HTTPS protocol, its meaning and importance for sites
As of mid-October 2022, 80 percent of all sites in the world use the HTTPS protocol by default, and more specifically, data from W3Techs reveal that nearly 95 percent of the world’s top 1,000 sites by ranking have adopted the HTTPS protocol. This means that a portion of sites still prefers the old HTTP system, but it is above all a sign of how much the new protocol is now an integral and relevant part of the Web, in line with the goal of ensuring more secure browsing for users on sites that adopt the latest resources in data transmission security. So let’s focus on the HTTPS protocol: how it works, why a site should adopt it, how to plan a migration from HTTP to HTTPS, and some of the most common questions on this topic, drawing in part on advice and best practices from Google.
What is the HTTPS protocol
The HTTPS protocol is a more secure communication system between site and user, thanks to the use of an SSL certificate that encrypts data transmitted in and out.
As John Mueller, Search Relations Lead at Google explained in one of the Webmaster Conference Lightning Talk series on YouTube, the definition of HTTPS is “a protocol that identifies a secure connection between a site and its users, protecting the site from unwanted activity.”
On the security side, HTTPS ensures three things in particular:
- Authentication. It is a way to give users confidence that they are interacting with the desired website and not an intermediary.
- Data integrity. A secure connection prevents data tampering so that users see the content as intended.
- Encryption. It is a guarantee that information exchanged between a Web site and its users will be kept secure.
These are three key pillars for a modern, secure and trustworthy web, because “your users should feel safe on your site, just as they feel when they visit your company in person.”
What HTTPS means and why to use it on your site
From a literal perspective, the term HTTPS means Hypertext Transfer Protocol Secure and specifically refers to the secure hypertext communication protocol made possible by creating an encrypted connection between the user and the website using SSL/TLS (Transport Layer Security) encryption.
This is an evolution from the previous standard Hypertext Transfer Protocol (HTTP), which we can describe as the set of rules used by browsers to determine the exact way to read and transfer data on the Web. Using encryption, the new system masks data and reduces the possibility that user information can be viewed or manipulated, an important action especially when a website requires sensitive data such as personal information or financial information to be entered.
Certificate and site security, clarifications needed
In any case, a few more aspects of what security really means with respect to HTTPS need clarifying: what is secure is the connection between users and the site, as mentioned, not the navigation as a whole or the site itself. To take an extreme case, even a phishing page may hold a valid SSL certificate, but that does not make it a safe site (and in fact the FBI has repeatedly warned about this): regardless of padlocks and browser indications, therefore, it is always wise to keep your eyes open when entering sensitive data on the Web.
What the new certificate is for
Using the new system, the information entered in the course of browsing is indecipherable to any malicious third parties, and ultimately the user can complete operations with greater peace of mind. For this reason, adoption of the protocol was first recommended for websites that perform economic transactions or contain forms for entering personal data, but it has since been extended to all online sites, including blogs and editorial portals that do not involve transmission of sensitive data.
Google and HTTPS, the push for adoption
Google certainly pushed for the spread of HTTPS-certified sites: it first took a soft approach, inviting site owners to embrace the new method, and then stepped on the accelerator. For some time now, connections to sites still on plain HTTP have been flagged in the Chrome browser as “not secure,” complete with a note in the address bar; even more interesting, however, was the SEO side of the issue.
HTTPS as a ranking factor for Google
The use of the SSL certificate has indeed become a ranking factor on Google, i.e., something that is evaluated by the search engine’s algorithms to determine relative rankings for queries, but there are also other advantages of using HTTPS over the old HTTP.
Let’s start, however, with the aspect that is probably of most interest: in fact, it has been since 2014 that HTTPS has been a sure ranking factor for Google, which in an official post announced precisely that a website encrypted with HTTPS would get a boost in search rankings over HTTP sites from that point on.
The real impact of this boost was never specified, of course, but from the very beginning it proved to be at best “slight”: HTTPS acts as a tiebreaker signal, able to make the difference in ranking positions only between two otherwise comparable pages. As we know, relevance is and remains the key when it comes to ranking: if the most relevant content for a query is found on a non-HTTPS site, it is likely to rank ahead of encrypted sites even today, whereas if a site offers poor content, the mere use of HTTPS will not get it to the first page of Google.
Yet, that Google had and still has an eye toward this aspect was also evident by the warning that, as mentioned, appears on the Chrome browser before users visit non-HTTPS websites, as well as on other popular browsers such as Mozilla Firefox, where in particular as of version 70 updated in October 2020 we find a similar icon next to the address of the site that does not use HTTPS or has problems with the certificate.
This focus, however, can be explained by Google’s broader commitment to rewarding Web sites that offer a good user experience, and increased security is one way to improve sites for users. And so it is not all that surprising that it is precisely the presence of an active HTTPS protocol that has become part of the Page Experience factors, the algorithmic update by which Google wanted to crack down with respect to precisely the gratification of the user experience on Web pages, grouping together a set of indicators that measure how users interact with a Web page, beyond its purely informational value, on both mobile devices and desktop computers.
Ultimately, then, though slight, HTTPS is a confirmed ranking factor on Google, and the search engine’s guidelines strongly recommend using HTTPS to protect the security and privacy of users; moreover, if a page is available at both an HTTP and an HTTPS address, Google prefers to index the HTTPS version.
The benefits of Hypertext Transfer Protocol Secure
As a fundamental element of the modern Web, HTTPS is also a basic requirement for modern browsers to enable certain features, such as
- Geolocation
- Autofill for forms
- Camera
- Progressive Web Apps (PWA)
- Push notifications
- Caching
The protocol status is also shown directly in modern browsers, or rather, since HTTPS should be on by default, it is the absence of HTTPS that is flagged, as mentioned (so a site cannot hide whether it adopts the system or not).
When users access a website that does not use HTTPS in Chrome, for example, it will be marked as not secure in the browser bar, with red writing alerting the visitor (while sites with HTTPS are labeled as “secure” with more reassuring green writing).
Among other possible advantages, connecting via HTTPS is estimated to be faster than connecting to the previous protocol, and this can make a difference in performance. Also, returning to the topic of security, HTTPS prevents intermediaries from inserting content into the Web site without the owner’s knowledge: without HTTPS, a bad actor could inject online ads, for example, to profit from that Web traffic (but, we reiterate, it does not protect the user’s computer or the Web server itself from hacker or malware attacks).
Therefore, although like any form of security it has weaknesses and may not be foolproof, HTTPS is undeniably better than HTTP both in technical terms and from an SEO and user presentation perspective.
How to switch to HTTPS
Thus, there are many reasons to adopt HTTPS, and switching from HTTP to HTTPS, while not too complicated, can still be considered a site migration, as HTTPS URLs are different from their HTTP counterparts and therefore, to perform the transfer, it is necessary to redirect all users with a server-side 301 redirect for all URLs on the site.
In general, a TLS/SSL certificate is needed to add HTTPS: in some cases, it is the web hosting provider itself that makes the certificate available (even for free, if included in the current plan), while in other situations it may be necessary to purchase one, through the hosting provider, a certificate authority, a CDN such as Cloudflare or a company such as Digicert, and then install it yourself.
SSL/TLS certificates need to be renewed periodically, but more importantly they need to be monitored carefully, because there is a possibility that someone forges or otherwise fraudulently obtains an SSL/TLS certificate for the domain: when this happens, HTTPS’s protection against man-in-the-middle (MitM) attacks is clearly lost. To avoid trouble, therefore, Google also advises examining any certificates issued for the website that we do not recognize, and limiting the authorities that can issue certificates for a domain by using CAA (Certification Authority Authorization) resource records.
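The CAA records mentioned above are ordinary DNS records, so a defender can check the published policy offline. The following script is an added example, not code from the article or from Google: it parses a constructed zone fragment (the `example.com.` lines are sample data), answers “which CAs may issue an ordinary or a wildcard certificate for this name?” following the tag semantics of RFC 8659, and flags two policy weaknesses: a critical flag on a tag it does not recognise, and the absence of an iodef contact. The `validationmethods` parameter in the sample is the RFC 8657 syntax for restricting how the CA may validate the domain.

```python
"""Which certificate authorities may issue for a domain, read from its CAA records.

Added example, not from the article. The zone lines below are constructed sample
data in zone-file presentation format; parsing follows the tag semantics of
RFC 8659 (issue, issuewild, iodef) and the issuer parameters of RFC 8657.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# name [ttl] IN CAA <flags> <tag> "<value>"
CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(?P<flags>\d+)\s+(?P<tag>\w+)\s+"(?P<value>[^"]*)"$'
)

SAMPLE_ZONE = """
; constructed sample: two CAs may issue ordinary certificates, nobody may issue
; wildcards, and policy violations are reported to the security mailbox
example.com.  3600 IN CAA 0 issue "letsencrypt.org"
example.com.  3600 IN CAA 0 issue "digicert.com; validationmethods=dns-01"
example.com.  3600 IN CAA 0 issuewild ";"
example.com.  3600 IN CAA 0 iodef "mailto:security@example.com"
"""


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_caa(zone_text: str) -> List[CAA]:
    """Parse CAA records; blank lines and ';' comments are skipped."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        flags = int(m["flags"])
        if not 0 <= flags <= 255:
            raise ValueError(f"flags out of range in {line!r}")
        records.append(CAA(flags, m["tag"].lower(), m["value"].strip()))
    return records


def issuer_domain(value: str) -> str:
    # issue/issuewild values look like "<ca-domain>[; param=value ...]";
    # an empty domain (the value ";" or "") means no CA may issue under that tag
    return value.split(";", 1)[0].strip().lower()


def allowed_issuers(records: List[CAA], wildcard: bool = False) -> Optional[Set[str]]:
    """CA domains permitted to issue, or None when the record set does not
    restrict issuance at all. Wildcard requests are governed by issuewild
    when any issuewild record exists and fall back to issue otherwise."""
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return None
    return {d for d in (issuer_domain(r.value) for r in relevant) if d}


def lint(records: List[CAA]) -> List[str]:
    """Policy problems a defender would want flagged."""
    warnings = []
    known = {"issue", "issuewild", "iodef"}
    for r in records:
        if r.tag not in known and r.flags & 128:
            warnings.append(f"critical unknown tag {r.tag!r}: a compliant CA must refuse to issue")
    if not records:
        warnings.append("no CAA records: any publicly trusted CA may issue")
    elif not any(r.tag == "iodef" for r in records):
        warnings.append("no iodef record: CAs have nowhere to report requests that violate the policy")
    return warnings


if __name__ == "__main__":
    recs = parse_caa(SAMPLE_ZONE)
    print("issue:", allowed_issuers(recs))
    print("issuewild:", allowed_issuers(recs, wildcard=True))
    print("warnings:", lint(recs))
```

Two details worth noting: an empty `issue` or `issuewild` value (`";"`) is the standard way to say “nobody may issue”, which is why the sample forbids wildcards, and a record set with no `issue` tag at all places no restriction, which the function reports as `None` rather than an empty set.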
How to check the validity of the SSL certificate
It is therefore important to remember that only a valid SSL certificate – in use on all of the site’s pages – allows the establishment of encrypted HTTPS connections. The absence of encryption or the presence of errors makes all data sent and received by the site visible, exposed, and therefore potentially manipulable by third parties.
To check the validity of the SSL certificate we can run manual tests on the pages, and find out if the browser correctly identifies the lock, or use some special tools. For example, in September 2022 Google activated a new report in Search Console, simply called HTTPS report, which allows us to check precisely which pages on our site are not published over HTTPS, but also why they are not served as HTTPS.
How to migrate pages from HTTP to HTTPS
If we own or operate a site that has not yet adopted the new protocol and want to make the transfer, we can follow Google’s official advice to reduce the margin of error.
John Mueller breaks down the process of migrating from HTTP to HTTPS into six steps:
- Configure the HTTPS site.
- Verify the property in Google Search Console.
- Extensively test the HTTPS site.
- Redirect all HTTP URLs to HTTPS URLs.
- Monitor the migration in Google Search Console.
- Configure HTTP Strict Transport Security (HSTS) – optional step.
Steps to successfully complete the migration from HTTP to HTTPS
First, then, you need to configure the HTTPS site, possibly asking for support from the hosting service and acquiring the appropriate HTTPS certificate (in principle, all certificates supported by modern browsers such as Chrome, even free ones, are fine).
The exact steps to follow here vary from website to website, Mueller explains, “Sometimes it’s just a matter of changing a setting, other times there’s a lot more.”
Second, you need to verify the property in Google Search Console, a crucial step for tracking down any problems with the HTTPS version of the site. You may also choose to verify the entire domain, to merge HTTP and HTTPS data in the same place, taking care to use the same settings. In particular, review the settings for geotargeting, URL removals, URL parameters, crawl rate, and the disavow file, and add any co-owners in Search Console.
The elements to be tested on the site
The work continues with an important and thorough testing phase of the site, opening the test to some users as well. “Sometimes there are quirks that we missed, and it’s best to recognize them and fix them before moving to HTTPS,” Mueller explains.
First and foremost among the things to check for is the possible presence of mixed content, i.e., when a page on HTTPS includes elements from HTTP, which may be embedded images, advertisements, or analytics script, for example. This is a security downside, and browsers warn users when they recognize this problem.
We also need to check internal links, to make sure that all links on the website point to the HTTPS version; there are various tools for this, but you can also just click in the browser bar and look at the URL that is displayed.
Also important is analyzing hidden references, making sure that elements such as rel=canonical, rel=alternate and hreflang link annotations, as well as structured data, point to HTTPS URLs, and checking sitemap files, which help Google crawl and index more efficiently.
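The three checks just described (mixed content, internal links, hidden references) can be run over a page’s HTML in one pass. The script below is an added example, not the article’s or Google’s tooling: it scans a constructed sample page (the `example.com` markup is invented) for references that still use `http://`, and sorts them the way a browser and a crawler would care about them: active mixed content (scripts, stylesheets, frames, form targets), which browsers block and which costs the page its padlock; passive mixed content (images, media), which is warned about or auto-upgraded; `rel=canonical` / `rel=alternate` links, the hidden references search engines read; and plain HTTP `<a>` links, split into internal and external. Protocol-relative (`//`) and `https:` references pass, since they inherit or already use HTTPS.

```python
"""Scan an HTTPS page's HTML for references that still point at http://.

Added example, not the article's or Google's code. The HTML is a constructed
sample; classification follows how browsers treat mixed content (active
sub-resources are blocked, passive ones warned about or upgraded) and which
hidden references (canonical / alternate) search engines read.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form"}
PASSIVE_TAGS = {"img", "audio", "video", "source", "track"}
URL_ATTRS = ("src", "href", "action", "data")  # tuple keeps finding order stable

SAMPLE_HTML = """<!-- constructed sample page, served at https://example.com/page -->
<html><head>
<link rel="canonical" href="http://example.com/page">
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://images.example.com/hero.jpg">
<a href="http://example.com/about">About</a>
<a href="http://partner.example.net/">Partner</a>
<iframe src="https://ads.example.org/slot"></iframe>
</body></html>"""

Finding = Tuple[str, str, str]  # (kind, tag, absolute url)


class HttpRefScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings: List[Finding] = []

    def classify(self, tag: str, attrs: Dict[str, Optional[str]], url: str) -> str:
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link":
            if "canonical" in rel or "alternate" in rel:
                return "hidden-reference"       # rel=canonical / hreflang annotations
            if "stylesheet" in rel or "preload" in rel:
                return "active-mixed"
            return "other-http-ref"
        if tag in ACTIVE_TAGS:
            return "active-mixed"
        if tag in PASSIVE_TAGS:
            return "passive-mixed"
        if tag == "a":
            same_host = urlsplit(url).hostname == self.page_host
            return "internal-http-link" if same_host else "external-http-link"
        return "other-http-ref"

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for name in URL_ATTRS:
            raw = a.get(name)
            if not raw:
                continue
            absolute = urljoin(self.page_url, raw.strip())
            # https:, data:, and protocol-relative "//" (inherits https) are all fine
            if urlsplit(absolute).scheme != "http":
                continue
            self.findings.append((self.classify(tag, a, absolute), tag, absolute))


def scan(html_text: str, page_url: str) -> List[Finding]:
    parser = HttpRefScanner(page_url)
    parser.feed(html_text)
    parser.close()
    return parser.findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def loses_padlock(findings: List[Finding]) -> bool:
    """True when the page would be shown as not secure: any active mixed content."""
    return any(kind == "active-mixed" for kind, _, _ in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_HTML, "https://example.com/page")
    for kind, tag, url in results:
        print(f"{kind:20} <{tag}> {url}")
    print(summarize(results), "padlock lost:", loses_padlock(results))
```

Run against a crawl of the migrated site, the `internal-http-link` and `hidden-reference` kinds are the ones to fix before switching the redirects on; `active-mixed` findings are the ones users will notice first.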
The work of implementing an HTTPS site
With the first three steps completed, “the HTTPS site is ready, congratulations! Time to change everything,” jokes Mueller, who urges using server-side redirects to forward all requests from the HTTP version to the new and correct HTTPS version.
It’s advisable to double-check all old URLs to make sure they redirect right, either by manually spot-testing each part of the website or by using an automated tool for all URLs. If we have a sitemap, it’s a good time to submit it, adds Google’s Search Relations Lead, because from this point on, search engines will start using our HTTPS URLs.
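The “automated tool for all URLs” mentioned above is easy to write, and the checks it should perform are exactly the mistakes that commonly survive a migration. The script below is an added example, not Google’s or the article’s code: it follows the redirect chain for each legacy HTTP URL without auto-following, and flags a URL that still serves content over HTTP, a temporary (302/303/307) status where a permanent 301 or 308 is wanted, a multi-hop chain, a landing URL that is not the exact HTTPS counterpart (path or query changed, host switched), and a target that does not return 200. The `fetch` callable is an assumption of the design: the `SAMPLE_SITE` table is a constructed stand-in so the script runs offline, and a real run would wrap urllib with a handler that does not follow redirects (or `requests.get(url, allow_redirects=False)`).

```python
"""Audit HTTP-to-HTTPS redirects for a list of legacy URLs.

Added example, not the article's or Google's code. `fetch` is any callable that
returns (status, Location header or None) WITHOUT following redirects; the
constructed table below stands in for the network so the script runs offline.
"""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit, urlunsplit

Fetch = Callable[[str], Tuple[int, Optional[str]]]
PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}
REDIRECTS = PERMANENT | TEMPORARY

# constructed sample site: one correct redirect and four common mistakes
SAMPLE_SITE: Dict[str, Tuple[int, Optional[str]]] = {
    "http://example.com/": (301, "https://example.com/"),
    "https://example.com/": (200, None),
    "http://example.com/about": (302, "https://example.com/about"),   # temporary status
    "https://example.com/about": (200, None),
    "http://example.com/blog": (301, "http://www.example.com/blog"),  # chain via www
    "http://www.example.com/blog": (301, "https://www.example.com/blog"),
    "https://www.example.com/blog": (200, None),
    "http://example.com/old-page": (200, None),                       # still served over HTTP
    "http://example.com/gone": (301, "https://example.com/gone"),     # target is broken
    "https://example.com/gone": (404, None),
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    return SAMPLE_SITE.get(url, (404, None))


def expected_https(url: str) -> str:
    """The HTTPS counterpart: same host, path and query, scheme swapped, fragment dropped."""
    p = urlsplit(url)
    return urlunsplit(("https", p.netloc, p.path, p.query, ""))


def check_redirect(url: str, fetch: Fetch, max_hops: int = 5) -> Tuple[bool, List[str], str]:
    """Follow the chain from one HTTP URL and report what a migration checker
    should flag. Returns (ok, issues, final_url)."""
    issues: List[str] = []
    current, hops = url, 0
    status, location = fetch(current)
    while status in REDIRECTS and location:
        hops += 1
        if status in TEMPORARY:
            issues.append(f"hop {hops}: temporary {status} from {current}; use 301/308")
        if hops > max_hops:
            issues.append(f"more than {max_hops} hops: loop or runaway chain")
            return False, issues, current
        current = urljoin(current, location)  # Location may be relative
        status, location = fetch(current)
    if hops == 0:
        issues.append(f"no redirect: {url} is still served over HTTP ({status})")
        return False, issues, current
    if hops > 1:
        issues.append(f"{hops}-hop chain; redirect straight to the final HTTPS URL")
    if current != expected_https(url):
        issues.append(f"lands on {current}, expected {expected_https(url)}")
    if status != 200:
        issues.append(f"final URL {current} returns {status}")
    return not issues, issues, current


def audit(urls: List[str], fetch: Fetch) -> Dict[str, Tuple[bool, List[str], str]]:
    return {u: check_redirect(u, fetch) for u in urls}


if __name__ == "__main__":
    legacy = sorted(u for u in SAMPLE_SITE if u.startswith("http://"))
    for u, (ok, issues, final) in audit(legacy, fake_fetch).items():
        print("OK " if ok else "BAD", u, "->", final, *issues)
```

Feed it the URL list from the old sitemap (and from server logs, which catch URLs the sitemap never listed); the chain and wrong-target cases are the ones that silently split ranking signals between hostnames.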
We then move on to monitoring the migration in Search Console: it is best to check Search Console regularly at the beginning, to detect any situations before they degenerate into problems. In particular, we need to check that the sitemap files are processed normally, that no unexpected crawl errors appear, that the index coverage ratio shows an increase for the HTTPS site, and last but not least, that users are finding the HTTPS site in Search.
What is HSTS enablement
The last step is optional and allows you to “take it to the next level”: after making sure that everything is working as expected, and waiting a few months for the migration to settle, it may be worth considering enabling HSTS (HTTP Strict Transport Security), a way “to let browsers know that they no longer need to check the HTTP version of your site any further,” because “it’s a long-term commitment on your part.”
Setting up HSTS is easy enough: just add a header to server responses that tells browsers that they no longer need to check the old HTTP version of your site’s URLs, even when a user tries to go there directly. In addition, there is one more step you can take, which is to add your site to the HSTS preload list, a shared list of sites that have committed to HTTPS used directly in Chrome: “a pretty big step, so it’s only recommended if you’re absolutely sure everything is working properly on your HTTPS site.”
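The header in question is `Strict-Transport-Security`, and its value decides how binding the commitment is. The script below is an added example, not code from the article or from Google: it parses the header per RFC 6797 (directive names are case-insensitive, `max-age` is mandatory), grades a constructed set of sample values from “none” through “preload-ready”, and composes a header for a staged rollout. The preload thresholds (a `max-age` of at least one year, plus `includeSubDomains` and `preload`) encode the hstspreload.org submission rules as I understand them at the time of writing and are an assumption to re-check against the list’s current requirements; the rule that browsers honour the header only on an HTTPS response is from RFC 6797.

```python
"""Parse and grade a Strict-Transport-Security header.

Added example, not the article's or Google's code. The header strings in the
tests and in main() are constructed samples. Syntax follows RFC 6797; the
preload thresholds are the hstspreload.org rules as understood at the time of
writing (assumption: re-check before submitting).
"""
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # seconds; minimum max-age for preload (assumed threshold)


def parse_hsts(header_value: str) -> Dict[str, str]:
    """Return {directive-name: value}; flag directives map to ''."""
    directives: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()           # names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        raise ValueError("max-age=<seconds> is required")
    return directives


def grade(header_value: str) -> Tuple[str, List[str]]:
    """Grades, weakest to strongest: none, disabled, rollout, enforced,
    preload-ready. Notes say what is missing for the next grade."""
    if not header_value or not header_value.strip():
        return "none", ["no Strict-Transport-Security header on the HTTPS response"]
    d = parse_hsts(header_value)
    max_age = int(d["max-age"])
    if max_age == 0:
        return "disabled", ["max-age=0 tells browsers to forget the policy (used to back out)"]
    if max_age < ONE_YEAR:
        return "rollout", [f"max-age={max_age} is under one year; raise it once the site is stable"]
    notes = []
    if "includesubdomains" not in d:
        notes.append("includeSubDomains missing: subdomains remain reachable over HTTP")
    if "preload" not in d:
        notes.append("preload directive missing: not eligible for the preload list")
    return ("preload-ready" if not notes else "enforced"), notes


def build_hsts(max_age: int, include_subdomains: bool = False, preload: bool = False) -> str:
    """Compose the header for one rollout stage. Browsers only honour it on an
    HTTPS response (RFC 6797), so set it on the redirect target, not the HTTP side."""
    if preload and not (include_subdomains and max_age >= ONE_YEAR):
        raise ValueError("preload requires includeSubDomains and max-age >= one year")
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


if __name__ == "__main__":
    # constructed sample values, one per rollout stage
    for value in ("", "max-age=300", "max-age=63072000",
                  "max-age=31536000; includeSubDomains; preload"):
        print(repr(value), "->", grade(value))
    print(build_hsts(300), "|", build_hsts(ONE_YEAR, True, True))
```

The staged approach the grades reflect is the usual one: ship a short `max-age` first, so a mistake expires quickly, raise it to a year once everything works, and only then add `includeSubDomains` and `preload`, since a preloaded entry cannot be undone by simply removing the header.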
Frequently asked questions about switching to HTTPS
Migrating to HTTPS is not something that “a site does every day,” so it’s natural to have doubts and ask questions. Before concluding his talk, Mueller collected some of these FAQs and provided answers and best practices for completing the steps accurately and without errors.
- How long should I keep redirects active?
Redirects should remain active forever: there is no reason not to redirect from HTTP to HTTPS after a migration.
- Can I move only a few pages?
Technically you can move only a few pages to HTTPS, such as only the user login page. In practice, Mueller says, moving the whole site doesn’t take much extra work, and that is what should be done anyway.
- Which HTTPS certificate should I use?
Any certificate supported by a modern Web browser will do, and Mueller specifically mentions free certificates from the nonprofit organization Let’s Encrypt.
- How long does a migration take?
Google has a lot of experience with HTTPS migrations, Mueller says, so they can usually be processed within a week if all the steps are correct. However, in practice the exact timeline doesn’t matter much, since users will be redirected anyway.
- Will the migration hurt my site’s ranking?
“Usually not,” Mueller says, because it is still the same site, included on the Web in the same way. In fact, rankings may benefit from the slight increase mentioned earlier.
- Can I restore the previous status if necessary?
Technically, yes, but it is not a recommended practice. Rather than going back, Mueller recommends fixing any problems and moving forward.
How many HTTPS sites are there in the world?
Despite the many advantages and the persuasive effect of the padlock, there are still some impediments to the full spread of HTTPS sites. According to the aforementioned W3Techs report, updated to October 2022, they nowadays account for close to 80 percent of the total number of sites surveyed, with steady growth that has not yet, however, led to the disappearance of sites based on the non-secure mode.
According to experts, the reasons for the lack of global deployment of HTTPS have historically been technical, economic, and practical: adopting an SSL certificate had a cost that for many sites was excessive, especially for small projects that perhaps do not handle sensitive user data; moreover, HTTPS often did not work with cheaper virtual hosts and caused them to lose caching capacity. These problems, however, are being overcome as technology advances, and in fact today HTTPS is free (at times), easy, and increasingly ubiquitous.
Important sites not yet in HTTPS
However, there are still plenty of sites that are exceptions, even relevant and important domains that have not yet adopted the HTTPS standard for their pages.
Editorial portals such as FoxNews and the BBC, hotel chain sites such as Hilton, and even the institutional portal of the United Nations have long been part of this “list of shame”, and today the website https://whynohttps.com/ still catalogs “many of the world’s largest Web sites that continue to deliver content over unencrypted connections, putting users at risk even when no sensitive data is involved.”
On the list of the top 100 Web sites that do not automatically redirect unsecured requests to secure ones are 6 percent of the world’s 1,803 largest Web sites, including domains such as baidu.com (China’s national search engine), myshopify.com, videolan.org (the site from which to download the popular VLC media player) and openoffice.org (the official site for downloading the Apache project’s free software). Looking at Italy, the list includes sites such as turismovenezia.it (the portal of the tourism promotion company of the Province of Venice, which, however, is “no longer updated”) and some domains related to Confindustria, such as confindustriaceramica.it (official website of the section of the association that groups producers of ceramic tiles and related products) and, paradoxically, confindustriadigitale.it (the Federation of Industrial Representation in the Digital Economy).