Google’s Final Warning: New Security Requirements and How to Meet Them
When HTTP first appeared nobody thought that HyperText Transfer Protocol has to be secure. The intention of it was to establish the connection between a browser and server and make the data exchange possible.
For example, users want to read about RankActive on the web. What do they do?
They open a browser and drop RankActive.com in the search line. What happens?
This picture shows what HTTP looks like and how a browser finds a website by sending a DNS query.
How HTTPS appeared
Everything was going alright until something has changed. Some people, dressed like pizza delivery guys started to come. While a browser and RankActive were talking to each other and drinking beer together, something was happening. The masked pizza guy would break into the house without him being seen and start stealing credit cards, money, passport data, etc., from user’s bag. When the user went back home, all the data would have already gone.
These malicious actions have put a foundation to create a local police department. What they suggested was to build police checkpoints on the roads that ensured that a user has zipped his bag and put the wallet in the inside pocket. They would also make sure that the browser is safe at the RankActive’s house and nobody will listen behind the corner, while they are talking.
These police checkpoints were named SSL, but some people called it TLS. They have become a part of HTTP, and they were renamed into HTTPS. They needed support still, so police departments decided to take a fee from verified website owners and provide them with a beautiful green certificate (SSL) that was easily noticeable by a browser and user.
Google’s Final Warning: New Security Requirements
Everybody liked these certificates, especially Google because they cared a lot about their users and didn’t let anyone hurt them. When websites refused to install SSL to make the environment secure Google would become very angry and mark them accordingly.
And if you try to access the website with an insecure connection, you’ll be warned with this creepy-looking message after which one might be willing to reload computer out of harm’s way.
Google says that you should always protect your website with an SSL certificate even if there is no any sensitive information on your website. Here is why.
At Google I/O conference in 2014, they stated that all sources of communication, data and information must be secure. Today, they are concerned that if somebody collects your favorite playlist, images, places where you go on the web, what you’re looking for, etc., your intent may become quite clear and may be used for any purposes by some third-parties either with good or bad intentions.
There are 3 major points that SSL certificate covers:
- Authentication means that you’re talking to the right website, for example, if you asked for RankActive.com that means that you’re at the right website.
- Data Integrity. That means that SSL makes sure that nobody has interfered with the data and it’s not modified while being sent between the user and the website.
- Encryption ensures that the data that you send or receive (and it’s private) is not seen by anybody else.
Here is what this process looks like:
Google’s deadline that will push users to switch to https is scheduled for July, 2018. Google is mentioning the HTTPS to be set by default as soon as possible, however, it’s still can’t be easily reached even though 81 of 100 websites are using HTTPS by default.
Google’s persuades that the switch to HTTPS is also a big part of a highly user-engaging project, called Progressive Web Apps. Going back to the HTTP websites being marked as “not secure”, we would like to point out that this will negatively affect the number of leads and conversions on an insecure website and the bounce rate will enormously increase.
Apart from mentioning that HTTPS is the future of the web, and it will be required for a successful workflow of some APIs, such as geolocation – another reason for upgrading your website is that Google prioritizes HTTPS pages first. It means that they will be indexed by default if they, of course, meet all the requirements.
How to successfully migrate from HTTP to HTTPS?
The process of switching a website to HTTPS is a bit tricky and requires some technical knowledge. For the very same reason, it’s more preferable to choose the SSL certificate that is not only authoritative but also offers technical support. The best way to know which SSL certificate provider is trustworthy is to install Firefox and do the following steps:
Apart from paid certificates, there is more freedom today, so you can simply get a free SSL certificate from Let’s Encrypt which just as well ensures the data security. Comodo itself also provides a free SSL certificate for 90 days.
There are different types of certificates which you can go with: single, multi-domain or wildcard. A single SSL certificate only protects your domain without subdomains. A multi-domain SSL speaks for itself, and with a wildcard SSL, you can make all your subdomains secure as well.
When you get your certificate you have to go through one of the types or stages of validation from the simplest to the most detailed. These are domain validation (DV), company validation (CV), extended validation (EV).
After you’ve purchased SSL either for free or not you need to install it, the manual on how to do that is usually given by an SSL provider.
When you’ve installed your SSL, you need to set 301 redirects from your old HTTP pages to the new HTTPS, because Google counts such a switch as a full transfer of domain with all the URLs. During this switch drops in traffic are considered OK.
Apart from redirects, you can force HTTPS use on your website after you’ve installed the SSL certificate correctly according to the SSL provider instruction. If you’re using Apache, you’ll have to modify the .htaccess file by placing the necessary piece of code following this instruction. If you’re using Nginx web server, then you can configure the root file by following this guideline.
The next thing you should do is check your robots.txt file and make sure you’re not blocking the HTTPS pages from indexation.
At this stage, SEO experts suggest using Site Auditor tool to scan your website to see if you’ve transferred all the pages from HTTP to HTTPS.
This is just one of the parameters that Site Auditor has. It scans the website to reveal all the possible issues, such as non-existing pages or 404, loading time issues, duplicates, invalid images, pages with broken links, etc. We recommend using this tool everytime you’re making any change on your website or in case you’re doing SEO for somebody, this is also a great tool to start with. By the way, if you decide to do SEO using our platform, we will provide you with the white-label, and you’ll be able to do whatever you need to do under your own name.
Optimize for HTTPS and watch the tags
Does your website support different languages? If so, make sure all your tags, such as rel=canonical and hreflang are pointing to the correct HTTPS URLs.
If you are thinking about launching your website on a different language and expanding your business on different markets, then you may be interested in avoiding the most common international SEO mistakes.
Not only tags you should be taking care of, but every image, font, etc. If there is something that was used on HTTP version of your website it must be pointed to HTTPS.
After you’ve done the switch, it’s also necessary to let Google know that you’ve migrated, so you may want to set your Google Analytics and Google Search Console according to the changes. In order to do that correctly, check out this video instruction.
After you’ve made and tested all the changes, you can rescan your website with Site Auditor again and there you have it! You’ve successfully migrated to HTTPS!
HTTP is no longer considered a standard because a lot of malicious actions have led to a significant data loss over time. If you want to create the safe environment for your clients, their data as well as yours, a switch to HTTPS is a must. Sooner or later every website will migrate to HTTPS because Google wants and requires it to be so in July, 2018. Having an SSL certificate will definitely increase your rankings and website authority. And with a lot of opportunities for getting a free SSL is just irresistible not to migrate! So, why not?