By now even the most amateur Web user has noticed that some websites start with the traditional http://, while others use the slightly longer https://. But far fewer realize the significance of that extra letter. Do you know what it means?
URLs that begin with “https” are encrypted to help prevent hackers from intercepting your data. If you haven’t figured it out yet, the extra “s” stands for security.
More specifically, https stands for Hypertext Transfer Protocol Secure, and the sites are encrypted using SSL, or Secure Sockets Layer. As more users began to engage in eCommerce and online banking, the demand for data integrity, security and confidentiality became paramount. Brands found it necessary to convert to the more secure protocol to compete for increasingly-conscientious consumers.
Because SSL promises a more secure Web, Google and other industry leaders began to encourage sites to migrate. The presence of SSL certificates became a ranking signal more than three years ago.
But with this month’s release of Chrome v62, Google will begin marking non-HTTPS pages that include text input fields – such as search bars or contact forms – with the label “NOT SECURE” in the address bar. Ouch! Bad news for bloggers who don’t engage in ecommerce but offer even a simple comment section or email sign-up form. Similar labels will be applied to sites that have outdated certificates.
What are SSL Certificates?
According to SSL.com, Secure Sockets Layer “is the standard security technology for establishing an encrypted link between a web server and a browser.” This important link ensures that any data passing between a web server and internet browsers remains securely private, inaccessible to hackers.
Millions of websites now use SSL certificates to protect the integrity of customer data and online transactions. How does it work?
When a user’s Internet browser – such as Chrome, Firefox or Safari – connects to a website’s server, the SSL certificate binds the two together with a connection so secure it cannot be seen by anyone but the website submitting data and the user entering it.
So that hacker who tries to place a listening program on the server? He or she captures nothing but scramble.
SSL certificates also tell users details of a website’s authenticity. When a visitor clicks their browser’s padlock symbol or trust mark while visiting a page, they can read details regarding the identity of the person, business or organization that owns the website.
History of Cryptology and SSL
People have been encrypting messages since ancient times, when leaders like Julius Caesar used a cipher to rearrange the order of letters in messages sent to his generals. Since each letter in the message was replaced by another a fixed number of positions away in the alphabet, the recipients could decipher the message, but eavesdroppers and hostile interceptors would have no idea what they were looking at.
Of course, modern cryptology is a bit more sophisticated. Ciphers used by computers can operate on large binary sequences and programs to instantly analyze encryption. In the mid-1970s IBM designed an algorithm that became the federal Data Encryption Standard, and other early data scientists published other key algorithms that supported more advanced cryptology.
SSL was originally developed by then-search giant Netscape in 1994 amid growing concern over cybersecurity. But because of some serious security flaws in version 1.0, the protocol was not publicly released until version 2.0 launched in 1995. It wasn’t until version 3.0 came along in 1996 that Netscape found the right formula, and later versions have been based on this third draft.
Technically, Secure Sockets Layer was replaced by Transport Layer Security protocols as early as 1999, but both are still generally referred to as SSL. The differences between the two were slight, but the privacy effects were significant and have only increased with each subsequent version. In fact, numerous updates have occurred over the years, both as weaknesses were recognized and as hackers found more sophisticated ways to crack the code.
Why the confusing name change? Remember that intense war between Netscape and its Navigator browser and Microsoft’s Internet Explorer? The one Microsoft ultimately and dramatically won? If you’re too young to recall, there was actually a time when Internet Explorer was crowned king.
At about the same time Netscape was working on version 3.0 of its SSL, Microsoft revised the flawed second version with its own protocol, one it named PCT. The budding internet community didn’t want a repeat of VHS vs. Betamax with two competing and incompatible protocols between which users must choose, so a deal was negotiated – one in which the competing tech companies would both support an open and standard protocol.
Microsoft, however, insisted on a new name, and TLS was born. Apparently, the joke was on Bill Gates, though, since the SSL label has stuck to this day.
Google’s changes to Chrome are really placing the heat on any blogger who hasn’t already migrated to https, but there’s plenty of additional value in SSL protocols. Obviously, if ecommerce occurs, https:// URLs lead to confident customers. And confident customers equal increased sales. Sites with a valid SSL certificate are immediately considered more trustworthy, credible and legitimate.
SSL not only protects the privacy of visitors’ information, but it also helps ensure data integrity for a site owner. With a valid SSL certificate, bloggers can be assured that data input onto their site hasn’t been modified or corrupted during transfer. And with the rampant issue of phishing websites impersonating legitimate pages to steal visitors’ information, secured sites provide evidence to users that they are, in fact, in the right place.
SSL and SEO
But for the past few years, SSL has also affected the ever-important search ranking. Google factors security status in its infamous ranking algorithm, a development welcomed by bloggers who have already migrated. Secure websites are now placed higher in search results than those without SSL certificates, all other factors being equal.
In 2015 Google announced it would favor URLs beginning in https over http, under the following conditions:
- It doesn’t contain insecure dependencies, including insecure images, includes, embeds and videos.
- It isn’t blocked from crawling by robots.txt.
- It doesn’t redirect users to or through an insecure HTTP page.
- It doesn’t have a rel=”canonical” link to the HTTP page.
- It doesn’t contain a noindex robots meta tag.
- It doesn’t have on-host outlinks to HTTP URLs.
- The sitemap lists the HTTPS URL or doesn’t list the HTTP version of the URL.
- The server has a valid TLS certificate.
Understanding these conditions is important for bloggers hoping to capitalize on their TLS certificates. If a website is migrated to https, but the page includes links to other sites that do not have a valid certificate, Google will not rank the page as secure. Likewise, sites will not receive the extra ranking if they include images, videos or other graphics tied to URLs that have not migrated to TLS.
Ahrefs tested the algorithmic update in early 2016. Blogger Christoph Engelhardt analyzed the top 10,000 domains to examine how much an https URL boosted their SERP rankings.
While he found that qualifying websites indeed benefited in their rankings, his research determined only 10 percent of websites actually featured a “flawless” https setup that meets all of Google’s qualifications for preference. And 60 percent of websites at that time still had not migrated to https whatsoever.
Later in 2016, Backlinko’s Brian Dean analyzed 1 million Google search results and found that a site’s overall link authority, based on meeting all of Google’s qualifications, strongly correlated with higher rankings.
But that wasn’t all. Dean’s determinations also included:
- Backlinks are highly important Google ranking factors. The number of domains linking to a page influenced rankings more than any other factor.
- HTTPS had a reasonably-strong correlation with first-page rankings.
- Site speed is important. Based on Alexa data, pages on fast-loading sites rank much higher than pages on slow-loading sites. Speed is an important consideration when choosing an SSL certificate.
Activating an SSL
Ready to migrate your blog to https? You first need to set up an SSL certificate for your website’s domain, then install it on the server and update all permalinks to an https URL. But before you can do any of that, you must decide what type of SSL certificate is most appropriate for your needs. It’s definitely not a one-size-fits-all scenario.
Types of SSL Certificate
Types of SSL certificates can be classified by their validation level and the number of secured domains that they cover. While some bloggers only need to migrate a single landing page to https, most website owners have at least a couple of landing pages and subdomains, not to mention a separate URL for each of their blog entries.
SSL certificates also vary by their validity periods. While most standard certificates are available for one to two years before they must be renewed, longer-term advanced certificates are available for longer time periods.
A few types of SSL certificates include:
- Domain Validation
The least expensive of paid SSL certificates, domain validation is just as its name implies. A website owner must validate ownership of the domain using email or by adding a DNS record. It can be obtained in just a few minutes, and it’s ideal for those who aren’t supporting a larger organization and don’t need additional security.
- Organization Validation
The minimum required certification for e-commerce portals, the SSL certificate validates domain ownership, and usually takes 2-3 days to activate. Because the validation is completed by the certificate authority, it’s more secure than a DV certificate.
- Extended Validation
Highly recommended for websites where transactions are performed, the certificate requires a strict authorization process that takes 7-10 days to complete. The certificate displays organizational information and offers a green HTTPS address bar that instills greater consumer confidence. Thus, EV certificates are most popular among banking, finance and e-commerce sites.
- Single Name SSL Certificate
The certificate can only secure a single subdomain. Therefore, with this SSL certificate, the hypothetical URL example.domain.com can be secured, but not the coinciding example2.domain.com. Likewise, the main domain of domain.com would not be secured, either.
- Wildcard SSL Certificate
The SSL certificate type secures unlimited subdomains for a single domain. Therefore, not only can domain.com be protected, but also example.domain.com, example2.domain.com, example3.domain.com and so on.
Additional divisions beyond the subdomain, however, are not included in the certificate’s protection. So, for example, test.example.domain.com would not be covered under a wildcard certificate.
- Multi-domain SSL Certificate
The all-encompassing SSL certificate will secure all variations on a domain and its subdomains. It is highly recommended for site owners that want to secure multiple domains and subdomains.
- Unified Communications Certificate
The UCC certificate can be thought of as the group discount SSL certificate. It allows a customer to protect as many as 100 domains using the same certificate. These are specifically designed to secure Microsoft Exchange and Office communications environments.
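How the Single Name and Wildcard entries above translate into hostname coverage, as an added example that is not part of the original article: a simplified Python version of the matching rule applied to the names listed in a certificate. It assumes the wildcard certificate also lists the bare domain.com as a separate name, which is what makes domain.com itself covered; the name lists are constructed for illustration.

```python
def name_matches(pattern, hostname):
    """Return True if one certificate name (exact or wildcard) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*" stands for exactly one label, never zero or several
    if p_labels[0] == "*":
        # Simplification: only a whole left-most "*" label is treated as a
        # wildcard, and it must sit in front of at least "domain.tld".
        return (len(p_labels) >= 3 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def covered(cert_names, hostname):
    """A hostname is covered if any name in the certificate matches it."""
    return any(name_matches(name, hostname) for name in cert_names)


def coverage_report(cert_names, hostnames):
    return {host: covered(cert_names, host) for host in hostnames}


# Constructed name lists using the article's hypothetical domain.com.
SINGLE_NAME = ["example.domain.com"]
WILDCARD = ["*.domain.com", "domain.com"]  # assumption: bare domain listed too
WILDCARD_ONLY = ["*.domain.com"]

HOSTS = ["domain.com", "example.domain.com",
         "example2.domain.com", "test.example.domain.com"]

if __name__ == "__main__":
    certs = [("single", SINGLE_NAME), ("wildcard", WILDCARD),
             ("wildcard only", WILDCARD_ONLY)]
    for label, names in certs:
        print(label, coverage_report(names, HOSTS))
```

With only `*.domain.com` in the certificate, a request for domain.com fails the name check, so confirm the bare domain is listed when ordering a wildcard certificate.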
Registering a New SSL Certificate
Once you’ve determined the type of SSL certificate you need to migrate your blog to https, it’s time to purchase and activate the certificate. Some hosting companies such as Hubspot and WordPress offer their own migration programs, but a host of certificate authorities issue SSL protection, including SSLs.com, Media Temple, Namecheap, GoDaddy and Comodo.
Temok offers a variety of SSL certificates from many of the top issuers at as much as 70-percent less than vendor pricing.
If you’re on a budget but also tech-savvy, you can acquire a free SSL certificate with Let’s Encrypt.
Once you obtain your SSL certificate, it’s time to install it on the server. The exact process of doing so will vary depending on your hosting environment and server setup. Check your host for details.
After the SSL certificate has been installed, it’s time to update all content references. Remember, for a Google SERP rating, all URLs on a page must adhere to TLS protocol. The easiest way to update internal links and redirects is by employing search-and-replace in a database and HTML code. Ensure that all URLs for images, scripts and other content are also updated.
After you’ve updated links, templates, images, tags and plugins, you’ll want to crawl the site and catch any URLs and tags that you might have missed. Searchengineland offers a detailed how-to guide that lists every possible script that might need updating.
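The crawl described above can be scripted against the conditions listed under “SSL and SEO”. The following is an added example, not code from the original article or from Google: a Python script that audits one page’s HTML for insecure dependencies, an HTTP canonical link, a noindex robots tag and on-host HTTP links. The blog.example URLs and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose src makes the browser fetch a dependency (images, embeds, videos).
RESOURCE_TAGS = {"img", "script", "iframe", "embed", "video", "audio", "source"}

class HttpsAudit(HTMLParser):
    """Collect findings that break the HTTPS indexing conditions for one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def _is_http(self, value):
        # Relative and scheme-relative URLs inherit the page's own scheme.
        return urlparse(urljoin(self.page_url, value)).scheme == "http"

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        rel = a.get("rel", "").lower().split()
        src, href = a.get("src", ""), a.get("href", "")
        if (tag in RESOURCE_TAGS and self._is_http(src)) or (
                tag == "link" and "stylesheet" in rel and self._is_http(href)):
            self.findings.append(("insecure-dependency", src or href))
        elif tag == "link" and "canonical" in rel and self._is_http(href):
            self.findings.append(("canonical-to-http", href))
        elif tag == "meta" and a.get("name", "").lower() == "robots":
            if "noindex" in a.get("content", "").lower():
                self.findings.append(("noindex", a["content"]))
        elif tag == "a" and self._is_http(href):
            # Only on-host links are in the list; other sites are not reported.
            target = urlparse(urljoin(self.page_url, href))
            if target.hostname == urlparse(self.page_url).hostname:
                self.findings.append(("on-host-http-link", href))

def audit(page_url, html):
    parser = HttpsAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page for a hypothetical blog at https://blog.example/post
SAMPLE_PAGE = """<head><link rel="canonical" href="http://blog.example/post">
<meta name="robots" content="noindex, follow">
<link rel="stylesheet" href="/css/site.css"><script src="//cdn.example/lib.js"></script>
</head><body><img src="http://blog.example/img/header.png"><img src="/img/logo.png">
<a href="http://blog.example/about">About</a>
<a href="http://other.example/">Elsewhere</a></body>"""

if __name__ == "__main__":
    print(*audit("https://blog.example/post", SAMPLE_PAGE), sep="\n")
```

The relative and scheme-relative URLs in the sample pass because they resolve to https on an https page, which is why the tips below recommend relative URLs for same-domain resources.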
Fortunately, Google has also updated its Webmaster Tools to better accommodate https sites and their analytics. Be sure you track any SSL migrations within Google Tools and through appropriate analytics software.
Renew an Existing Certificate
SSL renewals don’t happen automatically. If you’ve received notice that your existing certification will soon expire, it’s a good idea to renew it ahead of time. Otherwise, you might have to repurchase it as a new certificate. The exact process will vary depending on the certificate authority. Namecheap, for example, offers these steps to renew an SSL certificate.
Tips for painlessly migrating to https
It’s no longer any secret that encrypting website users’ information is paramount to success. But Google Chrome now also visually penalizes websites that have not migrated to https://. Keep the following tips in mind when activating an SSL certificate for your blog:
- As a precaution, create a full backup of your website before you begin installing an SSL certificate.
- Use certificates with a minimum 2048-bit key.
- If you have resources residing on the same secure domain, identify them with relative URLs.
- Don’t block your https site from crawling using robots.txt or you won’t receive any SERP bonus from Google.
- Allow search engines to index your pages whenever possible.
- Make sure you include a canonical link within your <head> section so that traffic is properly redirected to the protected URL.
- Add an extra link into your site configuration so that any traffic that tries to visit the original version of your website is automatically redirected to the https URL.
- Test your SSL certificate by visiting SSL Labs. Just enter your domain name and see how your site scores.
- Don’t forget to update your search-engine indexes and your Google Analytics settings to reflect your new https URL.
Are you ready to migrate your blog to https? We hope this guide has helped!