Why Switching your Site to SSL Isn’t as Easy as Flipping a Switch


In 2014 HTTPS was under fire following the massive Heartbleed bug scandal. The Heartbleed bug let people intercept traffic and data being transferred over “secure” SSL connections. The bug was patched shortly after its discovery, but that didn’t prevent the PR nightmare and mass panic that ensued.

It served as a reminder that adequately encrypting user data online is a necessity and not a luxury. As of January 2017, Google Chrome displays a visual warning whenever users visit a site that doesn’t encrypt data.

SSL encryption gives your site and your visitors a range of benefits, from SEO and security to higher conversion rates, all of which we’ll cover in depth in this guide.

But contrary to popular belief, making the switch to SSL isn’t as easy as pushing a button. This guide will help walk you through what to expect, and how to make the switch without breaking your site.

But First – What is HTTPS

HTTPS — short for Hypertext Transfer Protocol Secure — is the underlying technology that keeps websites secure so that users can browse safely without the risk of their sensitive data being leaked to malicious parties.

It is especially important on checkout pages where people submit private information such as credit card numbers or home addresses. But don’t get us wrong, you should have it on all your pages, not just those you deem “sensitive.”

When a user uploads their data to your website, HTTPS adds multiple layers of protection to ensure that data doesn’t fall into the wrong hands.

Here are some of the layers:

  • Encryption. Serving as the first line of defense, encryption protects your data by keeping it encoded. Even if your information is intercepted, the data isn’t easily viewable without the decryption key.
  • Data integrity. Data integrity ensures the data you submit won’t be corrupted. While not exactly a defensive measure against hackers, it sure is a convenient feature to have.
  • Authentication. Authentication is arguably one of the most important layers of security that an SSL offers because it protects you from “man-in-the-middle” attacks. When an SSL is active, hackers can’t use your website’s name to trick site visitors into giving them sensitive information.

Verification Types

The past decade has seen a significant rise in the number of companies using SSL certificates. The applications of SSLs have also expanded.

Some companies use SSLs not for security, but to gain consumer trust by displaying a sense of legitimacy with their emphasis on value.

As the applications continue to widen, more types of SSLs are popping up. Here are the main three:

Extended Validation

EV SSLs are harder to acquire than other certificate forms. Certificate authorities first conduct an extensive audit of the applicant to ensure that it is a legitimate business and has the right to use the specific domain.

Some of the auditing steps include:

  • Verifying the legal, physical, and operational existence of the applicant’s company, organization, etc.
  • Verifying that the identity of the entity matches official records
  • Verifying that the entity has exclusive rights to use the domain specified in the EV SSL certificate
  • Verifying that the entity has properly authorized the issuance of the EV SSL certificate

EV SSLs are available to all kinds of businesses including corporations, sole proprietorships, government entities, and unions. The audits are conducted yearly to ensure that companies wielding an EV SSL are deserving of the certificate.

Organization Validation

OV SSLs are similar to EV SSLs in that an audit is necessary prior to receiving the certificate. When customers click on the website’s seal, they will be supplied with more information about the organization. This is often used to gain exposure and trust.

Domain Validation

DV SSLs are easier to come by as no audit takes place. However, no additional information will be displayed when customers click your website’s seal. The only check that takes place prior to the release of the certificate is verification that the applicant has the right to use the domain name.

SSL Types

Single SSL

Single-name SSL certificates only protect one subdomain. If you get a certificate for www.mywebsite.com, it won’t secure my.mywebsite.com.

Some certificate authorities may secure root domains. For instance, a certificate for www.mywebsite.com may also cover mywebsite.com.

Multiple SSL SAN

SANs — short for Subject Alternative Name — are certificates that are capable of securing multiple domain names. You could get a certificate for business.com then extend the coverage to business.org, business.net, and business.co.uk without having to apply for a new certificate.

Generally, you can add, remove, and edit the domains covered at any time provided the certificate is still valid. However, some certificate authorities require a re-issue after making changes.

Wildcard SSL

Wildcard SSLs let you cover multiple subdomains with a single certificate. Wildcard SSLs are more sought after than SANs because you can add an unlimited number of subdomains and you don’t need to choose which ones at the time of purchase.

You won’t even have to redeploy the certificate whenever you add a new subdomain or remove an existing one. You could get a Wildcard SSL for company.com and it would also work for my.company.com.
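The coverage rules for single-name, SAN and wildcard certificates can be checked against a list of hostnames before you buy. The following is an added example, not code from the original article: the function names are hypothetical, the certificates are constructed from the hostnames used above, and the wildcard rule is the common one where `*` stands for exactly one left-most label.

```python
def name_matches(pattern: str, host: str) -> bool:
    """Return True if one certificate name covers one hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # "*" replaces exactly one left-most label. Requiring three labels
        # rejects "*.com"; real clients consult the public suffix list instead.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered_hosts(cert_names, inventory):
    """Hosts from the inventory that no name on the certificate covers."""
    return [h for h in inventory
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed certificates using the hostnames from the article.
SINGLE = ["www.mywebsite.com"]
SAN = ["business.com", "business.org", "business.net", "business.co.uk"]
WILDCARD = ["*.company.com"]

if __name__ == "__main__":
    print(uncovered_hosts(SINGLE, ["www.mywebsite.com", "my.mywebsite.com", "mywebsite.com"]))
    print(uncovered_hosts(SAN, ["business.org", "shop.business.com"]))
    print(uncovered_hosts(WILDCARD, ["my.company.com", "company.com", "a.my.company.com"]))
```

A wildcard name does not cover the bare root domain or names two levels down, so those need their own entries on the certificate.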

SSL Migration Checklist

The following represents a checklist you can follow to ensure your SSL migration goes off without a hitch. In no particular order….

 

  1. SSL Certification Setting

Where this Takes Place: Server

Steps to Take: Obtain, configure and test a TLS certificate that uses SHA-2. If you are limited on resources, this step can be completed with free SSL options. They are more limited, but still a good option.

 

  2. Google Search Console Registration

Where this Takes Place: Google Search Console

Steps to Take: Head over to Google Search Console and make sure to register all versions of your website: http & https, as well as the www and non-www versions. In the event that you have also registered separate sub-directories or sub-domains in the Google Search Console, make sure to replicate that registration & configuration with their https version.

 

  3. Rankings Monitoring

Where this Takes Place: Rank Tracking Software of Choice

Steps to Take:  If you don’t measure and track performance, you won’t have any insight into how the switch to SSL has impacted your site. While a positive impact is expected, decreases in ranking may indicate that you have some improper SSL configurations going on.

 

  4. Current Top Site Pages & Queries Identification

Where this Takes Place: Google Search Console & Google Analytics

Steps to Take: Identify the top pages, and their related queries, that attract organic search visibility & traffic. Prioritize these pages when validating & monitoring site performance.

 

  5. Current Site Crawling

Where this Takes Place: Staging / Test Environment

Steps to Take:  Crawl the http version of your site to identify and fix any internal broken links, and make any necessary alterations to the web architecture and structure now before making the migration.

 

  6. New HTTPS Web Setting w/ Updated Internal Links

Where this Takes Place: Staging / Test Environment

Steps to Take: Set up the new HTTPS version of the site so you can make the changes there. Next, test & update the links on a staging environment so that they point to the HTTPS URLs (pages as well as resources such as images, JS, PDFs, etc.), and evaluate performance.

 

  7. New HTTPS Web Canonicalization

Where this Takes Place: Staging / Test Environment

Steps to Take: Update your canonical tags to include absolute URLs using https on the staging environment. From your staging environment, verify that the existing rewrites & redirect behavior (non-www vs. www; slash vs. non-slash, etc.) are implemented in the https Web version in the same way they used to work on the former http setup.

 

  8. Redirects Preparation

Where this Takes Place: Server

Steps to Take:  Prepare and test the rewrite rules used to 301 redirect the identified existing URLs (pages, images, js, etc) on the http domain to the new https version.

 

  9. New XML Sitemap Generation

Where this Takes Place: XML Sitemap Generator

Steps to Take: Generate a new XML Sitemap with the https URLs, to be uploaded to the HTTPS Google Search Console profile once the site is moved.

 

  10. Robots.txt Preparation

Where this Takes Place: in your Robots.txt file

Steps to Take:  For this step you’ll need to prepare your site’s robots.txt file to be uploaded on the new HTTPS version of your domain, replicating the existing directives for HTTP as you go along, pointing to HTTPS URLs when and where necessary.

 

  11. Campaign Updates Preparation

Where this Takes Place: Campaign/Marketing platform

Steps to Take: A critical step for most businesses will be making sure all of their marketing and advertorial links are updated to reflect the new HTTPS protocol. Failure to do so may result in lost earnings, wasted ad spend, or improper tracking and attribution for affiliates and campaigns.

 

  12. Disavow Configuration

Where this Takes Place: Google Search Console

Steps to Take: If any link disavow requests were previously submitted under the HTTP version of your site, these may need to be resubmitted for your new HTTPS version in its own Google Search Console profile.

 

  13. Geolocation Configuration

Where this Takes Place: Google Search Console

Steps to Take: If you’re migrating a gTLD that is being geo-targeted through the Google Search Console (as well as its sub-domains or subdirectories), make sure to geo-target them again with the new HTTPS domain version.

 

  14. URL Parameters Configuration

Where this Takes Place: Google Search Console

Steps to Take: If your URL parameters were handled through Google Search Console for the HTTP version of your site, this configuration should be replicated in the new profile for the HTTPS version of your site.

 

  15. CDN Configuration Preparation

Where this Takes Place: CDN Provider

Steps to Take: If your site utilizes a CDN, be sure to validate the new HTTPS URL version of the site with the provider and follow any protocols they have in place for migration to SSL.

 

  16. Ads & 3rd-Party Extension Preparation

Where this Takes Place: Ad, affiliate and extension/plugin platforms

Steps to Take:  This step will involve you taking inventory of any other third party services and software utilized by your site. This includes but is not limited to ad networks (ad code), third party plugins and extensions and SaaS service providers.

Validate with them any steps necessary to ensure a seamless transition to SSL.

 

  17. Web Analytics Configuration Preparation

Make sure that any existing web analytics configurations will also monitor the traffic of the HTTPS version of your domain.
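For the checklist items on updated internal links and canonicalization, a staging page can be scanned for references that still resolve to `http://` before the move. This is an added example, not code from the original article; the site `www.example.com`, the sample page and the class and function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ACTIVE = {"script", "iframe"}                  # blocked by browsers on HTTPS pages
PASSIVE = {"img", "audio", "video", "source"}  # loaded with a warning or upgraded


class InsecureRefFinder(HTMLParser):
    """Collect (kind, tag, url) for each reference that still resolves to http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        raw = a.get("src") or a.get("href")
        if not raw:
            return
        # Resolve relative and protocol-relative URLs against the HTTPS page.
        url = urljoin(self.page_url, raw.strip())
        parts = urlsplit(url)
        if parts.scheme != "http":
            return
        rel = a.get("rel", "").lower().split()
        if tag == "link" and "canonical" in rel:
            kind = "canonical"
        elif tag in ACTIVE or (tag == "link" and "stylesheet" in rel):
            kind = "active-mixed-content"
        elif tag in PASSIVE:
            kind = "passive-mixed-content"
        elif tag == "a" and parts.hostname == self.site_host:
            kind = "internal-link"
        else:
            return  # external <a href> links are not mixed content
        self.findings.append((kind, tag, url))


def scan(page_url, html):
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed staging page for the hypothetical site www.example.com.
SAMPLE = """<html><head>
<link rel="canonical" href="http://www.example.com/shop/">
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.net/lib.js"></script>
<script src="//cdn.example.net/ok.js"></script>
</head><body>
<img src="http://www.example.com/img/logo.png">
<a href="http://www.example.com/cart">Cart</a>
<a href="/checkout">Checkout</a>
<a href="http://partner.example.org/">Partner</a>
</body></html>"""
```

Calling `scan("https://www.example.com/shop/", SAMPLE)` reports the canonical tag, the script, the image and the cart link; relative and protocol-relative references pass because they inherit HTTPS from the page.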

Benefits of Switching to SSL – Why All the Fuss Anyway?

 

SEO benefits

Going from HTTP to HTTPS can greatly improve your organic ranking position. In 2014, Google announced that having an SSL certificate on your website is a ranking factor that influences search results.

Try to migrate from HTTP to HTTPS during low-traffic hours to ensure that your site is re-indexed as soon as possible. Your site may see an initial drop, but over time you’ll regain your old position and continue to move up past it.

Other SEO work such as sitemaps and alt text optimization can help Google re-index your site faster.

Conversion benefits

Every single year, customers get more paranoid when visiting websites. Constant media coverage of incidents like Heartbleed and Cloudbleed coupled with the WannaCry ransomware attacks of 2017 has left internet users more pessimistic than ever when landing on an unfamiliar site.

With cybercrime at its peak, consumers look for one thing when browsing the web — security. Having an SSL certificate on your site can be a psychological cue showing your customers that they’re safe on your site.

That little green lock can go a long way when it comes to earning consumer trust. A 2016 study showed that SSL certificate prices range from $0 (free certificates supplied by Let’s Encrypt) to $20.

Twenty dollars? That’s it? You likely spend more than that on in-game purchases. That small investment can have a big impact though. Having an SSL on your site makes your business look legitimate and trustworthy.

It’s not about how secure your site is, it’s about how secure your customers think your site is.

Any eCommerce website that doesn’t have an SSL certificate but assures customers that their site is secure might just as well cancel their hosting plan right now.

The harsh truth is that no one on this planet with half a brain would buy from a site that screams insecure with a giant red X and broken padlock.

In that sense, websites are like people — no one wants to hang out with someone who’s insecure.

If you’re trying to optimize your website’s conversion rate, it is imperative that you establish trust. Without trust, no purchases will take place. Even drug dealers and illegal firearms traders try to establish trust with their clientele.

Getting an SSL is a cheap way to assure your customers that their data is in safe hands. If consumers feel that your business values security, they’re far more likely to make a purchase.

Downsides of free SSLs and why Premium Matters

Some people like to take free-of-charge domain validation certificates because they are economical and can be issued in a short amount of time. While these types of certificates may be fine for personal websites or blogs, they aren’t always the wisest choice for large websites or online stores. Here are some ways that free SSLs fall short:

Unsuitable for eCommerce Websites

Free certificates only validate the domain registration, not the legitimacy of the website’s owner. If you need to receive sensitive information like credit card numbers and shipping addresses — on a checkout page, for instance — then free certificates will not suffice.

Instead, get a business validation or extended validation SSL certificate. They aren’t free but they’ll increase sales significantly so they practically pay for themselves — and then some.

May Damage Customer Trust

Customers may lose trust in you if they notice that your SSL certificate is of the free variety. If you don’t care enough about their security to invest in a proper SSL, why should they trust you with their financial information?

Any negative impact on consumer trust will directly affect your business’ income.

Limited customer support

Providers of free SSLs offer limited customer service. While this may not seem like a big deal, any issues can take quite a while to resolve. On the other hand, providers of premium SSLs will have 24/7 live chat customer service available to all their users.

Conclusion

So, the question remains…should you switch to HTTPS?

To this you should be answering a resolute YES! Securing your site with a premium SSL can protect your data, increase conversions, and improve your website’s organic ranking position.

Choose a certificate that fits your specific needs and be sure to always secure checkout pages unless you want to be bombarded with frivolous lawsuits.

Do your research and stay secure.