In 2014 Google began a campaign calling on all sites to implement HTTPS and make the world wide web more secure.
At first it was just a recommendation. Then they started giving preferential treatment in the search results to sites that use HTTPS. And now it’s becoming clearer and clearer that the move is inevitable, no matter what kind of site you have.
In the past few weeks a lot of my subscribers have asked me what to do about this… and I decided to dedicate a blog post to this topic.
So, if you’ve been wondering what HTTPS means, how it affects you as an affiliate and website owner, and what you should do about it, read on. Because I’m going to explain everything. And when you’re done, if anything is not clear, feel free to ask me in the comments below.
I’ll start at the very beginning:
How websites, browsers and hosts work
If you are a site owner, you probably know this part already, but it’s always good to review the fundamentals:
You have a website. A site with text and images and and code and who knows what else.
All of the data for every single one of those elements of your site is stored at your web host on a computer. That computer is called a “server” because it serves information to your visitors.
When someone visits your site, their browser (Chrome, Firefox, Explorer, etc.) sends a request to the server, asking for your site’s data. The server, in response to the browser’s request, sends your site’s data back. The browser then takes all the data it received from the server and displays it to the visitor as a nice-looking web page.
For example, just a few seconds ago, my server sent a whole bunch of text, images, and code to your browser so you can read this blog post.
Sometimes data will flow the other way—from the visitor’s browser to the server. That will happen when someone enters her username and password, or when she fills in her email address on an opt-in form.
This data transfer between a browser and a server occurs according to a set of rules called HTTP (which stands for HyperText Transfer Protocol).
You with me so far? Good. Because this is where things can start to get messy. 🙁
The big privacy problem on the web today
Unfortunately, when transferred through an unsecure wifi connection, all this data moving back and forth, from server to browser, can be accessed by third parties.
Those third parties – whom we call “hackers,” “spies,” “cyber-thieves”…or maybe we’ll just go with “criminals”… can use special software on their own computers to “eavesdrop” on the conversations between the server and the browser.
The obvious problem here is that with a regular HTTP connection, this third party (or “spy”) can get their hands on confidential information such as passwords and credit card information.
That’s why you should never ever submit confidential information over a non-secure wifi network. It’s also why you should always check for the “secure” sign on your browser every time you submit confidential information.
Hopefully you know this already and take the necessary precautions, but there’s a less obvious issue here that most people are not aware of; the spy can gather a lot of information about a person who is browsing websites online, even if they do not submit ANY sensitive information.
Yes, this information can even come through your affiliate site.
Think about it:
When you are browsing the web, any research you do, and any site you look at – just by the fact that you are indeed looking at them – will reveal something about you, your plans, or your interests.
Do you really want a hacker to know that you are thinking about traveling this summer? (Oh, so your house will be empty then!)
Do you want him to know about your health concerns? (Hey, your hemorrhoids are your business 🙂 )
Do you want a stranger to see that you are researching long-term investments? (Hmmm. There must be valuable assets somewhere!)
No, you don’t.
And that’s one of the big privacy issues with the internet today.
Another issue with unsecure data transfers is that, with a regular HTTP data transfer, a third party can tamper with the information getting passed between the server and the browser, as follows:
All they need to do, and this is possible with regular HTTP data transfer, is reroute the information passed between the browser and the server and pretend to be someone else.
They can change the information that your server is sending to the browser.
They can even start displaying forms to your visitors asking for email usernames and passwords, bank information, credit cards, and more.
And once they do that, your visitors could be fooled into sending the hacker their confidential information.
Here is an article describing how a hacker in Amsterdam receives information about visitors at a local coffee shop.
The solution? Secure that privacy with HTTPS data transfer.
Making web browsing secure again
The HTTPS data transfer protocol ensures that all the information getting transferred between the browser and the server is encrypted, or garbeled, and therefore secure.
That “S” in HTTPS stands for Secure.
It also ensures the information you send to your visitors does not get tampered with.
And, in order to accomplish that as a site owner, you need an SSL certificate.
An SSL certificate is a piece of software that has three main functions:
1. Authentication: It serves as an online ID card, proving that your server is indeed who it claims to be.
2. Data Integrity: It ensures your visitors that the information from your server has not been tampered with.
3. Encryption: It encrypts data, making it impossible for hackers to understand the conversation between your host’s server and your visitor’s browser.
If more websites use SSL certificates, more private information will remain private. And privacy is a good thing.
What’s in it for you as a site owner?
When you switch to HTTPS you are helping increase privacy online.
In addition, you also receive the following benefits:
Small SEO boost: HTTPS on a website is now a ranking signal, so adding it to your site MAY increase your search engine rankings a bit.
The padlock symbol: That symbol in your browser may have a reassuring effect on your visitors, which could increase their trust in you, leading to more affiliate sales and repeat visitors.
More referral data: When a site with HTTPS refers a visitor to a site with HTTP, the referral data is lost. What that means is that in Google Analytics, the visitor will be shown as a “direct visit” instead of someone being referred from another site. If your site uses HTTPS that will not happen, and you will get better Google Analytics stats.
Eventually Google will mark HTTP sites as non-secure: This is not going to happen in the near future but, eventually, Google will mark all websites that use HTTP as non-secure both in their browser (Chrome) and in the search results. And that red-flagging will scare potential visitors away.
The risks involved
The first concern most affiliates have is the time and money involved in making the switch.
The good news is that some SSL certificates are now free, so there is no cost involved in getting the software.
On the other hand whenever you make a big change to your site, technical issues may arise and you’ll have to fix them. Especially if you have a large and complicated site. So, if your site has a lot of custom code, have a programmer make the switch for you.
However, if you have a simple WordPress site, especially if it’s relatively new and small, you should be ok doing it on your own, and hopefully the transition will go smoothly for you. I have made the change on several of my WordPress sites and have not encountered any difficulties.
A more serious issue is the risk of a temporary ranking drop.
You may experience a temporary ranking drop after the switch, as Google de-indexes your HTTP pages and starts indexing your HTTPS pages.
This doesn’t happen to everyone, and it’s impossible to predict how long it will take to recover. The important thing is to take care not to make such a change to your site at a busy time (for example before the holidays).
I personally have not experienced a ranking drop after switching my sites (yay!)
And last, you will lose your social signals.
Facebook, for example, will consider your HTTPS site to be separate from your HTTP site, so any likes, shares, and comments you had on the HTTP site will not show on your HTTPS site.
(I’ve heard that Facebook does eventually figure out that the two sites are the same, and then you will get the social signals back. If you have personal experience with this, please share it in the comments section.)
So what should you do?
I recommend that you make the switch to HTTPS.
But don’t panic. It’s not urgent.
And it’s important that you do it properly and at the right time.
Keep in mind the following:
If your site is relatively new and small, and you have plans to grow it, then switch to HTTPS sooner rather than later, because the risks as much lower at this point.
If your site is large and gets lots of traffic, then you can still make the switch in the near future, but keep an eye on your site speed and traffic during the transition period to make sure the switch is going smoothly. And know that you may experience a temporary ranking drop.
If your site is complex and has a lot of custom code, then consult with a programmer. It might end up being wise to wait a bit until moving to HTTPS becomes even easier.
How to add HTTPS to your sites
The easiest option is to use a free SSL certificate called “Let’s Encrypt.”
Contact your web host and ask them if they support “Let’s Encrypt” and, if so, request that they install it for you on your site. My host did it for me for free. Within 10 minutes my whole site was fully switched to HTTPS.
The next best option is to use CloudFlare. Here are step by step instructions on how to switch to HTTPS using CloudFlare. If you are a Constant Profits Club member, check out the new video that provides an over-the-shoulder walkthrough. It’s available in the members area.
Want to know more?
Here’s a 45 minute video from Google that explains more about HTTPS and SSL. It’s quite good if you’re interested in the subject and want to know more.
So what’s the bottom line?
While it’s not urgent to do so immediately, you should switch your site to HTTPS using a free SSL certificate. Do proceed with caution, especially if your site has custom code, gets a lot of traffic, or earns a significant income.
oh, so I should worry about an obscure hacker who, out of boredom checks if I have hemorrhoids, but I should not be worried about global scale crooks (google) who spy on everyone, every second, and knows more about everyone than their parents.
Cute!
True. You can safely assume that Google, Facebook, and the government know everything about you 🙁
Sarah,
When going to https, do you lose all links built to the http site?
Also will https and http versions of your site show up in the index causing duplicate content?.
Thanks
Good questions.
Google sees your HTTP and HTTPS sites as 2 separate sites, so you have to make sure to automatically redirect all your HTTP pages to the HTTPS version. Your host can do this for you. Or – if you use Cloudflare (see the link in the article above) – you can do it through them.
That way you keep the links you built and avoid any duplicate content issues.
Great article Sara.
Can we use a redirect plugin to have the http redirected to https?
Thanks
great post, but this site marketing with Sara com is not secure!
Haha, Gidon. Good point!
This site is where I develop a lot of my custom software, so – since it has a lot of complex code – I’m not ready to switch it just yet.
Thanks Sarah
I just got a domain name for my future blog/website it’s called rudiethefoodie and is not up and running yet
I have a few questions
1. can sensitive information in my yahoo inbox be intercepted without currently having https? I use goodle chrome and have a lot of sensitive email info related to my business’stored there
2. related to my first question can hackers intercept sensitive info on my desktop or flash drive or just info on the internet
3. can security essentials act as a security buffer as https does preventing hackers from viewing sensitive information on the internet?
4. can comodo or cc cleaner help foil these hackers trying to peer into my personal business by blocking and capturing them and putting them in a secured vault to be deleted from my computer?
Thanks for your great information Sarah. Can i pass it on when i get my blog/website rudiethefoodie up and running?
Rudy ferrara
HTTPS protects information that your site sends to your visitors.
It has nothing to do with your gmail or yahoo inbox, and nothing to do with your computer or flash drive.
In general, if you are worried about security I recommend not using sites that require passwords on public wifi networks. Also make sure you have a good anti-virus program installed on your computer. Other than that – I don’t know much more, since I’m not a security expert.
I started switching a few sites over last month using cloudflare but ran into some problems. One of the main problems is some affiliate links are not using SSL (ebay in particular) so your pages don’t show as secure as a result. That really defeats the purpose of making your site secure if it doesn’t verify anyway.
I had to have an ebay script I was using re-developed because it had stopped working when I switched to SSL only to find out that the pages didn’t verify anyway once it was working again because ebay doesn’t use SSL on their affiliate links. 🙁
I’ve also lost significant rankings on another site after the switch over while google tries to make sense of the change.
Any tips on what to do right after you change a site to https in order to avoid a drop off in rankings? (I have the cloudflare redirect in place already)
I’ll also have to look into Let’s Encrypt since as far as I could see the cloudflare method doesn’t work with html sites and I have a few clients with very large html sites that I am leery about switching over.
Thanks for sharing your experience, Chris.
Unfortunately it’s common to see a temporary ranking drop when you switch over to HTTPS. Make sure you have your redirects set up properly and that you use HTTPS when getting new backlinks. Also keep an eye on how Google re-indexes your site (in Webmaster Tools / Search Console) and your site speed – just to make sure nothing went wrong.
And finally, read this article.
Good luck. I hope your site recovers soon!
Sara, thank you for this post and your clear explanation of what we need to know.
Sara,
if my hosting company supports “Let’s encrypt” and they install it, will that take care of all of the necessary redirecting?
or do I need to also tell them to redirect all http pages to the https pages?
have you personally noticed any drop in rankings after switching to https?
Thanks
Hey Paul, they should take care of all the necessary redirecting, but check to make sure they did it properly. Take a look at the new lesson on this topic in the CPC members area because it covers this and more.
Unfortunately a temporary drop in ranking is common, and it’s impossible to say whether it will happen to you and if so – how long it will take to recover. See Chris’s comment above you.
So far my own sites have been ok. In fact they are doing better than before! But I haven’t yet made the transition for the larger more complex sites.
great stuff(as usual) sara….
but as far as my tiny brain can figure out…the cloudflare fix is only for WP sites.
if so – do you have a solution for html sites?
and, hey,..isn’t complex code just what russian hackers love?
For HTML sites you can use Let’s Encrypt (free) or a paid SSL solution. Your hosting provider should be able to help with this.
Few clarifications:
1. Http is open on the web period. You don’t need to be doing this via wifi.
2. Don’t be fooled into thinking https is secure. You have to assume everything you do on the web can be known. (Eg the wonderful creep-bags at the NSA). HTTPS is more secure, yes.
Thanks RS!
My webhost guided me through the https change over. My articles on my site never lost ranking. Glad I changed over.
Thanks for sharing your experience!
Hi Sara,
Your post was very enlightening to me.
I do not know much about all this computer
stuff. Can I assume that the HTTPS thing
does not apply to e-mails, although some
may carry sensitive info. and can also be
easily hacked?
C.P.
I’m not sure exactly what you are asking here. So I will tell you that:
– Email providers such as gmail do use HTTPS
– You still shouldn’t send sensitive info by email
– This article is about what you need to do for your site, so it’s not directly relevant to email
Hopefully that answers your question, but let me know if you need further clarification.
I develope locally then move to a public site. How will development be affected or will it?
Hi Sarah,
Great timing, I just switched to https the day before I rec’d your email, my hosting company made the switch and re-direct, you mentioned that more info is avail in CPC area, I just checked and don’t see anything, is it in one of the modules or forum?
I want to make sure the re-direct was done correctly, thanks!
You’ll find it in module 4 – the last 2 lessons.
Hi Sara
Many thanks for sharing this and I had researched about it.
I am confused over some issue. I do understand the impact on SEO.
However, as a product owner and affiliate marketer using Clickbank and ClickMagick.
How necessary is it for my sales pages to be https beside the impact on Google Ranking. Most of my pages and not searchable in the first place.
Also, will it affect the tracking of traffic, after all, https and http is 2 different sites eventually. So I should start tracking traffic to https website?
Greatly appreciate it if you can reply. Thank you.
Very helpful article! Thanks for sharing the information
Hi Sara,
Thanks for sharing useful info. Anyways, I don’t think that it’s necessary to use https for affiliate website because we don’t sell product we only review or advertise the product. We’re only the broker not the seller. That’s my opinion. 😉
Hey Sara! Great article.
I recently started a Shopify Site to sell my own art paintings and prints.
But because diversification is important too.
I’m looking into a WordPress site for indirect traffic and a separate venture.
So, I’m looking at affiliate products to market.
As an affiliate, I need a landing page to get opt-in emails.
So, from your info about a hacker/criminal intent/ can get those emails. And even worse set my prospect up to be the hackers client instead of connecting to the investment firm I am sending them to?
In my case, I’m wanting to bring subscribers to a stock investment newsletter.
A snoopy hacker might get my email list and potentially pretend to be me sending out emails to my list, and who knows what kind of trouble that could be for me and my list of people.
Wow…. I get it… SSL is the smart way to start a real business.
Thanks Sara! BKL
Awesome and Very Informative Article. Thank you so much, It Helps me a lot!