As of mid-June 2023, almost 83 percent of all sites in the world use the HTTPS protocol by default, and more specifically, data from W3Techs reveal that nearly 97 percent of the world’s top 1,000 sites by ranking have adopted the HTTPS protocol. This means that there is still a remaining portion of sites that continue to prefer the old HTTP system, but it is mostly a sign of how much the new protocol is now an integral and relevant part of the Web, in line with the goals of ensuring more secure browsing for users on sites that adopt the latest resources in data transmission security. So let’s focus on the HTTPS protocol, how it works, why a site might be persuaded to use it, but also how to plan a migration from HTTP to HTTPS and some of the most common questions on this topic, thanks in part to advice and best practices from Google.
What HTTPS is and what the protocol means
The HTTPS protocol is a more secure communication system between site and user, thanks to the use of an SSL certificate that encrypts data transmitted in and out. More precisely, HTTPS stands for Hyper Text Transfer Protocol Secure, and is thus a communication protocol that allows for the secure transmission of data over the Internet, which protects the integrity and confidentiality of data between the user’s computer and the site. This is made possible by the use of the SSL (Secure Sockets Layer) protocol or its successor TLS (Transport Layer Security), which serve precisely to encrypt data and ensure a secure connection.
Due to its innovative features compared to the previous HTTP protocol, it has become a standard for ensuring greater security and privacy for users, particularly when entering sensitive information, such as login credentials and banking details. More specifically, HTTPS — as the name suggests — adds a layer of security to traditional HTTP, ensuring that transmitted data is encrypted and therefore inaccessible to third parties.
Definition of HTTPS according to Google
As John Mueller, Search Relations Lead at Google explained in one of the Search Central Lightning Talk series on YouTube, the definition of HTTPS is “a protocol that identifies a secure connection between a site and its users, protecting the site from unwanted activity.”
On the security side, HTTPS ensures three things in particular:
- Authentication. The SSL (Secure Sockets Layer) or TLS (Transport Layer Security) certificate used in the https protocol allows verification of the identity of the site, in turn, ensuring that users are connected to a legitimate site. This is a way to give users confidence that they are interacting with the desired website and not an intermediary.
- Data integrity. The encryption used in the protocol establishes a secure connection that prevents the modification of and tampering with transmitted data, guaranteeing the integrity of the information exchanged between users and the website and allowing users to see the content as intended.
- Encryption. The information exchanged between the client and the server is encrypted, which guarantees that the information exchanged between a website and its users is kept safe, that data communication is secure, and that it is protected from interception by third parties.
These are three key pillars for a modern, secure and trustworthy web, because “your users should feel safe on your site, just as they feel when they visit your company in person.”
What HTTPS means and why to use it on your site
From a literal perspective, the term HTTPS means Hypertext Transfer Protocol Secure and specifically refers to the secure hypertext communication protocol made possible by creating an encrypted connection between the user and the website using SSL/TLS (Transport Layer Security) encryption.
This is an evolution from the previous standard Hypertext Transfer Protocol (HTTP), which we can describe as the set of rules used by browsers to determine the exact way to read and transfer data on the Web. Using encryption, the new system masks data and reduces the possibility that user information can be viewed or manipulated, an important action especially when a website requires sensitive data such as personal information or financial information to be entered.
Certificate and site security, clarifications needed
In any case, it is good to clarify a few more aspects about what security really means with respect to the HTTPS issue: what is secure is the connection between users and the site, as mentioned, and therefore not the navigation as a whole or the site itself. Wanting to go to extremes, even a phishing page might possess an SSL certificate, but this does not mean that it is a secure site (and in fact, even the FBI has frequently alerted on this issue): regardless of the locks and browser indications, therefore, it is always good to keep your eyes open when it comes to entering sensitive data on the Web.
What the new certificate is for
Using the new system, the information entered in the course of browsing is indecipherable to any malicious third parties, and ultimately the user can complete operations with greater peace of mind. For this reason, adoption of the protocol was first recommended for websites that perform economic transactions or contain forms for entering personal data, but it has since been extended to all online sites, including blogs and editorial portals that do not involve transmission of sensitive data. More specifically, HTTPS protects website integrity by preventing man-in-the-middle attacks and ensuring that no one can alter or corrupt website content during data transfer; this new protocol protects user privacy and security by ensuring that sensitive information, such as passwords or credit card information, is transmitted securely.
HTTP and HTTPS: the main differences between the protocols
HTTPS has emerged as a more secure and effective version of the previous generation of data transmission protocol between a browser and a server over the Net, namely HTTP, adding a layer of security through SSL/TLS encryption.
One of the main differences between HTTPS and HTTP is precisely the security in the transmission of data: in the case of the HTTP protocol, the data transmitted between the client and the server is unencrypted, which means that it could be intercepted or manipulated by malicious parties; in contrast, HTTPS protects the information exchanged, using precisely the SSL/TLS encryption that renders the data unreadable and therefore unusable by third parties. Still on the subject of security, HTTP uses port 80 for data communication, while HTTPS uses port 443, which is considered more secure and reliable.
In addition, HTTPS provides an authentication mechanism through the use of SSL/TLS certificates, which allow users to verify the identity of the website they are accessing, thus ensuring that it is a legitimate website and not a fraudulent copy. In contrast, HTTP has no such authentication system, making it difficult for users to tell whether a website is genuine or fictitious.
Another important aspect of the differences between HTTP and HTTPS concerns data integrity: with HTTP, transmitted data could be altered by malicious external agents during transit between the client and the server. This risk is essentially eliminated with HTTPS, as encryption prevents data modification, ensuring that the information being exchanged is not compromised.
In summary, the move from HTTP to HTTPS represented a fundamental evolution in the security of online communications. With the encryption of data, the authentication offered by certificates, and the integrity of information provided by HTTPS, users can navigate the Internet with greater security and privacy. At the same time, organizations can offer a more trustworthy online environment, protecting their reputation and the sensitive data of their customers.
The history of protocols: from SSL to HTTPS
Going even further back in time, the history of HTTPS (or, more accurately, the history of a protocol universally adopted to enable communications on the Internet) has its roots in the 1990s, and is divided into these most relevant events:
- 1989: Introduction of HTTP
HTTP (Hypertext Transfer Protocol) was conceived in 1989 by Tim Berners-Lee, the British engineer working at CERN (the European Organization for Nuclear Research), developed along with HTML (Hypertext Markup Language) as part of the World Wide Web project, which aimed to create a system of interconnected documents accessible via the Internet.
- 1991: The first version of HTTP
The first version of HTTP, known as HTTP/0.9, was documented in 1991 and limited to the management and retrieval of HTML documents.
- 1994-1995: Introduction of SSL
In 1994, the Netscape Communications Corporation team, led by Taher Elgamal, developed the first Secure Sockets Layer (SSL) protocol to ensure secure transactions between the Netscape browser and Web servers. In 1995, Netscape released SSL 2.0, which introduced new features such as support for public key encryption and session key generation, making communications even more secure.
- 1996: SSL 3.0 and HTTP/1.0
In 1996, again under the supervision of Netscape, version 3.0 of the SSL protocol was released, which further improved encryption and authentication over version 2.0. The infrastructure of SSL 3.0 was later adopted as the basis for the creation of the TLS protocol.
Also in the same year, HTTP/1.0 (RFC 1945), which introduced new features and improvements over the previous version, was released as a standard. HTTP/1.1, released in 1997 as RFC 2068 (later updated with RFC 2616 in 1999), became the most commonly used version and is still widely used today, despite improvements with the introduction of HTTP/2 in 2015 and HTTP/3 in 2020.
- 1999: TLS 1.0
In 1999, the Internet Engineering Task Force (IETF) published the specification for the Transport Layer Security (TLS) 1.0 protocol. TLS was intended to be an update to SSL 3.0 and offered improvements in encryption, authentication, and data integrity.
- 2000: The birth of HTTPS
In 2000, combining TLS with HTTP, the HTTPS protocol was introduced as an evolution of HTTP, providing additional security with the mighty TLS-based encryption. Since then, HTTPS has gradually become a standard for secure communications on the Internet.
- 2006-2008: TLS 1.1 and 1.2
The IETF continued to develop the TLS protocol in the following years. In 2006, it released TLS 1.1, an improved version with security updates over its predecessor. TLS 1.2, the next version, was released in 2008, including new, more secure encryption algorithms and a more robust key management process.
- 2014: Google launches “HTTPS Everywhere”
In 2014, Google encouraged web developers to move to HTTPS, promoting adoption on a global scale. Google defined HTTPS as a ranking factor in its search results, prompting many websites to opt for the secure protocol.
- 2018: TLS 1.3
In August 2018, the IETF released the latest version of the TLS protocol, namely TLS 1.3, which offers further improvements in security and reduced connection times.
Google and HTTPS, the push for adoption
Pushing for the spread of HTTPS-certified sites was certainly Google, which first took a soft approach – inviting site owners to embrace the new method – and then pushed on the accelerator: for some time now, connections to sites with old HTTP have been identified in the Chrome browser as “not secure,” complete with a note in the address bar, but even more interesting was the SEO aspect of the issue.
HTTPS as a ranking factor for Google
The use of the SSL certificate has indeed become a ranking factor on Google, i.e., something that is evaluated by the search engine’s algorithms to determine relative rankings for queries, but there are also other advantages of using HTTPS over the old HTTP.
Let’s start, however, with the aspect that is probably of most interest: in fact, it has been since 2014 that HTTPS has been a sure ranking factor for Google, which in an official post announced precisely that a website encrypted with HTTPS would get a boost in search rankings over HTTP sites from that point on.
The real impact of this boost was never specified, of course, but from the very beginning it nevertheless proved to be at least “slight”: at best, HTTPS was a tiebreaker signal, that is, capable of making the difference in ranking positions only in the case of two relatively equal pages. As we know, relevance is and remains the key when it comes to ranking: if the most relevant content for a query is found on a non-HTTPS site, it is likely to rank ahead of encrypted sites even today, whereas if a site offers poor content, the mere use of HTTPS will not get it quickly to the first page of Google.
Yet, that Google had and still has an eye toward this aspect was also evident by the warning that, as mentioned, appears on the Chrome browser before users visit non-HTTPS websites, as well as on other popular browsers such as Mozilla Firefox, where in particular as of version 70 updated in October 2020 we find a similar icon next to the address of the site that does not use HTTPS or has problems with the certificate.
This focus, however, can be explained by Google’s broader commitment to rewarding Web sites that offer a good user experience, and increased security is one way to improve sites for users. And so it is not all that surprising that it is precisely the presence of an active HTTPS protocol that has become part of the Page Experience factors, the algorithmic update by which Google wanted to crack down with respect to precisely the gratification of the user experience on Web pages, grouping together a set of indicators that measure how users interact with a Web page, beyond its purely informational value, on both mobile devices and desktop computers.
Ultimately, then, HTTPS is a confirmed, though slight, ranking factor on Google, and the search engine’s guidelines strongly recommend that we use HTTPS for our site to protect the security and privacy of users; moreover, if the site has a page with both HTTP and HTTPS addresses, Google prefers to index the HTTPS version.
The benefits of Hypertext Transfer Protocol Secure
As a fundamental element of the modern Web, HTTPS is also a basic requirement for modern browsers to enable certain features, such as
- Geolocation
- Form autofill
- Camera
- Progressive Web Apps (PWA)
- Push notifications
- Caching
The protocol is also shown directly in modern browsers, or rather, since it should be on by default, the absence of HTTPS is reported as mentioned (and thus it is not possible to hide whether a site adopts the system or not).
When users access a website that does not use HTTPS in Chrome, for example, it will be marked as not secure in the browser bar, with red writing alerting the visitor (while sites with HTTPS are labeled as “secure” with more reassuring green writing).
Among other possible advantages, connecting via HTTPS is estimated to be faster than connecting to the previous protocol, and this can make a difference in performance. Also, returning to the topic of security, HTTPS prevents intermediaries from inserting content into the Web site without the owner’s knowledge: without HTTPS, a bad actor could inject online ads, for example, to profit from that Web traffic (but, we reiterate, it does not protect the user’s computer or the Web server itself from hacker or malware attacks).
Therefore, although like any form of security it has weaknesses and may not be foolproof, HTTPS is undeniably better than HTTP both in technical terms and from an SEO and user presentation perspective.
How to switch to HTTPS
Thus, there are many reasons to adopt HTTPS, and switching from HTTP to HTTPS, while not too complicated, can still be considered a site migration, as HTTPS URLs are different from their HTTP counterparts and therefore, to perform the transfer, it is necessary to redirect all users with a server-side 301 redirect for all URLs on the site.
In general, a TLS/SSL certificate is needed to add HTTPS: in some cases, it is the web hosting provider itself that makes the certificate available (even for free, if included in the current plan), while in other situations it may be necessary to purchase, through the hosting, certificate authorities, CDNs such as Cloudflare or companies such as Digicert, and then install it yourself.
SSL/TLS certificates may need to be renewed periodically, but more importantly, they need to be monitored carefully, because there is a possibility that someone may be able to forge an SSL/TLS certificate: when this happens, HTTPS’s preventive action against man-in-the-middle (MitM) attacks is clearly lacking. To avoid trouble and unpleasant situations, therefore, Google also advises to examine the certificates issued for the website we do not recognize and to limit the authorities that can issue certificates for a domain using CAA (Certification Authority Authorization) resource records.
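How a CAA record set limits which authorities may issue for a name, as an added example that is not from Google or the original article. It follows the lookup described in RFC 8659 in simplified form (flags and unknown critical properties are not modelled); the zone contents, `example.com` and `other-ca.example` are constructed sample values.

```python
# Constructed sample zone. In zone-file form the first entry would read:
#   example.com.  CAA 0 issue "letsencrypt.org"
#   example.com.  CAA 0 issuewild ";"
#   example.com.  CAA 0 iodef "mailto:security@example.com"
SAMPLE_ZONE = {
    "example.com": [
        ("issue", "letsencrypt.org"),
        ("issuewild", ";"),                       # ";" means: no CA at all
        ("iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [("issue", "other-ca.example")],
}


def relevant_caa(fqdn, zone):
    """Climb from fqdn towards the root; return the first non-empty CAA set."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def ca_may_issue(ca_domain, fqdn, zone):
    """True if CAA permits ca_domain to issue a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    records = relevant_caa(fqdn[2:] if wildcard else fqdn, zone)
    issue = [value for tag, value in records if tag == "issue"]
    issuewild = [value for tag, value in records if tag == "issuewild"]
    # issuewild overrides issue for wildcard requests and is ignored otherwise.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True   # no restricting property found: issuance is unrestricted
    # The CA identifier is the part of the value before any ";" parameters.
    allowed = {value.split(";")[0].strip().lower() for value in applicable}
    return ca_domain.lower() in allowed
```

A subdomain with its own CAA set (here `shop.example.com`) replaces the parent's policy rather than adding to it, which is worth checking when reviewing unrecognized certificates.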
How to check the validity of the SSL certificate
It is therefore important to remember that only a valid SSL certificate – and in use on the totality of the site’s pages – allows the establishment of encrypted HTTPS connections. The absence of encryption or the presence of errors makes all data sent and received by the site visible, exposed, and therefore potentially manipulable by third parties.
To check the validity of the SSL certificate we can run manual tests on the pages, and find out if the browser correctly identifies the lock, or use some special tools. For example, in September 2022 Google activated a new report in Search Console, simply called HTTPS report, which allows us to check precisely which pages on our site are not published over HTTPS, but also why they are not served as HTTPS.
How to migrate pages from HTTP to HTTPS
If we own or operate a site that has not yet adopted the new protocol and want to make the transfer, we can follow Google’s official advice to reduce the margin of error.
John Mueller breaks down the process of migrating from HTTP to HTTPS into six steps:
- Configure the HTTPS site.
- Verify the property in Google Search Console.
- Extensively test the HTTPS site.
- Redirect all HTTP URLs to HTTPS URLs.
- Monitor the migration in Google Search Console.
- Configure HTTP Strict Transport Security (HSTS) – optional step.
Steps to successfully complete the migration from HTTP to HTTPS
First, then, you need to configure the HTTPS site, possibly asking for support from the hosting service and acquiring the appropriate HTTPS certificate (in principle, all certificates supported by modern browsers such as Chrome, even free ones, are fine).
The exact steps to follow here vary from website to website, Mueller explains, “Sometimes it’s just a matter of changing a setting, other times there’s a lot more.”
Second, you need to verify the property in Google Search Console, a crucial step to track down any problems associated with HTTPS version 2. You may also choose to verify the entire domain, to merge HTTP and HTTPS data in the same place, taking care to use the same settings. In particular, care should be taken to review the settings for geotargeting, URL removal, URL parameter settings, crawl rate settings, and disavow file, adding any co-owners in the Search Console.
The elements to be tested on the site
The work continues with an important and thorough testing phase of the site, opening the test to some users as well. “Sometimes there are quirks that we missed, and it’s best to recognize them and fix them before moving to HTTPS,” Mueller explains.
First and foremost among the things to check for is the possible presence of mixed content, i.e., when a page on HTTPS includes elements from HTTP, which may be embedded images, advertisements, or analytics script, for example. This is a security downside, and browsers warn users when they recognize this problem.
We also need to check internal links, to make sure that all links on the website point to the HTTPS version; there are various tools to check this, but you can also just click on the browser bar and look at the URL that is displayed.
Also important is analyzing hidden references – bringing in HTTPS elements such as rel=canonical, rel=alternate, hreflang= link, as well as structured data – and checking sitemap files, which help Google crawl and index more efficiently.
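A small scanner for the three checks above (mixed content, internal links and hidden references), as an added example that is not part of the original article or of Google's guidance. The page markup and the hostnames are constructed; the category names are labels chosen for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
SUBRESOURCE_ATTR = {"img": "src", "script": "src", "iframe": "src",
                    "audio": "src", "video": "src", "source": "src"}


class HttpReferenceFinder(HTMLParser):
    """Collect http:// references found in a page that is served over HTTPS."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []          # (category, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in SUBRESOURCE_ATTR:
            self._check("mixed-content", tag, a.get(SUBRESOURCE_ATTR[tag]))
        elif tag == "link":
            rel = (a.get("rel") or "").lower().split()
            if "stylesheet" in rel:
                self._check("mixed-content", tag, a.get("href"))
            elif "canonical" in rel or "alternate" in rel:
                self._check("hidden-reference", tag, a.get("href"))
        elif tag == "a":
            url = a.get("href")
            # Only links to our own host matter for the migration.
            if url and urlsplit(url.strip()).hostname == self.site_host:
                self._check("internal-link", tag, url)

    def _check(self, category, tag, url):
        # Protocol-relative URLs ("//host/x") have no scheme and inherit HTTPS.
        if url and urlsplit(url.strip()).scheme == "http":
            self.findings.append((category, tag, url.strip()))


def find_http_references(html, site_host):
    finder = HttpReferenceFinder(site_host)
    finder.feed(html)
    return finder.findings


# Constructed sample page, as it would be served from https://example.com/post
SAMPLE_PAGE = """
<html><head>
<link rel="canonical" href="http://example.com/post">
<link rel="alternate" hreflang="it" href="https://example.com/it/post">
<link rel="stylesheet" href="https://example.com/site.css">
<script src="http://stats.example.net/analytics.js"></script>
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://example.com/img/logo.png">
<a href="http://example.com/contact">Contact</a>
<a href="http://other.example.org/">External</a>
</body></html>
"""

if __name__ == "__main__":
    for category, tag, url in find_http_references(SAMPLE_PAGE, "example.com"):
        print(f"{category:17} <{tag}> {url}")
```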
The work of implementing an HTTPS site
With the first three steps completed, “the HTTPS site is ready, congratulations! Time to change everything,” jokes Mueller, who urges using server-side redirects to forward all requests from the HTTP version to the new and correct HTTPS version.
It’s advisable to double-check all old URLs to make sure they redirect right, either by manually spot-testing each part of the website or by using an automated tool for all URLs. If we have a sitemap, it’s a good time to submit it, adds Google’s Search Relations Lead, because from this point on, search engines will start using our HTTPS URLs.
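One way to automate that double-check, as an added example that is not from Google or the original article: each old HTTP URL is classified from its first-hop response. The sample responses and `example.com` are constructed; in practice they would come from requesting each URL without following redirects. Accepting 308 alongside 301 as permanent is an assumption of this example.

```python
from urllib.parse import urljoin, urlsplit

PERMANENT = (301, 308)                  # 308 is the other permanent status
REDIRECTS = PERMANENT + (302, 303, 307)


def check_redirect(url, status, location):
    """Classify the first-hop response for an old http:// URL.

    url: the HTTP URL that was requested
    status: response status code
    location: value of the Location header, or None
    """
    src = urlsplit(url)
    if status not in REDIRECTS:
        return "no-redirect"            # still answered over plain HTTP
    if not location:
        return "missing-location"
    dst = urlsplit(urljoin(url, location))   # resolves relative Location values
    if dst.scheme != "https":
        return "not-https"              # redirects, but to another HTTP URL
    if dst.hostname != src.hostname:
        return "host-changed"           # may be intentional; review it
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        return "path-changed"           # e.g. everything sent to the home page
    if status not in PERMANENT:
        return "temporary"              # the migration calls for a 301
    return "ok"


def audit(responses):
    """Return {url: verdict} for every URL whose verdict is not 'ok'."""
    problems = {}
    for url, status, location in responses:
        verdict = check_redirect(url, status, location)
        if verdict != "ok":
            problems[url] = verdict
    return problems


# Constructed sample: (requested URL, status, Location header)
SAMPLE_RESPONSES = [
    ("http://example.com/", 301, "https://example.com/"),
    ("http://example.com/blog/post?id=7", 301, "https://example.com/blog/post?id=7"),
    ("http://example.com/shop", 302, "https://example.com/shop"),
    ("http://example.com/old-page", 301, "https://example.com/"),
    ("http://example.com/login", 200, None),
    ("http://example.com/about", 301, "http://www.example.com/about"),
    ("http://example.com/faq", 301, "https://www.example.com/faq"),
    ("http://example.com/help", 301, "/help/"),
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{verdict:13} {url}")
```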
We then move on to monitoring the migration in Search Console: it is best to check Search Console regularly at the beginning, to detect any situations before they degenerate into problems. In particular, we need to check that the sitemap files are processed normally, that no unexpected crawl errors appear, that the index coverage ratio shows an increase for the HTTPS site, and last but not least, that users are finding the HTTPS site in Search.
What is HSTS enablement
The last step is optional and allows you to “take it to the next level”: after making sure that everything is working as expected, and waiting a few months for the migration to settle, it might be worth considering enabling HSTS (HTTP Strict Transport Security), a way “to let browsers know that they no longer need to check the HTTP version of your site any further,” because “it’s a long-term commitment on your part.”
Setting up HSTS is easy enough: just add a header to server responses that tells browsers that they no longer need to check the old HTTP version of your site’s URLs, even when a user tries to go there directly. In addition, there is one more step you can take, which is to add your site to the HSTS preload list, a shared list of sites that have committed to HTTPS used directly in Chrome: “a pretty big step, so it’s only recommended if you’re absolutely sure everything is working properly on your HTTPS site.”
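What that header looks like and how to check it before taking the preload step, as an added example that is not from Google or the original article. The header is `Strict-Transport-Security` (RFC 6797); the preload thresholds used here (a `max-age` of at least 31536000 seconds plus `includeSubDomains` and `preload`) are the header requirements published by the preload list, and the verdict names are labels chosen for this example.

```python
ONE_YEAR = 31536000   # seconds; minimum max-age for preload list submission


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: argument}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"')
    return directives


def assess_hsts(value, over_https=True):
    """Classify the HSTS policy a browser would derive from one response."""
    if not over_https:
        return "ignored"      # browsers disregard the header on plain HTTP
    if value is None:
        return "absent"
    try:
        directives = parse_hsts(value)
    except ValueError:
        return "invalid"
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return "invalid"      # max-age is mandatory and must be a number
    if int(max_age) == 0:
        return "disabled"     # max-age=0 tells the browser to forget the policy
    if (int(max_age) >= ONE_YEAR and "includesubdomains" in directives
            and "preload" in directives):
        return "preload-ready"
    return "enabled"


# Constructed sample header values, from a cautious first rollout to preload.
SAMPLE_HEADERS = [
    "max-age=300",
    "max-age=31536000; includeSubDomains",
    "max-age=63072000; includeSubDomains; preload",
    "max-age=0",
    "includeSubDomains; preload",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{assess_hsts(header):14} {header}")
```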
Frequently asked questions about switching to HTTPS
Migrating to HTTPS is not something that “a site does every day,” so it’s natural to have doubts and ask questions. Before concluding his talk, Mueller collected some of these FAQs and provided the answers and best practices for completing the steps accurately and without errors.
- How long should I keep redirects active?
Redirects should remain active forever: there is no reason not to redirect from HTTP to HTTPS after a migration.
- Can I move only a few pages?
Technically you can only move a few pages to HTTPS, such as only the user login page. In practice, Mueller says it doesn’t take much extra work to do to move the whole site, which is what should be done anyway.
- Which HTTPS certificate should I use?
Any certificate supported by a modern Web browser will do, and Mueller specifically mentions free certificates from the nonprofit organization Let’s Encrypt.
- How long does a migration take?
Google has a lot of experience with HTTPS migrations, Mueller says, so they can usually be processed within a week if all the steps are correct. However, in practice the exact timeline doesn’t matter much, since users will be redirected anyway.
- Will the migration hurt my site’s ranking?
“Usually not,” Mueller says, because it is still the same site, included on the Web in the same way. In fact, rankings may benefit from the slight increase mentioned earlier.
- Can I restore the previous status if necessary?
Technically, yes, but it is not a recommended practice. Rather than going back, Mueller recommends fixing any problems and moving forward.
How many HTTPS sites are there in the world?
Despite the many advantages and persuasive effect of the padlock, however, there is still some impediment to the full expansion of HTTPS protocol sites even though, according to the aforementioned latest report by W3Techs updated to June 2023, they nowadays account for close to 80 percent of the total number of sites surveyed, with a steady growth rate that has not yet, however, led to the disappearance of sites based on the non-secure mode.
While it is indeed true that nowadays most popular and high-profile websites have already adopted HTTPS to ensure secure communications and protect user data, some lesser-known web pages and sites may in fact not have made the switch yet. In addition to this, many government and institutional sites have not yet migrated to using HTTPS.
According to experts, among the reasons for the lack of global deployment of HTTPS have historically been technical, economic, and practical issues: adopting the SSL certificate had a cost that for many sites is excessive, especially for small projects that perhaps do not deal with sensitive user data; then, HTTPS often does not work with cheaper virtual hosts and causes them to lose caching capacity. Problems, however, can also be overcome as technology advances, and in fact today HTTPS is free (at times), easy, and increasingly ubiquitous.
Important sites not yet in HTTPS
However, there are still plenty of sites that are exceptions, even relevant and important domains that have not yet adopted the HTTPS standard for their pages. It is important to note that, given the dynamism of the Web, the situation could change rapidly and the sites mentioned could switch to HTTPS at any time.
Editorial portals such as FoxNews and the BBC, hotel chain sites such as Hilton, and even the institutional portal of the United Nations have long been part of this “list of shame”, and today the website https://whynohttps.com/ still lists “many of the world’s largest Web sites that continue to deliver content over unencrypted connections, putting users at risk even when no sensitive data is involved.”
On the list of the top 100 Web sites that do not automatically redirect unsecured requests to secure ones are 6 percent of the world’s 1,803 largest Web sites, and especially domains such as baidu.com (China’s national search engine), myshopify.com, videolan.org (the site from which to download the popular VLC media player) and openoffice.org (the official site for downloading the Apache project’s free software).