27. HTTP2 …
For HTTP2, use HTTPS, because … it is required by most browsers.
Gerry White @dergal
28. Google knows that without HTTPS, your data and the content on your site … might not be what the webmaster intends. Plus … tracking benefits (less direct, more attribution!)
29. But we aren’t here to talk about cyber security, because I’m not that guy…
36. Google Recommendations
• Decide the kind of certificate you need
• Use 2048-bit key certificates
• Use relative URLs for resources that reside on the same secure domain
• Use protocol relative URLs for all other domains
• Don’t block your HTTPS site from crawling using robots.txt
• Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag.
• Use HTTP Strict Transport Security
• Use SPDY (deprecated)
39. SSL vs TLS?
SSL was originally developed by Netscape and first came onto the scene way back in 1995 with SSL 2.0. Netscape owned SSL, so the next iteration needed to be called TLS …
TL;DR
It is now called TLS. SSL is out of date and insecure, so it should be disabled, but you can still call it SSL if you want to.
40. Relative & Protocoless URLs
Drop the http:// & start URLs with // or / or … https://
• Images (particularly in WordPress posts)
• JavaScript libraries hosted on CDNs (like jQuery),
• CSS (including images or fonts loaded in using CSS),
• Form end points (the target of a form)
• Embeds such as Facebook, YouTube or other
51. 4. Track in GA using GTM
You can track who is on HTTP and HTTPS easily if you are using Google Tag Manager, as a built-in URL Variable. This allows you to see the proportion of traffic not on HTTPS at a later date.
This can either be set up as a content group or a custom dimension by editing the main tracking…
77. Some final thoughts
• Add the renewal of the certificate to a calendar
• URL changes? Maintain the old site certificate
• When moving to HTTPS don’t use the change of address feature in GSC.
• Migrating in sections is ok!
• Your Moz DA dropped? Don’t worry about it…
78. Summary
Track: GTM, CSP & more…
Test: Browse with Chrome Console open
How: Do it step by step, test and test again
Opportunities: Migrate to HTTPS to take advantage of PWAs & everything else coming out soon
Why: Migrate to HTTPS for security, but get it right for SEO
The best example of why HTTPS is so critical I have seen is where free wifi providers have been inserting scripts to push in adverts.
HTTPS alone isn’t enough, but as a user, if I feel like they haven’t managed that part right, would I trust them to manage the rest?
The majority of sites span multiple subdomains. If you host blogs, forums or anything similar on a separate subdomain, then I would recommend you use an appropriate wildcard. In the past I would have always recommended using a subdomain to load assets, particularly if mobile speed is important: most browsers limit the number of files they can retrieve from a single host at once, so where files can’t be combined they should be split over multiple hosts.
This solution is referred to as “parallelism”; you can also ensure that a subdomain is optimised for static assets (serving them cookieless and with a 304 status header).
This changes a little with HTTP2 – which if we have time to get to, we will chat about.
For the required organic boost get the best certificate you can; as a minimum I would recommend that the cert meets the following criteria:
provided by a trusted organisation…
2048-bit key
It is critical that when loading assets you use HTTPS, otherwise they will not appear in some browsers, or where they do appear they will not show the green padlock.
A number of digital assets tend to present the most issues:
Images, particularly where the image was loaded using a page editor such as in WordPress posts.
JavaScript libraries hosted on CDNs (like jQuery),
CSS (including images or fonts loaded in using CSS), Form end points (the target of a form)
Embeds such as Facebook, YouTube or other
In the past I would have recommended changing all absolute URLs (which would normally start with http) to protocoless, which means omitting the http prefix; for example ‘http://’ becomes simply ‘//’. Today, however, I would say push for HTTPS for assets rather than worrying about protocoless.
After migration I would recommend that URLs become exclusively “https”; this is simply because I would increasingly recommend pushing towards 100% HTTPS.
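The asset types listed above are exactly what an audit has to look for before the canonical tags are switched. The following is an added example, not the speaker’s code and not Screaming Frog’s export: a small Python script that parses one page, classifies every image, script, stylesheet, CSS url(), form action and embed as insecure, relative, protocol-relative or secure, and suggests the rewrite the talk recommends today (relative for the page’s own host, explicit https:// for any other host). The sample page and its hostnames (www.example.com, cdn.example.net, forms.example.net) are constructed.

```python
"""Mixed-content audit for one HTML page (added example, standard library only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Tag -> (attribute that loads/submits to a resource, category from the talk).
RESOURCES = {"img": ("src", "image"), "script": ("src", "script"),
             "link": ("href", "css"), "form": ("action", "form endpoint"),
             "iframe": ("src", "embed")}
# url(...) references inside <style> blocks (background images, fonts).
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)")


def classify(ref, page_url):
    """Return (verdict, absolute_url) for one reference as a browser resolves it."""
    scheme = urlsplit(ref).scheme.lower()
    absolute = urljoin(page_url, ref)
    if scheme == "http":
        return "insecure", absolute           # mixed content on an https page
    if scheme == "https":
        return "secure", absolute
    if ref.startswith("//"):
        return "protocol-relative", absolute  # follows the page's own scheme
    if scheme == "":
        return "relative", absolute           # /path or path: same host and scheme
    return "other", absolute                  # data:, mailto:, ...


def suggest(ref, verdict, page_url):
    """Rewrite an insecure reference: root-relative for the page's host, https:// elsewhere."""
    if verdict != "insecure":
        return ref
    p = urlsplit(ref)
    if p.netloc.lower() == urlsplit(page_url).netloc.lower():
        return urlunsplit(("", "", p.path or "/", p.query, p.fragment))
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))


class MixedContentParser(HTMLParser):
    """Collects resource references, CSS url() values and the canonical link."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.canonical = None
        self.findings = []       # (category, reference, verdict, suggestion)
        self._in_style = False

    def _record(self, category, ref):
        verdict, _ = classify(ref, self.page_url)
        self.findings.append((category, ref, verdict, suggest(ref, verdict, self.page_url)))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        if tag == "link":
            rel = (attrs.get("rel") or "").lower()
            if rel == "canonical":
                self.canonical = attrs.get("href")
                return
            if rel != "stylesheet":
                return                # icons, preconnect etc. are not audited here
        if tag in RESOURCES:
            attr, category = RESOURCES[tag]
            if attrs.get(attr):
                self._record(category, attrs[attr])

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):        # raw <style> text: images and fonts loaded via CSS
        if self._in_style:
            for ref in CSS_URL.findall(data):
                self._record("css asset", ref)


def audit(html, page_url):
    """Parse the page; return all findings, the insecure ones, and the canonical state."""
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    insecure = [f for f in parser.findings if f[2] == "insecure"]
    canonical_https = bool(parser.canonical) and urlsplit(parser.canonical).scheme == "https"
    return {"findings": parser.findings, "insecure": insecure,
            "canonical": parser.canonical, "canonical_https": canonical_https}


# Constructed sample: a page already served on https but not yet cleaned up.
PAGE_URL = "https://www.example.com/blog/post-1"
SAMPLE_PAGE = """<!doctype html><html><head>
<link rel="canonical" href="http://www.example.com/blog/post-1">
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="http://cdn.example.net/jquery.min.js"></script>
<style>body { background: url('http://www.example.com/img/bg.png'); }</style>
</head><body>
<img src="http://www.example.com/img/logo.png">
<img src="/img/secure.png">
<script src="//cdn.example.net/analytics.js"></script>
<form action="http://forms.example.net/subscribe"><input type="submit"></form>
<iframe src="https://www.youtube.com/embed/example"></iframe>
</body></html>"""

if __name__ == "__main__":
    result = audit(SAMPLE_PAGE, PAGE_URL)
    print(f"canonical: {result['canonical']} (https: {result['canonical_https']})")
    for category, ref, verdict, fix in result["findings"]:
        print(f"{verdict:17} {category:13} {ref}" + (f"  -> {fix}" if fix != ref else ""))
```

Run against a saved copy of each template type; the “insecure” lines are the ones that will break the padlock, and the canonical check tells you whether that page is still pointing search engines at http.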
Further in this discussion we will take you through some tools to test this with …
Sometimes, to ensure that there is no duplicate content, web managers would block the HTTPS version of the site. This is less common when it is a single site available on both http and https. If you block anything that stops Google from being able to tell you are on HTTPS, this won’t have the obvious benefit. Typically if you have canonical tags (which I always recommend), these will be pointing to the http version at this point.
“…This mechanism tells the browser to automatically request pages using HTTPS even when the user enters http in the browser location bar. It also tells Google to serve secure URLs in the search results. All this minimizes the risk of serving unsecured content to your users…” https://support.google.com/webmasters/answer/6073543?hl=en
This is an additional header, similar to your Content Security Policy (CSP); however, it should be the very last step, as it can create functional problems if something critical becomes blocked. For the maximum organic boost, though, this step is required.
Most sites don’t seem to have a CSP at all at the moment, but as this is a fun and interesting part – we should definitely make time to talk about it later…
SPDY is a protocol that incorporates TLS and attempts to reduce latency when loading pages. It is not an HTTP standard but is widely supported; it was created by Google and can significantly improve HTTPS page speed. As this is a bit more technical, the best thing would be for you to read the details at chromium.org/spdy/
Last year Google deprecated support for SPDY as HTTP/2 became a standard. The core developers of SPDY have been involved in the development of HTTP/2. HTTP2 is cool and there are exciting things being done here, but it usually does require HTTPS in many browsers.
So what is our best practice for moving to HTTPS?
Ideally moving to HTTPS gradually allows you to test along the way, avoiding any issues as you go. This approach minimises any potential for users (or search engines) to experience issues.
At this point we will assume you don’t have a separate server for HTTPS; in fact we will assume you are running off one main server with an HTTPS cert installed. If this isn’t the case you will need to adapt these recommendations accordingly (it can complicate the process).
Now you have acquired and installed a certificate, the next steps are as follows:
Test the certificate
A quick test of the certificate is available online at SSLLabs.com/ssltest This free online service performs a deep analysis of the configuration of any https web server on the public Internet. This free service gives you a grading, aiming for an A is preferable, but many large companies only attain a C, it does tell you the steps required to improve.
You know – before this step, test it in Chrome
Google Search Console (GSC), formerly called Google Webmaster Tools (GWT): Google sees https and http as separate websites, so within GSC both need to be authorised to see the complete picture.
Depending on the authentication method you are using, simply adding the new site will ‘just work’. If access has been given to you from another account, unfortunately you would need to ask them to do this.
Running the site on both HTTP and HTTPS allows you to scan for any issues, checking internal links, giving you the opportunity to resolve any issues before pushing users and search engines to HTTPS. This is the point where you try to make URLs relative if possible.
You can track who is on HTTP and HTTPS very easily if you are using Google Tag Manager as a built in URL Variable. This allows you to see the proportion of traffic not on HTTPS at a later date.
This can either be set up as a content group or a custom dimension by editing the main tracking…
Use Google’s Fetch and Render within Webmaster Tools to ensure there are no issues with Google crawling the content (google.com/webmasters/tools/googlebot-fetch), for EVERY SINGLE TEMPLATE TYPE, REPEATEDLY!! It is the best way to check it is all working, and on mobiles.
Chrome and Mozilla support the ability to push mixed content reports out to a 3rd party reporting tool. An excellent tool was developed by Scott Helme (which at time of publishing is free). Scott has written an excellent “how to” post: ScottHelme.co.uk/fixing-mixed-content-with-csp/
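As an added illustration of the reporting approach (not the speaker’s code and not Scott Helme’s service), the Python below does two things: it builds a report-only policy that makes browsers report, without blocking, anything not loaded over https, and it aggregates the violation reports browsers POST back into a worklist of which page, directive and host still pull http:// content. The policy wording, the sample reports and the endpoint URL are constructed; the endpoint is a placeholder, and a real collector will also see noise such as browser-extension reports, which the summary filters out.

```python
"""Turn CSP violation reports into a mixed-content worklist (added example)."""
import json
from collections import Counter
from urllib.parse import urlsplit

REPORT_ENDPOINT = "https://REPORT-ENDPOINT-PLACEHOLDER.example/csp"   # placeholder


def report_only_header(report_endpoint):
    """Header that reports, but does not block, anything not loaded over https.
    'unsafe-inline' and 'unsafe-eval' keep existing inline code from flooding the
    reports while the hunt is for http:// assets only (constructed policy)."""
    return ("Content-Security-Policy-Report-Only",
            f"default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri {report_endpoint}")


def parse_report(raw):
    """Pull the fields we need out of one browser-sent report body.
    effective-directive is preferred: violated-directive may carry the source list too."""
    body = json.loads(raw)["csp-report"]
    blocked = body.get("blocked-uri", "")
    return {
        "page": urlsplit(body.get("document-uri", "")).path or "/",
        "directive": body.get("effective-directive") or body.get("violated-directive", ""),
        "blocked": blocked,
        "blocked_host": urlsplit(blocked).hostname or blocked,
        "insecure": blocked.startswith("http://"),
    }


def summarise(raw_reports):
    """Count http:// loads by (page path, directive, blocked host); anything that is
    not an http:// URL (extension noise, inline, eval) is not mixed content and is dropped."""
    counts = Counter()
    for raw in raw_reports:
        r = parse_report(raw)
        if r["insecure"]:
            counts[(r["page"], r["directive"], r["blocked_host"])] += 1
    return counts


def _report(document, directive, blocked):
    """Build one constructed report in the JSON shape browsers POST to report-uri."""
    return json.dumps({"csp-report": {
        "document-uri": document, "effective-directive": directive,
        "violated-directive": directive, "blocked-uri": blocked,
        "original-policy": report_only_header(REPORT_ENDPOINT)[1]}})


# Constructed sample reports, as a collector behind the placeholder endpoint would receive them.
SAMPLE_REPORTS = [
    _report("https://www.example.com/blog/post-1", "img-src", "http://www.example.com/img/logo.png"),
    _report("https://www.example.com/blog/post-1", "img-src", "http://www.example.com/img/logo.png"),
    _report("https://www.example.com/blog/post-1", "script-src", "http://cdn.example.net/jquery.min.js"),
    _report("https://www.example.com/contact", "form-action", "http://forms.example.net/subscribe"),
    _report("https://www.example.com/contact", "script-src", "chrome-extension"),  # extension noise
]

if __name__ == "__main__":
    name, value = report_only_header(REPORT_ENDPOINT)
    print(f"{name}: {value}\n")
    for (page, directive, host), n in summarise(SAMPLE_REPORTS).most_common():
        print(f"{n:3}  {page:15} {directive:12} {host}")
```

Because the header is report-only, nothing on the live site changes while the reports come in; the same list, read against the page templates, is what the canonical and sitemap switch later in the process depends on.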
When your site is fully tested and you are confident that everything is in place then push organic value to HTTPS rather than HTTP
Change the canonical tags across the site to ensure they are pointing to HTTPS
Change the XML Sitemap
Make sure that traffic on HTTPS stays on HTTPS by crawling it with Screaming Frog
This pushes the organic traffic rankings to HTTPS consolidating the link equity and allows for further testing it also gives further time to update any inbound marketing.
Within Screaming Frog there is an export called “insecure content” that is invaluable to tracking down where links to http are within your site.
Redirect all traffic using a 301 (although Google have said that a 302 will carry 100% of the ‘PageRank’ I would absolutely go with a 301 otherwise you are potentially neglecting Bing).
To improve security, something Google recommend “enable HTTP Strict Transport Security”, this significantly improves security.
This is another change to your Content Security Policy (see above) and will enforce HTTPS for all content, protecting your content from injection and cookie hijacking which is one of the main reasons for this push from Google. When you are completely confident you are going to be able to maintain HSTS a final step is to get onto the chrome preload list - https://hstspreload.appspot.com/
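To make the HSTS step checkable before submitting to the preload list, here is an added example in Python (not the speaker’s code and not the preload site’s own checker). It tests the two things the preload list requires that the talk also recommends: a 301 from http straight to https on the same host, and a Strict-Transport-Security value with a max-age of at least one year, includeSubDomains and preload. One caveat worth keeping in mind while reading the talk’s wording: HSTS is its own response header, sent alongside rather than inside a Content-Security-Policy header. The redirect chains and headers below are constructed.

```python
"""HSTS and redirect checks for preload readiness (added example)."""
from urllib.parse import urlsplit

ONE_YEAR = 31536000   # minimum max-age (seconds) the preload list accepts


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict.
    Valueless directives map to True; names are lower-cased for comparison."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_hsts(headers):
    """Return a list of problems with the Strict-Transport-Security header;
    an empty list means it meets the preload requirements."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header on the https response"]
    d = parse_hsts(value)
    problems = []
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def check_redirects(chain, host):
    """chain: [(status, requested_url, location), ...] as a crawler saw it, starting
    at http://host/. The first hop must be a 301 straight to https on the same host
    (no 302, no detour through another hostname), and the chain must end in a 200."""
    problems = []
    status, url, location = chain[0]
    if status != 301:
        problems.append(f"first hop from {url} is a {status}, not a 301")
    if not location:
        return problems + ["first hop has no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"first hop goes to {location}, not https")
    if target.hostname != host:
        problems.append(f"first hop changes host to {target.hostname}; go to https://{host}/ first")
    if chain[-1][0] != 200:
        problems.append(f"chain ends in {chain[-1][0]}, not 200")
    return problems


def preload_ready(chain, headers, host):
    """Combine both checks; an empty list means the site can be submitted."""
    return check_redirects(chain, host) + check_hsts(headers)


# Constructed examples: one site done right, one with a 302 via the bare domain.
HOST = "www.example.com"
GOOD_CHAIN = [(301, "http://www.example.com/", "https://www.example.com/"),
              (200, "https://www.example.com/", None)]
BAD_CHAIN = [(302, "http://www.example.com/", "http://example.com/"),
             (301, "http://example.com/", "https://www.example.com/"),
             (200, "https://www.example.com/", None)]
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=86400"}

if __name__ == "__main__":
    for label, chain, headers in (("good", GOOD_CHAIN, GOOD_HEADERS), ("bad", BAD_CHAIN, WEAK_HEADERS)):
        print(label, preload_ready(chain, headers, HOST) or "preload-ready")
```

Start with a short max-age while testing and only raise it to a year and add preload once every subdomain is known to work on https; once the preload directive is out and the site is on the list, the certificate renewal reminder in the next step is what keeps the site reachable.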
Add the renewal of the certificate to a calendar and make sure you renew it ahead of time (it might be worth making sure there are multiple people who are responsible for this): if you are on the HSTS list and the certificate expires, you can lose all traffic.
Any site migrations become more complex with additional certificates required, if a domain name change is done then it is critical that the old site certificate is maintained.
When moving to HTTPS you do not need to use the change of address feature in Google Search Console.
Migrating in sections is ok! As mentioned above, blogs are sometimes more challenging so migrate the main site first!