geolocation and offline app experiences, which require a secure transmission protocol to process requests. HTTPS is a prerequisite for certain AMP implementations too. Moreover, to take advantage of the performance benefits of HTTP/2, your website has to upgrade to HTTPS.
Steps to Migrate from HTTP to HTTPS
Buy SSL certificate
There are different kinds of security certificates. You can decide on the best SSL certificate based on the level of encryption you require.
Do you need the SSL certificate for your personal website or business portal?
Some businesses may need SSL for encryption while some may use the certificate to enhance trust and indicate they are a legitimate business.
From the standard Domain Validation (DV) certificates to the Organization Validation (OV) and Extended Validation (EV) SSL, security certificates differ in their features and consequently in their pricing too. The certificate authority checks and verifies the applicant to varying extent before issuing the requested SSL certificate.
DV SSL requires only an email verification for checking domain ownership. EV certificates, on the other hand, are the most expensive and require thorough vetting of the organization. The validation process for EV certificates involve physical, legal, and operational verification, which can take up to a week.
The number of websites (domains and subdomains) to be covered can also influence the purchase decision. For instance, if you want to secure a single site, a standard DV SSL certificate may be enough. However, if there are multiple domains and subdomains to be secured, you should go for UCC certificates or a Wildcard SSL.
Upload and Install the Certificate
Once you have your SSL certificate, you will need to install it on your website(s). The steps for this will vary depending on where your site is hosted. Your hosting provider can help you with it.
If you choose not to involve them, check whether the certificate is in the format appropriate for your web server and proceed to install as per available documentation. The IT support team at QBurst will do it if you don’t want to do it alone.
Check Your Internal Links
With the SSL certificate installed, you have enabled the HTTPS protocol. But there is more! If you look in the browser console, you may see some errors listed. These will mostly be mixed content errors caused while loading external resources such as fonts, images, or scripts over an insecure HTTP connection. Such external references have to be changed to use the corresponding HTTPS version. You also need to check for links within your website content. All hardcoded internal links have to be modified to use the HTTPS or the relative path.
Update Redirection Logic
We realized the need for this while migrating QBurst domain to HTTPS protocol. Being a global service provider, we had multiple domains and custom redirection logic implemented for each domain. It was necessary to update this logic to ensure the final URL was loaded over a secure connection. Similarly, any redirects and canonical tags have to be changed to point to the new HTTPS version.
Correct Inbound Links
Your website may have collected backlinks from numerous sites over the years. While it is not feasible to reach out to all of them to update to the latest HTTPS URL, there are certain external links that you can control. These include links from your social media profile pages and ad campaigns. Remember to check and update them to the HTTPS version of your website URL.
Switch to HTTPS URLs
Finally, the change from HTTP to HTTPS is sealed by setting permanent redirects for all your HTTP URLs. Putting a 301 redirect in place ensures that anyone accessing your site (including all third-party backlinks) will now be automatically redirected to the new HTTPS version.
This can be achieved in multiple ways depending on the web server that hosts your site. For instance, the process involves setting the secure flag to “always” in the app.yaml file for sites hosted on the Google App Engine and updating the .htaccess file for sites running on Apache web servers.
Add the HTTPS Version to Webmaster Tools
Once your website is running on HTTPS, you need to create a new profile for the site with HTTPS URL in all the search engine webmaster tools that you use. Just add a new property and claim it as usual.
Update Sitemap and Submit
Enabling SSL changes all your website URLs. Therefore, it is prudent to generate a new sitemap with HTTPS URLs and load it under the newly created property. Though not mandatory, sitemap submission can facilitate faster indexing of the new URLs. You will eventually see the migration of traffic to the new HTTPS property.
Update Your Analytics Platform
Another important step after switching from HTTP to HTTPS is to update the tracking URL in your analytics account. If you use Google Analytics, go to the admin settings of your account and change the URL to the HTTPS version.
Now that everything has been done for a smooth transition from HTTP to HTTPS, it is time to sit back and monitor. Keep watching your server logs for errors. If you notice something that is not working as intended, fix it immediately.
Check Google Search Console to see how the migration is progressing in Google search. Comparing the Index Status of HTTP and HTTPS properties will tell you how the URLs are being updated to the HTTPS version by Google search bots.
[caption id="attachment_17410" align="aligncenter" width="814"] Search console report showing Google index status of our website post HTTPS migration.[/caption]
Should You Implement HSTS?
While some HTTPS migration guides stop right there, an additional step is often recommended to fully secure a website. The Internet security services provider Netcraft reports that 95% of HTTPS servers are vulnerable to man-in-the-middle attacks and suggests a combination of HTTPS and HSTS for better defense.
Implementing HSTS is simple when you have migrated your website to HTTPS. A simple one-line response header will suffice. Along with applying the HSTS policy, getting listed in the browser preload list is also recommended. You can request for inclusion in the HSTS preload list maintained by Google by filling in this request form. Once the domain is added to the preload list, all users of supporting browsers will benefit from the added security.
A word of caution: HSTS preloading should be initiated only if your entire site operates over HTTPS. In our case, we identified certain subdomains that would be inaccessible if HSTS preloading was enabled and decided not to request inclusion for the time being.
To Sum Up
HTTPS migration is a significant step that signals to search engines and site visitors alike that yours is a responsible business committed to protecting customer data. It is also a step towards an exciting future where technological advancements ride on secure transmissions.
Switching to HTTPS itself is not cumbersome if you follow the steps outlined above. You will need to check and cross-check your redirections for that is where most sites tend to falter. Tools like Screaming Frog are handy while checking for improper or failed redirections.
With proper planning and rigorous post-implementation monitoring, migration from HTTP to HTTPS can be executed seamlessly. And finally, HSTS implementation can help seal your website’s HTTPS migration.