SSL, HTTPS, HTTP, TLS, HSTS… to most online users these terms are nothing more than a meaningless sequence of letters. But not to you. Even if you are not an IT geek or server administration guru, you are likely to have at least a general idea of what these confusing high-tech buzzwords mean. Especially now, when Google uses HTTPS as a ranking signal and gives HTTPS pages a huge bump in rankings. And taking into account that this behemoth search engine is responsible for a whopping 77.82% of organic search traffic, you’d better take it seriously.
What is HTTPS?
If you're an SEO and you're recommending against going HTTPS, you're wrong and you should feel bad.— Gary Illyes ᕕ( ᐛ )ᕗ (@methode) August 18, 2015
HTTPS (Hypertext Transfer Protocol Secure) is HTTP sent over an encrypted SSL/TLS connection. It is designed to protect your store from network-level attacks and to secure all sensitive data in transit, such as credit card transactions, logins and other personal information passed between a visitor’s browser and your website.
There’s no need to go into the mind-bending process of HTTPS configuration to understand the basics. There are merely three simple things you should know:
- All transferred data is encrypted, so it is meaningless to an eavesdropper who does not have the key to decipher it. So no one on the network can copy your customers’ credit card info or read your Facebook messages, phew!
- Data integrity is additionally controlled, which means that sensitive data cannot be modified in any way during the transfer. At least without being noticed.
- Authentication protects your store from so-called man-in-the-middle attacks, in which an attacker gets full access to the data transmitted between your store and the customers browsing it.
With HTTPS on board, all these crafty scams are in no way possible.
Does your business need HTTPS?
Google’s HTTPS algorithm was first announced on August 6, 2014 (it’s been almost 2.5 years already!), held the same sway over SEO in 2016 and is still prioritized now.
On January 27, 2016, Parisa Tabriz, Google’s self-appointed “Security Princess”, tweeted about the company’s plans for the future of unsafe HTTP sites. They are going to shame them with a big fat red “X” mark placed over the padlock icon in the URL bar for Chrome users.
Is this what you had planned? Hopefully not. So don’t hesitate to start planning your HTTPS migration today.
Luckily, you can make your store HTTPS-compliant with absolutely no hassle at all. First of all, you’ll have to install an SSL certificate. There is a wide range of SSL certificate providers on the World Wide Web. Just Google it.
Luckily, you don’t have to travel far afield as this option is also offered by X-Cart. And it’s rather cost-efficient. For instance, standard Comodo SSL, providing strong protection and great flexibility, costs from $6/mo and is installed in less than 10-15 minutes.
Not sure if you already have SSL installed? Run a free SSL Server Test — if the results are other than A, you’ve got some security issues.
It’s not only about security…
It’s quite clear that HTTPS has something to do with security of your customers’ data, stored and transferred via non-secure-by-default public networks. How else can migrating to HTTPS be important for your business?
- You get an additional boost in search engine rankings. Though migrating to HTTPS cannot instantly make your website rank #1 for every single keyword, it will definitely impact your rankings on Google’s first page in the near future. HTTP websites, marked with a red crossed-out icon, will be considered insecure and, I believe, will soon be totally ignored by search engines.
- More trust and credibility. The first thing your visitors see on entering your store is the green address bar, which instantly adds trustworthiness to the products you offer. And it works! According to recent studies, 28.9% of visitors won’t take the chance of buying anything if they don’t see a green padlock. Moreover, 35% want to see the name of the company in the address bar to consider your store secure enough to make a purchase.
- Better referral data. Did you know that referral data from an HTTPS site to an HTTP site is completely lost in your Google Analytics report, as it looks like “direct” traffic? Let’s say your website is still on HTTP and you went viral on Facebook or YouTube. As both sites run over HTTPS, all your referral data will be labeled as “direct” in Google Analytics, which really means “we have no clue where it came from, maybe they typed the URL in or hit a bookmark” and is not very helpful. That’s not the case once your site is on HTTPS.
HTTPS myths and challenges. Oh boy, are there any?
Myth #1. Only enterprise companies can afford the move to HTTPS
Nowadays big companies, like Moz or Buffer, love to boast about switching to HTTPS: “our SEO-specs made a thorough link analysis”, “devs prepared the environment”, “data scientists made a bottom-line report” and other blah.
Reading these reviews here and there, you might think that only million-dollar businesses (with thousands of visitors crawling their pages daily) have enough power to move to a new protocol. Fortunately, there’s nothing to be afraid of, and even if you are the only employee, you can do it right.
Myth #2. OMG, migration to HTTPS will crash my store!
Major sites like Wikimedia or Reddit were quite quick to migrate to a safer world. Everything went smoothly and none of the passengers was hurt.
However, not everyone was that lucky. Buffer, for instance, faced a steep drop in organic traffic right after their move to HTTPS. Later on, Google admitted that it was their fault and traffic was soon restored.
Yes, there may be some obstacles, but they are unlikely to affect small and medium businesses; we’ve tested it.
And, needless to say, your store won’t be cracked into pieces, be sure!
Myth #3. There would be a number of errors & Google will ban me forever (I’m feeling lucky).
No, it’s not true. Of course, mistakes can happen, but one can easily eliminate them.
Have a look at your URLs: some of them may be blocked by robots.txt, or canonical tags may point at the wrong HTTP URLs. Do not forget to carefully check it all before making any move. Or ask your sysadmin to fix it for you, he knows it for sure.
When done right, you won’t find a single error, so don’t fret ahead of time.
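One way to run the two checks above before the switch, as an added example that is not part of the original article: `check_page` and `CanonicalFinder` are hypothetical names, and the page and robots.txt samples are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
from urllib.robotparser import RobotFileParser


class CanonicalFinder(HTMLParser):
    """Collects the href of every <link rel="canonical"> in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if tag == "link" and "canonical" in rels and a.get("href"):
            self.hrefs.append(a["href"])


def check_page(page_url, html, robots_txt, agent="Googlebot"):
    """Return a list of migration problems for one HTTPS page."""
    problems = []
    robots = RobotFileParser()
    robots.parse(robots_txt.splitlines())
    if not robots.can_fetch(agent, page_url):
        problems.append("blocked by robots.txt")
    finder = CanonicalFinder()
    finder.feed(html)
    if not finder.hrefs:
        problems.append("no canonical tag")
    for href in finder.hrefs:
        target = urljoin(page_url, href)  # resolve relative canonicals
        if urlsplit(target).scheme != "https":
            problems.append("canonical points at non-HTTPS URL: " + target)
    return problems


# Constructed sample data (hypothetical host, not taken from a real store).
ROBOTS = "User-agent: *\nDisallow: /checkout/\n"
OLD_PAGE = '<html><head><link rel="canonical" href="http://shop.example/tea"></head></html>'
NEW_PAGE = '<html><head><link rel="canonical" href="/tea"></head></html>'

if __name__ == "__main__":
    print(check_page("https://shop.example/tea", OLD_PAGE, ROBOTS))
    print(check_page("https://shop.example/tea", NEW_PAGE, ROBOTS))
    print(check_page("https://shop.example/checkout/cart", NEW_PAGE, ROBOTS))
```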
Myth #4. My store will be slower than a herd of snails traveling through peanut butter, boo-hoo…
As HTTPS requires extra client-server communication “handshakes”, speed issues can occur. In extreme cases, SSL negotiation may add an extra half a second to your page loading time.
This can have various causes: data center location, where your DNS records are hosted, ping issues, etc. The good news is that all these things can be easily fixed.
For example, one of our customers, Hwai Shieh at Boba Tea Direct, did experience some speed issues after migrating to HTTPS. SSL negotiation took a whole 400 ms, which was way too much. With a bit of magic applied, our hosting pros managed to boost speed by as much as 4 times.
The speed problems are totally unlikely for those who host their stores on X-Cart fully-managed VPS servers.
Myth #5. I’ll have to pay a whole lot of money for keeping my store HTTPS-ready.
Many webmasters pay up to $800 per year for SSL certificates. That’s a significant amount for those who are just starting out.
But, of course, there are cost-efficient options. For instance, X-Cart prices range from US $73/yr for a standard SSL to $299/yr for Extended Validation SSL, where the name of your company is shown in the address bar. By the way, you can get a lifetime certificate at no charge at all if you switch to any Hi-Volume Hosting plan.
What’s more exciting is that X-Cart partnered with Comodo to swing you a 20% discount for all SSL certificates. It means that X-Cart prices are currently lower than official Comodo retail prices. So, you can save big.
SSL installation costs $99, but it is totally free if you host your store with us, or if you purchase either a standard 3-year SSL certificate or a 2-year EV SSL.
Myth #6. My store is not yet ready for migration. Maybe tomorrow?
No doubt, migration to HTTPS takes some time and a bit of preparation. But, as we all know, forewarned is forearmed. So, if you heed our advice, you won’t make a mess of it. Be sure to do the following:
- Make as few redirect jumps as possible. Some browsers find it difficult to follow too many redirects and sometimes even refuse to load a page. Multiple 301 redirects are often used by spammers, so in the near future such links may be penalized by Google and you may lose some link value.
- Turn on HSTS, which tells browsers to use HTTPS instead of HTTP to access your web server. If you’re not using HTTPS only, as Gary Illyes says, “weird stuff happen in indexing”.
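Both checklist items can be verified from a recorded redirect chain. The following is an added example, not X-Cart's code: `audit_chain` and `parse_hsts` are hypothetical helper names, the `shop.example` chains are constructed sample data, and the one-jump limit is an assumed threshold.

```python
import re
from urllib.parse import urlsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip().lower()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', part)
        if m:
            policy["max_age"] = int(m.group(1))
        elif part == "includesubdomains":
            policy["include_subdomains"] = True
        elif part == "preload":
            policy["preload"] = True
    return policy


def audit_chain(hops, max_jumps=1):
    """hops: (url, status, headers) tuples in the order a browser saw them."""
    findings = []
    jumps = sum(1 for _, status, _ in hops if status in (301, 302, 303, 307, 308))
    if jumps > max_jumps:
        findings.append("%d redirect jumps (want <= %d)" % (jumps, max_jumps))
    final_url, _, headers = hops[-1]
    if urlsplit(final_url).scheme != "https":
        findings.append("chain ends on plain HTTP: " + final_url)
        return findings  # browsers ignore HSTS sent over plain HTTP
    hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on " + final_url)
    elif not parse_hsts(hsts)["max_age"]:
        findings.append("HSTS max-age is missing or 0, so the policy is not kept")
    return findings


# Constructed sample chains (hypothetical host, not from a real store).
BAD = [("http://shop.example/", 301, {}),
       ("http://www.shop.example/", 301, {}),
       ("https://www.shop.example/", 301, {}),
       ("https://www.shop.example/home", 200, {})]
GOOD = [("http://shop.example/", 301, {}),
        ("https://shop.example/", 200,
         {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})]

if __name__ == "__main__":
    print(audit_chain(BAD))
    print(audit_chain(GOOD))
```

The same function works on chains captured from a live site, for example by recording each response's URL, status code and headers while following redirects manually.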