Move your site to HTTPS – Get Better search rankings
If you’ve ever been to this site before, you may have noticed that all pages and links are now being served up through HTTPS. Most people are familiar with HTTPS being used exclusively for online shopping sites and user account login pages, but there’s a current trend happening wherein ALL pages on a domain are being secured through SSL/TLS (hopefully just TLS now). It’s no secret that many webmasters engineer their sites to play friendly with Google above all other search engines so that their sites may enjoy better search positions and I’m no different! So when Google announced back in 2014 that they were running tests to add more ranking weight to sites using HTTPS versus sites that weren’t, a lot of top websites responded.
Now this isn’t to say that websites like Twitter or Facebook moved to all HTTPS sites just because Google did it, but it’s a strong indicator of what’s to come when some of the most popular sites on the internet are starting (or continuing) a trend. Google sees the future of the internet as a more secure one and they are willing to
Brief overview of SSL/TLS and HTTPS
Back in the early days of the internet, websites were designed specifically with access speed in mind. Web pages were usually simple text documents with a little added flair thanks to HTML and sites that had tons of images and HTML code to parse were death sentences for those companies or institutions because nobody wanted to wait a few minutes for a page to load. I won’t get into all the gritty details of SSL/TLS, but essentially when you secure a webpage, it requires encryption and decryption processes each time the page is accessed. This added overhead to your web browsing experience and slowed things down a bit, so web designers usually only secured pages worth securing. This is why entire HTTPS sites still look foreign to some web users. I come from a time where you would only see a secured page when you were about to enter your credit card information.
But times have changed. Internet connections are faster, browsers are faster and computers are faster. Obviously as a result, the encryption/decryption process is much faster. Regardless, the majority of the web still uses HTTPS the way we used to and many webmasters who just have simple websites that aren’t acquiring any sensitive information from users just don’t have it at all. But that’s changing too. We are all using the internet much differently than in the past and more and more sites are adding new functionality, collecting new data and asking users to interact more. These bits of data may not be full on credit card numbers, but much of it can still be used to identify a user. Add that to the increasing number of attacks that have been unleashed on the internet in the recent past and you have a recipe for disaster.
Getting Started With HTTPS
The first step in securing your website is to find out what kind of certificate you need/want. The differences will dramatically alter the price and you may not need all the features that the higher-end certificates offer. If you just need your site secured and you want to follow Google’s basic recommendations for better search rankings, here are some basic tips:
- Domain Protection – A single domain certificate will protect one domain (example.com and www.example.com). A multi-domain cert will protect all your domains (example.com, test.com, website.com, etc.), but usually only up to 99 domains and the cost rises with the number of domains protected. A wild-card cert will protect one domain and unlimited subdomains (www.example.com, mail.example.com, store.example.com, etc.).
- 2048-bit keys – You’ll be hard-pressed to find a certificate with a key shorter than 2048 bits these days, but that’s good because Google requires this at a minimum. Check out the math behind breaking a 2048-bit key!
- Relative URLs – Rather than using the full URL of links that reside on the same server, Google recommends that you use a relative URL. So instead of linking to https://www.example.com/category/page-name.html, always use /category/page-name.html. This is good practice no matter what, but if you’re using WordPress or some other CMS, you might notice that relative URLs are NOT the norm. Consider using a plugin for this or try modifying links by hand if you dare.
- Don’t block HTTPS with robots.txt – It’s common for a website to block all HTTPS pages from search indexing using the robots.txt. But that only applies to pages such as temporary shopping cart URLs or user account pages. If you block ALL HTTPS pages, then Google won’t index your site thus defeating the purpose of all this!
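For the Relative URLs tip, hand-editing links is error-prone, so here is an added example (not from the original post) that rewrites absolute same-site links to root-relative ones and reports each change. The host set, sample markup and function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Hostnames treated as "this site" (constructed for the example).
OWN_HOSTS = {"example.com", "www.example.com"}

# Quoted href/src/action attribute values; a regex keeps the rest of the markup untouched.
ATTR_RE = re.compile(
    r'''(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["'])(?P<url>.*?)(?P=q)''',
    re.IGNORECASE,
)

def to_relative(url, own_hosts=OWN_HOSTS):
    """Return a root-relative URL for an absolute link to this site, else url unchanged."""
    parts = urlsplit(url)
    if parts.scheme not in ("", "http", "https") or not parts.netloc:
        return url  # already relative, or mailto:, tel:, javascript:, ...
    if (parts.hostname or "").lower() not in own_hosts or parts.port is not None:
        return url  # external site, or an explicit port we must not drop
    rel = parts.path or "/"
    if parts.query:
        rel += "?" + parts.query
    if parts.fragment:
        rel += "#" + parts.fragment
    return rel

def relativize_html(html, own_hosts=OWN_HOSTS):
    """Rewrite same-site absolute links; return (new_html, [(old, new), ...])."""
    changes = []
    def repl(match):
        old = match.group("url")
        new = to_relative(old, own_hosts)
        if new != old:
            changes.append((old, new))
        return f'{match.group("attr")}{match.group("q")}{new}{match.group("q")}'
    return ATTR_RE.sub(repl, html), changes

# Constructed sample page fragment.
SAMPLE = """<a href="https://www.example.com/category/page-name.html">Page</a>
<img src="http://example.com/img/logo.png?v=2">
<a href="/about/">About</a>
<a href="https://test.com/partner">Partner</a>
<a href='mailto:me@example.com'>Mail</a>"""

if __name__ == "__main__":
    new_html, changes = relativize_html(SAMPLE)
    for old, new in changes:
        print(f"{old} -> {new}")
```

Review the reported changes before saving, since the pattern also matches attribute-like text inside scripts or comments.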
Another important decision to make is the type of validation you wish to use. I didn’t add it to this list above because it’s irrelevant to Google’s search rankings, but it might be relevant to your situation. In my case, I purchased the cheapest certificate you can buy…feature-wise. It still provides the same level of security as a high-end certificate, but it just visually looks different. There are basically three types of validation, but each certificate retailer might market them differently to spice it up a bit. If you strip off fancy marketing, you’re left with these options:
- Domain Validation (DV) – This type of validation will validate your domain only. If you’re running a site like mine, this is all you really need. It informs the visitor via the green lock icon in the address bar that this is a secure site and all data transmitted is being encrypted.
- Organization Validation (OV) – In addition to validating your domain, this certificate will go a step further and validate your organization information like physical address, name and phone number. You won’t generally need this if you’re running a basic blog site. But if you’re running an online shop, this certificate will generate added peace of mind for shoppers by showing them your real-world information.
- Extended Validation (EV) – This validation includes everything provided by the previous two, but it also adds the green address bar to further your visitor’s peace of mind by actually changing the color of the entire address bar to green while also displaying your business/organization’s name prominently to the world. Note: the full green address bar is only applicable to Internet Explorer. Take a look at the image to the right for an example of an EV certificate on the various browsers.
As you might have guessed, these validation types are in order from least expensive to most expensive. There are many different places to purchase TLS certificates and as such, prices change dramatically. The first place you might want to look is your own webhost. They generally offer easy installation and configuration as well since everything is done in-house. You might even get a discount since you’re paying for hosting services as well. But keep in mind, you do not need to buy a certificate from your web host OR your domain registrar. Feel free to shop around and get the best price for you.
Once you have decided on what type of certificate to purchase, get in touch with your webhost for information on how to configure everything and remember that even though Google has stated the increased weight applied to ranking for HTTPS is relatively low at the moment, there may come a time in the future where having HTTPS is as important as having great, original content.
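Before ordering, it helps to check which of your hostnames each option from the Domain Protection list above would actually cover. This added example (not from the original post) applies the standard matching rule, under which a wildcard name stands for exactly one leftmost label; the host list, certificate name lists and function names are constructed for the illustration.

```python
def name_matches(cert_name, hostname):
    """True if a certificate name (optionally with a leading '*.') covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    # The wildcard replaces one label only: it covers www.example.com,
    # but neither example.com itself nor dev.store.example.com.
    head, _, rest = hostname.partition(".")
    return bool(head) and rest == cert_name[2:]

def names_from_peercert(cert):
    """DNS names from the dict returned by ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def uncovered(cert_names, hostnames):
    """Hostnames that no name on the certificate covers."""
    return [h for h in hostnames if not any(name_matches(n, h) for n in cert_names)]

# Constructed inventory of hostnames the site owner wants protected.
HOSTS = ["example.com", "www.example.com", "mail.example.com",
         "store.example.com", "dev.store.example.com", "test.com"]

# Constructed name lists for the three certificate options.
OPTIONS = {
    "single-domain": ["example.com", "www.example.com"],
    "multi-domain": ["example.com", "test.com", "website.com"],
    "wildcard": ["*.example.com", "example.com"],
}

# Constructed dict in the shape getpeercert() returns for an installed certificate.
PEERCERT = {"subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}

if __name__ == "__main__":
    for option, names in OPTIONS.items():
        print(option, "leaves uncovered:", uncovered(names, HOSTS))
    print("installed cert leaves uncovered:",
          uncovered(names_from_peercert(PEERCERT), HOSTS))
```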
Checking your Server for HTTPS vulnerabilities
If you already have HTTPS set up on your server, it’s highly recommended that you run a server check to ensure that you’re doing everything you can to protect not just your website, but the entire server as well. This mostly only applies to users who administer their own servers (like a VPS or co-location hosted solution), but running the test on any server will help identify any outstanding issues that should be worked out with your webhost. Hopefully they’re already on top of it before you are!
The SSL test is hosted by Qualys, Inc. and will produce a report similar to the one you see here. If your server contains any issues, they will let you know how to fix them. Assuming you have admin access to your server, you should follow these tips as soon as possible to ensure server security.