In 2014 Google began a campaign calling on all sites to implement HTTPS and make the world wide web more secure.
At first it was just a recommendation. Then they started giving preferential treatment in the search results to sites that use HTTPS. And now it’s becoming clearer and clearer that the move is inevitable, no matter what kind of site you have.
In the past few weeks a lot of my subscribers have asked me what to do about this… and I decided to dedicate a blog post to this topic.
So, if you’ve been wondering what HTTPS means, how it affects you as an affiliate and website owner, and what you should do about it, read on. Because I’m going to explain everything. And when you’re done, if anything is not clear, feel free to ask me in the comments below.
I’ll start at the very beginning:
How websites, browsers and hosts work
If you are a site owner, you probably know this part already, but it’s always good to review the fundamentals:
You have a website. A site with text and images and code and who knows what else.
All of the data for every single one of those elements of your site is stored at your web host on a computer. That computer is called a “server” because it serves information to your visitors.
When someone visits your site, their browser (Chrome, Firefox, Explorer, etc.) sends a request to the server, asking for your site’s data. The server, in response to the browser’s request, sends your site’s data back. The browser then takes all the data it received from the server and displays it to the visitor as a nice-looking web page.
For example, just a few seconds ago, my server sent a whole bunch of text, images, and code to your browser so you can read this blog post.
Sometimes data will flow the other way—from the visitor’s browser to the server. That will happen when someone enters her username and password, or when she fills in her email address on an opt-in form.
This data transfer between a browser and a server occurs according to a set of rules called HTTP (which stands for HyperText Transfer Protocol).
You with me so far? Good. Because this is where things can start to get messy. 🙁
The big privacy problem on the web today
Unfortunately, when transferred through an unsecured wifi connection, all this data moving back and forth, from server to browser, can be accessed by third parties.
Those third parties – whom we call “hackers,” “spies,” “cyber-thieves”…or maybe we’ll just go with “criminals”… can use special software on their own computers to “eavesdrop” on the conversations between the server and the browser.
The obvious problem here is that with a regular HTTP connection, this third party (or “spy”) can get their hands on confidential information such as passwords and credit card information.
That’s why you should never ever submit confidential information over a non-secure wifi network. It’s also why you should always check for the “secure” sign on your browser every time you submit confidential information.
Hopefully you know this already and take the necessary precautions, but there’s a less obvious issue here that most people are not aware of: the spy can gather a lot of information about a person who is browsing websites online, even if they do not submit ANY sensitive information.
Yes, this information can even come through your affiliate site.
Think about it:
When you are browsing the web, any research you do, and any site you look at – just by the fact that you are indeed looking at them – will reveal something about you, your plans, or your interests.
Do you really want a hacker to know that you are thinking about traveling this summer? (Oh, so your house will be empty then!)
Do you want him to know about your health concerns? (Hey, your hemorrhoids are your business 🙂 )
Do you want a stranger to see that you are researching long-term investments? (Hmmm. There must be valuable assets somewhere!)
No, you don’t.
And that’s one of the big privacy issues with the internet today.
Another issue with unsecured data transfers is that, with regular HTTP, a third party can tamper with the information being passed between the server and the browser, as follows:
All they need to do is reroute the information passed between the browser and the server and pretend to be someone else.
They can change the information that your server is sending to the browser.
They can even start displaying forms to your visitors asking for email usernames and passwords, bank information, credit cards, and more.
And once they do that, your visitors could be fooled into sending the hacker their confidential information.
Here is an article describing how a hacker in Amsterdam receives information about visitors at a local coffee shop.
The solution? Secure that privacy with HTTPS data transfer.
Making web browsing secure again
The HTTPS data transfer protocol ensures that all the information getting transferred between the browser and the server is encrypted, or garbled, and therefore secure.
That “S” in HTTPS stands for Secure.
It also ensures the information you send to your visitors does not get tampered with.
And, in order to accomplish that as a site owner, you need an SSL certificate.
An SSL certificate is a piece of software that has three main functions:
1. Authentication: It serves as an online ID card, proving that your server is indeed who it claims to be.
2. Data Integrity: It assures your visitors that the information from your server has not been tampered with.
3. Encryption: It encrypts data, making it impossible for hackers to understand the conversation between your host’s server and your visitor’s browser.
If more websites use SSL certificates, more private information will remain private. And privacy is a good thing.
What’s in it for you as a site owner?
When you switch to HTTPS you are helping increase privacy online.
In addition, you also receive the following benefits:
Small SEO boost: HTTPS on a website is now a ranking signal, so adding it to your site MAY increase your search engine rankings a bit.
The padlock symbol: That symbol in your browser may have a reassuring effect on your visitors, which could increase their trust in you, leading to more affiliate sales and repeat visitors.
More referral data: When a site with HTTPS refers a visitor to a site with HTTP, the referral data is lost. What that means is that in Google Analytics, the visitor will be shown as a “direct visit” instead of someone being referred from another site. If your site uses HTTPS that will not happen, and you will get better Google Analytics stats.
Eventually Google will mark HTTP sites as non-secure: This is not going to happen in the near future but, eventually, Google will mark all websites that use HTTP as non-secure both in their browser (Chrome) and in the search results. And that red-flagging will scare potential visitors away.
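The referral-data point above is decided by the browser's referrer policy. As an added example (not from the original post), this JavaScript models that decision under no-referrer-when-downgrade, the behaviour the post describes, and under strict-origin-when-cross-origin, the default in current major browsers; the hostnames are constructed and "downgrade" is simplified to an HTTPS page linking to an HTTP destination.

```javascript
// Added example: simplified model of the browser's Referer decision.
// All hostnames and URLs below are constructed placeholders.

// Browsers never send credentials or the #fragment in a Referer header.
function stripForReferer(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Returns the Referer header value, or null when the browser omits it.
function refererFor(fromUrl, toUrl, policy = "no-referrer-when-downgrade") {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Assumption: "downgrade" is modelled only as HTTPS page -> HTTP destination.
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  if (downgrade) return null; // both modelled policies drop the header here
  switch (policy) {
    case "no-referrer-when-downgrade":
      return stripForReferer(fromUrl, false);
    case "strict-origin-when-cross-origin":
      // Full URL to the same origin, origin only to other sites.
      return stripForReferer(fromUrl, from.origin !== to.origin);
    default:
      throw new Error("policy not modelled: " + policy);
  }
}

// How an analytics tool labels the visit when it only has the Referer.
function trafficSource(referer) {
  return referer === null ? "direct" : "referral from " + new URL(referer).hostname;
}

const review = "https://reviews.example/best-widgets?id=7#top";
const visits = [
  ["http://shop.example/landing", "no-referrer-when-downgrade"],
  ["https://shop.example/landing", "no-referrer-when-downgrade"],
  ["https://shop.example/landing", "strict-origin-when-cross-origin"],
];
for (const [dest, policy] of visits) {
  const ref = refererFor(review, dest, policy);
  console.log(dest, "|", policy, "|", ref, "|", trafficSource(ref));
}
```

Under the newer default the destination still sees which site sent the visitor, but not which page, so page-level referral reports are coarser even between two HTTPS sites.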
The risks involved
The first concern most affiliates have is the time and money involved in making the switch.
The good news is that some SSL certificates are now free, so there is no cost involved in getting the software.
On the other hand, whenever you make a big change to your site, technical issues may arise and you’ll have to fix them. Especially if you have a large and complicated site. So, if your site has a lot of custom code, have a programmer make the switch for you.
However, if you have a simple WordPress site, especially if it’s relatively new and small, you should be ok doing it on your own, and hopefully the transition will go smoothly for you. I have made the change on several of my WordPress sites and have not encountered any difficulties.
A more serious issue is the risk of a temporary ranking drop.
You may experience a temporary ranking drop after the switch, as Google de-indexes your HTTP pages and starts indexing your HTTPS pages.
This doesn’t happen to everyone, and it’s impossible to predict how long it will take to recover. The important thing is to take care not to make such a change to your site at a busy time (for example before the holidays).
I personally have not experienced a ranking drop after switching my sites (yay!)
And last, you will lose your social signals.
Facebook, for example, will consider your HTTPS site to be separate from your HTTP site, so any likes, shares, and comments you had on the HTTP site will not show on your HTTPS site.
(I’ve heard that Facebook does eventually figure out that the two sites are the same, and then you will get the social signals back. If you have personal experience with this, please share it in the comments section.)
So what should you do?
I recommend that you make the switch to HTTPS.
But don’t panic. It’s not urgent.
And it’s important that you do it properly and at the right time.
Keep in mind the following:
If your site is relatively new and small, and you have plans to grow it, then switch to HTTPS sooner rather than later, because the risks are much lower at this point.
If your site is large and gets lots of traffic, then you can still make the switch in the near future, but keep an eye on your site speed and traffic during the transition period to make sure the switch is going smoothly. And know that you may experience a temporary ranking drop.
If your site is complex and has a lot of custom code, then consult with a programmer. It might end up being wise to wait a bit until moving to HTTPS becomes even easier.
How to add HTTPS to your sites
The easiest option is to use a free SSL certificate called “Let’s Encrypt.”
Contact your web host and ask them if they support “Let’s Encrypt” and, if so, request that they install it for you on your site. My host did it for me for free. Within 10 minutes my whole site was fully switched to HTTPS.
The next best option is to use CloudFlare. Here are step by step instructions on how to switch to HTTPS using CloudFlare. If you are a Constant Profits Club member, check out the new video that provides an over-the-shoulder walkthrough. It’s available in the members area.
Want to know more?
Here’s a 45 minute video from Google that explains more about HTTPS and SSL. It’s quite good if you’re interested in the subject and want to know more.
So what’s the bottom line?
While it’s not urgent to do so immediately, you should switch your site to HTTPS using a free SSL certificate. Do proceed with caution, especially if your site has custom code, gets a lot of traffic, or earns a significant income.