What Is HTTPS: The Definitive Guide to How HTTPS Works

A quick definition: HTTPS stands for hypertext transfer protocol secure and is the encrypted version of HTTP. It is used for secure communication across the internet or a network. The communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). 

Our journey in this article will be a deep dive into the world of HTTP vs. HTTPS and how they work, and I will show you how to make sure your site survives any technical issues when migrating from one protocol to the other.

In the beginning, SEOs had HTTP, a protocol used to deliver web pages to the masses. The web was simple, and website migrations existed solely from domain to domain or server to server. You didn’t have to worry about all that much beyond the usual redirects and making sure that your website migration went off without a hitch. Then came HTTPS.

New technologies always create new issues that one must solve to continue achieving the same (or better) results than before.

HTTP and HTTPS: Their Importance to the WWW

HTTP, or hypertext transfer protocol, is the entire backbone of the world wide web. It is the protocol used to process, render, and deliver web pages from the server-side to the client browser. HTTP is the means through which most of the web is displayed.

HTTP and HTTPS work through what are called requests. These requests are created by the user browser when the user performs some interaction with a website. This is a critical element in page rendering, and without it, you would not be using the world wide web as it exists today.

How it works: Let’s say that someone searches for “how to do a website migration”. The request is sent to the server, which then sends a response back with the query results. These results are displayed on the SERP (search engine results page) that you see when you complete the search.

All of this takes place in a matter of milliseconds. But that is a very general overview of how hypertext transfer protocol works.

What is HTTP? 

HTTP is the abbreviation for hypertext transfer protocol. This is the main method by which the data of web pages are transferred over a network. Web pages are stored on servers, which are then served to the client computer as the user accesses them.

The resulting network of these connections creates the world wide web as we know it today. Without HTTP, the world wide web (WWW) as we know it would not exist.

There is one major issue with an HTTP connection — the data that is transferred over an HTTP connection is not encrypted, so you run the risk of third-party attackers stealing the information. Any information transmitted over this network via HTTP is not private, so any credit card data and sensitive information should not be submitted if you are on an HTTP page.

What is HTTPS? 

HTTPS is the abbreviation for hypertext transfer protocol secure, or secure hypertext transfer protocol if you are not a stickler for semantics.

Me, I am always up for some antics. (bonus points if you can guess the movie where that joke is from).

How Does HTTPS Work?

Unlike HTTP, HTTPS uses a secure certificate from a third-party vendor to secure a connection and verify that the site is legitimate. This secure certificate is known as an SSL Certificate (or “cert”).

SSL is an abbreviation for “secure sockets layer”. This is what creates a secure, encrypted connection between a browser and a server, which protects the layer of communication between the two.

This certificate encrypts a connection with a level of protection that is designated at the time you purchase the SSL certificate.

An SSL certificate provides an extra layer of security for sensitive data that you do not want third-party attackers to access. This additional security can be extremely important when it comes to running e-commerce websites.

Some Examples:

  • When you want to secure the transmission of credit card data or other sensitive information (such as someone’s real address and physical identity). 
  • When you run a lead generation website that relies on someone’s real information, in which case you want to use HTTPS to safeguard against malicious attacks on the user’s data.

There are many benefits to HTTPS that are worth the slight cost. Remember, if the certificate is not present, a third party could easily scan the connection for sensitive data.

http vs https encryption graph


What is TLS? How it Applies to HTTPS

TLS stands for transport layer security. It provides the encryption in HTTPS and can also be used to secure email and other protocols. It uses cryptographic techniques to ensure that data has not been tampered with since it was sent, that you are communicating with the party the communication actually came from, and that private data cannot be seen by others.

Things kick off with a TLS handshake, the process that starts a communication session that uses TLS encryption. This is where authentication takes place and session keys are created. Brand-new session keys are generated each time two devices communicate, from the two different keys working together. The result is that everything exchanged after the handshake is encrypted with keys unique to that session.

TLS handshake infographic


Below are some mistakes Google suggests you avoid.

Google's recommendations on TLS, things to avoid


A Critical Step for HTTPS — Authenticating the Web Server

The most critical step for an HTTPS secure connection is ensuring that a web server is who it says it is.

That is why the SSL certificate is the most important part of this setup; it ensures the owner of the web server is who the certificate says they are. It works very similarly to how a driver’s license works: it confirms the identity of the owner of the server.

A layer of protection from certain types of attacks exists when you implement HTTPS, making this a valuable staple of your website.

HTTP vs. HTTPS — HTTPS Builds Trust with Your Users

One big hidden benefit of HTTPS is that it helps build trust with your users. If you run an e-commerce site that accepts credit card data, the fact that a padlock appears on your site within the browser gives your users confidence that your site can handle credit card transactions without leaking data to prying eyes.

Example of a secure site with padlock


It will help users trust your site that much more than if it were an insecure site — and modern browsers warn users when sites are not “safe.”

With HTTPS, credit card data, passwords, private user data, and personal data are all encrypted with an industrial-strength layer of security. This security is what will enable your site to remain competitive against others in your niche.

Aside from protecting user data from prying eyes, https:// helps to protect your reputation. If you regularly have security breaches on your site, and user data is exposed, people will not want to use it. This can damage your online reputation beyond repair and can cost you in the long run.

HTTP Outliers

While outliers are few and far between nowadays, there are still outliers who have not made the full switch to https://. For certain outliers, this makes sense — if you are not serving users who regularly provide sensitive data for e-commerce or other reasons, you probably don’t need the increased security.

In a perfect world, when everything is equal on a website, https:// is a tie-breaker for rankings. However, we seldom live in a perfect world when it comes to SEO. Thus, you are still able to rank when it comes to http://.

While the benefits of https:// are many, John Mueller has also said that HTTPS is a light-weight ranking factor, and that is it, but Google is on record as saying that “when everything else is equal, the ranking benefit of HTTPS is tie-breaker status.”

Migration SEO Issues: Moving from HTTP to HTTPS

There are many benefits to switching from HTTP to HTTPS, especially from an SEO perspective. However, unless you are familiar with the process, you can cause more harm than good.

You must let Google know about the transition. You need to choose the certificate that is best for your situation, set up Google Search Console, set up Google Analytics, update internal links, and update any relative URLs. Let’s look at each of these a bit more closely. 

Inform Google About the Transition, and Mistakes to Avoid

This step involves setting up another Google Search Console profile. Don’t disable your non-secure GSC profile. Instead, you need to keep all profiles active. Set up a new profile for the HTTPS version of your site and ensure that it continues collecting data.

Also, in Google Analytics, you must make sure that you set your profile to secure. Otherwise, you will not be tracking the right data.

Don’t forget to update data collection parameters in Google Tag Manager where applicable. In addition, if you use Bing Webmaster Tools, updating http:// to https:// during the migration will also be necessary.

You would be surprised how often I encounter mistakes in http:// to https:// transitions that were caused by a lack of developmental oversight on the initial transition process and not updating critical data tracking profiles.

These types of mistakes can lead to both underreporting and overreporting of data, both of which can spell doom for the accuracy of your SEO strategy decisions.

Choose the Right Security Certificate: SSL and Wildcard Certificates

SSL certificates come in several types: one for a single domain, another for multiple domains, and wildcard certificates. For smaller sites, a full wildcard certificate is usually not necessary. However, it can make your life much easier when working to control URL syntax across your websites.

An SSL certificate for a single domain is issued for one subdomain, or the single domain itself. An SSL certificate for multiple domains will allow you to secure the main domain name and up to 99 SANs, or subject alternative names.

The wildcard allows you to secure your initial website URL and any and all unlimited subdomains associated with it. What does this mean? This means that if you set up domain.maindomain.com and it is created with a wildcard certificate, it is automatically secure. You will not have to expend more effort in making sure that it fits within the existing security of your site. In other words, it will save you many headaches.

The wildcard certificate is the clear winner here. But, as a robust certificate with many different features, it does cost more, so you will have to weigh the additional business expense and compare it with the features you will gain.
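
As an added example (not code from the original article or from any certificate vendor), the Python below applies the standard wildcard matching rule to the hostnames discussed above: a "*" stands for exactly one left-most label, so *.maindomain.com covers domain.maindomain.com but not the bare maindomain.com or a deeper name such as shop.eu.maindomain.com unless those are listed as SANs too. The SAN lists and every hostname other than domain.maindomain.com are constructed for illustration.

```python
# Added example: which hostnames does a certificate's SAN list cover?
# SAN lists and most hostnames below are constructed for illustration.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """Return True if a single SAN dNSName entry covers hostname."""
    if "*" in hostname:
        return False  # a wildcard is only meaningful in the certificate
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # "*" stands for exactly one label, so the label counts must agree.
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" is never accepted.
        return len(p) >= 3 and p[1:] == h[1:]
    # No wildcard (or one in an unsupported position): exact match only.
    return p == h

def cert_covers(san_list, hostname):
    """True if any SAN entry on the certificate covers hostname."""
    return any(san_matches(s, hostname) for s in san_list)

def coverage_report(san_list, hostnames):
    """Map each hostname to True/False for the given certificate."""
    return {h: cert_covers(san_list, h) for h in hostnames}

WILDCARD_ONLY = ["*.maindomain.com"]
WILDCARD_PLUS_APEX = ["*.maindomain.com", "maindomain.com"]
SITE_HOSTS = [
    "maindomain.com",            # bare (apex) domain
    "domain.maindomain.com",     # the subdomain used in the article
    "www.maindomain.com",
    "shop.eu.maindomain.com",    # two levels below the wildcard
]

if __name__ == "__main__":
    for label, sans in (("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex SAN", WILDCARD_PLUS_APEX)):
        print(label)
        for host, ok in coverage_report(sans, SITE_HOSTS).items():
            print(f"  {'covered    ' if ok else 'NOT covered'}  {host}")
```

Run this against the full list of hostnames your site serves before ordering a certificate, so that any name reported as not covered is added as a SAN or given its own certificate.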

Make Sure All URLs Are Properly Updated Sitewide

There are some who recommend using only relative URLs for your resources. Assuming you are adept at managing the ongoing needs of your website, you don’t need to do this step. You just need to make sure that all on-site content is prefixed with the right protocol. And don’t forget your XML sitemap!

You would be amazed at how many audits I have done on sites that fail to complete this one step — making sure all of their content is secure.

It doesn’t matter if you use relative or absolute URLs so long as you keep them updated on-site. You can switch to relative URLs if you prefer, but if your site is built on absolute URLs, use a find-and-replace option with your database if your site allows it. This will help you eliminate all existing instances of mixed content.

Make sure that your URLs are properly prepended with https:// after you make the transition, and you should not experience any significant issues.
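
One way to find leftover http:// references after the switch, as an added example that is not part of the original article: the Python below parses a page and classifies each http:// URL as active mixed content (scripts, iframes, stylesheets), passive mixed content (images, media), an insecure form target, or a plain link or canonical tag that still needs updating. The sample page and its www.example.com URLs are constructed.

```python
from html.parser import HTMLParser

# (tag, attribute) -> kind of finding when the URL starts with http://
KIND = {
    ("script", "src"): "active",   # can rewrite the whole page
    ("iframe", "src"): "active",
    ("img", "src"): "passive",
    ("video", "src"): "passive",
    ("audio", "src"): "passive",
    ("source", "src"): "passive",
    ("form", "action"): "form",    # submitted data leaves unencrypted
    ("a", "href"): "link",         # not mixed content, but needs updating
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        for attr, url in attrs.items():
            if not url.strip().lower().startswith("http://"):
                continue
            if tag == "link" and attr == "href":
                # Only stylesheets are fetched and applied to the page;
                # rel="canonical" and similar are plain references.
                rel = attrs.get("rel", "").lower().split()
                kind = "active" if "stylesheet" in rel else "link"
            else:
                kind = KIND.get((tag, attr))
            if kind:
                self.findings.append((self.getpos()[0], kind, tag, url.strip()))

def scan(html):
    """Return every http:// reference in html as (line, kind, tag, url)."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page for illustration.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://www.example.com/page">
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="https://www.example.com/js/app.js"></script>
</head><body>
<img src="http://www.example.com/img/logo.png">
<img src="/img/banner.png">
<a href="http://www.example.com/contact">Contact</a>
<form action="http://www.example.com/lead" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in scan(SAMPLE_PAGE):
        print(f"line {line}: {kind:8} <{tag}> {url}")
```

Fix "active" and "form" findings first, since browsers block or warn on them; URLs inside srcset attributes and CSS url() values are not inspected by this scanner and need a separate search.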

Don’t Prevent Google From Crawling Your New HTTPS Site

You must ensure that all elements are crawlable from your robots.txt. Unless you have a specific issue, such as a folder that really should not be indexed, then it makes sense to allow Google to crawl everything on the site, even CSS and JS files. If your site disallows the rendering of CSS and JS files, you could encounter problems.

An example of this is if you disallow a critical CSS or JS element from rendering on the page, then you can prevent Google from understanding the entire context of the page, which is an important part of achieving higher rankings. Also, in about 99% of cases, there is no reason to disallow CSS or JS files in this manner.

SEMrush’s Site Audit tool will give you a lot of helpful information regarding your HTTPS implementation. It shows you any problems you may have and offers recommendations for fixing them. 

Site audit tool for https checking


Double Check Everything During Your Migration

Regular, ongoing monitoring of your site is critical to achieving a successful website migration to https://. Check Google Search Console, Google Analytics, and double-check any other reporting software that you use. If you haven’t updated http:// to https://, you must do so as soon as is humanly possible. That way, you don’t run into further issues that can seriously harm your SEO efforts.

HTTP:// vs. HTTPS:// – Which is Really the Best?

If you are not well-versed in SEO, it is a daunting task to figure out the intricate details behind whether to choose a secure or insecure protocol. Here are a few points that might help you make a decision:

Are you an e-commerce store that deals with sensitive credit card information and personal data? Then securing your website with HTTPS is your best bet. It will help spread goodwill and trust to your online customers, and make sure that you don’t make the mistake of being too open to web attacks. Your online reputation will have a more positive positioning as well.

What if you are not an e-commerce store, but you deal with people submitting their information (e.g., through a lead gen site)? Then you want to use HTTPS. People count on the security of the web to protect them and to keep their personal data from being compromised. This choice helps add yet another layer of trust and legitimacy to your company.

Should you use the free option of Let’s Encrypt? Well, that depends. Are you just starting out and you don’t have the budget for it? Then, this is a good option. But if you are a company that is making many thousands of dollars, using a more expensive option like GeoTrust or Comodo would be better. They both do the same thing when the implementation goes well, but in marketing, perception is important.

Whether you choose to stay http:// or make the move to https:// is up to you. But, when it comes to creating a more secure web, making the jump to https:// is a wonderful option to take advantage of.

More HTTPS Tips from Google – HSTS and Common Questions