Don't SSL Yourself Short:
Tips to Help Communicate the SSL Transition
Rather than perpetuate any arguments regarding overall-effect, I’d like to instead concentrate on implementation. Since SSL implementation can vary in difficulty based on a client's online presence, the migration effort can quickly become a joint Marketing / Developing project. At the end of the day, we don't want to end up with a site-wide 302 redirect issue (you know it happens).
I have personally been involved in multiple site migrations to SSL (97thfloor.com being one simple example)and have compile a list of aspects to remember when making the move to SSL.
Quick Tips on Moving Your Site to Always On SSL
As you’ve probably already heard, on August 6 Google announced that they are now giving an SEO boost to sites secured with SSL. HTTPS everywhere/Always On SSL (AOSSL) is the practice of securing your entire site with SSL, not just pages that handle sensitive information like login or checkout pages.
Though SSL is currently considered a lightweight ranking signal in Google’s organic search algorithm, Google has promised that the weight of SSL’s influence will increase once webmasters have time to migrate their sites to HTTPS. Unlike most of the ranking factors in Google’s ranking algorithm that are vague or difficult to measure, having site-wide SSL is a guaranteed way to make your site rank higher.
Now that Google has added a rank boost for AOSSL, it makes sense to enable HTTPS site-wide—both for the ranking boost and added privacy for your users. But where do you start?
What is SSL/HTTPS?
First, let’s talk about what SSL/HTTPS is. When you go to a Website in your browser, an https:// or http:// will show up in front of the page URL in the address bar. HTTPS is the secure version of HTTP (Hypertext Transfer Protocol). You can tell that you are securely connected to a Website if the URL begins with https://. When you connect to a Website through https://, your session is encrypted with a digital SSL certificate.
Most websites currently use SSL Certificates to secure pages that handle sensitive data, like login pages and shopping carts. However, by having SSL on all of the pages of your Website your users’ sessions are secure no matter what page they go to.
Implementing Site-Wide SSL
Moving your site to HTTPS involves more than just going out and purchasing an SSL Certificate. There are different steps you should consider depending on your hosting situation and server platform. In general, below is the workflow you should follow when you move to HTTPS:
- Figure out what certificates you already have (if any).
- Decide what kind of certificate you need (see this page for tips).
- Create a CSR (Certificate Signing Request).
- Purchase the certificate.
- Install the certificate.
- Migrate your site to HTTPS.
We recommend that you work with your IT team, your hosting company, or a trusted Certificate Authority to complete these steps.
Migrating Your Site to HTTPS
Before the announcement, some companies were worried that implementing HTTPS would actually have a negative effect on page rank. However, if you implement HTTPS correctly it should have no negative effect on your SEO. Big companies including Yahoo, Microsoft, Facebook, Twitter, and PayPal have all implemented HTTPS everywhere without any negative side effects. To properly implement HTTPS everywhere, keep the following tips in mind:
Test your Website to make sure your SSL Certificate was installed correctly.
Just because your SSL Certificate is on your server doesn’t mean it’s working. Use a certificate checker like this SSL Installation Diagnostics Tool to make sure your certificate is installed correctly.
Add a server-side 301 redirect.
Set up your server to redirect all traffic from port 80 (HTTP) to port 443 (HTTPS). Google considers your HTTP and HTTPS sites to be different Websites. Because of this, if you do not redirect traffic Google may see your HTTP and HTTPS sites as two separate Websites with the same content and penalize you.
Track your site migration in Google Webmaster Tools.
List your HTTP and HTTPS sites separately in Webmaster Tools. Because all of your traffic is going to move to the new HTTPS version of your site you should track both sites in your analytics software and in Webmaster Tools to watch site traffic.
Move all resources to HTTPS.
Use relative URLs for resources that are on the same secure domain.
For example, use
to link to a page on your site instead of
This ensures your links and resources always use HTTPS.
Use protocol-relative URLs for all other domains.
For example, use
Or update all external links on your site links to go directly to the HTTPS resource.
Use a server that supports HTTP Strict Transport Security (HSTS) and enable it.
HSTS tells the browser to automatically request pages using HTTPS even when the user enters HTTP in the address bar. It also tells Google to serve HTTPS URLs in the search results.