HTTPS necessity
HTTPS is a required protocol for Search Engine Optimization (SEO).
Google Search Console has three relevant tabs that report how a website performs in Search:
PAGE EXPERIENCE states that websites must have HTTPS enabled:
A page must be served over HTTPS to be eligible for Good page experience status in Google Search. The Page Experience report doesn't have URL-level HTTPS data for your site, only the overall HTTP/HTTPS ratio for your site. If your site has too high a ratio of HTTP URLs, you will see a warning banner on your site, and the HTTPS section will show Failing.
Secure your site with HTTPS
HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of data between the user's computer and the site. Users expect a secure and private online experience when using a website. We encourage you to adopt HTTPS in order to protect your users' connections to your website, regardless of the content on the site.
Data sent using HTTPS is secured via Transport Layer Security protocol (TLS), which provides three key layers of protection:
- Encryption: Encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can "listen" to their conversations, track their activities across multiple pages, or steal their information.
- Data integrity: Data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
- Authentication: Proves that your users communicate with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.
Best practices when implementing HTTPS
Use robust security certificates
You must obtain a security certificate as a part of enabling HTTPS for your site. The certificate is issued by a certificate authority (CA), which takes steps to verify that your web address actually belongs to your organization, thus protecting your customers from man-in-the-middle attacks. When setting up your certificate, ensure a high level of security by choosing a 2048-bit key. If you already have a certificate with a weaker key (1024-bit), upgrade it to 2048 bits. When choosing your site certificate, keep in mind the following:
- Get your certificate from a reliable CA that offers technical support.
- Decide the kind of certificate you need:
  - Single certificate for a single secure origin (www.example.com).
  - Multi-domain certificate for multiple well-known secure origins (for example, www.example.com, cdn.example.com, example.co.uk).
  - Wildcard certificate for a secure origin with many dynamic subdomains (for example, a.example.com, b.example.com).
Use permanent server-side redirects
Redirect your users and search engines to the HTTPS page or resource with permanent server-side redirects.
Verify that your HTTPS pages can be crawled and indexed by Google
- Use the URL Inspection tool to test whether Googlebot can access your pages.
- Don't block your HTTPS pages by robots.txt files.
- Don't include noindex tags in your HTTPS pages.
Support HSTS
We recommend that HTTPS sites support HSTS (HTTP Strict Transport Security). HSTS tells the browser to request HTTPS pages automatically, even if the user enters http in the browser location bar. It also tells Google to serve secure URLs in the search results. All this minimizes the risk of serving unsecured content to your users.
To support HSTS, use a web server that supports it and enable the functionality.
Although it's more secure, HSTS adds complexity to your rollback strategy. We recommend enabling HSTS this way:
- Roll out your HTTPS pages without HSTS first.
- Start sending HSTS headers with a short max-age. Monitor your traffic both from users and other clients, and also the performance of dependent services, such as ads.
- Slowly increase the HSTS max-age.
- If HSTS doesn't affect your users and search engines negatively, you can add your site to the HSTS preload list, which is used by most major browsers. This adds extra security and improved performance.
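As an added example (not code from Google's documentation), this Python audits captured responses against the rollout stages above: it classifies the Strict-Transport-Security header by its max-age and flags a plain-HTTP response that is not a permanent redirect to the same host over HTTPS. The one-day "short" threshold and the one-year preload minimum are assumptions stated in the code; the header maps are constructed.

```python
"""Audit the HTTP->HTTPS redirect and the HSTS rollout stage of a site (offline)."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

PERMANENT_REDIRECTS = {301, 308}
ONE_YEAR = 31_536_000      # seconds; preload lists require at least this max-age
SHORT_MAX_AGE = 86_400     # one day: assumed upper bound for the "short" first stage


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=300; includeSubDomains; preload' into a directive map."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def hsts_stage(headers: Dict[str, str]) -> str:
    """Classify the rollout stage: none / invalid / short / long / preload-ready."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "none"
    directives = parse_hsts(value)
    if not directives.get("max-age", "").isdigit():
        return "invalid"
    max_age = int(directives["max-age"])
    if max_age <= SHORT_MAX_AGE:
        return "short"
    # Preload submission also requires includeSubDomains and the preload token.
    if max_age >= ONE_YEAR and "includesubdomains" in directives and "preload" in directives:
        return "preload-ready"
    return "long"


def redirect_findings(status: int, location: Optional[str], host: str) -> List[str]:
    """Problems with the response that a plain-HTTP request to `host` received."""
    findings = []
    if status not in PERMANENT_REDIRECTS:
        findings.append(f"status {status} is not a permanent redirect (301 or 308)")
    target = urlsplit(location or "")
    if target.scheme != "https" or target.netloc.lower() != host.lower():
        findings.append("Location does not point at the HTTPS URL of the same host")
    return findings


if __name__ == "__main__":
    # Constructed sample: first rollout stage, but only a temporary redirect.
    print(hsts_stage({"Strict-Transport-Security": "max-age=300"}))
    print(redirect_findings(302, "https://www.example.com/", "www.example.com"))
```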
Avoid these common pitfalls
Throughout the process of making your site secure with TLS, avoid the following mistakes:
| Common mistake | Solution |
|---|---|
| Expired certificates | Make sure your certificate is always up to date. |
| Certificate registered to incorrect website name | Check that you have obtained a certificate for all host names that your site serves. For example, if your certificate only covers www. , a visitor who loads your site using just example. (without the www. prefix) will be blocked by a certificate name mismatch error. |
| Missing Server Name Indication (SNI) support | Make sure your web server supports SNI and that your audience generally uses browsers that support it. While SNI is supported by all modern browsers, you'll need a dedicated IP if you need to support older browsers. |
| Crawling issues | Don't block your HTTPS site from crawling using robots.txt. |
| Indexing issues | Allow indexing of your pages by search engines where possible. Don't use the noindex tag. |
| Old protocol versions | Old protocol versions are vulnerable; make sure you have the latest and newest versions of TLS libraries and implement the newest protocol versions. |
| Mixed security elements | Embed only HTTPS content on HTTPS pages. |
| Different content on HTTP and HTTPS | Make sure the content on your HTTP site and your HTTPS site is the same. |
| HTTP status code errors on HTTPS | Check that your website returns the correct HTTP status code: for instance, 200 OK for accessible pages, or 404 or 410 for pages that do not exist. |
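The "certificate registered to incorrect website name" pitfall and the single/multi-domain/wildcard certificate types above come down to whether each host name a site serves is covered by a name in the certificate. This added example (not code from the page's sources) implements that check with the browser's wildcard rule, under which `*.example.com` covers one label only and does not cover the bare domain; the host lists are constructed.

```python
"""Check which host names a certificate's subjectAltName list covers.
Wildcard matching follows the browser rule (RFC 6125): one label, leftmost only."""
from typing import Iterable, List


def name_matches(pattern: str, host: str) -> bool:
    """True if a single SAN entry (exact or '*.domain') covers `host`."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    # '*.example.com' covers 'a.example.com' but not 'example.com' or 'x.y.example.com'.
    suffix = pattern[1:]                 # '.example.com'
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]
    return bool(label) and "." not in label


def uncovered_hosts(san_names: Iterable[str], hosts: Iterable[str]) -> List[str]:
    """Hosts that would trigger a certificate name-mismatch error in the browser."""
    names = list(san_names)
    return [h for h in hosts if not any(name_matches(n, h) for n in names)]


if __name__ == "__main__":
    # Constructed sample: a www-only certificate on a site that is also reached bare.
    print(uncovered_hosts(["www.example.com"], ["www.example.com", "example.com"]))
```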
Migrating from HTTP to HTTPS
If you migrate your site from HTTP to HTTPS, Google treats this as a site move with URL changes. This can temporarily affect some of your traffic numbers. Learn more about recommendations for all site moves.
Make sure that you add the new HTTPS property to Search Console. Search Console treats HTTP and HTTPS separately; data isn't shared between properties in Search Console.
For more tips about using HTTPS pages on your site, see the HTTPS migration FAQs.
More resources on implementing TLS
Here are some additional resources on implementing TLS on your site:
Find your HTTP pages
Here are two methods to help get a general idea of which URLs on your site are HTTP vs HTTPS:
- Create a Domain property for your site. Then open up the Performance report for Search and add a filter for URLs starting with "http://". This will show you the first 1,000 HTTP URLs on your site that people are finding in Google.
- If you can't create a Domain property for some reason, create a URL-prefix property for your HTTP address, open up the Performance report for Search, and see up to 1,000 HTTP URLs on your site that people are finding in Google.
If you think you have an equivalent HTTPS version for an HTTP URL that's appearing in Search, inspect the HTTPS URL in the Google Index to see if it's appearing in Search, and if not, why not.
What is HTTPS?*
HTTPS (Hypertext Transfer Protocol Secure) is a secure version of the HTTP protocol that uses the SSL/TLS protocol for encryption and authentication. HTTPS is specified by RFC 2818 (May 2000) and uses port 443 by default instead of HTTP’s port 80.
The HTTPS protocol makes it possible for website users to transmit sensitive data such as credit card numbers, banking information, and login credentials securely over the internet. For this reason, HTTPS is especially important for securing online activities such as shopping, banking, and remote work. However, HTTPS is quickly becoming the standard protocol for all websites, whether or not they exchange sensitive data with users.
HTTPS adds encryption, authentication, and integrity to the HTTP protocol:
Encryption: Because HTTP was originally designed as a clear-text protocol, it is vulnerable to eavesdropping and man-in-the-middle attacks. By including SSL/TLS encryption, HTTPS prevents data sent over the internet from being intercepted and read by a third party. Through public-key cryptography and the SSL/TLS handshake, an encrypted communication session can be securely set up between two parties who have never met in person (e.g. a web server and browser) via the creation of a shared secret key.
Authentication: Unlike HTTP, HTTPS includes robust authentication via the SSL/TLS protocol. A website’s SSL/TLS certificate includes a public key that a web browser can use to confirm that documents sent by the server (such as HTML pages) have been digitally signed by someone in possession of the corresponding private key. If the server’s certificate has been signed by a publicly trusted certificate authority (CA), such as SSL.com, the browser will accept that any identifying information included in the certificate has been validated by a trusted third party.
HTTPS websites can also be configured for mutual authentication, in which a web browser presents a client certificate identifying the user. Mutual authentication is useful for situations such as remote work, where it is desirable to include multi-factor authentication, reducing the risk of phishing or other attacks involving credential theft. For more information on configuring client certificates in web browsers, please read this how-to.
Integrity: Each document (such as a web page, image, or JavaScript file) sent to a browser by an HTTPS web server includes a digital signature that a web browser can use to determine that the document has not been altered by a third party or otherwise corrupted while in transit. The server calculates a cryptographic hash of the document’s contents, included with its digital certificate, which the browser can independently calculate to prove that the document’s integrity is intact.
Taken together, these guarantees of encryption, authentication, and integrity make HTTPS a much safer protocol for browsing and conducting business on the web than HTTP.
CAs use three basic validation methods when issuing digital certificates. The validation method used determines the information that will be included in a website’s SSL/TLS certificate:
• Domain Validation (DV) simply confirms that the domain name covered by the certificate is under the control of the entity that requested the certificate.
• Organization / Individual Validation (OV/IV) certificates include the validated name of a business or other organization (OV), or an individual person (IV).
• Extended Validation (EV) certificates represent the highest standard in internet trust, and require the most effort by the CA to validate. EV certificates are only issued to businesses and other registered organizations, not to individuals, and include the validated name of that organization.
For more information on viewing the contents of a website’s digital certificate, please read our article, How can I check if a website is run by a legitimate business?
There are multiple good reasons to use HTTPS on your website, and to insist on HTTPS when browsing, shopping, and working on the web as a user:
Integrity and Authentication: Through encryption and authentication, HTTPS protects the integrity of communication between a website and a user’s browsers. Your users will know that the data sent from your web server has not been intercepted and/or altered by a third party in transit. And, if you’ve made the extra investment in EV or OV certificates, they will also be able to tell that the information really came from your business or organization.
Privacy: Of course no one wants intruders scooping up their credit card numbers and passwords while they shop or bank online, and HTTPS is great for preventing that. But would you really want everything else you see and do on the web to be an open book for anyone who feels like snooping (including governments, employers, or someone building a profile to de-anonymize your online activities)? HTTPS plays an important role here too.
User Experience: Recent changes to browser UI have resulted in HTTP sites being flagged as insecure. Do you want your customers’ browsers to tell them that your website is “Not Secure” or show them a crossed-out lock when they visit it? Of course not!
Compatibility: Current browser changes are pushing HTTP ever closer to incompatibility. Mozilla Firefox recently announced an optional HTTPS-only mode, while Google Chrome is steadily moving to block mixed content (HTTP resources linked to HTTPS pages). When viewed together with browser warnings of “insecurity” for HTTP websites, it’s easy to see that the writing is on the wall for HTTP. In 2020, all current major browsers and mobile devices support HTTPS, so you won’t lose users by switching from HTTP.
SEO: Search engines (including Google) use HTTPS as a ranking signal when generating search results. Therefore, website owners can get an easy SEO boost just by configuring their web servers to use HTTPS rather than HTTP.
In short, there are no longer any good reasons for public websites to continue to support HTTP. Even the United States government is on board!
HTTPS adds encryption to the HTTP protocol by wrapping HTTP inside the SSL/TLS protocol (which is why SSL is called a tunneling protocol), so that all messages are encrypted in both directions between two networked computers (e.g. a client and web server). Although an eavesdropper can still potentially access IP addresses, port numbers, domain names, the amount of information exchanged, and the duration of a session, all of the actual data exchanged are securely encrypted by SSL/TLS, including:
• Request URL (which web page was requested by the client)
• Website content
• Query parameters
• Headers
• Cookies
HTTPS also uses the SSL/TLS protocol for authentication. SSL/TLS uses digital documents known as X.509 certificates to bind cryptographic key pairs to the identities of entities such as websites, individuals, and companies. Each key pair includes a private key, which is kept secure, and a public key, which can be widely distributed. Anyone with the public key can use it to:
• Send a message that only the possessor of the private key can decrypt.
• Confirm that a message has been digitally signed by its corresponding private key.
If the certificate presented by an HTTPS website has been signed by a publicly trusted certificate authority (CA), such as SSL.com, users can be assured that the identity of the website has been validated by a trusted and rigorously-audited third party.
In 2020, websites that do not use HTTPS or serve mixed content (serving resources like images via HTTP from HTTPS pages) are subject to browser security warnings and errors. Furthermore, these websites unnecessarily compromise their users’ privacy and security, and are not preferred by search engine algorithms. Therefore, HTTP and mixed-content websites can expect more browser warnings and errors, lower user trust and poorer SEO than if they had enabled HTTPS.
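Mixed content, as described above, is an HTTPS page that loads subresources such as images or scripts over plain http://. This added example (not code from SSL.com or Google) scans HTML for such references, distinguishing subresource attributes from ordinary navigation links, which browsers do not treat as mixed content; the sample markup is constructed.

```python
"""Find mixed content: subresources an HTTPS page loads over plain http://.
Navigation links (<a href>) are not mixed content and are ignored."""
from html.parser import HTMLParser
from typing import List, Tuple

# Tag -> attributes that load a subresource into the page.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src", "srcset"),
    "object": ("data",), "embed": ("src",),
}


def _urls(attr: str, value: str) -> List[str]:
    """srcset holds 'url 1x, url 2x' candidates; other attributes hold one URL."""
    if attr == "srcset":
        return [c.strip().split()[0] for c in value.split(",") if c.strip()]
    return [value.strip()]


class MixedContentFinder(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []   # (tag, attribute, url)

    def handle_starttag(self, tag: str, attrs) -> None:
        attrs = {k: v or "" for k, v in attrs}
        checked = list(RESOURCE_ATTRS.get(tag, ()))
        # <link> fetches a subresource only for stylesheet relations.
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower().split():
            checked.append("href")
        for name in checked:
            for url in _urls(name, attrs.get(name, "")):
                if url.lower().startswith("http://"):
                    self.findings.append((tag, name, url))


def find_mixed_content(html: str) -> List[Tuple[str, str, str]]:
    """Return every (tag, attribute, url) that would load over plain HTTP."""
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings
```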
An HTTPS URL begins with https:// instead of http://. Modern web browsers also indicate that a user is visiting a secure HTTPS website by displaying a closed padlock symbol to the left of the URL.
In modern browsers like Chrome, Firefox, and Safari, users can click the lock to see if an HTTPS website’s digital certificate includes identifying information about its owner.
How do I enable HTTPS on my website?
To protect a public-facing website with HTTPS, it is necessary to install an SSL/TLS certificate signed by a publicly trusted certificate authority (CA) on your web server. SSL.com’s knowledgebase includes many helpful guides and how-tos for configuring a wide variety of web server platforms to support HTTPS.
* - original source: https://www.ssl.com/faqs/what-is-https/