At its international developer conference, Google I/O, in 2014, Google called for “HTTPS everywhere.” The push for a secure web sits at the heart of Google’s philosophy and directly impacts its search algorithm.
As a search engine optimizer, it’s imperative to understand the difference between HTTP and HTTPS, along with how the protocol underlying both works and how to create your site in line with best HTTPS practices. By doing so, you are set up for the secure transfer of data, fostering user trust, and achieving the highest possible rankings for your site.
What are HTTP, HTTPS, SSL, TLS and HSTS?
The abbreviations HTTP, HTTPS, SSL, TLS, and HSTS all refer to different aspects of the same technology. Understanding how they function and overlap will ensure that you can use them effectively when optimizing your website.
Here are brief definitions of each of the terms:
HTTP – HTTP stands for Hypertext Transfer Protocol. It is an internet communication, or “application layer,” protocol that enables the transfer of information between connected devices. In non-tech terms, HTTP is essentially the set of rules that computers on the internet follow to communicate with each other. Whenever you visit a website, your browser retrieves information from a host server using HTTP. There is, however, one significant downside to HTTP. When you use standard HTTP to send information, like bank details or a personal address, to a website, you do so in plain text. As a consequence, anybody who intercepts your connection could access your data.
HTTPS – HTTPS is an abbreviation for Hypertext Transfer Protocol Secure. It is based on the same underlying technology as HTTP but adds several layers of security that protect information during transit: encryption, data integrity, and authentication. HTTPS represents an important innovation because it acts as a safeguard for internet browsers against data theft.
SSL and TLS – HTTPS relies on Secure Sockets Layer (SSL) certificates to work. In order to establish an HTTPS connection, an SSL certificate must be installed on a website. Transport Layer Security (TLS) is the modern version of SSL, although the two terms are often, and incorrectly, used interchangeably. TLS is the technology responsible for encrypting information prior to transit.
HSTS – HTTP Strict Transport Security is a protocol that ensures a browser retrieves an HTTPS site, even if the HTTP version is requested. It is supported alongside HTTPS and recommended by Google.
Is HTTPS a Ranking Factor?
In a word, yes. Google has said explicitly that it takes HTTPS into account when evaluating sites. And there’s extensive documentation covering how to secure websites with HTTPS on Google Search Central.
In fact, Google actively penalizes websites that don’t use the HTTPS protocol, as part of its broader commitment to a secure web. Importantly, this also applies to mixed content. The term “mixed content” refers to secure URLs that include page elements that are delivered through HTTP and, as a result, are unsecure.
“The future of the web is a secure one, so make sure people in your organization understand HTTPS. It should be on the roadmap.” Thao Tran, Global Product Partnerships at Google, speaking at BrightEdge’s SHARE16.
What Are the Drawbacks of HTTP?
Let’s take a look at the main drawbacks associated with HTTP. Inventor of the World Wide Web, Tim Berners-Lee, outlined several security issues in 1999.
Here is a brief overview of the main points:
- Leakage of personal information – HTTP clients can “leak” sensitive information when interacting with other sources.
- Abuse of server log information – Interception of information about browsing activity stored on server logs can be used to identify an individual’s online behavior.
- Unsecure transfer of sensitive information – As a generic protocol, HTTP has no control over data based on its content.
- Encoding of sensitive information in URLs – Including the source of a link in a request can potentially disclose private information.
- Privacy issues associated with accept-request headers – The content of accept-request headers can reveal information, particularly related to location, to a server.
- Attacks based on file and path names – Bad actors can potentially access prohibited areas of a site’s directory by navigating up the directory taxonomy via HTTP requests.
- DNS spoofing – HTTP client reliance on the Domain Name Service (DNS) makes it possible for bad actors to mis-associate IP addresses and domain names.
- Authentication credentials and idle web clients – HTTP provides no means of discarding cached authentication details.
- Proxies and caching – The nature of HTTP proxies lends them to man-in-the-middle or “eavesdropping” attacks.
- Denial of service attacks on proxies – Denial of service attacks on HTTP proxies have been documented.
You can read more about each of these points (and others not mentioned here) by reading section fifteen of Tim Berners-Lee’s memo.
What Are the Benefits of HTTPS?
Outside of improving the chances that your site will rank highly in Google search results, HTTPS also provides additional benefits.
HTTPS overcomes the shortcomings described above by leveraging three technologies:
- Encryption – Data is encrypted during transit so malicious third parties can’t “listen in”
- Data integrity – Data cannot be modified during transit without detection
- Authentication – The server authenticates the user to prevent man-in-the-middle attacks
As soon as you switch your website to HTTPS, your users will automatically enjoy greater protection as a result of these security features.
How to Switch from HTTP to HTTPS
Fortunately, switching from HTTP to HTTPS isn’t as significant an undertaking as it was a few years ago. In many cases, your web hosting service will organize the transition (if your site isn’t already using HTTPS) and renew your certificates automatically.
Follow the six steps below to ensure a successful transition to HTTPS:
- Purchase an SSL/TLS certificate – An SSL certificate authenticates your website’s identity and allows for the encryption of data before transfer.
- Install it on your website – SSL certificates are small data files stored on your website’s server. Before you can create secure, encrypted connections, you will need to install your certificate.
- Ensure all internal links use HTTPS – You should ensure all internal website links use HTTPS URLs. Failure to account for remaining HTTP links can cause navigation and SEO problems.
- Set up 301 redirects from HTTP to HTTPS – 301 redirects let Google know that you have updated your site and reroute visitors using old URLs to the correct pages.
- Implement HSTS – HTTP Strict Transport Security is a mechanism that ensures all connections to your site use HTTPS. Once you have installed your SSL certificate, implementing HSTS is a straightforward process that involves adding several lines of code to the appropriate site file.
- Check indexation – Make sure you don’t have HTTP versions of web pages being crawled and indexed by search engines. To check this, type “site:http://example.com” into Google search to see if any are still being indexed.
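An added example (not from the original article, Google or BrightEdge): a small offline audit of the internal-link, 301-redirect and HSTS steps above, plus the mixed-content case described earlier. It runs on constructed inputs; `SITE_HOST`, the function names and the sample HTML are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_HOST = "example.com"  # assumption: host name of the migrated site

class LinkAudit(HTMLParser):
    """Collect http:// references left in a page that is served over HTTPS."""
    LOADED = {"img", "script", "iframe", "audio", "video", "source"}

    def __init__(self):
        super().__init__()
        self.mixed_content, self.http_internal = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or a.get("href") or ""
        if urlsplit(url).scheme != "http":
            return
        if tag in self.LOADED or (tag == "link" and "stylesheet" in (a.get("rel") or "")):
            self.mixed_content.append(url)  # subresource fetched over HTTP
        elif tag == "a" and urlsplit(url).hostname == SITE_HOST:
            self.http_internal.append(url)  # internal link not yet updated

def hsts_max_age(header):
    """Return max-age from a Strict-Transport-Security value, or None."""
    for part in (header or "").split(";"):
        key, _, val = part.strip().partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdecimal():
            return int(val)
    return None

def audit(requested, status, location, hsts_header, html):
    """Return the migration problems found for one http:// URL and its page."""
    page = LinkAudit()
    page.feed(html)
    findings = []
    # Redirect step: http:// must answer 301 to the same host and path on https://.
    if status != 301 or location != "https://" + requested[len("http://"):]:
        findings.append("redirect")
    # HSTS step: a missing header, or max-age=0 (which clears the policy), fails.
    if not hsts_max_age(hsts_header):
        findings.append("hsts")
    findings += [f"mixed-content: {u}" for u in page.mixed_content]
    findings += [f"http-link: {u}" for u in page.http_internal]
    return findings

# Constructed sample page with leftover http:// URLs (not from a real site).
SAMPLE_HTML = """<a href="http://example.com/pricing">Pricing</a>
<a href="http://other.example.org/">Partner</a><img src="http://example.com/logo.png">
<script src="https://example.com/app.js"></script><link rel="stylesheet" href="http://cdn.example.net/site.css">"""
```

In practice the status, `Location` and `Strict-Transport-Security` values come from requesting the HTTP and HTTPS versions of a URL; browsers only honor the HSTS header when it arrives over HTTPS.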
Download the BrightEdge HTTP migration checklist to ensure a smooth transition from HTTP to HTTPS. Google Search Central also has extensive documentation about how to avoid common mistakes.
Conclusion: One Piece in the SEO Puzzle
Search engine optimization can seem like a jigsaw puzzle, with lots of different pieces including technical, on/off page, content and more. Businesses take account of a myriad of ranking factors, test approaches, leverage best practices and weave them into an effective SEO strategy.
HTTPS is one piece of that jigsaw puzzle. Migrating from HTTP to HTTPS is both straightforward and absolutely essential from an SEO perspective. If your site still uses HTTP, now is the time to transition to HTTPS. Once you see the increase in rankings, you’ll only wish you’d done it sooner.