
HTTPS vs. HTTP: What Is a Secure Website, and Is It a Ranking Factor?

6th June 2019

By Chase Lyne, Principal Search Data Strategist, Botify

People are more concerned with security than ever before, and rightfully so. In years past, many of us wouldn’t have given a second thought to inputting our personal information on a website. In the aftermath of highly publicized and far-reaching privacy breaches like Facebook’s Cambridge Analytica scandal, however, the general population is much more scrupulous in deciding whether or not to hand over their data.

Google has been actively moving toward a secure web for over a decade. Naturally, this has implications for Google search results. A big move came in 2010 when they introduced encrypted search. Instead of searching on http://www.google.com, people had the option to start searching on https://www.google.com. The difference is so subtle you may not have even seen it — a single “s” that stands for “secure.”

What is the “s” in HTTPS?

Whereas HTTP stands for hypertext transfer protocol, HTTPS stands for hypertext transfer protocol secure. But before you can fully appreciate the difference between the two, you have to understand what HTTP does.

HTTP vs. HTTPS

HTTP is used to transfer data from a web server (where a website is stored) to a browser (where you view a website, like Chrome). The only problem with HTTP is that the information passing between the server and the browser is open to people who might want to misuse it.

With HTTPS, you’re adding a layer of security to that connection so that information can’t be intercepted and read. The data passing back and forth between the server and the browser is encrypted: converted into a code to conceal it from those who are not authorized to view it.

[Image: How HTTP and HTTPS work]

What makes a website secure?

So how do you get from HTTP to HTTPS? You add a security certificate to your website, called a secure sockets layer (SSL) or transport layer security (TLS) certificate. Adding this to your website provides three key layers of protection:

  1. Data is encrypted, keeping it safe from unauthorized access.
  2. Data integrity is preserved, meaning it can’t be modified or corrupted during transfer.
  3. “Man-in-the-middle” attacks are prevented, ensuring your visitors are interacting with the intended website.

The security certificate must be issued by a certificate authority. Once you implement an appropriate certificate, you and your website visitors will be protected from people who might try to read private information, track activity, corrupt files, or carry out other cyberattacks.

The Google padlock: flagging websites that aren’t secure

As of July 2018, Google Chrome started flagging all websites that hadn’t been secured with a security certificate (Safari and Firefox now display similar warnings). Even prior to this, Google was flagging non-secure websites but only ones that collected passwords and other visitor information.

You may have seen a warning like this in your browser:

[Image: Site Not Secure]

This lets website visitors know that their connection is not secure. If your website was not secure when Google Chrome made this switch, you likely scared off some of your website visitors with this warning.

Since Chrome is the leading desktop internet browser with ~67% market share, this was a big step in the fight for a secure web.

HTTPS as a ranking signal in search engines

Years before Google Chrome started flagging non-HTTPS websites as not secure, Google announced that they would be incentivizing people to make the switch to HTTPS by offering a slight ranking boost to secure websites.

All other factors remaining equal, HTTPS could act as the tiebreaker that caused one webpage to outrank another.

Google remained consistent in their position that the main goal behind moving to HTTPS should be security, not rankings, saying that while HTTPS is currently only a slight ranking boost “we may decide to strengthen it because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”

Although the slogan “don’t be evil” was retired from Google’s Code of Conduct when Google was reorganized under its new parent company Alphabet, it still remains a part of their DNA.

Google has always been concerned with doing the right thing, and pushing for a secure web is par for the course. They want people to feel secure, and when they’re not, they want to alert them to that risk. Because of Google’s massive push for a secure web and educating people on its importance, the population as a whole is much more informed about digital security.

Other benefits of migrating to HTTPS

In addition to the slight ranking bump, migrating to HTTPS has other benefits:

  • HTTPS preserves referral information. If someone is referred to your non-secure website from a link on a secure website, Google Analytics will count that as direct traffic instead of the referral that it is. If both the referral and destination pages are secure, however, Google Analytics counts it as a true referral.
  • HTTPS allows you to use AMP. If you want to use accelerated mobile pages (AMP), your site has to be secure. You can read more about AMP and how Botify lets you audit them.
  • HTTPS allows you to use HTTP/2. Google wants your website to be secure if it uses HTTP/2, which allows for a faster web experience. Since we know that speed is a ranking factor, the move to HTTP/2 should definitely be considered.

Successfully migrating from HTTP to HTTPS

Botify shares Google’s passion for a secure web, which is why we have so many tools to help organizations confirm that they have successfully migrated from HTTP to HTTPS.

[Image: Protocol Distribution - Botify]

Here’s how Botify can help you with the transition from HTTP to HTTPS:

  • We have a trained services team here to help educate your company about the importance of HTTPS and help guide that transition.
  • Our platform can also help you identify whether there are any links to non-secure URLs on your site after an HTTPS migration. Continuing to link to non-secure resources like HTTP pages or static resources like CSS and JavaScript can send confusing signals to Google, so crawling to ensure that all your resources are secure after the migration is crucial.
    • Referencing non-secure resources like CSS and JavaScript can also invalidate your security certificate. Because Botify crawls your JavaScript resources, you’ll be better able to detect these types of issues.
  • After migrating to HTTPS, the Botify Log Analyzer allows you to see how Google is crawling less of your HTTP resources and more of your HTTPS resources over time.

[Image: Migration Example - Botify]

  • Botify pulls in data from Google Search Console and Google Analytics (or Adobe Analytics) so you can see things like how many impressions the new HTTPS URLs are getting vs. the old HTTP URLs.
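
The post-migration check described in the list above (finding links and CSS/JavaScript references that still point at http://) can be sketched for a single page as follows. This is an added example, not Botify's code or part of the original article; the sample page, its URLs and the `audit_page` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL is fetched into the page: http:// here is mixed content.
LOADED = {("script", "src"), ("iframe", "src"), ("img", "src"),
          ("video", "src"), ("audio", "src"), ("source", "src")}
LINKED = {("a", "href"), ("form", "action")}  # only point at another URL

class InsecureReferenceAudit(HTMLParser):
    """Collects the http:// references in one page served over HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower().split()
        for name, value in attrs:
            if (tag, name) in LOADED:
                kind = "mixed-content"
            elif (tag, name) in LINKED:
                kind = "insecure-link"
            elif (tag, name) == ("link", "href"):
                # <link> loads a stylesheet but only references a canonical URL.
                kind = "mixed-content" if "stylesheet" in rel else "insecure-link"
            else:
                continue
            # Resolve relative and protocol-relative URLs so they inherit https.
            absolute = urljoin(self.page_url, (value or "").strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))

def audit_page(page_url, html):
    parser = InsecureReferenceAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a page left over from an incomplete migration.
SAMPLE_URL = "https://www.example.com/products/"
SAMPLE_HTML = """<head>
<link rel="stylesheet" href="http://www.example.com/static/site.css">
<link rel="canonical" href="http://www.example.com/products/">
<script src="//cdn.example.com/lib.js"></script>
<script src="http://www.example.com/static/app.js"></script></head>
<body><img src="/images/logo.png"><a href="http://www.example.com/about">About</a>
<a href="https://www.example.com/contact">Contact</a></body>"""

for kind, tag, url in audit_page(SAMPLE_URL, SAMPLE_HTML):
    print(f"{kind:<13} <{tag}> {url}")
```

Relative and protocol-relative references are not reported because they resolve to https on a secure page; only references that hard-code http:// are.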

Our support team has worked with countless enterprises to help guide their transition over to a secure website. If you’ve migrated over to HTTPS within the last few years, or you’re planning on making that change soon, we’d love to show you how Botify can help. Request your demo today!