HTTPS vs HTTP: Differences and How to Enable HTTPS
This article is a deep dive into HTTP vs. HTTPS and how the two protocols work, and I will show you how to make sure your site survives any technical issues when migrating from one protocol to the other.
In the beginning, SEOs had HTTP, a protocol used to deliver web pages to the masses. The web was simple, and website migrations existed solely from domain to domain or server to server. You didn’t have to worry about all that much beyond the usual redirects and making sure that your website migration went off without a hitch. Then came HTTPS.
New technologies always create new issues that one must solve to continue achieving the same (or better) results than before.
HTTP, or hypertext transfer protocol, is the entire backbone of the world wide web. It is the protocol used to process, render, and deliver web pages from the server-side to the client browser. HTTP is the means through which most of the web is displayed.
COPYRIGHT_NOVA: Published on https://www.novabach.com/i/https-vs-http-and-how-to-enable-https/ by Daniel Barrett on 2022-08-18T09:51:39.000Z
HTTP and HTTPS work through what are called requests. These requests are created by the user browser when the user performs some interaction with a website. This is a critical element in page rendering, and without it, you would not be using the world wide web as it exists today.
Let’s say that someone searches for “how to do a website migration”. The request is sent to the server, which then sends a response back with the query results. These results are displayed on the SERP (search engine results page) that you see when you complete the search.
All of this takes place in a matter of milliseconds. But that is a very general overview of how hypertext transfer protocol works.
HTTP is the abbreviation for hypertext transfer protocol. This is the main method by which the data of web pages are transferred over a network. Web pages are stored on servers, which are then served to the client’s computer as the user accesses them. The resulting network of these connections creates the world wide web as we know it today. Without HTTP, the world wide web (WWW) as we know it would not exist.
When you connect to a website with regular HTTP, your browser looks up the IP address that corresponds to the website, connects to that IP address, and assumes it’s connected to the correct web server. Data is sent over the connection in clear text. An eavesdropper on a Wi-Fi network, your internet service provider, or government intelligence agencies like the NSA can see the web pages you’re visiting and the data you’re transferring back and forth. Any information transmitted over this network via HTTP is not private, so any credit card data and sensitive information should not be submitted if you are on an HTTP page.
HTTPS (Hypertext Transfer Protocol Secure) is a secure version of the HTTP protocol that uses the SSL/TLS protocol for encryption and authentication. HTTPS is specified by RFC 2818 (May 2000) and uses port 443 by default instead of HTTP’s port 80.
The HTTPS protocol makes it possible for website users to transmit sensitive data such as credit card numbers, banking information, and login credentials securely over the internet. For this reason, HTTPS is especially important for securing online activities such as shopping, banking, and remote work. However, HTTPS is quickly becoming the standard protocol for all websites, whether or not they exchange sensitive data with users.
Unlike HTTP, HTTPS uses a secure certificate from a third-party vendor to secure a connection and verify that the site is legitimate. This secure certificate is known as an SSL Certificate (or “cert”). SSL is an abbreviation for “secure sockets layer”. This is what creates a secure, encrypted connection between a browser and a server, which protects the layer of communication between the two. This certificate encrypts a connection with a level of protection that is designated at the time of the purchase of an SSL certificate.
An SSL certificate provides an extra layer of security for sensitive data that you do not want third-party attackers to access. This additional security can be extremely important when it comes to running e-commerce websites.
- When you want to secure the transmission of credit card data or other sensitive information (such as someone’s real address and physical identity).
- When you run a lead generation website that relies on someone’s real information, in which case you want to use HTTPS to safeguard against malicious attacks on the user’s data.
There are many benefits to HTTPS that are worth the slight cost. Remember, if the certificate is not present, a third party could easily scan the connection for sensitive data.
CAs use three basic validation methods when issuing digital certificates. The validation method used determines the information that will be included in a website’s SSL/TLS certificate:
- Domain Validation (DV) simply confirms that the domain name covered by the certificate is under the control of the entity that requested the certificate.
- Organization / Individual Validation (OV/IV) certificates include the validated name of a business or other organization (OV), or an individual person (IV).
- Extended Validation (EV) certificates represent the highest standard in internet trust and require the most effort by the CA to validate. EV certificates are only issued to businesses and other registered organizations, not to individuals, and include the validated name of that organization.
There are multiple good reasons to use HTTPS on your website, and to insist on HTTPS when browsing, shopping, and working on the web as a user:
Integrity and Authentication: Through encryption and authentication, HTTPS protects the integrity of communication between a website and a user’s browsers. Your users will know that the data sent from your web server has not been intercepted and/or altered by a third party in transit. And, if you’ve made the extra investment in EV or OV certificates, they will also be able to tell that the information really came from your business or organization.
Of course, no one wants intruders scooping up their credit card numbers and passwords while they shop or bank online, and HTTPS is great for preventing that. But would you really want everything else you see and do on the web to be an open book for anyone who feels like snooping (including governments, employers, or someone building a profile to de-anonymize your online activities)? HTTPS plays an important role here too.
Recent changes to browser UI have resulted in HTTP sites being flagged as insecure. Do you want your customers’ browsers to tell them that your website is “Not Secure” or show them a crossed-out lock when they visit it? Of course not!
Compatibility: Current browser changes are pushing HTTP ever closer to incompatibility. Mozilla Firefox recently announced an optional HTTPS-only mode, while Google Chrome is steadily moving to block mixed content (HTTP resources linked to HTTPS pages). When viewed together with browser warnings of “insecurity” for HTTP websites, it’s easy to see that the writing is on the wall for HTTP. In 2020, all current major browsers and mobile devices support HTTPS, so you won’t lose users by switching from HTTP.
SEO: Search engines (including Google) use HTTPS as a ranking signal when generating search results. Therefore, website owners can get an easy SEO boost just by configuring their web servers to use HTTPS rather than HTTP.
In short, there are no longer any good reasons for public websites to continue to support HTTP. Even the United States government is on board!
An HTTPS URL begins with https:// instead of http://. Modern web browsers also indicate that a user is visiting a secure HTTPS website by displaying a closed padlock symbol to the left of the URL.
In modern browsers like Chrome, Firefox, and Safari, users can click the lock to see if an HTTPS website’s digital certificate includes identifying information about its owner.
To protect a public-facing website with HTTPS, it is necessary to install an SSL/TLS certificate signed by a publicly trusted certificate authority (CA) on your web server. SSL.com’s knowledgebase includes many helpful guides and how-tos for configuring a wide variety of web server platforms to support HTTPS.
For more general guides to HTTP server configuration and troubleshooting, please read SSL/TLS Best Practices for 2020 and Troubleshooting SSL/TLS Browser Errors and Warnings.
HTTPS adds encryption, authentication, and integrity to the HTTP protocol:
Because HTTP was originally designed as a clear text protocol, it is vulnerable to eavesdropping and man-in-the-middle attacks. By including SSL/TLS encryption, HTTPS prevents data sent over the internet from being intercepted and read by a third party. Through public-key cryptography and the SSL/TLS handshake, an encrypted communication session can be securely set up between two parties who have never met in person (e.g. a web server and browser) via the creation of a shared secret key.
Unlike HTTP, HTTPS includes robust authentication via the SSL/TLS protocol. A website’s SSL/TLS certificate includes a public key that a web browser can use to confirm that documents sent by the server (such as HTML pages) have been digitally signed by someone in possession of the corresponding private key. If the server’s certificate has been signed by a publicly trusted certificate authority (CA), such as SSL.com, the browser will accept that any identifying information included in the certificate has been validated by a trusted third party.
HTTPS websites can also be configured for mutual authentication, in which a web browser presents a client certificate identifying the user. Mutual authentication is useful for situations such as remote work, where it is desirable to include multi-factor authentication, reducing the risk of phishing or other attacks involving credential theft. For more information on configuring client certificates in web browsers, please read this how-to.
Taken together, these guarantees of encryption, authentication, and integrity make HTTPS a much safer protocol for browsing and conducting business on the web than HTTP.
TLS stands for transport layer security. It provides the encryption behind HTTPS and can also be used to secure email and other protocols. It uses cryptographic techniques to ensure that data has not been tampered with since it was sent, that you are communicating with the party the communication actually came from, and that private data cannot be seen by others.
Communication starts with a TLS handshake, the process that opens a session that uses TLS encryption. This is where authentication takes place and session keys are created. Brand-new session keys are generated whenever two devices communicate, derived from the two sides’ keys working together. The result is communication encrypted with keys created for that session.
The most critical step for a secure HTTPS connection is ensuring that a web server is who it says it is. That is why the SSL certificate is the most important part of this setup: it ensures that the owner of the web server is who the certificate says they are. It works much like a driver’s license: it confirms the identity of the owner of the server.
A layer of protection from certain types of attacks exists when you implement HTTPS, making this a valuable staple of your website.
While they are few and far between nowadays, there are still sites that have not made the full switch to https://. For some of them, this makes sense: if you are not serving users who regularly provide sensitive data for e-commerce or other reasons, you probably don’t need the increased security.
In a perfect world, when everything is equal on a website, https:// is a tie-breaker for rankings. However, we seldom live in a perfect world when it comes to SEO. Thus, you are still able to rank when it comes to http://.
While the benefits of https:// are many, John Mueller has said that HTTPS is a lightweight ranking factor and nothing more, and Google is on record as saying that “when everything else is equal, the ranking benefit of HTTPS is tie-breaker status.”
There are many benefits to switching from HTTP to HTTPS, especially from an SEO perspective. However, unless you are familiar with the process, you can cause more harm than good.
You must let Google know about the transition. You need to choose the certificate that is best for your situation, set up Google Search Console, set up Google Analytics, update internal links, and update any relative URLs. Let’s look at each of these a bit more closely.
This step involves setting up another Google Search Console profile. Don’t disable your non-secure GSC profile. Instead, you need to keep all profiles active. Set up a new profile for the HTTPS version of your site and ensure that it continues collecting data.
Also, in Google Analytics, you must make sure that you set your profile to secure. Otherwise, you will not be tracking the right data.
Don’t forget to update data collection parameters in Google Tag Manager where applicable. In addition, if you use Bing Webmaster Tools, updating http:// to https:// during the migration will also be necessary.
You would be surprised how often I encounter mistakes in http:// to https:// transitions that were caused by a lack of developmental oversight on the initial transition process and not updating critical data tracking profiles.
These types of mistakes can lead to both underreporting and overreporting of data, both of which can spell doom for the accuracy of your SEO strategy decisions.
SSL certificates come in several types: one for a single domain, another for multiple domains, and wildcard certificates. For smaller sites, a full wildcard certificate is usually not necessary. However, it can make your life much easier when working to control URL syntax across your websites.
An SSL certificate for a single domain is issued for one subdomain, or the single domain itself. An SSL certificate for multiple domains will allow you to secure the main domain name and up to 99 SANs, or subject alternative names.
The wildcard allows you to secure your initial website URL and any and all unlimited subdomains associated with it. What does this mean? This means that if you set up domain.maindomain.com and it is created with a wildcard certificate, it is automatically secure. You will not have to expend more effort in making sure that it fits within the existing security of your site. In other words, it will save you many headaches.
Clearly, the wildcard certificate is the clear winner here. But, as a robust certificate with many different features, it does cost more, so you will have to weigh the additional business expense and compare it with the features you will gain.
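Before choosing between the certificate types above, it helps to list which of your hostnames a given set of certificate names would actually cover. The sketch below is an added example, not code from the original article: it applies the standard hostname-matching rule, under which the `*` in a wildcard name stands for exactly one label, so `*.maindomain.com` covers `domain.maindomain.com` but neither the bare `maindomain.com` nor a deeper name such as `shop.eu.maindomain.com`. The host inventory and function names are made up for illustration.

```python
def san_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname, wildcard included."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*":
        return pattern == hostname
    # "*" stands for exactly one non-empty label, so label counts must agree.
    # Requiring two labels after the "*" rejects patterns such as "*.com"
    # (a simplification; real clients consult the public suffix list).
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]


def uncovered(cert_names, hostnames):
    """Return the hostnames that no name on the certificate covers."""
    return [h for h in hostnames
            if not any(san_matches(n, h) for n in cert_names)]


# Constructed inventory, using the article's placeholder domain.
SITE_HOSTS = ["maindomain.com", "www.maindomain.com",
              "domain.maindomain.com", "shop.eu.maindomain.com"]
WILDCARD_ONLY = ["*.maindomain.com"]
WILDCARD_PLUS_APEX = ["*.maindomain.com", "maindomain.com"]

if __name__ == "__main__":
    print("wildcard only misses:", uncovered(WILDCARD_ONLY, SITE_HOSTS))
    print("wildcard + apex misses:", uncovered(WILDCARD_PLUS_APEX, SITE_HOSTS))
```

Any hostname the function reports needs its own certificate name or a second wildcard at that level before the site is moved to https://.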
There are some who recommend using only relative URLs for your resources. Assuming you are adept at managing the ongoing needs of your website, you don’t need to do this step. You just need to make sure that all on-site content is prefixed with the right protocol. And don’t forget your XML sitemap!
You would be amazed at how many audits I have done on sites that fail to complete this one step — making sure all of their content is secure.
It doesn’t matter if you use relative or absolute URLs so long as you keep them updated on-site. You can switch to relative URLs if you prefer, but if your site is built on absolute URLs, use a find-and-replace option with your database if your site allows it. This will help you eliminate all existing instances of mixed content.
Make sure that your URLs are properly prefixed with https:// after you make the transition, and you should not experience any significant issues.
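One way to find the leftover http:// references described above is to parse each migrated page and resolve every resource URL the way a browser would. The following is an added example, not part of the original article: it separates true mixed content (resources the browser fetches over HTTP) from stale internal links, and it leaves relative and protocol-relative URLs alone because they inherit https:// from the page. The sample page and all hostnames in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes the browser fetch a subresource.
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "audio": "src", "video": "src", "source": "src"}
# <link rel=...> values that load a resource; others (canonical) only point.
FETCHING_RELS = {"stylesheet", "icon", "preload"}

class InsecureUrlFinder(HTMLParser):
    """Collects http:// references left in a page served over https://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in FETCHING_ATTRS:
            kind, name = "mixed-content", FETCHING_ATTRS[tag]
        elif tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            kind = "mixed-content" if rels & FETCHING_RELS else "stale-link"
            name = "href"
        elif tag == "a":
            kind, name = "stale-link", "href"
        else:
            return
        value = attrs.get(name)
        if not value:
            return
        # Resolve relative and protocol-relative URLs as a browser would.
        target = urlsplit(urljoin(self.page_url, value.strip()))
        external = target.hostname != self.page_host
        # Plain links to other sites are not ours to migrate, so skip them.
        if target.scheme == "http" and not (kind == "stale-link" and external):
            self.findings.append((kind, tag, target.geturl()))

def scan(page_url, html):
    finder = InsecureUrlFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page, as it might look right after a migration.
SAMPLE = """<head>
<link rel="stylesheet" href="http://www.example.com/site.css">
<link rel="canonical" href="http://www.example.com/page">
<script src="//cdn.example.net/app.js"></script></head>
<body><img src="/images/logo.png">
<img src="http://www.example.com/images/banner.jpg">
<a href="http://www.example.com/contact">Contact</a>
<a href="http://other.example.org/">Partner</a></body>"""
```

Calling `scan("https://www.example.com/page", SAMPLE)` reports the stylesheet and the banner image as mixed content, and the canonical tag and the contact link as stale internal links.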
You must ensure that all elements are crawlable from your robots.txt. Unless you have a specific issue, such as a folder that really should not be indexed, then it makes sense to allow Google to crawl everything on the site, even CSS and JS files. If your site disallows the rendering of CSS and JS files, you could encounter problems.
For example, if you disallow a critical CSS or JS element from rendering on the page, you can prevent Google from understanding the entire context of the page, which is an important part of achieving higher rankings. Also, in about 99% of cases, there is no reason to disallow CSS or JS files in this manner.
SEMrush’s Site Audit tool will give you a lot of helpful information regarding your HTTPS implementation. It shows you any problems you may have and offers recommendations for fixing them.
Regular, ongoing monitoring of your site is critical to achieving a successful website migration to https://. Check Google Search Console, and Google Analytics, and double-check any other reporting software that you use. If you haven’t updated http:// to https://, you must do so as soon as humanly possible. That way, you don’t run into further issues that can seriously harm your SEO efforts.
The presence of HTTPS itself isn’t a guarantee a site is legitimate. Some clever phishers have realized that people look for the HTTPS indicator and lock icon, and may go out of their way to disguise their websites. So, you should still be wary: don’t click links in phishing emails, or you may find yourself on a cleverly disguised page. Scammers can get certificates for their scam servers, too. In theory, they’re only prevented from impersonating sites they don’t own. You may see an address like https://google.com.3526347346435.com. In this case, you’re using an HTTPS connection, but you’re really connected to a subdomain of a site named 3526347346435.com—not Google.
Other scammers may imitate the lock icon, changing their website’s favicon that appears in the address bar to a lock to try to trick you. Keep an eye out for these tricks when checking your connection to a website.
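The address quoted above shows why a hostname has to be read from the right: what matters is the domain the name ends in, not whether a familiar name appears somewhere in it. The sketch below is an added example, not part of the original article. It places a flawed substring check beside a check on the parsed hostname, and labels each URL relative to the domain the reader expects. The function names and the sample list are made up for illustration.

```python
from urllib.parse import urlsplit

def hostname_of(url):
    """Lower-cased hostname of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def belongs_to(host, domain):
    """True only for the domain itself or a name ending in '.<domain>'."""
    return host == domain or host.endswith("." + domain)

def naive_check(url, domain):
    """Flawed check, kept for comparison: the name appears somewhere in the URL."""
    return domain in url

def classify(url, domain):
    """Label a URL relative to the domain the reader expects to be on."""
    host = hostname_of(url)
    if belongs_to(host, domain):
        return "genuine"
    if domain in host:
        # The expected name is embedded in someone else's hostname.
        return "lookalike"
    return "unrelated"

# Constructed sample; the second URL uses the address quoted in the article.
SAMPLE_URLS = [
    "https://accounts.google.com/signin",
    "https://google.com.3526347346435.com/signin",
    "https://www.example.org/",
]

def triage(urls, domain="google.com"):
    """Map each URL to its label for the expected domain."""
    return {url: classify(url, domain) for url in urls}

if __name__ == "__main__":
    for url, label in triage(SAMPLE_URLS).items():
        print(f"{label:10} naive={naive_check(url, 'google.com')}  {url}")
```

All three URLs use https://, yet only the first is a Google hostname; the substring check accepts the second one as well, which is the mistake the lock icon invites.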