
Google & HTTPS: What You Now Need to Know

On August 17, 2017, Google sent an email to operators of unencrypted websites warning them that from October 2017, their users would see a “not secure” notice.


Background

Google has been promoting the use of HTTPS on the World Wide Web for years because it wants to make the web safer. Just how important the extensive use of HTTPS is to Google became clear in August 2014, when Google made it known that HTTPS was a ranking signal. In December 2015, Google announced in the Google Webmaster Central Blog that the HTTPS version of a website would be favored in its index.

The email sent on the night of August 17th is therefore just another step for Google on the way to a completely encrypted WWW.


Figure 1: Screenshot of the warning email

What You Need to Do Now

The most important thing now is to stay calm: the changes that were announced will be implemented in October. However, it would be advisable to convert to HTTPS already, as it can take a while for the conversion of a website from HTTP to HTTPS to be registered in Google’s index. As many websites are experiencing a “summer slump” in traffic numbers, now would be the best time for such a “renovation”.

If website operators don’t convert to HTTPS, then from October the notice shown in Figure 2 will appear in Google’s Chrome browser on any page where data can be submitted via a form, and whenever an unencrypted website is retrieved in Incognito mode.


Figure 2: The not-secure warning

This is already partially the case today, for example on log-in pages. On such pages, Chrome has already been showing a not-secure warning for a while.

How Do I Convert My Website to HTTPS?

The first step is to obtain an SSL certificate. There are many different types of certificate – the CA Security Council shows you a useful overview in this infographic. A “Basic” certificate will be enough to avoid the warning notice in Chrome. This type of certificate will also confirm the owner of the domain, as well as encrypting the data. This certificate is also known as the DV (domain-validated) certificate, and you can obtain one for free on https://letsencrypt.org. You will also find a detailed guide there on how to implement the certificate. If you use WordPress, you can, for example, use the Really Simple SSL plugin to install the certificate, which is recommended by many SEOs.

After you have installed the certificate on your server, you should then test whether all of the URLs of your website are available in the HTTPS version. If this is the case, then the next step is to redirect the HTTP URLs to HTTPS. Through this redirection, you ensure that both users and search engines can only access the HTTPS version of your website, thereby giving Google a sign that your content is only accessible as HTTPS. To do this, you have to make an adjustment to the .htaccess file on your server:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Ideally, before converting, you should make a list of all the HTTP URLs of your website, so that afterwards you can test whether all of the URLs were redirected correctly. You can do this for free for websites smaller than 100 URLs with the Ryte Software using the FREE Account.
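One way to run that redirect check over your own URL list, as an added example that is not part of the original article: each plain-HTTP URL must answer with a 301 whose Location is the same host, path and query over HTTPS, which is what the rewrite rule above produces. The function names, verdict labels and the example.com sample responses are assumptions made for the illustration.

```python
import http.client
from urllib.parse import urlsplit

def request_uri(url):                 # path plus query, as sent on the request line
    p = urlsplit(url)
    return (p.path or "/") + ("?" + p.query if p.query else "")

def expected_https(url):
    """HTTPS URL that the page's rewrite rule should send this HTTP URL to."""
    return "https://" + urlsplit(url).netloc + request_uri(url)

def classify(url, status, location):
    """Judge the response to one plain-HTTP request."""
    if status not in (301, 302, 303, 307, 308):
        return "NO_REDIRECT"      # still answered over unencrypted HTTP
    if not location or not location.startswith("https://"):
        return "NOT_HTTPS"        # redirects, but not to an encrypted URL
    if location != expected_https(url):
        return "WRONG_TARGET"     # e.g. every URL sent to the home page
    if status != 301:
        return "NOT_PERMANENT"    # right target, but not the rule's 301
    return "OK"

def fetch(url, timeout=10):
    """HEAD the URL without following redirects; returns (status, Location)."""
    conn = http.client.HTTPConnection(urlsplit(url).netloc, timeout=timeout)
    try:
        conn.request("HEAD", request_uri(url))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit(urls, fetcher=fetch):
    """Map each URL to a verdict; pass a stub fetcher to run offline."""
    return {u: classify(u, *fetcher(u)) for u in urls}

# Constructed responses for the placeholder host example.com (not real data).
SAMPLE = {
    "http://example.com/": (301, "https://example.com/"),
    "http://example.com/shop?id=7": (302, "https://example.com/shop?id=7"),
    "http://example.com/login": (200, None),
    "http://example.com/blog/post": (301, "https://example.com/"),
    "http://example.com/old": (301, "http://example.com/new"),
}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE, fetcher=SAMPLE.get).items():
        print(f"{verdict:14}{url}")
```

Call `audit(your_url_list)` without a `fetcher` argument to query the live server; any verdict other than `OK` marks a URL that is still reachable unencrypted or redirected incorrectly.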

The next step is to check the internal links of your website. If you use relative links, this shouldn’t be a problem. However, if you use absolute links, you'll have to convert every single link to HTTPS to prevent internal redirecting. Be careful with references which are not visible on your site, for example Canonical Tags. In case your CMS doesn’t automatically update the Sitemap.xml, you should ensure that HTTP-URLs are replaced with the HTTPS variation.
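A sketch of that check, added here as an example and not taken from the original article: it scans a page's HTML for absolute http:// references to your own host, labelling canonical tags separately, and scans Sitemap.xml for `<loc>` entries that are still HTTP. The function names and the example.com sample documents are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

def is_own_http(url, host):
    """True for an absolute http:// URL on our own host."""
    p = urlsplit(url.strip())
    return p.scheme.lower() == "http" and p.hostname == host.lower()

class HttpRefFinder(HTMLParser):
    """Collect href/src/action values that still point at http:// on our host."""
    def __init__(self, host):
        super().__init__()
        self.host, self.findings = host, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for name in ("href", "src", "action"):
            url = a.get(name)
            if not url or not is_own_http(url, self.host):
                continue          # relative, already HTTPS, or another site
            canonical = tag == "link" and (a.get("rel") or "").lower() == "canonical"
            self.findings.append(("canonical" if canonical else f"{tag}[{name}]", url.strip()))

def scan_html(html, host):
    finder = HttpRefFinder(host)
    finder.feed(html)
    return finder.findings

def scan_sitemap(xml, host):
    """<loc> entries of a Sitemap.xml that are still HTTP URLs on our host."""
    locs = re.findall(r"<loc>\s*(.*?)\s*</loc>", xml, flags=re.S | re.I)
    return [u for u in locs if is_own_http(u, host)]

# Constructed sample documents for the placeholder host example.com.
PAGE = """<head><link rel="canonical" href="http://example.com/products">
<link rel="stylesheet" href="/css/site.css"></head>
<body><a href="http://example.com/contact">Contact</a>
<a href="https://example.com/about">About</a>
<a href="http://other.example.net/">Partner</a></body>"""
SITEMAP = """<urlset><url><loc>http://example.com/</loc></url>
<url><loc>https://example.com/about</loc></url></urlset>"""

if __name__ == "__main__":
    for kind, url in scan_html(PAGE, "example.com"):
        print(f"{kind:10} {url}")
    print("sitemap:", scan_sitemap(SITEMAP, "example.com"))
```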

Don’t forget to convert the external links on your website, for example links from Facebook or Google AdWords. You can’t convert the links from other websites to your website, but it would be worth asking the owners of these sites to convert the links.

Because Google sees the encrypted and unencrypted versions of a website as two separate websites, you have to create and verify an HTTPS version of your website in the Google Search Console. At the same time, you should also submit your new Sitemap in the GSC. It may be tempting to apply for a change of address in the Google Search Console for the conversion from HTTP to HTTPS, but as this function isn’t meant for this, it would be better not to use it in this way.

You should also check whether your Google Analytics implementation works properly on the HTTPS version of your website.

Aleyda Solis provides a detailed checklist for converting from HTTP to HTTPS, and you can find more information in this article about SSL and SEO.

Conclusion

Google’s promotion of SSL is making HTTPS increasingly significant for website operators. The latest announcement about the Google Search Console is essentially just another step in the development that Google started years ago. In order to remain competitive in search engines, website operators should convert to HTTPS now. As there are many technical aspects to consider, the conversion should be prepared and tested thoroughly in order to prevent any damage to rankings or reachability.


Published on Aug 18, 2017 by Kate Aspinwall