If you have a website property verified in Google Search Console, and the website is not HTTPS-secured, you’ve likely seen some form of the following message in your dashboard recently:
After months of talk and speculation, Google has finally started to move forward with its plan to secure the web by enforcing HTTPS. Although HTTPS had previously only been a concern for e-commerce sites or sites with login functionality, this latest update affects significantly more sites. The vast majority of websites have a contact page (or something similar) that contains a contact or subscription form. Those forms almost always contain text input fields like the ones Google warns about in the message above. The “NOT SECURE” warning has already been appearing on insecure sites that collect payment information or passwords. It looks like this in a user’s URL bar:
Now that this warning will be displaying for a much larger percentage of the web, webmasters can’t put off an HTTPS implementation any longer. Unfortunately, Google’s advice to webmasters for solving this problem is about as vague and unhelpful as you might imagine:
Implementing HTTPS is not a simple process. The Washington Post published a blog post outlining their 10-month HTTPS migration back in 2015, and numerous sites (including Moz) have reported experiencing major traffic fluctuations following their migrations. The time and resources required to migrate to HTTPS are no minor investment; we’re talking about a substantial website overhaul. In spite of these obstacles, Google has shown little sympathy for the plight of webmasters:
@rchtjn Well, turning the website off saves money too.
— John ☆.o(≧▽≦)o.☆ (@JohnMu) December 18, 2015
Google’s singular focus in this area is to provide a better user experience to web visitors by improving Internet security. On its surface, there’s nothing wrong with this movement. However, Google’s blatant disregard for the complexities this creates for webmasters leaves a less-than-pleasant taste in my mouth, despite their good intentions.
Luckily, there's a bit of a silver lining to these HTTPS concerns. Over the last few years, we’ve worked with a number of different clients to implement HTTPS on their sites using a variety of different methods. Each experience was unique and presented its own set of challenges and obstacles. In a previous post, I wrote about the steps to take before, during, and after a migration based on our experience. In this post, my focus is instead on highlighting the pros and cons of various HTTPS services, including non-traditional implementations.
Here are the three methods we've worked with for our clients:
- Traditional HTTPS implementation
- Let’s Encrypt
- Cloudflare
Method 1: Traditional HTTPS implementation
A traditional HTTPS implementation starts with purchasing an SSL certificate (strictly a TLS certificate, but the old name has stuck) from a trusted Certificate Authority (CA) such as Digicert or Comodo (hint: if a site selling SSL certificates is not HTTPS-secured, don’t buy from them!). (*NOTE: Google just announced this week they will no longer trust certificates issued by Symantec, which includes the brands Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL.) Next you generate a private key on your server and, from it, a Certificate Signing Request (CSR), which you submit to the CA; the private key itself never leaves your server. The CA then validates that you control the domain (for a Domain Validation certificate, typically via an email to an address at the domain, a DNS record, or a file placed on the web server) and issues the certificate. At this point you have a valid certificate, but you still have to install it, together with the CA’s intermediate chain and your private key, on your web server. Namecheap has a great article about installing SSL certificates depending on your server type. Once the certificate is installed and serving, your site is HTTPS-capable, and the remaining steps are to redirect all HTTP traffic to HTTPS with a 301 and to enable HSTS so browsers stop attempting plain HTTP at all.
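The key, CSR and verification steps from the paragraph above, as an added example that is not part of the original post (nor of Namecheap’s guide): it generates the private key on the server that will use it, builds a CSR that names both the apex and the www host in the Subject Alternative Name extension (browsers match hostnames against the SAN list, not the CN), and checks the CSR before you paste it into the CA’s order form. The domain example.com and the file names are placeholders; the script assumes a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes: openssl on PATH,
# a POSIX shell, and a placeholder domain (example.com) passed in by the caller.
set -eu

# make_csr DOMAIN KEYFILE CSRFILE
# Generates a 2048-bit RSA private key and a CSR for DOMAIN and www.DOMAIN.
# The key is written with -nodes (no passphrase) so the web server can load it
# unattended; file permissions are what protect it.
make_csr() {
  domain="$1"; keyfile="$2"; csrfile="$3"
  cfg="$(mktemp)"
  cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = ${domain}
[ext]
subjectAltName = DNS:${domain},DNS:www.${domain}
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
    -keyout "$keyfile" -out "$csrfile" 2>/dev/null
  rm -f "$cfg"
  chmod 600 "$keyfile"          # the private key never leaves this server
}

# csr_check CSRFILE HOSTNAME
# Succeeds only if the CSR's self-signature verifies and HOSTNAME appears in
# its SAN list. Run it for every hostname you expect the CA to sign.
csr_check() {
  csrfile="$1"; hostname="$2"
  openssl req -in "$csrfile" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$csrfile" -noout -text 2>/dev/null \
    | grep -qE "DNS:${hostname}(,|$)"
}

# key_matches_csr KEYFILE CSRFILE
# The public key embedded in the CSR must be the one derived from KEYFILE;
# a mismatch means the certificate the CA issues will not work with your key.
key_matches_csr() {
  a="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
  b="$(openssl req -in "$2" -pubkey -noout 2>/dev/null)" || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: sh make_csr.sh --demo   (writes example.com.key and example.com.csr)
if [ "${1:-}" = "--demo" ]; then
  make_csr example.com example.com.key example.com.csr
  csr_check example.com.csr www.example.com \
    && key_matches_csr example.com.key example.com.csr \
    && echo "CSR ready to submit to the CA"
fi
```

Submit only the .csr to the CA; keep the .key readable by the web server account alone. When the CA returns the certificate, install it together with the intermediate chain the CA supplies, otherwise browsers that lack the intermediate will show a trust error even though the leaf is valid.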
Pros
- Full control and a fully trusted chain. With a CA-issued certificate installed on your own server, TLS is terminated by you: the connection from the visitor’s browser to your server is encrypted and authenticated end to end, with no third party in the middle. (That protects data in transit only; it says nothing about the security of the server or the application behind it.)
- Customizable. A traditional purchase lets you choose an Organization Validation (OV) or Extended Validation (EV) certificate. At the time of writing, browsers showed the company name next to the padlock for EV certificates as extra assurance to visitors. The cryptographic protection is identical to a Domain Validation certificate, and browsers have since dropped the distinctive EV indicator from the address bar, so treat EV as a branding decision rather than a security one.
- Easier to implement across multiple subdomains. If you have multiple subdomains, what you'll likely need for your HTTPS implementation is either a separate SSL certificate for each subdomain or a wildcard certificate for all variations of your domain. A traditional SSL service is often the easiest way to set up a wildcard certificate if you need to secure several variations.
Cons
- Expensive. A basic Domain Validation certificate is cheap (commercial CAs sell them for tens of dollars a year, and free options exist), but OV and EV certificates, wildcard certificates, and multi-domain SAN certificates run from hundreds to several thousand dollars a year. That also doesn’t include the developer time to install the certificate and fix everything the migration breaks, which is usually the larger cost.
- Time to implement. As mentioned above, it took the Washington Post 10 months to complete their HTTPS migration. Other companies have reported similar timeframes, especially for larger, more complex websites. It’s very hard to know in advance what issues you’ll have to resolve with your site configuration, how much mixed content you’ll run into (pages served over HTTPS that still load scripts, stylesheets or images over http://, which browsers block or flag), how many hard-coded http:// links live in your database, and so on, so plan lots of extra time to address these issues if you go with a standard implementation.
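The two follow-up steps the Method 1 description mentions (forced HTTPS redirects and HSTS) and the mixed-content problem from the list above, as an added example that is not from the original post: a function that prints an nginx server pair which redirects HTTP to HTTPS while leaving the ACME challenge path on port 80, a check of the HSTS header a site actually sends back, and a grep-based scan for http:// subresources in a site’s HTML. The domain, certificate paths and directory layout are placeholders; the config assumes nginx 1.13 or newer built against OpenSSL 1.1.1 (for TLS 1.3), and the script assumes a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: example.com and
# the /etc/ssl and /var/www paths. Assumes nginx >= 1.13 and a POSIX shell.
set -eu

# nginx_tls_server DOMAIN CERT KEY HSTS_SECONDS
# Prints an nginx config: port 80 answers only ACME challenges and redirects
# everything else with a 301; port 443 serves the site with HSTS. The
# 'always' flag makes nginx add the header on error responses too.
nginx_tls_server() {
  domain="$1"; cert="$2"; key="$3"; hsts="$4"
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${domain} www.${domain};
    # Let's Encrypt HTTP-01 validation must still work over plain HTTP.
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://\$host\$request_uri; }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${domain} www.${domain};
    ssl_certificate     ${cert};
    ssl_certificate_key ${key};
    ssl_protocols TLSv1.2 TLSv1.3;
    # HSTS: browsers will refuse plain HTTP for this host for ${hsts} seconds.
    # Start small and raise it only once every subdomain serves HTTPS.
    add_header Strict-Transport-Security "max-age=${hsts}; includeSubDomains" always;
    root /var/www/${domain};
}
EOF
}

# hsts_max_age HEADER_LINE
# Prints the max-age value from a Strict-Transport-Security header, or
# nothing if the header is missing or malformed. Directive names are
# case-insensitive, so the line is lower-cased first.
hsts_max_age() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# hsts_ok HEADER_LINE MIN_SECONDS
# Succeeds if the header carries a max-age of at least MIN_SECONDS. A tiny
# max-age (or no header at all) means the browser forgets the policy almost
# immediately, which is the most common way HSTS gets "enabled" but not used.
hsts_ok() {
  age="$(hsts_max_age "$1")"
  [ -n "$age" ] && [ "$age" -ge "$2" ]
}

# find_mixed_content DIR
# Lists file:line:match for subresources (src=, action=, and <link href=)
# hard-coded to http:// under DIR. Plain <a href="http://..."> links are
# navigations, not mixed content, so they are deliberately not reported.
find_mixed_content() {
  grep -rnoE "((src|action)=[\"']http://[^\"']*|<link[^>]*href=[\"']http://[^\"']*)" "$1" || true
}

# Usage: sh https_checks.sh --demo > /etc/nginx/conf.d/example.com.conf
if [ "${1:-}" = "--demo" ]; then
  nginx_tls_server example.com /etc/ssl/example.com.pem /etc/ssl/example.com.key 300
fi
```

Two caveats worth knowing before copying the redirect: the HSTS header is only honored when it arrives over HTTPS, so sending it from the port 80 server block does nothing; and if a TLS-terminating proxy in front of you (Cloudflare in Flexible mode, for instance) fetches the origin over plain HTTP, an unconditional port 80 redirect produces an infinite loop, and the origin must instead key the redirect on the X-Forwarded-Proto header the proxy sets.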
Method 2: Let’s Encrypt
Let’s Encrypt is a free, automated Certificate Authority run by the nonprofit Internet Security Research Group (ISRG) to promote web security by providing SSL certificates at no cost. The end result is the same as a traditional implementation: you prove to the CA that you control the domain, install the certificate on your server, then enable HSTS and forced HTTPS redirects. The difference is that validation and issuance happen over the ACME protocol, and an ACME client such as Certbot automates them: it answers the CA’s challenge (by serving a token under /.well-known/acme-challenge/ on your web server, or by publishing a DNS TXT record), downloads the certificate and chain, and can configure Apache or nginx to use them for you.
Pros
- Free. The cost is zero, zippo, nada. No fine print or hidden details.
- Ease of implementation. Let’s Encrypt is often much simpler to set up than a traditional certificate, because the ACME client does the validation, download and (optionally) the server configuration for you. Although not quite as simple as Cloudflare (see below), this automation removes a lot of the technical hurdles for people looking to install a certificate.
- Complete encryption. As with a traditional certificate, TLS terminates on your own server, so the whole path from visitor to server is encrypted and authenticated, and the certificate is trusted by the same browser root stores as a paid one.
Cons
- Compatibility issues. A few old platforms do not trust the Let’s Encrypt chain (at the time of writing, Blackberry and the Nintendo 3DS were the usual examples), though they are unlikely to be a meaningful share of your traffic.
- 90-day certificates. Traditional certificates are typically valid for a year or more; Let’s Encrypt certificates are valid for 90 days, and Let’s Encrypt recommends renewing after 60. The short lifetime is deliberate: it limits the damage from a leaked key and forces renewal to be automated. A missed renewal means an expired certificate and a full-page browser error, so treat the renewal job (Certbot installs a cron job or systemd timer that runs `certbot renew`) and monitoring of days-to-expiry as part of the implementation rather than an afterthought.
- Limited customization. Let’s Encrypt issues Domain Validation certificates only, so there is no OV or EV option. It also did not, at the time of writing, offer wildcard certificates to cover all of your subdomains, though it announced those for January 2018 (wildcard issuance requires the DNS-01 challenge, i.e. publishing a TXT record, since control of a whole subdomain space cannot be proven from a single web root).
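The Certbot issuance described above and the 90-day renewal concern from the cons list, as an added example that is not from the original post or from the Certbot project: the certbot invocations are the ones a practitioner would run on a server whose web root is reachable on port 80, and the needs_renewal and days_left checks are a stand-alone monitor, independent of Certbot, that you can run from cron to catch a renewal timer that has silently stopped working. example.com, /var/www/html and admin@example.com are placeholders; the checks assume the openssl command-line tool, and mock_cert exists only so they can be exercised without a real certificate.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: example.com,
# /var/www/html, admin@example.com. Assumes certbot and openssl are installed.
set -eu

# issue_cert DOMAIN WEBROOT EMAIL
# Asks Let's Encrypt for a certificate via the HTTP-01 challenge: Certbot
# writes a token under WEBROOT/.well-known/acme-challenge/ and the CA fetches
# it over plain HTTP on port 80, so that path must stay reachable (do not
# redirect it to HTTPS). The certificate lands in
# /etc/letsencrypt/live/DOMAIN/fullchain.pem, the key in privkey.pem.
issue_cert() {
  certbot certonly --webroot -w "$2" -d "$1" -d "www.$1" \
    --email "$3" --agree-tos --non-interactive
}

# renew_all
# Certbot only renews certificates within 30 days of expiry, so this is safe
# to run daily; the deploy hook reloads the web server only when a certificate
# actually changed. "certbot renew --dry-run" rehearses it against staging.
renew_all() {
  certbot renew --quiet --deploy-hook "systemctl reload nginx"
}

# needs_renewal CERTFILE DAYS
# Succeeds (exit 0) if CERTFILE expires within DAYS days. Independent of
# Certbot, so it still alerts you when the renewal timer has broken.
needs_renewal() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# days_left CERTFILE
# Prints the whole number of days until expiry (0 if already expired). It
# binary-searches -checkend rather than parsing locale-dependent date output.
days_left() {
  lo=0; hi=3650
  while [ "$lo" -lt "$hi" ]; do
    mid=$(( (lo + hi + 1) / 2 ))
    if openssl x509 -in "$1" -noout -checkend $(( mid * 86400 )) >/dev/null 2>&1; then
      lo=$mid
    else
      hi=$(( mid - 1 ))
    fi
  done
  echo "$lo"
}

# mock_cert DAYS OUTFILE
# Self-signed certificate valid for DAYS days, for exercising the checks
# locally. Never deploy a self-signed certificate on a public site.
mock_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=example.com" \
    -keyout "$2.key" -out "$2" 2>/dev/null
}

# Usage: sh le_renewal.sh --demo
if [ "${1:-}" = "--demo" ]; then
  mock_cert 90 demo.pem
  echo "days left: $(days_left demo.pem)"
  needs_renewal demo.pem 30 && echo "renew now" || echo "renewal not yet due"
fi
```

In production, point needs_renewal at /etc/letsencrypt/live/example.com/fullchain.pem with a threshold of 20 days or so: Certbot should have renewed at 30, so anything below that means the automation has failed and a human needs to look before the site goes dark.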
Method 3: Cloudflare
This is one of my favorite HTTPS implementations, simply because of how easy it is to enable. Cloudflare offers a free Flexible SSL mode, which removes almost all of the hassle of installing a certificate on your own server. Instead, Cloudflare acts as a reverse proxy (a CDN) in front of your origin server: visitors connect to Cloudflare’s edge, which terminates TLS with a certificate Cloudflare issues for your domain, serves cached static assets, and fetches everything else from your server. You can see what this looks like in the picture below:
In doing so, Cloudflare makes this process about as simple as you can ask for. All you have to do is create an account and change your domain’s nameservers to Cloudflare’s, so that DNS resolves your hostnames to Cloudflare’s edge rather than directly to your server. Boom, done. And as with Let’s Encrypt, the basic service is entirely free.
Pros
- Free. The cost is zero, zippo, nada. No fine print or hidden details. Cloudflare does offer more advanced features if you upgrade to one of their paid plans, but the base SSL service comes completely free.
- Easiest implementation. As I mentioned above, all that’s required for implementing Cloudflare’s SSL service is creating an account and updating your nameservers. There’s no change to the server configuration and no time spent resolving configuration issues. HSTS and forced HTTPS can be switched on directly in the Cloudflare dashboard (the “Always Use HTTPS” and “Automatic HTTPS Rewrites” settings), so there’s really almost no work involved on your end.
- PageSpeed optimizations. In addition to TLS, Cloudflare’s HTTPS implementation provides several additional services that can preserve PageSpeed scores and page load times. Terminating TLS on your own server (traditional or Let’s Encrypt) adds a little handshake latency that you have to offset yourself; Cloudflare offers the ability to auto-minify JS, CSS, and HTML; Accelerated Mobile Pages (AMP); and Rocket Loader for faster JS load times. All of these features (along with Cloudflare serving cached static assets from its edge) help prevent any increase in page load times on your site.
Cons
- Incomplete encryption in Flexible mode. As the picture above shows, Flexible SSL encrypts only the leg between the visitor and Cloudflare’s edge; Cloudflare then fetches your pages from your server over plain HTTP. The visitor sees a padlock, but their requests and your responses cross the Cloudflare-to-origin hop in the clear, and your origin is still listening on port 80 for anyone who learns its IP address. Don’t use Flexible for anything that handles logins or payments. Cloudflare’s Full and Full (strict) modes encrypt that second leg too and are also available on the free plan: Full accepts a self-signed certificate on the origin, while Full (strict) requires a certificate from a trusted CA (a free Let’s Encrypt certificate qualifies). Only Full (strict) verifies the origin’s identity; Full encrypts without checking who it is talking to, so it stops passive eavesdropping but not an active man-in-the-middle.
- Security concerns. In February 2017 the Cloudbleed bug, a buffer overrun in the HTML parser Cloudflare runs at its edge, leaked chunks of uninitialized memory into responses served through Cloudflare, including other customers’ session cookies and other sensitive data, some of which search engines then cached. It was a memory-safety bug rather than a break-in, and Cloudflare fixed it and had the cached copies purged, but it illustrates the trade-off of any TLS-terminating proxy: the proxy sees your traffic in plaintext, so its bugs become your bugs.
- Lack of customization. Like Let’s Encrypt, Cloudflare’s free plan gives you a Domain Validation certificate that Cloudflare issues and controls, not an EV certificate. Uploading your own certificate, EV or otherwise, requires one of the paid plans.
Which type of HTTPS implementation is best?
It really depends on your site. Smaller sites that just need enough security that Chrome won’t flag them can likely use Cloudflare, ideally in Full (strict) mode with a certificate on the origin. The same goes for agencies providing HTTPS recommendations to clients where you don’t have development control of the site. On the other hand, major e-commerce or publication sites are going to want a fully customized HTTPS implementation through traditional means (or via Let’s Encrypt’s wildcard certificate, when that arrives next year). Ultimately, you’ll have to decide which implementation makes the most sense for your situation.
Be sure to check out the corresponding MozPod episode for more about this topic!
I made this change when the bells rang that Google was going to force everyone to have it on their website.
My website is really small and with something basic it was 100% functional. I tried method 2, which is free of charge, but there were a lot of errors on the server because I didn't implement it properly. Then I decided to go to my hosting service and ask for the SSL certificate they offer. For 150€ they did it for me, and best of all it is permanent for as long as I stay with their company. Unfortunately, I was not aware of the Cloudflare SSL option.
The problem with SSL is that social network rankings are disappearing, and it took a while (1 month) for Google to stop identifying duplicate content.
Hi Enrique! That's a great point, doing this through a hosting service is almost always one of the more efficient ways to do it. WPEngine, one that we use a lot, will implement Let's Encrypt SSL directly through their hosting environment, which is a great way to go about that.
Can you give some more details about the social network rankings you were talking about? I'm curious what you were seeing there and how it affected your site performance.
Of course, of course,
On my website I use a social button plugin for Wordpress called SumoMe. If a page had 100 shares on Facebook and 20 on Twitter, when SSL encryption was enabled, all social network share counts were automatically reset to 0.
The hosting company told me that it was normal for this to happen, although there are web experts who know how to transfer this data so that the social share counts do not restart.
Another negative element that I observed is that, before, each time an article from my blog was shared on Twitter, this share was added to SumoMe's shared elements. Since the change, the modification of this plugin to make the counter work no longer works, so I have to be satisfied that it does not add.
As for the duplicate content in Search Console, I suppose it was normal for it to identify two different entries, one with the https protocol and one with http. In the end this error was corrected with a new sitemap and by setting an option in Wordpress so that it is only ever accessed as https.
That's really frustrating to hear about the social counters, though I can't say I'm surprised. And with Search Console, one thing that we've found helps with that is to create a new Property Set that includes both the HTTP and the HTTPS version of the site. That way, while Google still processes the migration, you can consolidate data from both sites into a single dashboard. It's really helpful when you're trying to track Search Analytics.
Hello Enrique,
The problem with Google's duplicate issue is that you need to have a 301 redirect from HTTP to HTTPS using the .htaccess file, or else Google might penalize you for duplicate content. A redirect will tell Google to redirect the older URLs to the newer URLs and thus poses no duplicate content issues. You have a pretty small site with just 100 items; just imagine the issue with 100,000 items posing 100% duplicate content, your site will be penalized, hence use 301 redirects while migrating from HTTP to HTTPS.
About your links from social networks, a proper 301 redirect from HTTP to HTTPS will solve the issue, as Google will redirect the link from HTTP to HTTPS without affecting your overall ranking, but you need to change your profile web links from HTTP to HTTPS manually.
Use Search Console to verify your new HTTPS site and you can monitor the overall migration process of urls as well as your backlinks.
Hey JR, interested to note that your profile records you as being a soccer referee. Way to go man!
My first time at Moz. I guess some of this is more on the webmaster side but you've missed a few salient points.
• Migrating a site can be dead easy for most of the common CMS platforms (see Migrating the site down below).
• Differing SSL certificate options
Apart from expensive EV certs (you've covered those) there are plenty of trusted CA companies out there providing very inexpensive (i.e. $9.95/yr) yearly certs which are perfectly fine. The only exception is those who want a wildcard SSL to save the time needed to get individual certs for subdomains. But if you're new to this then CF or LetsEncrypt is the way to go for almost everyone.
• Cloudflare wasn't *hacked* - it was a bug. Big difference.
Dubbed the Cloudbleed bug, it affected only a few proxy servers & less than 150 of their customers. And the content was garbled and only in the header meta & wasn't viably useful but just embarrassing for Cloudflare.
I use Cloudflare free plans for my SMB clients, for the added benefits of web-proxy, caching, & security layer - that makes it a no-brainer. Plus their html/js/css minification & compression is useful for the average person who is not doing on-site above-the-fold optimisation and custom speed optimisation. They even offer SSL obfuscation (converts http to https automatically) for those who don't want to spend the time mucking around with pesky hidden https:// links
• LetsEncrypt
Most modern hosters provide auto LetsEncrypt setup AND auto renewal. If you don't want to move your DNS to Cloudflare (or don't understand what Cloudflare does) then automated LetsEncrypt is the obvious answer. But you'll need to take care of the other things onsite/on server (ie. caching and compression at least)
• Benefits
- establishes user trust
- you *do* gain a small benefit from Google esp. by 2018 (read their own press about this)
- safeguards user data from prying eyes between them and the server, or payment gateway
- you can use HTTP/2 capable servers (faster/better)
- you'll uncover unnoticed issues or old code/plugins on your site, and remove errors that cause slow page loading.
- (see below) updating old code means that you can move to newer versions of PHP (faster/better/more secure)
What it *Doesn't* mean: that your site is secure from hacking. SSL only covers transmission of data between browser and server. Learn how to secure your site.
• Win XP
Free Cloudflare SSL uses SNI - *only* Windows XP is not SNI capable. StatCounter.com shows 83% of desktop users are Windows and of that 4.48% are using XP so that's a bit over 2% of all desktop users. If you factor in that over 55% of global internet traffic is now mobile devices then that is less than 1 percent. A site like W3schools which publishes user browsing stats has XP at a total of 0.7% - pretty much on the mark. And really, who is still using Windows XP for web browsing? Unless you've got a specific market share in 3rd world countries or lower socioeconomic seniors, I'd say it is pretty safe to ignore Win XP.
• Migrating: Back up your DB & files first. Converting all http:// links to simply //, or https:// if you must*, is the "proper" way to set up your site (using a find/replace tool or plugin).
*Using https:// in the links is unnecessary if you setup your site to force it to https:// for the front page (your other links will follow suit). This in turn removes the possibility of duplicate content in SERPS.
The other dead EASY option is to use Cloudflare or a plugin/extension for your chosen CMS (such as Wordpress, Joomla, Drupal, Prestashop, Magento etc.) to obfuscate the http links to https as it serves all content. Nothing else to do.
But a proper migration to SSL can be a blessing, because it can highlight poor structure, poorly written code or plugins, and inadequate content management processes. A well designed site generally is a snap to change over.
There are quality online guides out there for your chosen CMS. So for most well-coded small business sites operating on common open source CMS migrating to SSL really shouldn't be that much of an issue.
And... If there are 404 errors then you've done something wrong.
• Ecommerce standards or PCI-DSS - the most basic 128-bit SSL certificate is perfectly fine for ecommerce (LetsEncrypt, Cloudflare, $9.95 yrly certs) - don't let people tell you otherwise.
• Timeline: If you haven't migrated yet, then you're at least a year behind the eight ball. Get it done!
This is fantastic, thanks for sharing all this! Super interesting to hear your thoughts coming from the webmaster side as opposed to more of the SEO side.
> basic SSL certificates may be available for as little as $150
You can get basic certs for as little as $15-20...
90 days certs should be in the pro column as they are more secure, and if you have correctly set up Lets Encrypt they will automatically self renew.
Another con to add to the Cloudflare list is that people who have not upgraded their systems from Windows XP (possibly Windows Vista too, not sure on this) and still use Google Chrome are unable to access any websites which are using the free Cloudflare accounts for their SSL certificates.
Instead they are given the "This site can't provide a secure connection" error page. This is because Google Chrome no longer supports Windows XP, which means older Chrome browsers will not allow websites with certain types of SSL certificates to be accessed.
This however doesn't apply to the paid Cloudflare accounts as they provide a different SSL certificate version which seems to work fine.
Great point Adam! Thanks for bringing that up! Do you know what percentage of users that still affects at this point?
Thank you so much for offering such an insightful post. I have been mulling over the best solution for weeks. I'm closer to making a decision now. Cheers
Glad to hear it helped! Let me know how it all goes for you, I'd love to hear which option you decide on.
With this post I'll try to change to HTTPS. One of my main doubts is plugin compatibility with HTTPS...
Any good plugin writer will correctly handle this within their code. If not, you have to question whether the plugin is well written, secure and up to date with modern code and proper coding practices.
Agreed with all the pros and cons of HTTPS services explained in the post. But there is also a drawback to it which I've been facing for a long time. Earlier my site did not have https, but since I did this we got lots of redirect chain issues and one critical 404 error. I have solved almost all of them, but the 404 one still hasn't been solved. I think without better info about it we can't get more benefits.
Yep, this is a problem we've seen across all sorts of HTTPS migrations. Redirect chain issues, 404 errors, and mixed content issues have been extremely tough to resolve regardless of which method you use. Glad to hear you got that all (almost) sorted out!
Great article. I love how straight forward you were in the solutions without bombarding the reader with an enormous amount of options. You evaluated Traditional HTTPS / Let's encrypt / Cloudflare for cost, complexity and functionality.
You also wrote - " numerous sites (including Moz) have reported experiencing major traffic fluctuations following their migrations." I was wondering if any of these three options for mitigation affects the fluctuation in traffic differently. I could imagine Cloudflare with its compatibility issues being particularly problematic but that is just a WAG.
Thanks! It's tough to say which migration options may affect the traffic fluctuations the most. In Google's eyes, they don't particularly care which method you use as long as the site gets HTTPS-secured, so I expect they would treat the site pretty similarly regardless of which method you use. If your site experiences a major increase in page load times or negative user experiences, that might aggravate the problem, but that's the only part I could see that would be a major difference between the implementations.
The mentions of Cloudflare in this article aren't entirely correct. Firstly, it's not quite true that Cloudflare holds a cached version of your site. I won't go in to the details of that but I think the really important bit that's not quite right is where it talks about free Cloudflare accounts not offering 'full' encryption.
In actual fact, Cloudflare offers both 'flexible' and 'full' SSL with their free accounts. With full SSL the connection between Cloudflare and your own web server is encrypted with a self signed certificate meaning the entire connection is both encrypted and free.
The point I was making with that is that if you're looking for the completely free option, it's the Flexible SSL implementation. A full implementation will cost money, even if it's just to generate the certificate. Admittedly, that cost may be negligible, but it's more than free.
That's not true. Full SSL is available on the completely free plan and allows you to use a self-signed certificate between Cloudflare and your own server. This makes the entire connection encrypted. Generating a self-signed certificate is free. You can do it with most hosting that uses cPanel or similar, for free. Therefore the entire connection is encrypted, and for free.
I have used Cloudflare SSL but I want to ask a question. Is there any difference between paid SSL and free SSL? Thank you
Great post JR! A lot of my clients are smaller businesses or locally based, and for the few that don't have an SSL yet, we're looking into Cloudflare. Thanks for breaking the pros and cons down! Definitely a timely post with the October "Not Secure" update coming.
This is a very timely article, thanks for putting all the options out there. I think in terms of cost it also depends whether you are working in-house or have clients that can absorb the billing. For example, I have some people hosted on GoDaddy and their SSL, although it does cost, is basically a one-click solution. Let's Encrypt sounds like the go-to, but with that said it does take a bit of technical know-how, so in this forum it makes sense, but for a small business owner attempting to do it, it may be a little difficult.
Thanks for this contribution to the community.
Thanks Tim! Same, I mentioned in another comment as well we try to implement through a hosting environment whenever possible. WP Engine, for example, offers to implement Let's Encrypt for free as part of their hosting service. The degree of control you have over the site can be a big factor in which option to go with.
Very good post JR!
Sooner or later the time will come when Google says... Stop it! HTTPS all over the world. And then what will happen to those who continue without implementing it? Will they be penalized?
Will it improve the positioning of those who already did it and risked losing traffic? Would that be a good prize for those who took the risk, Mr. Google?
Thank you! And great question! At this point, it doesn't appear that Google is using HTTPS as a ranking signal quite yet, so it shouldn't affect your keyword rankings. It would not surprise me for Google to make it a ranking factor sometime in the next year to year-and-a-half though, especially as they continue to roll out more and more incentives for webmasters to make the switch.
It depends on how willing you are to play chicken with Google. I'd look into making the migration sooner rather than later.
Though I'd mention that Flexible, Full and Full (strict) SSL are all available on the free plan at CF, and I believe all three will get you a green padlock.
flexible ssl is as you describe and not full end to end encryption, so not advisable if you are taking credit card details or other sensitive details.
full ssl is where you have full end to end encryption, but you can use a self signed cert on your server.
full strict ssl is end to end but the ssl on your server must be from a trusted CA. Letsencrypt is a trusted CA.
All my client sites use Letsencrypt with full strict ssl and are on CF free plans. It's a great (not to mention free) combo.
Hi!
I am new to this whole http and https thing. I recently added SSL to my website https://digitalinstitute.in
I paid for it, and now I am not sure how helpful it is, because I am trying to do directory submissions and most of them refuse to take my listing.
Any help is highly appreciated.
P.S. I am new to the digital marketing world.
Hello JR,
I have also installed a Letsencrypt SSL on my blog two months ago and it works great. It is free and is provided by every web host with their hosting plans, so I think it is a good option to get started, and later we can move to a standard or traditional SSL. Cloudflare is definitely a great option. Letsencrypt with Cloudflare will give the ease of making your site secure. Thanks for this useful post.
Enjoy your day :)
Vishwajeet
I used the Let's Encrypt method with Certbot auto-renewal and I have the EV Green Bar SSL without the company name on my site. It worked well for me on a relatively small site with no advanced customization. I found Certbot easy to work with as a non-engineer running command line scripts, and with the auto-renewal process set up, I haven't run into any issues with certificate expiration.
According to me Cloudflare is best option to integrate SSL on your website, very easy and very fast setup, liked it's pro plan with Web Application Firewall and very secure, but there are many reason to think before you go for Cloudflare, let me explain in detail.
Page Load Times: Cached content provides excellent loading speed, almost 80% to 90% faster than your previous load times, but only for cached content. My server in the US can now be loaded in just 3 seconds in Australia and almost 1.2 seconds in the US. The downside is that the speed comes only with cached content, and uncached content takes even longer to load than without Cloudflare, as the request has to travel through Cloudflare to reach your server in some country and the SSL handshake happens twice, on Cloudflare and on your server, hence it takes double the time to fulfil the request; uncached images take longer to load and you could find a very bad server response time in Google PageSpeed Insights, well, that's frustrating. My previous response time was 0.45s and after Cloudflare it jumped to 1.5s. So unless your content is cached in Cloudflare, your server will experience an even longer server response time and overall page load times.
Just thinking what the possible effect on my search engine ranking could be. Does Google count server response time as a ranking factor, or the overall page load time with cached content?
I am seeing Letsencrypt scripts on a few CPANEL hosting platforms now. Either added by default, or at the click of a button. Very cool to have that as your default starting place, rather than HTTP to start with. Sometimes it's not an obvious service, so be sure to ask your Webmaster if they provide it.
My favorite is the Let's Encrypt and it's the one I always use in all my projects.
I like Cloudflare the most. I think it's the easiest way how to set up HTTPS for smaller sites. For bigger sites, budget usually doesn't play any role, thus the traditional encryption makes the most sense.
Martin, if talking only from a SSL point of view you would probably be correct. Any site gets immediate access to SSL, HTTP/2 + SPDY, HTML/JS/CSS minify, automatic http rewrites for Free. Best Practice for SSL is your own trusted CA verified certificate but anyone who combines both your own CA cert with Cloudflare (or similar services) will get the most benefits. And because congestion increases logarithmically as traffic to a site increases, the bigger sites are actually the biggest winners with Cloudflare because of their extensive arsenal of features designed to minimise effort at the server, remove bottlenecks & speed delivery to the end user (caching, CDN, web-proxy, HTTP/2 + SPDY, Argo, Page Rules, Railgun) as well as security and Scrape Shield, and the necessary one: Load Balancing.
Nice JR, really timely post as I'm about to launch a pair of websites. I was going to choose the free version of Let's Encrypt, however in the final paragraph you say Cloudflare is preferable. Is it just because it's easier to implement, or am I missing something?
Thank you again!
Hey Angel! I prefer Cloudflare just because it's easier to implement. With that being said, if you feel comfortable configuring your server for Let's Encrypt, that method is still just as free and it's more secure than Cloudflare. Nothing wrong with that method, just a slightly more complicated configuration.
Best of luck!
Cloudflare less secure than LetsEncrypt? Not really. That is only true when the host server does not already have its own SSL certificate that Cloudflare can talk to (and I don't know of any host nowadays who doesn't). And if not, either use their free SSL setup option (LetsEncrypt or whatever they offer) or create your own signed certificate for free. If the server can be reached via an https connection then you will be able to activate Cloudflare's Full SSL setting, meaning that the entire path from the user's browser to Cloudflare and then Cloudflare to the server is secure.
Any decent hosting company is going to have a CA-certified (trusted) SSL certificate option, and probably provide Cloudflare integration as well (i.e. mod_cloudflare or similar).
Note: when using Cloudflare SSL on a free account the certificate will still show as a Cloudflare cert to the end user (though only 1 in 1000 customers would ever click on the green padlock and look at the ownership of the SSL cert). Only paid Cloudflare accounts get to use their own certificate via Cloudflare.
Angel, the *ideal* free setup is to use a host that provides auto SSL setup and renewal (or set up your own server with it), and THEN use Cloudflare. Doing it this way will ensure you get all the benefits of your OWN named certificate for mail and secure FTP so your customers don't have to confirm security exceptions for the server's certificate, or for cPanel access using your own subdomain (i.e. cpanel.example.com).
And, whether shared hosting or your own server, if you switch the DNS to Cloudflare after SSL setup you get additional benefits from Cloudflare that you can't get through a shared hosting company's Cloudflare setup.
Let's Encrypt (renamed certbot) has made it even easier to install with comprehensive instructions and some tools: https://certbot.eff.org/all-instructions/
Despite all these security guidelines by Google, Blogger (Google's blogging CMS) still does not provide any support for SSL implementation on custom domains. What do you think about that?
Yeah, it is ironic that one of their own properties is not fully compliant with their push to move the web to SSL. There are probably legacy issues to overcome before they can provide SSL on the subdomains.
Similarly ironic is that remotely linking to Google Analytics, as is the standard setup, will stop a site from achieving a perfect score with Google PageSpeed - not that a perfect score would necessarily give any ranking lift over a close-to-perfect score, but it is still ironic that their own stats tool seems to be working against their commitment to the fastest internet possible. (The obvious workaround is to host the script locally and cron a script to check for updates regularly, however this in itself is against Google guidelines.)
I guess AMP was their idea of a solution to all this - if Google hosts it then they can control the delivery and avoid all such issues. It will be interesting to see what they are looking to do with the Blogger platform.
I think Google is talking the talk without walking the walk, which is extremely unfortunate.
I am using GeoTrust and, for the first time, Comodo. Your opinion about Comodo?
I don't have a lot of experience with Comodo. I would normally recommend GeoTrust, but someone brought to my attention just this morning that Google is no longer accepting Symantec CAs, which include GeoTrust. https://security.googleblog.com/2017/09/chromes-pl...
We've just migrated our websites from HTTP to HTTPS with Let's Encrypt certificates, with an Nginx proxy in front of Apache. Easy and free, it's perfect to set up. But it's a pain when you have to maintain access to an API in HTTP and some other resources in both HTTP and HTTPS...
Cloudflare has a good free option but I would rather buy a full SSL.
I don't blame you at all, Cloudflare's SSL definitely doesn't instill as much confidence as Let's Encrypt or a traditional SSL. If the extra security is more important for your use than the ease of implementation, then absolutely go with one of the other options.
Thanks for the feedback!
Keep in mind that choosing an SSL certificate option (traditional, Cloudflare, LE) is just the first step. You'll also need to update all your site URLs, inform Google Analytics and Search Console of the change, ensure redirects from the old HTTP URLs to the new HTTPS ones, etc. I have an overview of the most common SEO and security steps to take as well as common problems implementing HTTPS here: https://fletcherdigital.com/wordpress-https-setup/
Yep! I've written about that process before in other posts, it's a long and exhaustive process. This post was just about the different SSL options, but there is definitely more to do than just choosing an SSL provider.
The Let's Encrypt 90-day certificates limitation can easily be fixed by a renewal script launched via crontab.
Agreed, that's definitely not a difficult hurdle to resolve. However, it is a consideration for people to remember.
Good article, thank you. Most bloggers will try to use Cloudflare's Flexible SSL option, especially those who are using WordPress. But I think Google has to look at its own services before pushing webmasters to use HTTPS. What will Google do about the Blogger platform? Yes, traditional domains are already using HTTPS, but custom domains are having some problems. Even with Cloudflare's Flexible SSL, implementation is not as easy as with WordPress. I think Google should offer its own HTTPS solution through their own platform.
Agreed 100%. Google needs to conform to their own standards through Blogger if they're going to put this much pressure on all other webmasters to comply. They have to walk the walk if they're going to talk the talk.
Hi JR
Without doubt the traditional method still seems to me the safest, although it is true that it entails a lot of effort.
About Cloudflare, which I do not know, I could try it on some small project, because, I repeat, for me the priority is that the work is correct and safe.
Hey Luis! Agreed completely, the traditional method is far and away the safest. Cloudflare works well for sites that really only need to satisfy the HTTPS requirement for Google but don't need the full security measures in place. We've typically used it for some of our smaller clients; our bigger clients tend to follow the traditional method.
Excellent post, thanks so much! We're in the process of implementing SSL across all our customers' websites. What a nightmare?! Appreciate the informative post.
Glad to help! Best of luck with your migrations, I'd love to hear how that all goes!
My site has Let’s Encrypt, I implemented it before launching it so I had no issues at all with redirections or anything, it was so easy to install, just took me a few minutes, and my hosting provider renews it automatically every 90 days so I don't have to worry about it.
We love implementing SSL through a hosting provider whenever possible, it makes the process so much easier. WP Engine offers Let's Encrypt as part of their hosting platform, so we use that a lot. Definitely a good solution if your hosting provider offers it.
Thanks - timely article. I have been using Cloudflare on all sites for 2 years now, and over the past year have been migrating some less critical sites to HTTPS. I have no real internal driver at this point to move my main site to HTTPS, so have put this off until I see more report-outs of real-world experience on SERP impact etc. and/or Google starts penalizing HTTP significantly. Hope to see many more great HTTPS articles in the coming months :)
Your article is quite helpful, thanks, but it doesn't talk about how we should prepare for a migration so we don't lose current SEO. With all the changes Google is talking about to give lower rank to non-SSL websites, we are thinking of calling all our clients to help them migrate to SSL, but I am not sure how I should prepare before implementing SSL on their websites. Do you prepare the same way for all those services?
I've decided to write my own in-depth article on this because of the many errors and misconceptions that are posted around. In the meantime, to help out, the nutshell version:
1) Best Practice: force the website to a single hostname (i.e. either example.com or www.example.com) and to https. This avoids duplicate content links in SERPs and means that once you've done this and Google SERPs have updated, all traffic will be represented in only one site link in Search Console going forward.
2) Google Search Console (Webmasters): set up both the domain and www. versions of your site for both http and https in Google Search Console. That will result in 4 separate links.
If you haven't already, use Site Settings to tell Google which is the preferred hostname (i.e. root domain or www.) to index everything under.
If your site is set up correctly to serve only https pages then you will end up with all your traffic being fed through only one of the Google Search Console links that you have set up. If not, then there are still issues that you should address.
(note: a http to https migration does NOT involve a Change of Address)
Further FAQ can be found at https://plus.google.com/+JohnMueller/posts/PY1xCWb...
Do a similar process for Bing.
3) Setting up SSL cert has been discussed at length on other comments.
Basically either use Cloudflare, or your host's free SSL setup using a CA cert like Certbot/LetsEncrypt or Comodo or whatever. (Note: Cloudflare includes automatic http rewrites.)
Or use both: setup SSL cert on your server first and then migrate DNS to Cloudflare and get the extra security and speed benefits of their system using Full Strict SSL (for Free).
4) Migrate website links from http to https
a. Cloudflare with Full SSL and automatic http rewrites activated.
b. Otherwise use an automatic http rewrite extension or plugin on your site (i.e. for WP that's Really Simple SSL or SSL Insecure Content Fixer or WP Force SSL - they'll all do the trick)
c. or physically change links using a search and replace tool or plugin that also handles serialised data (i.e. for WP that is https://wordpress.org/plugins/search-and-replace/ by Inpsyde GmbH - there are two with the exact same name so get the correct one)
d. or you can use a DB tool like phpMyAdmin to do your link search and replace.
With methods c.& d. you may find some links are not changed as some platforms / visual builders hard code menus and theme links - either change them manually in the content/theme using your CMS or use a text editor on theme files (depends on platform).
5) We go through and update our clients' social links and backlinks to https as well since Google views http and https differently. And follow each social platform's guidelines on how to migrate your social share counts to the new https link. (discussed elsewhere in this post's comments)
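Step 4c above says the search-and-replace tool has to handle serialised data. The reason is that PHP's serialize() records each string's byte length, so a plain text replace that lengthens http:// to https:// leaves every length prefix wrong and unserialize() rejects the value. The Python below is an added example, not Garth's or any plugin's code; example.com stands in for the site being migrated and the sample option value is constructed. It also passes plain, non-serialised values straight through, so one function covers both steps 4c and 4d.

```python
import re

# PHP's serialize() writes strings as s:<byte length>:"<bytes>"; so a plain text
# replace that turns http:// into https:// leaves every length prefix one byte
# short and unserialize() rejects the value. Lengths are bytes, not characters,
# which is why everything below works on bytes.
_STR = re.compile(rb's:(\d+):"')

def rewrite_serialized(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new inside a (possibly) PHP-serialized blob, recomputing
    each s:N: length. Plain, non-serialized values fall through to a normal
    replace, so the same function can be run over every wp_options value."""
    out = bytearray()
    pos = 0
    while True:
        m = _STR.search(blob, pos)
        if m is None:                      # structural tail (e.g. '}') or plain text
            out += blob[pos:].replace(old, new)
            return bytes(out)
        out += blob[pos:m.start()]
        n = int(m.group(1))
        start, end = m.end(), m.end() + n
        if blob[end:end + 2] != b'";':     # prefix disagrees with payload: refuse
            raise ValueError(f"corrupt length prefix at byte {m.start()}")
        value = blob[start:end].replace(old, new)
        out += b's:%d:"%s";' % (len(value), value)
        pos = end + 2                      # skip past the closing "; of this string

def lengths_consistent(blob: bytes) -> bool:
    """True when every s:N:"..."; prefix matches its payload, i.e. PHP's
    unserialize() would not fail with a length mismatch."""
    pos = 0
    while True:
        m = _STR.search(blob, pos)
        if m is None:
            return True
        end = m.end() + int(m.group(1))
        if blob[end:end + 2] != b'";':
            return False
        pos = end + 2

# Constructed sample: a WordPress-style widget option as stored in wp_options.
# example.com stands in for the site being migrated; "café" shows a multibyte key.
SAMPLE = (b'a:3:{s:5:"title";s:7:"My Blog";'
          b's:3:"url";s:27:"http://example.com/feed/rss";'
          b's:5:"caf\xc3\xa9";s:18:"http://example.com";}')

if __name__ == "__main__":
    naive = SAMPLE.replace(b"http://example.com", b"https://example.com")
    fixed = rewrite_serialized(SAMPLE, b"http://example.com", b"https://example.com")
    print("naive replace still loads:", lengths_consistent(naive))   # False
    print("length-aware replace loads:", lengths_consistent(fixed))  # True
    print(fixed.decode())
```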
Hello Garth, Thank you for this insightful comment.
On your point #2, I was not able to complete the process and I found this note in the Google Help Center:
Note: The tool does not currently support the following kinds of site moves: subdomain name changes, protocol changes (from HTTP to HTTPS), or path-only changes.
Have you ever made the change this way for an HTTPS migration?
I will make sure to use this technique while migrating a subdomain to a root domain, blog.example.com to example.com/blog.
Thank you
Hi Jean-Christophe, sorry it was poorly written and ambiguous. I have edited it. As you correctly point out, Google does not see http to https as a Change of address. It is only necessary when moving your site to a new domain or hostname, but as it is a separate issue it is unnecessary to bring up in this topic.
The key for a straight migration from http to https is to ensure Google knows which hostname (Site Setting) you wish to be indexed and to monitor each of the 4 links in the Search Console until the traffic is going through the correct https link.
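What makes the traffic end up under one Search Console link is the step 1 rule from the list above: every request is sent to the single https hostname. As an added example (not Garth's or any server's code), the decision logic for that redirect, written to refuse hostnames the site does not serve so the rule cannot be turned into an open redirect via the Host header; the hostnames are assumed placeholders.

```python
from urllib.parse import urlunsplit

# Assumed values for this example: the hostname you chose in Site Settings and
# the set of hostnames your server actually answers for.
CANONICAL_HOST = "www.example.com"
KNOWN_HOSTS = {"example.com", "www.example.com"}

def canonical_redirect(scheme, host, path, query="", forwarded_proto=None):
    """Decide the response for one request: (301, location) to send the visitor
    to the single https hostname, (200, None) when the request is already
    canonical, or (400, None) when the Host header names a site we don't serve.

    The last case matters: echoing an arbitrary Host into a Location header
    turns a force-https rule into an open redirect.
    """
    # Behind a TLS-terminating proxy (Cloudflare, or nginx in front of Apache)
    # the origin sees plain http. Honour X-Forwarded-Proto only when such a
    # proxy really is in front; otherwise the force-https rule loops forever.
    effective_scheme = (forwarded_proto or scheme).lower()
    hostname = host.split(":")[0].lower()          # drop port, normalise case
    if hostname not in KNOWN_HOSTS:
        return (400, None)
    if effective_scheme == "https" and hostname == CANONICAL_HOST:
        return (200, None)
    location = urlunsplit(("https", CANONICAL_HOST, path or "/", query, ""))
    return (301, location)
```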
Thank you Garth, this is what I thought. Doesn't seem too complicated. I was worrying about whether it could impact my traffic.
I think using self-hosted SSL in combination with Cloudflare gives you the combination of both;
a self-generated SSL certificate is very easy with shared hosting as well.
Bit late to the discussion, but EV certificates are simply not worth the money: they aren't guaranteed to display in browsers and are unlikely to be noticed if they go missing, and in some cases they could actually confuse users where the certificate name is different to the displayed business name.
https://www.troyhunt.com/on-the-perceived-value-ev...
Hello there Enrique! That is a great point; doing this through a hosting service is quite often one of the more efficient ways to do it. WP Engine, one that we use a lot, will implement Let's Encrypt SSL directly through their hosting environment, which is a great approach to that.
Would you be able to give some more insight about the social network rankings you were discussing? I'm interested in what you were seeing there and how it affected your site performance.
Great article. I tried to use Cloudflare last year for the speed upgrades, but it would not allow anyone to make purchases in my X-Cart store. People got an error message. Cloudflare said it was Authorize.net and Authorize.net said it was Cloudflare. In the end, it prevented sales completely and had me in a mess till I got switched back, so if you use it, better double check that. Cloudflare suggested omitting the Store/ path from the service via the control panel since I had an SSL on the site, but that didn't do it either. I have no idea what the issue was, but it's something to watch out for.
Hello JR Ridley
My site is tiny and with something basic it was 100% functional. I tried method 2, which is free of charge, however there were a lot of errors on the server since I didn't implement it properly. Then I decided to go to my hosting service and request the SSL certificate they offer. For 150€ they did it for me, and the best of all is that it is permanent as long as I stay with their company. Sadly, I didn't know about the Cloudflare SSL option.
The issue with SSL is that social network rankings vanish, and it took a while for Google not to detect duplicate content.
Thanks JR, very informative post. As web designers we're up against it to help our clients out with this transition, so it's a nasty one to get on top of. I agree with you that Google has the right intentions, but they've not quite gone about it the right way, or given enough of a timeframe to do so. Added to that, if this is an event they are triggering, they should be able to ensure your rankings don't change because of the migration, as long as your implementation is sound.
As with all of these things, it'll just be another thing that we all get over, much like unlocking our phones with our faces, still annoying nonetheless :)
Hi JR Ridley,
Thanks for sharing useful information. I also used one free SSL certificate service provider which is also good (SSLforFree). The pros and cons you shared for free SSL certificates are really good.
But I just want to know: is it necessary to implement HTTPS for a website?
Thanks...!
Salam n Hola
Great article JR.
I would like to add a number of things though.
Many webhosting providers now provide SSL certificates for free via cPanel's AutoSSL feature. cPanel's AutoSSL can be configured with cPanel + Comodo SSL certificate (yes, cPanel provides free SSL too) or Let's Encrypt.
The certificates are now installed automagically for all the domains and subdomains you've got in your webhosting account (within 24 hours). You don't need to do anything at all. It gets auto renewed as well.
Installing Let's Encrypt SSL is now definitely easier than installing Cloudflare's Flexible SSL. You don't need to do anything to have it installed (of course, only for those on webhosts that enabled cPanel's AutoSSL feature).
:D :D :D
~Hadee Roslan~
Hello there,
This is an incredible post. Actually, the SSL provided by Cloudflare is good. We have written a blog post on the same topic - https://www.webtraffic.agency/2017/09/http-vs-https-seo/
Can we implement HTTPS without any cost? I have a simple blogging website without a login page. I am running a blog website without HTTPS; can you please suggest whether I have to buy an SSL certificate according to Google's norms? Please suggest the possible way.
Yes! For your situation, I would recommend Cloudflare's SSL service: https://www.cloudflare.com/ssl/ It's free and will satisfy the HTTPS requirement on your end without taking up a ton of your time.
Hi, most hosting providers include Let's Encrypt SSL for free. It's the easiest way to add SSL to your website.