It’s time to solve the HTTP vs HTTPS debate: yes, you should update your whole site to HTTPS because Google says so
It’s the age-old question: HTTP vs HTTPS? Until now, it was optional except on credit card pages. But as you’ve probably heard, Google is ramping up its campaign to improve Internet security.
To Google, and to magazine website publishers, this means using HTTPS (Hypertext Transfer Protocol Secure), which uses separate protocols called SSL (Secure Sockets Layer) and TLS (Transport Layer Security) to secure pages that ask for credit card information or passwords. This effort was launched as far back as 2011, and by 2014 the search giant had announced that it would actually enforce this by using HTTPS as a “very lightweight” ranking signal – less important than quality content – and noted that this would affect fewer than 1% of global queries.
It did add, however, that it was deeming HTTPS a “lightweight” ranking signal only “while we give webmasters time to switch to HTTPS.” Most of the time, publishers already have HTTPS set up for critical credit card pages. However, many don’t have it set up for their password pages, or on any other pages (more on that below).
Google has new “neutral” alerts that it’s displaying on credit card pages, and these alerts will be displayed on a password collection page if HTTPS is not yet implemented. This is what it might look like now:
Eventually, these same pages will display an alert with more impact, possibly alarming to site visitors:
Google does not anticipate that the neutral alerts will overly alarm users of your magazine websites, but there will certainly be some who might be worried. This situation on password pages should be remedied as soon as possible.
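One way to list the pages that would trigger these alerts, as an added example that is not part of the original article: it parses each page's HTML for password and credit card inputs and flags those served over HTTP. Going slightly beyond the text, it also flags forms on HTTPS pages that still submit over HTTP. The `autocomplete="cc-*"` heuristic, the function names and the example.com sample pages are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class SensitiveFormFinder(HTMLParser):
    """Collects password / credit card inputs and the URL each one submits to."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = page_url   # inputs outside a <form> stay on the page
        self.findings = []            # (field kind, absolute submit URL)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # An empty or missing action submits to the page's own URL.
            self.form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input":
            kind = None
            if a.get("type", "").lower() == "password":
                kind = "password"
            # Assumption: card fields are marked with autocomplete="cc-*".
            elif a.get("autocomplete", "").lower().startswith("cc-"):
                kind = "credit-card"
            if kind:
                self.findings.append((kind, self.form_action))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = self.page_url

def audit(page_url, html):
    """Return sorted (kind, reason) pairs for sensitive fields exposed over HTTP."""
    finder = SensitiveFormFinder(page_url)
    finder.feed(html)
    page_is_http = urlsplit(page_url).scheme == "http"
    issues = set()
    for kind, action in finder.findings:
        if page_is_http:
            issues.add((kind, "page served over HTTP"))
        if urlsplit(action).scheme == "http":
            issues.add((kind, "form submits over HTTP"))
    return sorted(issues)

# Constructed sample pages (example.com is a placeholder domain).
LOGIN = '<form action="/login"><input name="u"><input type="password" name="p"></form>'
PAY = '<form action="http://example.com/pay"><input autocomplete="cc-number"></form>'

if __name__ == "__main__":
    print(audit("http://example.com/login", LOGIN), audit("https://example.com/checkout", PAY))
```

An empty result for a page means no password or card field on it is loaded or submitted over plain HTTP.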
Meanwhile, we all know that Google makes continual changes to its algorithms, and rarely gives us specific details. A perfect example of this is the wording in the most recent update on this from Google:
“Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.”
So the question arises as to whether or not Google will eventually display alerts on any pages without HTTPS, as well as increasing its ranking penalty for sites without full HTTPS. Logic and Google’s history indicate that this is the direction it’s heading.
Therefore, Mequoda’s newer clients use HTTPS throughout their entire site – just to be on the safe side with Google’s evolving ranking algorithms, and because HTTPS protects against interference with all your content, not just credit card and password information.
Additionally, setting up specific pages with HTTPS is just as much work as switching an entire site over. Our concern is that if you opt for a partial HTTP/HTTPS interim solution, and Chrome begins displaying its red “insecure” alerts on other pages, such as your Daily pages, you could easily run into user pushback.
We do know that HTTPS slows down your page loading time a little, depending on how it’s implemented, but we’ve established protocols for minimizing this problem.
Our current recommendation, therefore, is that if you don’t have full HTTPS security now, you should make the switch to using HTTPS throughout your site, not just on credit card and password pages.