Scared to Migrate from HTTP to HTTPS?

[djbaxter]

Scared to Migrate from HTTP to HTTPS?
by Mr-X on ThreadWatch
Wed, 2016-02-03

A lot of posts that I read on the 'Net lately are about how switching from HTTP to HTTPS leads to lost rankings and disaster. It doesn't have to be that way though. On SEO Chat, users are discussing what you need to do to prepare for an HTTPS migration in this thread. One of the mods there has transcribed some solid advice from John Mueller. The mod also says that he's never had major issues migrating, and he seems like an open dude. So if you have any questions, that'd be the thread to ask them in.

I was reminded of that thread because HTTPS migrations were in the news yesterday. The SEM Post published two stories: one story about how you can move partial sites to HTTPS, and another about how using a 301 or 302 to redirect to HTTPS results in no PageRank loss.

Read more...

What has been your experience in making the HTTP -> HTTPS transition?

 

[addaminsane]

What is the point tho?

how is a general info website different based on this factor?

It makes sense if you log into a website for it to change to https but i simply don't understand what the push is to make all websites https ...

 

[djbaxter]

To eliminate or minimize man in the middle attacks, loss of passwords and personal data, etc.


Sent from my iPhone using Tapatalk

 

[addaminsane]

To eliminate or minimize man in the middle attacks, loss of passwords and personal data, etc.


Sent from my iPhone using Tapatalk

i can understand a site that you log into being https but a website that has no user interaction other than clicking links and reading pages ... i don't understand.

 

[James Watt]

There's a writeup here by Yoast that answers some of that I think, though I know a lot less about this than some of the other people on this forum. My understanding, is there's a few reasons:
1 - a lot of people suck at adopting. Recommending that everyone does it everywhere will keep things from slipping through (like comment logins to leave something on a blog, that sort of thing). Telling everyone everywhere to do it might get better coverage, since a lot of people making websites don't really know what they're doing anyway, and most users use the same passwords everywhere.
2 - a lot of platforms (wordpress) suck at having a mixed http/https setup, better to recommend everyone migrates everything I guess.
3 - speed drops associated with https have workarounds now.
4 - I don't know much about the PPC/user tracking side of things, so someone else will have to weigh in more to correct me/elaborate, but it sounds like a web that's spotty between http and https makes it harder for data trackers to get full data from users browsing the web.

That's my layman's understanding at least. I imagine the real truth, it's not 100% important for everyone to switch from a pure security standpoint, but since Google's got so much influence on web best practices, and since people en masse are so bad at following directions, it was probably wisest to make a blanket recommendation than to say something more complicated and risk hurting adoption.

 

[Tim Colling]

Every time Google makes an arbitrary and high-handed pronouncement like this, regardless of whether or it is reasonable, necessary or "fair", it means more work for all of us. Just like every time the government fiddles with the tax laws, resulting in more work for accountants and tax lawyers. Sad but true.

Google <== "It's good to be the king" (obscure Mel Brooks reference)

 

[BrendanT]

From a biz perspective its an easy speed win, with https and cloudflare you get SPDY and http2 support, quite a big speed win.

Encryption is becoming increasingly important and there is an inbuilt expectation that the web is secure. EG 10 years ago encryption on email protocols (smtp, pop3, imap) was unheard of. Today it's standard largely because Gmail has pushed it along.

If you're running both http and https there is potentially some canonical benefit by having the http 301 to https

 

[CCarter]

SPDY

Just an FYI, Google is discontinuing support for SPDY within from Chrome in favor of http/2 since it's using spdy/2 as a base for http/2 now.

On February 11, 2016, Google announced that Chrome will no longer support SPDY and NPN since May 15, 2016

Source: https://en.wikipedia.org/wiki/SPDY

I assume it's an effort to make all this less confusing.

 

[addaminsane]

but still theres a reason http and https exist. If http seizes to exist i would assume hackers would simply become more fascinated and capable of hacking https.

There is sooo much logic in the world today that does so little if anything to improve anything at all.

 

[James Watt]

I mean... that's true I guess, but it's a little like saying that if everyone starts locking their doors, then thieves would start learning how to lock pick instead of just looking for easy marks. You're probably right, but there's still a pretty fundamental difference between 'encrypted' and 'not encrypted'.

I think at the end of the day, there's a giant arm's race going on. I heard a quote recently I liked too... we'll never be able to completely beat the hackers, because while both sides are working hard, they're the ones that are desperate.

 

[addaminsane]

Everythings gaining a much bigger learning curve without actually improving... like google fiber ... Yeah its fast, when you can actually connect to it. Hiccups Galore.

 

[BrendanT]

I mean... that's true I guess, but it's a little like saying that if everyone starts locking their doors, then thieves would start learning how to lock pick instead of just looking for easy marks. You're probably right, but there's still a pretty fundamental difference between 'encrypted' and 'not encrypted'.

I think at the end of the day, there's a giant arm's race going on. I heard a quote recently I liked too... we'll never be able to completely beat the hackers, because while both sides are working hard, they're the ones that are desperate.

Agree 1000%

Security is not an all or nothing game, it's a sum of a bunch of parts.

It's more like building a wall, the more bricks you have the bigger and better the wall is. HTTPS is just another brick in the wall.

Often security is more about not being the weakest link vs being the strongest link. Using HTTPS is one way to move you away from being weak towards strong - both as a website owner and as a website user.

 

[Margaret Ornsby]

This post is timely, as we've just finished auditing a couple of sites for a national company.

Both the sites were supposed to be https, but both were a badly batched job of it and valuable tools such as Search Console were knobbled due to the poor implementation. As well, many customers were receiving certificate errors before they landed on the site, so heaven only knows how much revenue walked right past their door.

I don't want to enter into the debate about whether to or not to https, but if you're going to do it, take the time and care to do it correctly ;-)

 

[djbaxter]

I think one thing everyone absolutely needs to do after the conversion is watch Google Analytics very closely for a time after the switch.


Sent from my iPhone using Tapatalk

 

[Laustin1878]

Much of this discussion seems to focus on the search engines or Google, but what about the visitors, the one's who are buying your product or service?

There is so much scare in people today with identity theft, big name businesses websites being hacked resulting in credit card and personal information being stolen.

Does anyone agree that seeing an https vs. http on a SERP would lead a user to likely click on the https site over the http site just for a better feeling of security? I feel it would help conversions, baring the visitor actually knows what the difference is between http & https. That would be a worthwhile argument.

I was just discussing this the other day as well so this article is timely. Some good information on an up and coming topic.

 

[James Watt]

I think it'd really need to be tested before anyone assumes that https is going to instill more consumer trust vs http. I'm on the pretty savvy end of the spectrum I think, and I don't always even notice how a site's being served to me. Most people I doubt would know the difference, unless a giant page pops up saying that your security certificate is screwed up and you shouldn't trust the site you're on. In lower-tech industries (aging demographics, etc) I'd be really, really surprised if https affected website conversion even a tiny bit. But! You know what they say about assumptions, I could definitely be wrong. Right now there's not a huge difference other than a little green padlock in chrome to show you're on an https site... could be that that gets changed down the road too, in which case you'll definitely be right. A giant red X on an http site would slow people down, especially people who don't know or trust technology all that well.

Also, if you look at the SERPs, for me at least, the only difference for http vs https, is in the actual address shown, and it's a minor one. I can't imagine anyone who doesn't know what https means will be put more or less at ease, given the way it's currently displayed.

 

[Laustin1878]

Thank you for your perspective on this. I can't disagree with you and in general, I am sure people wont be affixed to the URL in the SERP. It was a spitball thought and I had not reviewed any results to see how many sites are actually https.

A test would definitely be a telling story but how exactly would you test that, from a SERPs perspective? A/B for when the user on the site is feasible but displaying 2 different URL's for the same page in the SERPs has me puzzled at the moment.

 

[James Watt]

No worries, I'm all about spitball ideas! I love what (I think it was Dan Kennedy) said about copywriting too that I think relates. He said his massive amount of experience, track record, swipe file, etc. all gave him a huge advantage over a rookie. He could make the right guess as to the winning approach 50% of the time, instead of 5% of the time. Big bump, but even he said he was still wrong over half the time, hence the importance of testing when it comes to anything that influences conversion, regardless of how experienced you are.

If I was to approach testing it, I'd use adwords. The only way I'd consider doing it with organic SEO was if I had a whole bunch of affiliate or ecommerce sites that all served a similar demographic. Switch 50 over to https and leave the other 50 alone and see if there's any improvement on the https sites vs historical data and vs the sites that were left alone. A person with only a single site could still keep an eye on their analytics goals before and after... just that the numbers might not be big enough to show a statistically significant result if the difference is only a few percent uptick, especially since shifting positions in the SERPs can influence the kind of people who click. I'm not experienced enough in this stuff to know if there's a psychological difference in most markets for people who click a number 3 spot vs a number 7, but I suspect there's enough to make any small conversion swings untrustworthy if your spot changed at the same time.

 

[Laustin1878]

Well said and thank you. I agree with your testing methods and I think you'd need to take a large sample size, say a minimum of 6 months of testing the https and compare that to the previous year. It wouldn't be finite but it would still give you an idea.

The site that I was discussing making such a change to was a site that's been around for years and has recently been redesigned. I don't know that there'd be much to lose at this point but for a more seasoned and established site, I can see it requiring testing and more thought.

I think I'll pay attention a little more to the SERPs to see how many sites use https. I don't think using it would be an overwhelming trust factor but thought there could be more comfort among web searchers seeing a secure site.

 

[Campbell Mcarthur]

I have a couple of questions for those that have done this for a number of their clients before.

I just recently converted my entire site to https however, there a couple of things that I am unsure of.

1st question: when you add the https:// version of your website to WMT search console do you need to add the www and non-www version of the https site in the web master tools search console for site properties? As it stands, when I originally set up my website in web master tools years ago I added the www. and non-www. version of my website in the web properties and set the WWW. version as the preferred domain.

Do I need to add both of the https versions in search console as I did with the HTTP ones?

2nd question: Sitemap submissions: do both HTTP and HTTPS versions of my Sitemaps get uploaded into the https://www.pcmedicsoncall.com property?

3rd question: .htaccess question: in my .htaccess file I have had the non-www version of my site redirecting to the www. version of the site as not to get a duplicate content penalty.

with that said, my question is does that code need to be changed to reflect the HTTPS version of the website???

Original Code:
# Redirect non-www urls to www
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{HTTP_HOST} ^pcmedicsoncall\.com$ [NC]
RewriteRule ^(.*)$ http://www.pcmedicsoncall.com/$1 [R=301,L]

Should code Above be modified to this below now that I am on HTTPS???

Modified Code:
# Redirect non-www urls to www
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{HTTP_HOST} ^pcmedicsoncall\.com$ [NC]
RewriteRule ^(.*)$ https://www.pcmedicsoncall.com/$1 [R=301,L]