The first part of a URL tells you what protocol — or method — it uses to transmit data. When visiting a website, you either go to an HTTP site or an HTTPS site.
Now, you may have noticed a shift in URLs over the past few years with more sites beginning with the HTTPS protocol. If you’ve wondered why more websites have created an HTTPS version, read our HTTP vs. HTTPS guide to uncover the differences between these two protocols, the SEO concerns they raise, which you should use for your website, and how to change from HTTP to HTTPS.
What is HTTP?
HTTP stands for Hypertext Transfer Protocol, and it’s the foundation of how data is transferred online.
When you type a website’s URL into your browser, you’re directing it to access data from a specific location. Your browser then communicates with different servers to gather the various pieces that make up your destination website, including the text, the layout, ads, multimedia, and more.
Of course, all we see are the components popping up quickly on our browser. Behind the scenes, HTTP is the protocol used to transfer the information you need to shop your favorite site, read the news, or stream the latest episodes of your favorite HBO show from the server to your browser.
What is HTTPS?
HTTPS is the secure version of HTTP. It stands for Hypertext Transfer Protocol Secure. For a site to use HTTPS, it must have a Transport Layer Security (TLS) certificate.
With HTTPS, HTTP code is encrypted to protect private information and minimize the risk of certain cyber attacks.
HTTPS works in tandem with TLS to:
- Encrypt data,
- Authenticate that users are who they say they are, and
- Verify that the transmitted data has not been altered.
Because of the encryption at the heart of HTTPS, it’s much more difficult to intercept information through man-in-the-middle attacks. These attacks happen when a bad actor mimics communication with a website.
If you accept payment or request personal information online, having a secure website helps you cultivate trust with your customers since all their data is protected.
Secure sockets layer (SSL) is a security protocol that automatically creates an encrypted connection between a user’s browser and a web server.
While many SEO sites still refer to SSL certificates, that’s not a totally accurate way to put things. TLS is a more secure version of SSL that’s being updated regularly. You’ll often see “SSL certificate” and “TLS certificate” used interchangeably, even though TLS is the predominant cryptographic protocol used for HTTPS sites. Even sites selling TLS certificates will call them SSL certificates because the terminology stuck.
That said, true SSL certificates still do exist. Technically either SSL or TLS will get you HTTPS recognition in a browser, and Google recognizes both as secure. TLS is more secure, though, and is the type of certificate Google recommends in their documentation on HTTPS.
Certificate Authorities (CAs) issue TLS certificates and are tasked with verifying the identity of those seeking certificates. Google and other web host providers may provide this as a service to their users. In addition, there are third-party CAs that sell certificates.
You can tell that a site has an active TLS certificate by looking in your browser’s address bar. Right before the URL, there should be a lock. A closed lock signifies a secure website connection. Depending on your browser, you may be able to click on the lock to see who issued the TLS.
If the lock is open, this means it’s not a secure site. Some web browsers, like Chrome, will inform users that the site they’re on isn’t secure and that they should be careful sharing personal information.
Types of TLS Certificates
Not all TLS certificates are created equally. You’ll want to select the TLS that is most appropriate for what you host on your website:
- Domain Validated (DV) Certificates: If you’re not collecting any customer data on your website, you can opt for a DV, the least expensive TLS certificate type. This type of certificate doesn’t provide information regarding who’s running a website.
- Organization Validated (OV) Certificates: If you’re collecting emails for your newsletter or other types of contact info to engage with potential customers, you can use an OV to secure your site. When generating this type of certificate, a CA authenticates the website’s owner.
- Extended Validated (EV) Certificates: Websites that regularly collect personal or financial information, like healthcare portals or retailers, should opt for an EV as they provide the highest level of security.
Once a website administrator has secured a TLS certificate, they’ll need to have it recertified every couple of years. The reverification process differs by CA, so look into it when first purchasing your TLS.
What’s the Difference Between HTTP and HTTPS?
The biggest difference between HTTP and HTTPS sites is that the latter are encrypted to help diminish security threats and protect people’s data.
Another difference between HTTP and HTTPS is that HTTPS uses TCP Port 443 as the communication channel between your browser and the end server. This is a secure port. TLS is responsible for transferring data safely, while HTTPS works by making sure the transmitted information is visually understandable but with an extra layer of protection. This protocol secures any information that the user encounters on a website. HTTP, on the other, uses Port 80 to communicate. Port 80 isn’t considered a secure port.
HTTP vs HTTPS for SEO?
So does HTTPS matter for SEO? Yes. Not only is it a ranking factor, but its status as a ranking factor has helped drive the adoption of HTTPS across the web.
HTTP has been around in some form since 1989. In 1994, Netscape released a version of HTTPS, and other browsers followed over the years. However, wide adoption of HTTPS sites didn’t occur until the late 2000s and early 2010s, thanks to a push from media giants like Google, Facebook, and Twitter. According to W3Techs, almost 80% of all websites are now on HTTPS (this figure is updated daily).
In 2014, Google announced site security as a ranking factor, making it clear there are SEO benefits to switching to HTTPS. While their algorithm is constantly changing, one thing you can bet on is that Google will always try to make sure websites provide visitors with a good user experience. They want to provide searchers with results that are relevant and helpful.
By adding site security as a page rank factor, Google signaled that a secure connection is a key component of a trustworthy website. This means if you’re establishing a new site, you should opt for HTTPS from the beginning. And if you have an existing site and are wondering whether switching to HTTPS for SEO is worthwhile, the answer is an unequivocal “YES.”
While having a secure site won’t automatically bump you to the top of the search results page, Google does rank HTTPS sites above HTTP sites when all other factors are equal. (Not that all Google ranking factors could ever be equal.) Think of it like a preference. If Google has two pages that are just as relevant to the query, they would prefer to serve the more secure one. It’s a safe bet that other search engines will also prefer secure sites.
Beyond SEO: HTTPS for UX
Imagine if you tried to go to your favorite online shop and your browser returned this message:
Your connection to this site isn’t secure. You should not enter any personal information on this site.
How willing would you be to input your credit card information to place an order?
When faced with a security warning like this, most people won’t risk jeopardizing their financial safety. To help visitors feel confident they can make a purchase with you, give you their contact information, or schedule an appointment, website owners should invest in creating a secure domain — and that means using HTTPS.
How to Change from HTTP to HTTPS
If you’re ready to transfer your site from HTTP to HTTPS, you’ll need to create a plan to migrate your existing web pages from HTTP to HTTPS URLs.
Depending on the size of your website, you may need to work with an SEO agency on your site migration to make sure it’s all done correctly and safely. Having a trusted partner supporting you through the process can reduce the possibility of mistakes and get you set up on your new HTTPS site faster.
Apply for a TLS Certificate
To switch from HTTP to HTTPS, you need to purchase a security certificate. First, check whether your web host offers certificates. Remember, they may call it an SSL certificate even though it’s really a TLS certificate. If they don’t, you can get a TLS certificate from a third-party CA.
Back Up Your Site
Before making any changes to your website, run a full backup. This can save you a lot of time if something goes wrong.
Install Your TLS Certificate
Have your web host install your TLS certificate. It will work slightly differently depending on your host, but they should be able to point you in the right direction since this is very common.
Redirect Your Relative URL to HTTPS
A relative URL is the domain name most of us associate with a brand. For example, ours is victoriousseo.com.
When someone types that into an address bar, they’re actually redirected to https://victoriousseo.com/.
Once you have your certificate installed, you’ll want to update your relative URLs to send users to your new HTTPS URLs. You’ll also want to add a rel canonical tag to your homepage.
Update All Internal Links to HTTPS
It’s time to switch everything to your new protocol. All of your internal links should be to HTTPS. Your web dev can do a “find and replace” to help migrate everything to your new protocol. In addition to your web pages, fonts, images, CSS files, etc., should all be switched to HTTPS.
This is where many people make a mistake. A page can often display as not completely secure due to a single image on HTTP. If this is the case, don’t worry. You simply need to find any assets on HTTP and change them to HTTPS. An easy way to check is to search for “http:” in the source code of the page that’s not showing up as secure.
Set Up 301 Redirects
Make sure search engines and previous web visitors can find you by setting up 301 redirects. A 301 redirect tells a search engine that a page has permanently moved and that they should note the new address. For users, this is an almost seamless redirect that quickly loads the new version of the page they typed into their browser. A 301 redirect also keeps your backlinks functioning. Otherwise, users clicking on an HTTP link to your site will be redirected to an error page.
Your web developer should be able to redirect all necessary pages. Make sure they redirect each page on a 1:1 basis from an HTTP URL to the new equivalent HTTPS URL.
Update your XML sitemap.
Update your XML sitemap to reflect your new HTTPS pages, and remove the HTTP URLs from the sitemap.
Update Your Google Search Console and Google Analytics
Enter your HTTPS address in Google Search Console. Because Google views HTTP and HTTPS versions of the same site as two distinct websites, you may need to reverify your account. Submit your new XML sitemap simultaneously to get all your data into Google Search Console.
You should also update your Google Analytics with your new secure URL.
Audit Your Site to Look for HTTP Links
Once you think you’ve updated everything, run an audit to verify that nothing slipped through the cracks. If you have your entire URL on your social media accounts or business cards, you’ll also need to update those.
Need an SEO Partner?
Ready to make the switch? Our SEO agency offers site migration support to help businesses safely move their data to a new protocol. Combine site migration with additional SEO services to help you climb up the search rankings and draw more traffic to your website. Schedule a free consultation to learn more.