HTTP or HTTPS – What’s the right answer for SEO?

It was back in August 2014 when Google officially announced that they would be using HTTPS as a positive – albeit lightweight – ranking signal. Three years on, the number of websites being served on HTTPS has significantly increased, but there are still plenty of sites that are still on HTTP. Those include the likes of The Daily Mail, The Independent, Mashable and even The BBC.

So should you be moving your site to HTTPS? Before I answer that question, it’s important to understand the differences between HTTP and HTTPS, why Google are pushing it so hard, and some changes that are coming around the corner that could well force your hand.

HTTP vs HTTPS – What are the differences?

So what are the basic differences between HTTP and HTTPS?

Hypertext Transfer Protocol (HTTP) has been around since 1989 and is the foundation of data communication for the World Wide Web. In basic terms, HTTP is a system for transmitting and receiving information across the internet. As each command on HTTP is executed independently, it’s known as a stateless protocol as it has no prior knowledge of the commands that came before it. This does bring potential site speed benefits, as there is less data to retrieve or send to the browser. Traditionally – and even in a lot of cases today – sites who do not require a user to enter personal information (such as bank details) have tended to be setup on HTTP.

Hypertext Transfer Protocol Secure (HTTPS) is a system for transmitting and receiving secure information across the internet, and was developed to allow confidential information to be entered on websites securely and without the risk of being compromised. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) with a connection encrypted by Secure Sockets Layer (SSL), which it uses to transport data safely. SSL acts as the extra level of security that helps to keep confidential information – such as credit card details or passwords – secure.

So HTTPS is basically HTTP with added security.

Google pushing hard for HTTPS

When announcing HTTPS as a ranking signal in 2014, Google’s statement at the time made their intentions with HTTPS pretty clear:

“Security is a top priority for Google. We invest a lot in making sure that our services use industry-leading security, like strong HTTPS encryption by default…

“We’re also working to make the internet safer more broadly. A big part of that is making sure that websites people access from Google are secure.”

Ever since that statement, Google have continued to push for HTTPS and more and more websites have listened. In my opinion, Google has good intentions with HTTPS and anything that makes the internet more secure can only be a good thing.

HTTPS as a ranking signal

Where I do take issue with Google is encouraging websites to move to HTTPs by dangling the carrot of seeing ranking improvements. I get that by doing that they’ve ensured that a huge amount of sites have moved over to HTTPS, but if those sites have migrated to HTTPS expecting to see a ranking boost, they’ve probably been disappointed.

Here’s what Google said about HTTPS as a ranking signal back in 2014:

“…we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content – while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”

That line highlighted in bold is the key. It’s been three years since HTTPS as a ranking signal was announced and Google recently confirmed that the weight of the signal has yet to be increased, yet I bet a ton of sites moved purely for SEO reasons.

Will you receive improved rankings by moving your site to HTTPS? If that’s all you do then I’d say it’s very unlikely. More traditional factors like your actual content and the signals pointing to your site remain vitally important. Moving to HTTPS won’t solve your SEO problems.

That’s the thing with HTTPS, it’s goes beyond SEO. Don’t do it just for SEO reasons, do it for your users.

Upcoming Google Chrome changes – a HTTPS gamechanger

If you have sites on HTTP and have yet to be convinced to make the move to HTTPS, there are some upcoming changes to the Google Chrome browser that might make you think again.

From October 2017 when we hit Chrome 62, when users enter data on any HTTP pages, Chrome will show them a ‘Not secure’ warning. In addition, all HTTP pages visited in Incognito mode – which is typically used by users who want to browse the internet privately – will also be shown a ‘Not secure’ warning.

That’s big news.

If you have any forms on your site or any text fields where users can enter information and you’re on HTTP, from October you risk users leaving your site because their browser is telling them your site may not be secure.

And even if you have no forms or ways for users to enter information and a user visits your HTTP site in incognito mode, the same goes.

Suddenly all arguments you might have for not moving to HTTPs should go out of the window. This is now about user experience, not a perceived ranking benefit. And this is what Google should have done in the first place when they wanted to encourage sites to move to HTTPS.

It goes further too, with this snippet from the Chrome team:

“Eventually, we plan to show the “Not secure” warning for all HTTP pages, even outside Incognito mode.”

When that day comes is anyone’s guess, but it’s probably not worth waiting around to find out.

It’s not just Chrome either. Mozilla Firefox have similar plans. Back in January 2017 they also made changes to how they display non-secure sites in their browser:

“In order to clearly highlight risk to the users, starting this month in Firefox 51 web pages which collect passwords but don’t use HTTPS will display a grey lock icon with a red strike-through in the address bar.”

And like Chrome, they also plan to eventually highlight all sites that are not secure:

“To continue to promote the use of HTTPS and properly convey the risks to users, Firefox will eventually display the struck-through lock icon for all pages that don’t use HTTPS, to make clear they are not secure.”

Migrating from HTTP to HTTPS

So if you’ve now decided that you do need to migrate to HTTPS, it’s important to understand the steps that need to be taken to do so without risking a significant loss in organic traffic. There are a huge amount of great articles online with tips for migration to HTTPS, including Aleyda Solis’ HTTPS checklist which you can also download as a Google doc. I’ve also written a step-by-step guide on how to migrate to HTTPS using Cloudflare.

So rather than list out all the steps, here are my HTTPS must-haves:

  • Acquire a SSL certificate and test that it works
  • Implement permanent 301 redirects from each HTTP URL to its HTTPS equivalent and clean up redirect chains
  • Update all existing URLs from HTTP to HTTPS
  • Update all canonical URLs from HTTP to HTTPS
  • Update all sitemap URLs from HTTP to HTTPS
  • Verify a HTTPS profile in Google Search Console and don’t forget to copy the disavow file over to this profile
  • Verify that your existing web analytics software (e.g. Google Analytics) will also monitor traffic to the HTTPS version

Any migration is always a big job and the above is just some of the basic steps you have to take, so make sure you’re well prepared before making the switch. 

HTTPS adoption

If you do decide to switch to HTTPS, you’ll be joining a growing number of websites who have made the switch over the last few years.

In fact, a recent study by Moz in April 2017 estimates that half of Google’s first page organic results are now sites on HTTPS, up from around 30% just nine months previously. There are plenty of other studies too, including another April 2017 study by SEMRush, who estimate that HTTPS adoption has tripled over the past three years for the top 100,000 domains in their US database.

Google also updated us on HTTPS adoption back in November 2016, with the following statement:

“More than half of pages loaded and two-thirds of total time spent by Chrome desktop users occur via HTTPS, and we expect these metrics to continue their strong upward trajectory.”

Despite this, Google still have no plans to boost the HTTPS ranking signal, or not right now at least:


Google on HTTPS

Summing up

If you still have sites on HTTP, hopefully this article has convinced you that it’s time to make the switch to HTTPS.

HTTPS is not going away and migrating or not is no longer an SEO question. This will soon start to affect the user experience of people who visit your site, and if they have a bad experience such as not secure warnings, they are unlikely to ever want to come back.

You probably won’t see any improvements in your rankings just by moving to HTTPS, but you will be safe guarding your site against future browser changes that could cause a lot of problems further down the line.

Google are winning the war with HTTPS, it’s time to listen or be left behind.

1 thought on “HTTP or HTTPS – What’s the right answer for SEO?

  • hi, great article about why to switch to https, it’s not for seo reason, it’s for warning and fear that the CTR will drop if you don’t do that.

    I ‘ve ask the question about the https boost and gary Illyes tell me, even if you will be on the hsts list you won’t have a boost, and the boost is probably already activate because a regex on the five characters on the url.

    I wrote an article about what mean https for security with chuck norris inside, but in french. 😉

Leave a Reply

Your email address will not be published. Required fields are marked *