Yesterday, Google officially announced that sites with SSL (https) would get a bump in rankings. Multiple news sites ran it like it had to be done tomorrow. All manner of developer forums lit up with folks asking how to do it. And a few of us said, “Not so fast!” The media circus over this will be going on for at least another year. Here’s a follow-up to yesterday’s post with more info and things to consider before you make the move to HTTPS.
A Cautionary Tale
Here’s my original post on this topic, advising that folks should take a moment to consider the bigger picture.
In it I mentioned several caveats without explanation. Most of them can be fixed, but that requires either research or more investment.
What I mainly wanted to address in that post, and in a hurry, was the folks having a knee-jerk reaction and leaping before looking: getting an SSL certificate, changing all of their permalinks over from http to https, and then having to fix all of the issues I mentioned after the fact.
A minute of planning is worth an hour of troubleshooting.
Today I want to go more in-depth about what’s really going on, and give you some resources to help you make a good decision for your site and avoid expensive pitfalls.
Is HTTPS More Secure?
Yes, but… HTTPS is an encrypted connection. It keeps the info traded back and forth between a site and a visitor safe from middle man (man-in-the-middle) attacks.
Let’s have an example of that. You’ve heard of computer hacks where someone can record all of your keystrokes? That’s a middle man attack.
Sites that take transactions, like credit cards, have to use the highest level of SSL certificate to ensure that the information they are being given by the visitor remains private.
And that’s also why a lot of site owners use services like PayPal. Let them worry about the security. That’s also smart.
The Other Side of HTTPS
Security goes both ways. If a visitor downloads a file from your site over an HTTPS connection, there is no middle man attack on that transfer.
But, that does not guarantee the file is free from malicious code. It could still infect your computer, or other device you’re downloading it to.
So, is it worth having an SSL certificate for folks to get a PDF from you?
Hasn’t been so far. But that may change. More on that in a moment.
Does it make reading your blog post safer? Not really.
You’re still going to start hearing more about why your blog-only site needs SSL anyway. In fact, you’re going to hear hundreds of opinions about this from all manner of “experts” for at least another year. And those opinions are not all going to agree. In fact, they will run from one end of the spectrum to the other.
Google’s Looking Out for Google
Here’s a quote that got overlooked in yesterday’s announcement from Google.
“We invest a lot in making sure that our services use industry-leading security, like strong HTTPS encryption by default. That means that people using Search, Gmail and Google Drive, for example, automatically have a secure connection to Google.”
So, it makes sense that Google wants you to just stay secure the whole time you’re connecting with them. That ensures there are no middle man attacks when you jump between their products.
Follow the Money
Think about it. Google makes money from the premium version of Google Apps. And those products are specifically geared to appeal to businesses with teams that want to get rid of the expense of buying Microsoft Office products.
To encourage folks to store everything in the cloud, including spreadsheets, emails, and other documents that may contain sensitive information, security has to be a top priority for Google.
Rise in Middle Man Attacks
We are in the midst of the highest sustained bot attack in history, and it’s still growing.
For the last several months, I’ve been encouraging folks to shut off XML-RPC completely on their site.
For the last several weeks I’ve been encouraging folks to shut down unsecured FTP accounts and ensure that they are retrieving their email via an encrypted connection.
Middle man attacks are on the rise.
Jumping from encrypted site to encrypted site as you surf the web and then grab email from an encrypted source and then go to an encrypted file storage, like Google Drive, helps keep you secure.
And that’s one of the reasons some folks have been screaming for years that all sites should be encrypted as https from the get go.
Google makes things like authorship, publishership, and now encryption a ranking factor to drive adoption.
Who Has to Have SSL Already
Any site that takes transactions, like e-comm stores and payment gateways, is required to have an SSL certificate.
And some folks think those are the only types of sites that will ever need them. While true, that may be changing due to the middle man attacks and other factors.
If you made your site secure from the onset, good for you! You’re ahead of the game already. And now you get brownie points and a pat on the head from Google too.
If your site is not on https already, here’s more of what you need to consider.
Do it Because it’s Right For You
First, don’t make this change because of the ranking factor bump alone.
The original release from Google stated that it is a minor ranking factor, and that they might at some point give it more weight. If you read other reports from major news services, they make it sound like it’s a mandate from Google and factors big in ranking. Not so.
Changing permalinks is no small thing, whether it’s to https or just another permalink structure.
Until you get all of that done, and maybe even after, you have to set up redirects. (There are a LOT of varying opinions on this.) That can be done several ways; one of the best is via the .htaccess file. Then change your site URLs in Settings > General. (There are a LOT of varying opinions on this too.)
Then, refresh your XML and HTML sitemaps. Then submit the new sitemap to Google Webmaster Tools. Your old permalinks will still show up in SERPs until Google finishes indexing to show the new ones. And if someone clicks one of those links, they will be redirected to the new page.
A redirect means that there are more requests. Most performance graders don’t like too many redirects.
And redirects take more time to deliver the page. It may be a very small amount of time, but it’s there. It depends on your server and database, and a whole host of other factors.
After a while, Google will have re-indexed all of your pages and visitors will have updated their bookmarks and it will not be much of a factor. But that does take time.
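One way to check that your redirects are doing what you intend is to walk them hop by hop and flag chains, temporary codes and loops. The script below is an added example, not code from the original post or from any plugin it mentions; the sample responses are constructed to show a clean one-hop redirect, a two-hop chain and a loop, and `live_fetch` is an assumed helper that asks a real server for one response at a time without letting urllib follow the redirect itself.

```python
"""Redirect-chain checker for an http-to-https move (added example)."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5
REDIRECT_CODES = (301, 302, 303, 307, 308)


def follow_redirects(url, fetch, max_hops=MAX_HOPS):
    """Follow redirects one hop at a time.

    `fetch(url)` must return a (status_code, location_header) tuple; the
    location is None when the response is not a redirect.  Returns
    (hops, final_url) where hops lists the (status, url) redirect responses
    seen before the first non-redirect response.
    """
    hops = []
    seen = set()
    current = url
    while True:
        if current in seen:
            raise ValueError("redirect loop at %s" % current)
        seen.add(current)
        status, location = fetch(current)
        if status in REDIRECT_CODES and location:
            hops.append((status, current))
            current = urljoin(current, location)  # Location may be relative
            if len(hops) > max_hops:
                raise ValueError("more than %d redirects from %s" % (max_hops, url))
            continue
        return hops, current


def audit(url, fetch):
    """Return a list of findings for one URL; an empty list means it is clean."""
    findings = []
    hops, final = follow_redirects(url, fetch)
    if urlparse(final).scheme != "https":
        findings.append("lands on a non-https URL: %s" % final)
    if len(hops) > 1:
        findings.append("%d-hop chain; collapse it to a single 301" % len(hops))
    for status, _ in hops:
        if status != 301:
            findings.append("uses %d instead of a permanent 301" % status)
            break
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Assumed helper: make urllib surface a 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """Assumed helper: fetch one response from a real server (needs network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx both arrive here
        return err.code, err.headers.get("Location")


# Constructed sample responses standing in for a server during the move.
SAMPLE_RESPONSES = {
    # clean: one permanent hop straight to the https page
    "http://example.com/about/": (301, "https://example.com/about/"),
    "https://example.com/about/": (200, None),
    # chain: http -> https -> https www, with a temporary 302 in the middle
    "http://example.com/blog/": (301, "https://example.com/blog/"),
    "https://example.com/blog/": (302, "https://www.example.com/blog/"),
    "https://www.example.com/blog/": (200, None),
    # loop: two rules that keep bouncing the visitor back and forth
    "http://example.com/loop/": (301, "http://example.com/loop2/"),
    "http://example.com/loop2/": (301, "http://example.com/loop/"),
}


def fake_fetch(url):
    """Answer from the constructed table; unknown URLs are a 404."""
    return SAMPLE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for start in ("http://example.com/about/", "http://example.com/blog/"):
        print(start, audit(start, fake_fetch) or "ok")
```

Swap `fake_fetch` for `live_fetch` to run it against your own old permalinks after the move; every extra hop in the chain is one more request each visitor (and Googlebot) pays for.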
(More on redirects from Yoast in a moment.)
Google is encouraging folks to use the TLS (Transport Layer Security) way of delivering encrypted pages.
Here’s what they said in their announcement.
“In the coming weeks, we’ll publish detailed best practices (we’ll add a link to it from here) to make TLS adoption easier, and to avoid common mistakes.” (emphasis added)
For a long time, establishing a connection over an encrypted channel caused a speed issue. Only with advancements in tech, hardware, and faster ISP connections has that improved.
Even so, you need to help it out a bit.
SPDY is an open-source protocol that has been developed to offer better data compression, among other things, and thus faster delivery.
To give you a relatable example, when .mp3 compression came along, music downloads stopped taking forever and sites like iTunes boomed. Same with the compression types used over the years by YouTube. Now it’s so good, and base ISP and wi-fi speeds are so fast, that they can deliver HD video quality.
The bottom line is that you have to make sure you have the proper compression available so that your new https pages don’t take a performance nose dive and lose ranking.
The prices for SSL certificates are all over the place.
And, there are different types of certificates.
One type is Shared, and this is the most common type that hosts offer for free. It’s “shared” because it is a blanket certificate, not one issued just for you. It is also the least secure of them.
This is the type of SSL certificate that everyone went scampering after when Facebook required content for gated pages to be encrypted.
More on costs in the next sections.
Integrating with Other Services
You may need either to get a static IP address for your site, which is an extra cost at some hosts, or to check whether your host supports Server Name Indication (SNI), which lets several HTTPS sites share one IP address.
If you’re using a CDN like CloudFlare, the free version does not accept SSL encrypted sites. You have to get at least the $20/mo plan for that. And Amazon CloudFront CDN is even higher, to the tune of $600/mo for some setups (so I’m told; I’m trying to verify this).
UPDATE: CloudFlare just announced they would make SSL available for free accounts beginning in mid October!
Read Google Now Factoring HTTPS Support Into Ranking; CloudFlare On Track to Make it Free and Easy
Some existing code on your site may not play so well with SSL.
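The most common way existing code breaks after the switch is mixed content: a page served over https that still pulls in scripts, stylesheets, images or frames over plain http, which browsers block or warn about. The scanner below is an added example, not code from the original post or from Yoast; it runs on a constructed sample page and flags every http:// asset it finds, sorting them into active content (scripts, stylesheets, frames, which browsers block), passive content (images, media, which get a warning), links and reference tags (such as a canonical) that simply still point at the old http permalinks.

```python
"""Mixed-content scanner for a page moved to https (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attributes that load a sub-resource or point the visitor somewhere.
ASSET_ATTRS = {
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "link": ("href",),
    "form": ("action",),
    "a": ("href",),
}
ACTIVE_TAGS = {"script", "iframe", "embed", "object"}
PASSIVE_TAGS = {"img", "source", "video", "audio"}


def classify(tag, attrs):
    """Say how a browser treats an http:// URL found on this tag."""
    if tag in ACTIVE_TAGS:
        return "active"
    if tag in PASSIVE_TAGS:
        return "passive"
    if tag == "link":
        rel = (attrs.get("rel") or "").lower()
        return "active" if "stylesheet" in rel else "reference"
    if tag == "form":
        return "form"  # posts the visitor's data back over plain http
    return "link"  # an <a href> to an old permalink; redirected, not blocked


def _candidates(name, value):
    """srcset holds several comma-separated 'url descriptor' entries."""
    if name != "srcset":
        return [value]
    return [entry.strip().split()[0] for entry in value.split(",") if entry.strip()]


class MixedContentParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = ASSET_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        for name in wanted:
            value = attrs.get(name)
            if not value:
                continue
            for url in _candidates(name, value):
                # Protocol-relative (//host/path) and https URLs are fine.
                if urlparse(url).scheme == "http":
                    self.findings.append(
                        {"tag": tag, "attr": name, "url": url, "kind": classify(tag, attrs)}
                    )


def scan_html(html):
    """Return every http:// reference found in the markup, in document order."""
    parser = MixedContentParser()
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings):
    """Count findings by kind, e.g. {'active': 2, 'passive': 2}."""
    counts = {}
    for finding in findings:
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


# Constructed sample page: what a converted site often looks like on day one.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/style.css">
<link rel="canonical" href="http://www.example.com/post/">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://www.example.com/wp-content/uploads/photo.jpg" alt="">
<img src="//static.example.com/logo.png" alt="">
<img srcset="http://img.example.com/a-400.jpg 400w, https://img.example.com/a-800.jpg 800w">
<iframe src="http://player.example.com/embed/1"></iframe>
<a href="http://www.example.com/other-post/">older post</a>
<form action="https://www.example.com/subscribe" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    results = scan_html(SAMPLE_PAGE)
    for item in results:
        print("%-9s <%s %s=%s>" % (item["kind"], item["tag"], item["attr"], item["url"]))
    print(summarize(results))
```

The scanner only reads the markup, so URLs built inside JavaScript or inline CSS `url()` values are not seen; it is a first pass over saved pages or a crawl, not a substitute for checking the browser console on the live site.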
Joost de Valk (Yoast) has a nice post about moving his site to SSL back in April, shortly after Matt Cutts announced he would “love to make it part of the ranking algorithm.”
Here’s what he said about internal links and redirects:
Yoast mentions many other implementations and integrations that he made to make the site run fast and smooth with SSL. You’ll want to at least scan that post, even if you don’t fully understand all of the tech, just to see what it takes to make SSL work well on a converted site.
As mentioned already, you’re going to see a plethora of posts on this topic for another year as the conversation about online security escalates.
And, you’re going to see opinions from both sides, in the middle, and every place in between. It’s almost as divisive as talking religion at dinner. Folks hold these opinions with passion, whether they know what they’re talking about or not. And yes, even highly regarded experts have been known to be wrong on occasion.
Plus, there are lots of designers, developers, coders, security and web specialists who are drooling right now. All they see are the $$$$ of folks who will hire them to get their sites converted. They will NEVER tell you it’s not a good idea for your site. They will also never tell you the color bright orange isn’t a good background either. They are going to deliver what you pay them to deliver. Knowing what and why is up to you.
Do What’s Right For You
You’ll have to make up your own mind about what’s best for your site. At this time, I will not be converting BlogAid to SSL. That’s not to say that I won’t build a new client site from the ground up without it, though. That’s different.
I’ll keep you posted as I consider more data coming in about security, and Google’s motives, including how much this is going to line their pockets and those of their shareholders.
I can tell you now that I won’t be chasing the bump in rankings for this. It’s not a good enough reason for my site or my niche. I’ll let you know if that changes.
I’ll also be periodically updating this post as news is released, or security changes happen. If you see something out of date, please let me know. It’s changing rapidly.