Unconvinced HTTPS is Worth It? Better Read This #SMX Liveblog (with Insights from Google)
If you’re unconvinced that a move to HTTPS is for you … then keep reading. Google Webmaster Trends Analyst Gary Illyes will share why Google values secure search so much, and what he and the Google team are planning next when it comes to secure search. Joining Illyes on the stage are fellow search savants Eric Enge (president of Stone Temple Consulting and author of “The Art of SEO”) and Bill Hartzer (senior SEO Strategist at Globe Runner), who will also share their insights into secure search.
Gary Illyes: Why Secure Search Matters, Plus What’s Next
More and more companies realize that users must feel safe. That’s why Google began experimenting with HTTPS rankings. Google Webmaster Trends Analyst Gary Illyes mentioned this idea to Google Head of Webspam, Matt Cutts, back in March. Illyes says that before he could get the idea fully out, Cutts got super excited. By the end of July, Google was ready to make the change. They published a blog post and turned it on.
Internal Statistics from Google
- 10 percent of discovered URLs are HTTPS. It’s really low, Illyes says. He thinks it should be at 100 percent.
- 30 percent of the queries have at least one HTTPS URLs in the results.
Why Aren’t More Sites Switching to HTTPS?
- People complain that HTTPS is slow. But it’s not, Illyes says. It has long been known that Google is obsessed with site speed. Google would not launch a search feature that slowed down the SERP, even by milliseconds. The notion that HTTPS slows down a site is simply false. (Click to Tweet)
- People say “it’s not worth it.” They are just plain wrong, Illyes contends. Users have a basic need for security — it’s in Maslow’s Hierarchy of Needs. Sites must offer users security and safety.
- People say HTTPS is complicated. Illyes says if he can do it, anyone can do it. He migrated his site in just four hours.
What’s Next for HTTPS?
Illyes says he’s seen a significant number of sites with broken certificates. This is a bad user experience and needs to be addressed. In the future, these sites will somehow be highlighted as unsafe. Illyes says he plans on starting to work on this next week.
Google is interested in implementing a stronger ranking boost for secure login and purchasing pages. This is something that Google is thinking about because security is so important on these pages.
Illyes Answers Audience Questions
Does Google have a list of certificates that they accept or do not accept?
There is no list. Just make sure to follow industry standards. Certificate providers should know, for example, that SHA-1 is deprecated. Perhaps — in the future — a list would be helpful, though.
What are the hurdles that more complex sites need to overcome when switching to HTTPS?
The main struggle for big sites that I talk to is the inability to get the CDN to serve scripts from HTTPS. We are working with CNDS to try to convince them to offer better SSL or HTTPS services. It’s an ongoing effort. There are good people working on it so at one point it will happen.
How important is it for smaller non-ecommerce sites to switch to HTTPS? Does, say, a plumber’s site need to be secure?
I would say so. I have a scuba blog and I switched to HTTPS. I love it, although I might be a touch biased.
Does secure offset page speed? If it’s slowing you down a tiny bit from moving to secure will it hurt me?
What’s the benefit of going secure for a site that has no log-in, nothing for sale, etc.?
Every time I do a 301 redirect from HTTP to HTTPS, am I losing a little link juice?
I think it would actually be a 100 percent transfer.
Is it worse to be secure and have your security fail or be non-secure?
It is worse to just be non-secure. If you’re certificate is not correct, you’re not doing anything for the user.
How often do you use Bing?
20 or 30 times a week. For some queries they perform better. (Illyes is investigating.)
If a website is using schema markup, will review stars be affected by a move to secure search?
No. As soon as you start the redirect, all the information from URL A will be transferred to URL B.
Eric Enge: The Hack that Preserves Your Social Share Count
Tracking the pages that had been converted to HTTPS on StoneTempleConsulting.com, Enge found that changing to HTTPS had a very small impact. Based on a sample of twelve pages, Enge found:
- 6 rankings improved
- 5 rankings got worse
- 1 had no change
- Net impact: no material change
Enge reminds the audience that SHA-1 certificates are deprecated. Avoid them. (Click to Tweet)
Useful Tip for Lost Social Share Data
HTTPS can disrupt social sharing. All your social share counts will revert to zero. This PHP code (featured in slide) will make the HTTPS page pull the social sharing data from the HTTP post. If a post is prior to migration date use the PHP code in this slide:
Bill Hartzer: Step-by-Step Checklist for Moving to HTTPS (Click to Tweet)
Part One: Preparation
- Choose the right certificate: 2048-bit key
- Choose the right, trusted provider
- Talk to your web host about the switch
- Review current server needs
- Check if CDN can handle SSL
- Consider moving and/or upgrading server at the same time
- Consider adding CloudFlare to hosting
- Decide whether to move all content or just some of the content
- Prepare your site (internal links, canonical tags, etc.)
- Review links to site and identify links to update
- Create a list of all social accounts and profiles to update with new link
- Perform a Google Webmaster Tools review
- Make a copy of the site by going through Screamingfrog and making a list of all the URLs for later reference
- Ensure all internal links point to HTTPS
- Check CMS settings
- Check canonical tags
- Set up 301 redirects (always use 301 Permanent Redirect)
Part Two: Plan for the Move
- When will you switch/move?
- Detail the process for moving to HTTPS
- Decide internally: who is responsible for what?
Part Three: Moving Day
- Verify your site in Google Wbmaster Tools
- Test the website
- Test SSL with the Qualys Lab Tool
- Test for heartbleed vulnerability
- Perform a server header check
- Crawl site with Screamingfrog SEO spider
- Switch social media profiles
- Check Google Analytics for referrers
Part Four: Post-Moving Day
- Update and watch Google Analytics
- Update social media accounts and profiles
- Update email signatures with new URL
- Update company themes and templates
- Contact link owners
Results: BillHartzer.com Case Study
One month out from moving his site from HTTP to HTTPS, Hartzer saw:
- Sessions up 9.56 percent
- Uses up 11.01 percent
- Page views up 93.91 percent
- Pages/Session up 7,699 percent
- Average session duration up 8.67 percent