Google is dedicated to the cause of making the internet a more secure place. They’ve been promoting HTTPS web hosting for a while now, and HTTPS-hosted sites have been gaining an edge on the competition in search engine rankings (SERPs) since 2014. Not everyone has been so quick to adopt better security practices though, and much of the internet still resides on HTTP pages (though the scales have finally started to tip).
In an effort to encourage the rest of the internet to at least migrate to HTTPS, Google is getting more aggressive in its tactics. But why are they pushing for HTTPS in the first place, and is it worth all the pain of making the change?
A Crash-Course for Beginners
First, a quick review of what HTTP and HTTPS are for those who might be unfamiliar. HTTP stands for HyperText Transfer Protocol, and it’s the set of rules the web uses to transfer pages. It’s what makes the blue text send you to a different web page when you click on it, and without it, you’d have to enter the exact URL for every different page you wanted to visit.
HTTPS stands for HyperText Transfer Protocol Secure, and it serves the same function, except HTTPS encrypts communication between the server and the client. In regular HTTP, information passing between the two parties is transmitted via plaintext, meaning that anyone with the right tools can “listen in” on the conversation and read what’s being sent. Or, worse yet, they can insert themselves in the middle of the conversation and steal or alter information before it reaches its intended destination.
With HTTPS, the identity of the parties is verified beforehand, and a unique secret code is established and then used to encrypt the data being sent. That way, even if someone intercepts the information, they’re not likely to get any useful information out of it, because they don’t have the keys to unlock it.
What HTTPS is Good For
HTTPS is designed primarily to do two things: ensure the client (the user) is communicating with the intended server, and ensure that only the client or the server reads the data being sent. The former is accomplished with digital certificates -- a kind of virtual signature. Websites obtain them from Certificate Authorities, and the certificates verify that, say, google.com is really Google, and not some hacker attempting a man-in-the-middle attack. That way, information from the client is not being stolen, and information from the server is not being altered.
The latter is achieved via public-key (a.k.a. “asymmetric”) encryption. This ensures that any client connecting to the server can encrypt information to send to the server, but only the server has the key to unlock the client’s data and read it.
To show users that they’re connected to an HTTPS site, web browsers put a little green padlock symbol in the URL bar (usually accompanied by the word “Secure”). This helps promote faith and trust in the website, so users can feel confident sending their sensitive information (like credit card numbers) to the server.
Another thing that HTTPS helps protect against is de-anonymization. Even when sensitive, personally identifying information (like login credentials or credit card info) is not being transmitted, a user can still be identified if enough of their traffic is observed. Internet Service Providers, government organizations, and unscrupulous individuals are all included on the list of who would want this aggregated data. HTTPS denies them access to it.
HTTPS also has an added benefit in that it usually speeds up page load times, which is a factor in Google SERPs rankings.
What Google’s Doing to Promote HTTPS
Google rolled out its first pro-HTTPS update back in 2014. It updated the ranking algorithm so that HTTPS hosting would act as a tiebreaker if two pages were equally ranked. It’s accounted for a moderate boost in results for those who have migrated to HTTPS, but it didn’t exactly revolutionize the system.
So Google’s taking it a step further. Just like HTTPS, HTTP pages have an accompanying symbol. It’s a little circle with an “i” inside it, indicating that you can click on it to see information about the page (which explains that it’s not secure). That’s about to change.
In the near future (in Google Chrome, at least), that symbol will change to a red triangle, accompanied by the words “Not Secure.” This is done in an effort to discourage users from trusting the site, or giving the site any sensitive information.
And with Google's dedication to making the internet safer for users, it’s safe to assume that there will be additional tactics forthcoming in future years.
How HTTPS Benefits Your Business
Ok, Google wants you to switch to HTTPS. But how much does it really impact your business?
Many companies have switched to HTTPS seeking that SEO boost. While it’s true that migrating can have an impact on SEO, experts agree that it’s not enough of a jump to justify switching all on its own. That doesn’t mean you shouldn’t, though.
With Google placing increased emphasis on the insecure nature of HTTP communications, it’s becoming increasingly easy to notice when websites aren’t encrypting their transmissions. And as cybersecurity threats become more common, and users become warier, it will be less and less likely that those users will spend their time on insecure sites. That means a drop in click-through rates and conversions.
So while you may not be ranking higher SEO-wise, an HTTPS web address means that users will be more trusting of your site, and will feel safer communicating with you. Plus, it will actually be safer for your users.
A Warning About SHA-1 and SHA-2
Speaking of safety for your users, there is one warning to be raised when discussing HTTPS: not all encryption algorithms are created equal.
HTTPS encryption is done using mathematical tools called Secure Hash Algorithms (SHA). The first generation of algorithms (SHA-1) has, in recent years, been proven less than robust against cracking. As a result, SHA-2 was created, and most HTTPS sites have migrated to SHA-2 certificates for added security.
There are still a few stragglers, though. That’s why popular browsers like Chrome and Firefox now block webpages with SHA-1 certificates, giving an error message to the user.
If you have any intention of switching -- and you should -- you’re going to want to make sure you’re getting SHA-2 certificates (or, if you’ve already switched, you’ll want to make sure all your certificates are SHA-2), both so users aren’t directed away from your site, and so your users are more secure.
on
Thanks, Danielle! That’s right, HTTPS is now very important, especially for ranking. After 2 or 3 years most websites will have the protocol, but for now this is a real advantage over competitors.
on
Danielle, thanks for writing this timely blog… Many of my clients do not understand the value… until I sent them screenshots!!! I will refer to this, and share it!
I would add one tip,
Ensure your developer/hosting company has installed the SSL certificate correctly. I’ve seen a large national (Canadian) association and they didn’t do it correctly, and some pages are NOT secure... including the member “login” section.
Lastly, if you add a screenshot for Firefox (I noted that it changed on Nov 22) to show a green padlock and red one for insecure… as it had moved from the “i” information.
on
Maureen, thanks so much for your comment and helpful tips! I’m happy that you enjoyed the article.
on
This post is amazing! Thank you so much!
on
Great informative article about HTTPS! We also believe in SSL Certificates very much. I’d like to hear your thoughts on different kinds of SSLs & the difference between them. Especially Extended Validation SSLs.