59% of websites are not secure, is yours one of them?
UPDATE: Google announced on August 29th that October 24th 2017 is the day of reckoning. They’ll start showing not secure warnings to users after that date. More, here. The short answer to the question do I need to make my website HTTPS compliant? is yes. Read on to find out why…
At the beginning of 2017, Google began their quest to improve how their Chrome browser communicates the connection security of websites. More specifically, HTTP pages. Right now, Chrome marks HTTP pages as “Not secure” if they have password or credit card fields.
Later this year, sometime in quarter four – Google states October – Chrome will show the “Not secure” warning in two additional situations: when users enter data on a HTTP page, and on all HTTP pages visited in Incognito mode.
How big of a deal is this?
Do you collect email addresses & credit card information on your website?
The answer to at least one of those questions is probably yes.
Well then, it’s going to affect you. In fact, it’s already affecting you if you’re collecting credit card information or your users need to enter a password to login on your website.
But this only affects Chrome, right?
Right now, that’s correct.
However, Chrome is by far the most popular browser. It accounts for 76.3% of browser usage, and it’s growing steadily each month.
How do I make my site secure?
Over the past month, we’ve checked 57 Agora websites to see if they’re HTTPS compliant.
Of all the sites we looked at, 26% had no SSL cert installed. And 33% had an SSL cert installed but it wasn’t configured correctly; both the http:// and https:// versions of the site were visible. Having two versions of the site visible causes duplicate content issues, and has a negative effect on their rankings and search engine visibility. 41% of Agora sites had an SSL cert installed, and these sites passed a quick and easy test to see if it was installed correctly. HTTPS is clearly an area where Agora websites can improve.
Open a page on your website. If your site shows https:// in the URL bar, look at A. If your site shows http:// in the URL bar, skip to B.
A: Does your site show as https:// in the URL bar?
If it does, then remove the s from https:// and press enter.
Does the URL redirect back to the secure version?
Or does the URL show you an http:// version of your website?
If it shows the http version, you have https installed but it isn’t configured correctly and is causing you duplicate content issues.
B: Does your site show http:// in the URL bar?
If it does, then add an s to http://, to make it https://, and press enter.
Does the URL redirect back to the http version or do you get an error?
If it does either, that’s OK. It means you don’t have an SSL cert set up. You should put it on your web developer’s radar to get one installed.
If it shows the https:// version of your website, it means that your SSL cert isn’t configured correctly.
If your site is showing an http:// and an https:// version, consider fixing it. It’s causing duplicate content issues and is affecting your search engine visibility.
If your website passes the quick and easy test above, you now need to delve a little deeper, and make sure your site’s SSL cert is fully implemented correctly. To do this, you’ll need to use two tools: Screaming Frog’s SEO Spider, and SEMrush. Both are paid tools. Screaming Frog is relatively inexpensive, while SEMrush has a free trial which you can use to perform these checks if you don’t have a SEMrush account already.
Check if all your pages are redirecting correctly
It’s important to make sure all pages are redirecting correctly.
To do this, a good tool to use is Screaming Frog’s SEO Spider. You can get more information, and purchase it, here.
In Screaming Frog, run a site crawl. Once it’s finished, go to the protocol tab and filter by HTTP.
In the search box, enter your website name. In our case it’s readyfireaim. Also, filter by status code. Filtering by your website name means that you’ll exclude external links.
Are some of your HTTP pages showing a 200-status code? If so, these pages aren’t redirecting to their HTTPS version. Get your web developer to take a look.
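The same check can be scripted over an exported crawl. The sketch below is an added example, not part of the original article or of Screaming Frog: the row layout, the www.example.com host and the function name are assumptions, and the sample rows are constructed. It goes slightly beyond the 200-status filter by also flagging redirects that land on another HTTP URL or on a different page.

```python
from urllib.parse import urlsplit

# Constructed sample crawl rows (URL, status code, Location header); not real crawl data.
SAMPLE_CRAWL = [
    ("http://www.example.com/", 301, "https://www.example.com/"),
    ("http://www.example.com/about", 200, None),
    ("http://www.example.com/blog", 302, "http://www.example.com/blog/"),
    ("http://www.example.com/shop", 301, "https://www.example.com/"),
    ("https://www.example.com/contact", 200, None),
    ("http://cdn.other.example/lib.js", 200, None),
]

def audit_redirects(rows, site_host):
    """Return {url: finding} for HTTP pages on site_host that do not redirect cleanly."""
    findings = {}
    for url, status, location in rows:
        src = urlsplit(url)
        if src.scheme != "http" or src.hostname != site_host:
            continue  # internal HTTP URLs only, like the protocol + site-name filter
        if status == 200:
            findings[url] = "served over HTTP (no redirect)"
            continue
        if status not in (301, 302, 307, 308) or not location:
            findings[url] = f"unexpected status {status}"
            continue
        dst = urlsplit(location)
        if dst.scheme != "https":
            findings[url] = "redirects to another HTTP URL"
        elif dst.path.rstrip("/") != src.path.rstrip("/"):
            # Host changes (e.g. adding www) are tolerated; a different path is not.
            findings[url] = "redirects to a different HTTPS page"
    return findings

if __name__ == "__main__":
    for url, finding in audit_redirects(SAMPLE_CRAWL, "www.example.com").items():
        print(f"{url}: {finding}")
```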
Auditing Your HTTPS implementation
Once you know all pages are redirecting as they should, you should run an audit on your HTTPS implementation. Here at AIM, we use SEMrush to help us do this.
Here’s a snapshot from an audit that we ran recently.
With our help, the client was able to eradicate virtually all mixed content issues, and all issues with links on HTTPS pages leading to HTTP pages.
Mixed content? Links on HTTPS pages leading to HTTP pages? What the hell are they?
The three most common issues we see when auditing HTTPS implementation are as follows:
- Mixed content
- Links on HTTPS pages leading to HTTP pages.
- Subdomains not supporting HSTS
If your website contains any elements that are not secured with HTTPS, this may lead to security issues. Moreover, browsers will warn users about loading unsecure content, and this may negatively affect user experience and reduce their confidence in your website.
As mentioned earlier in this article, from October browsers will show warnings about loading unsecure content on all pages that collect user data (email addresses). Eradicating mixed content after you install and configure your SSL cert correctly is vital.
Links on HTTPS pages leading to HTTP pages
If any link on the site points to the old HTTP version of the website, search engines can become confused as to which version of the page they should rank.
The end result is neither version ranks as highly as it should, and your search engine visibility decreases.
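To see how the first two issues differ in a page's markup, here is an added example (not from the original article or from SEMrush) that scans the HTML of one HTTPS page. The class and function names, hosts and sample markup are assumptions made up for illustration. Only stylesheet link tags are counted as loaded resources.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a subresource for the page.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
                     "video": "src", "source": "src", "link": "href"}
# Constructed sample markup for an HTTPS page; hosts and paths are placeholders.
SAMPLE_HTML = """
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="canonical" href="https://www.example.com/offer">
<script src="//cdn.example.net/lib.js"></script>
<img src="http://img.example.net/banner.png">
<a href="http://www.example.com/pricing">Pricing</a>
<a href="/contact">Contact</a>
<a href="http://partner.example.org/">Partner</a>
"""

class HttpsPageAudit(HTMLParser):
    """Collects mixed content and internal http:// links found on one HTTPS page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.mixed_content, self.insecure_links = [], []

    def _http_target(self, value):
        # Resolve relative and protocol-relative URLs against the page first.
        if not value:
            return None
        absolute = urljoin(self.page_url, value.strip())
        return absolute if urlsplit(absolute).scheme == "http" else None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            target = self._http_target(attrs.get("href"))
            if target and urlsplit(target).hostname == self.site_host:
                self.insecure_links.append(target)  # link to the old HTTP version
        elif tag in SUBRESOURCE_ATTRS:
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                return  # e.g. rel="canonical" is not loaded into the page
            target = self._http_target(attrs.get(SUBRESOURCE_ATTRS[tag]))
            if target:
                self.mixed_content.append((tag, target))

def audit_page(page_url, html):
    audit = HttpsPageAudit(page_url)
    audit.feed(html)
    return audit.mixed_content, audit.insecure_links
```

Calling audit_page("https://www.example.com/offer", SAMPLE_HTML) reports the stylesheet and the banner image as mixed content and the pricing link as an internal HTTP link; the protocol-relative script and the external partner link are not flagged.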
Subdomains not supporting HSTS
HTTP Strict Transport Security (HSTS) informs web browsers that they can communicate with servers only through HTTPS connections. So, to ensure that you don’t serve unsecured content to your audience, we recommend that you implement HSTS support.
This response header tells user agents (e.g. the Googlebot crawler) to only access HTTPS pages even when directed to a HTTP page. This eliminates redirects, speeds up response time, and provides extra security.
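The header in question is Strict-Transport-Security. As an added example (not from the original article or from SEMrush), the sketch below checks which hosts of a site send a usable policy and whether it extends to subdomains. The host names and header values are constructed, the function names are assumptions, and the headers are assumed to come from HTTPS responses, since browsers ignore this header over plain HTTP.

```python
# Constructed sample: response headers captured over HTTPS, one entry per host.
SAMPLE_HEADERS = {
    "www.example.com": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "shop.example.com": {"Strict-Transport-Security": "max-age=0"},
    "blog.example.com": {"Content-Type": "text/html"},
    "mail.example.com": {"strict-transport-security": "includeSubDomains"},
    "cdn.example.com": {"Strict-Transport-Security": 'max-age="86400"'},
}

def parse_hsts(value):
    """Return (max_age, include_subdomains); max_age is None if missing or invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isascii() and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit_hsts(headers_by_host):
    """Return {host: finding} describing each host's HSTS policy."""
    report = {}
    for host, headers in headers_by_host.items():
        lowered = {key.lower(): val for key, val in headers.items()}
        value = lowered.get("strict-transport-security")
        if value is None:
            report[host] = "no HSTS header"
            continue
        max_age, include_sub = parse_hsts(value)
        if max_age is None:
            report[host] = "invalid policy (max-age missing)"
        elif max_age == 0:
            report[host] = "max-age=0 (HSTS switched off)"
        elif include_sub:
            report[host] = "HSTS on, covers subdomains"
        else:
            report[host] = "HSTS on, this host only"
    return report

if __name__ == "__main__":
    for host, finding in audit_hsts(SAMPLE_HEADERS).items():
        print(f"{host}: {finding}")
```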
The Final Word on HTTPS
The bottom line is this: if you’re serving content over an insecure connection you need to be planning how you’re going to go HTTPS by default, now.
Confirmed last month at SMX Advanced, Google also offers a minor SEO boost to sites with HTTPS installed. This backs up what Gary Illyes of Google said back in April.
Just last month, Moz and SEMrush published data showing over 50% of all pages in the top 3 results in Google are HTTPS compliant pages. That’s up from 30% in mid-2016.
Here at AIM, we also highly recommend installing an SSL cert before Google rolls out their new changes in October. If you do install one, make sure to check it’s implemented correctly. Also, instead of just going HTTPS, consider going HTTP/2. HTTP/2 future proofs your website. It adds a secure connection as well as making your website super-quick.
If you need some help, have any questions on HTTPS, or would like AIM to audit your HTTPS implementation, please reach out.
Until next time,
SEO Specialist, AIM
P.S. If you’re concerned about your site’s secure connection, you’re not the only one. Join our discussion on the AMM Facebook group.