What is HTTPS?
HTTP stands for Hypertext Transfer Protocol and the added “S” in HTTPS stands for “secure.” With this protocol, communication is encrypted by Transport Layer Security (TLS) or, previously, a Secure Sockets Layer (SSL). As Wikipedia explains it, “HTTPS provides authentication of the website and associated web server with which one is communicating, which protects against man-in-the-middle attacks.” Historically HTTPS has been enacted to protect user privacy during data exchanges, specifically financial transactions. However in the last decade we’ve seen the use of HTTPS become more widespread and common among all pages of a website to provide added levels of protection for both users and the site’s themselves. There are a few different ways that HTTPS can make a website more secure.
Even when sensitive information is not being exchanged, on a standard HTTP connection user behaviors can be tracked and aggregated to reveal information about user identities. On HTTPS, user activities are better protected from outside parties looking to gather and utilize identifying information. In addition to increased privacy, HTTPS can help prevent external intrusions like the injection of malware into user communications. There are also less nefarious, but still undesirable, manipulations of a non-secure transfer protocol like the injection of ads into web pages where they shouldn’t be. Using encryption will make that impossible. HTTPS also helps protect data integrity and authenticates that users are in fact giving their information to the intended recipient website.
There are certainly limitations to the protections provided by HTTPS; for example, it cannot eliminate persistent attacks or network hacks. But, the data encryption created through a secure transfer protocol protects both the website and its users from external interference to the traffic between their browsers and the website while also improving overall user privacy.
In the past we’ve discussed understanding direct traffic in Google Analytics. One of the murkier aspects of direct traffic is the way that traffic coming from a secure source to a non-secure page can be attributed to direct traffic. The nature of this security is that when traveling from an HTTPS source to an HTTP one, the browser should not report where it has been, and therefore even organic traffic may be attributed as direct. This discrepancy may skew our understanding of traffic volume by channel. But moving to HTTPS will preserve secure referral information, which will provide a more accurate picture of where visitors are coming from.
One of the more popular reasons for changing from HTTP to HTTPS in recent years has stemmed from Google’s announcement that sites using HTTPS might receive a rankings boost. While the Google statement indicated this would be a minor ranking factor, when it comes to organic positioning, any advantage, no matter how small, is worth the effort in the long term. That news came out about two years ago, meaning that there has been plenty of time for more websites to use HTTPS and allow the industry to analyze the results.
In a recent study of ranking factors, SEMRush found that 65% of domains ranking for the high volume keywords they studied are using HTTPS. This insight is not, on its own, definitive though because there are several other ranking factors that contribute to these positons. It does however support a strong correlation between organic search performance and the use of secure transfer protocol.
While the process of switching to HTTPS isn’t necessarily difficult, it does require meticulous attention to detail, and considerations of everything from CSS elements to page speed as part of the implementation process. But for the potential organic search performance enhancements, as well as other benefits, it is a change worth considering, particularly if there are other major structural or design related changes happening.
Chrome’s Form Warnings
Finally, another recent Google related announcement adds an additional impetus to switch to HTTPS. In August of 2017, Google sent emails through Search Console, notifying webmasters that beginning in October of 2017, Chrome would begin showing a “not secure” warning to users who were entering information into a form on HTTP pages or visiting HTTP pages in “incognito mode.”
Even though HTTPS use has been a security standard for the exchange of password or financial information, a simple contact form or email opt-in on a non-secure page has not been flagged. While the warning itself will consist simply of a “Not Secure” label alongside the URL in the URL bar, its very existence could deter some users from proceeding with inputting information. Considering the importance of form completions and email acquisition as part of ongoing marketing campaigns, this change could be counterproductive to those efforts.
Aspects of AMP Require HTTPS
The growing popularity of mobile search gave rise to the introduction of AMP pages. AMP stands for Accelerated Mobile Pages which is a Google supported open source initiative for content delivery. The idea is that AMP allows publishers to serve content more quickly on mobile devices. Specifically this mobile-friendly content loads almost instantly for a better mobile user experience.
We are seeing the growing influence of AMP as it pervades search results. According to amprpoject.org there are already over 1.5 billion AMP pages published, and content management systems and analytics programs are embracing this as a new standard. Given this assimilation, AMP is likely to continue to play an important role in mobile content delivery. The fact that many URL values in AMP require HTTPS is another supporting argument to move to a secure transfer protocol.
Website security may feel like a matter best left to the developers, but the issues and opportunities associated with secure transfer protocol affect an entire organization from the CEO to the content writers. While any one of these reasons might be enough to support an eventual move from HTTP to HTTPS the combination of all of them creates a greater sense of immediacy. There are multiple levels of the protection, prevention and benefit associated with implementing a secure transfer protocol. Considering the current and potential future advantages to having a secure website, making the move as soon as possible is an action item that belongs on everyone’s to do list.