What is HTTPS and why it is important for SEO and web security
HTTPS stands for Hypertext Transfer Protocol Secure, which refers to a secure version of the HTTP protocol used to send data between a web browser and a website. HTTPS can effectively encrypt data to increase its security when transmitted in an Internet environment. This is especially important when sensitive data is being transmitted, such as logging into a bank account, sending sensitive personal information, or accessing a payment gateway.
Today, securing a website with HTTPS should be standard, yet many sites still do not do it. Users should avoid, for example, shopping at e-shops that do not offer HTTPS security to their customers. At TRITON IT, we offer our clients websupport, which makes minor adjustments to managed websites and answers clients' questions on a daily basis. One of the most common questions is about HTTPS: how to set it up and what to look out for. That is why this article was written.
How does HTTPS work?
HTTPS uses an encryption protocol to encrypt network communications. This encryption, or cryptographic protocol, is called Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL). The TLS protocol secures communications using what is known as an asymmetric public key infrastructure. This type of security uses two different keys to encrypt communications on the Internet between two parties:
- The private key is controlled by the owner of the website and is kept secret. This key resides on the web server and is used to decrypt information encrypted with the public key.
- The public key is available to anyone who wishes to communicate with the server in a secure manner. Information that is encrypted with the public key can only be decrypted with the private key, ensuring that no one other than the intended recipient can access the information sent.
Why is HTTPS important?
What happens if a website does not use HTTPS? By using HTTPS, the website owner prevents information from being transmitted in a way that is easily visible to anyone listening in on the network. When information is sent over plain HTTP, the information is broken into packets of data that can be easily "eavesdropped" on using freely available software. This makes communication over an insecure channel such as public Wi-Fi very vulnerable to interception. In fact, all communications that take place over HTTP are in plain text, making them very accessible to anyone with the right tools and vulnerable to attacks.
As of early 2024, there were nearly 300 million SSL certificates registered on the entire Internet.
With HTTPS, traffic is encrypted so that even if packets are eavesdropped or otherwise intercepted, they will look like meaningless characters and are unusable without a private key that only the website owner knows.
How can I tell if a website is using HTTPS?
In all web browsers in common use today, such as Google Chrome, Safari or Edge, websites that do not use HTTPS are prominently marked, so that a user who lands on such a website by accident knows immediately that the connection is not secure.
A site using HTTPS is most often marked with a lock icon next to the URL of the site at the top of the browser. Conversely, if the site uses an older, insecure version of HTTP, the user is warned with a warning triangle or "Not Secure".
How does HTTPS affect SEO?
HTTPS is not only important for security and user privacy, but also for search engine optimization (SEO). Google and other search engines prefer and favor authentic, secure and trustworthy websites, and have thus included the presence of HTTPS in the list of so-called SEO signals. In practice, this means that websites that use HTTPS are indexed faster and appear in higher positions in search results. In addition, switching to HTTPS also positively affects the loading speed of a website, which is another crucial SEO factor.
As part of his bachelor thesis, David Trojan investigated the influence of SEO factors, including HTTPS, on the position of websites in Google search. For this he used data from WebMedea. He found that the security of a website via HTTPS is one of the most important SEO parameters, along with other factors such as site speed, the presence of keywords in the meta title tag, meta description tag or H1 headings, and Google gives them a lot of weight. The theoretical part of the thesis is in the form of an SEO manual accessible on WebMedea. The mentioned practical part and its results can be found in the conclusion.
How to get a TLS/SSL certificate and switch to HTTPS protocol?
Switching to HTTPS requires steps such as obtaining a TLS/SSL certificate, installing it, setting up redirects and updating internal links. These steps are recommended if you want to increase the security and SEO of your website.
As of 2024, up to 18% of websites are still not using HTTPS for encrypted communication.
Normally, all security certificate management is handled by the hosting provider. At TRITON IT, we take great pride in the security of our clients' websites, so the presence of HTTPS on our managed websites is standard.
The first step in switching to secure HTTPS is to choose a certificate authority that issues TLS/SSL certificates. Since 2016, free certificates from the Let's Encrypt certificate authority have been offered on the market. These certificates are quite sufficient for ordinary websites or e-shops and provide the necessary security of communication.
When is a free certificate not enough?
In some cases, however, a standard free certificate is not enough. Large websites often have their own security systems that may consider the Let's Encrypt certificate authority untrustworthy, in which case you need to use one of the paid certificates. These, unlike free certificates, offer a so-called guarantee. In practice, this means that the certification agency that issued the paid certificate guarantees its security and will pay you a pre-agreed amount of money in the event of a breach of encrypted communication and data leakage.
Up to 90% of all existing valid SSL certificates have been issued through just six certificate authorities.
A specific example is our cooperation with our client Loomis. They approached us when they needed to significantly improve the service of their website, both in response times and in the competence to make modifications that would allow the Loomis website to pass the Bitsight web security rating. It is precisely this stringent security standard that requires a paid SSL certificate meeting its exacting requirements. By switching to a new type of this certificate, along with other security changes to the Loomis site, we were able to elevate the client's website from a B rating to the highest level of A.
After adding a certificate to your website, it is important to keep an eye on its validity, which is normally set at 1 year for paid certificates and 90 days for free certificates. After this period, you need to renew the certificate. At TRITON IT, regular certificate management and renewal is part of the website management service we offer to our clients.
When a certificate is installed on a website for the first time, the site's URL must be updated, i.e. its scheme changed from http:// to https://. Subsequently, it is important to change all links pointing to your website to https:// as well. This step can be facilitated by one of the plugins that we at TRITON IT use extensively in the WordPress interface, which allows us to perform efficient redirects and avoid the familiar 404 errors on your site.
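The two follow-up checks described above (watching certificate validity and finding links that still use http://) can be scripted. The following is an added example, not code from TRITON IT or any plugin mentioned here; the host example.com, the sample data and the 30-day renewal threshold are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urlsplit

RENEW_BEFORE_DAYS = 30  # assumed renewal threshold, not a value from the article

def days_until_expiry(not_after, now):
    # not_after has the format of ssl.SSLSocket.getpeercert()["notAfter"]
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def needs_renewal(not_after, now, threshold=RENEW_BEFORE_DAYS):
    return days_until_expiry(not_after, now) <= threshold

class _InsecureLinkFinder(HTMLParser):
    """Collects http:// URLs in href/src/action attributes that point at our own host."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                parts = urlsplit(value)
                if parts.scheme == "http" and parts.hostname == self.own_host:
                    self.found.append((tag, value))

def find_insecure_links(html, own_host):
    finder = _InsecureLinkFinder(own_host)
    finder.feed(html)
    return finder.found

# Constructed sample data (example.com is a placeholder host).
SAMPLE_NOT_AFTER = "Jun 10 12:00:00 2025 GMT"
SAMPLE_NOW = datetime(2025, 5, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HTML = """
<a href="https://example.com/">Home</a>
<a href="http://example.com/contact">Contact</a>
<img src="http://example.com/logo.png" alt="logo">
<a href="http://partner.example.net/">Partner</a>
<a href="/about">About</a>
"""

if __name__ == "__main__":
    print("days left:", days_until_expiry(SAMPLE_NOT_AFTER, SAMPLE_NOW))
    print("renew now:", needs_renewal(SAMPLE_NOT_AFTER, SAMPLE_NOW))
    for tag, url in find_insecure_links(SAMPLE_HTML, "example.com"):
        print(f"<{tag}> still points to {url}")
```

On a live site, the notAfter string would come from the certificate returned by the server's TLS handshake and the HTML from each crawled page.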