HTTPS migration – your two-month countdown

If you’re still wondering whether to move your site to HTTPS, Google just made the decision easy for you.

This October (2017) the noose on non-secure HTTP sites tightens, as the tech giant inches ever closer to its goal of making the web fully secure. If you value the trust of your customers, and want to retain your site’s current traffic and conversion rate, it’s an update you need to be ready for.

The beginning of Q4 not only coincides with the peak trading season but will also see Chrome flag any HTTP page as ‘Not Secure’ when a user can input data.

So that’s not just payment information, passwords and other sensitive data as is the case now, but any input field at all, including site search and sign up forms. And it’s extending to all types of websites – not just ecommerce.

Which means even if you don’t have an ecommerce site, HTTPS just got serious.

Example of how URLs will look after HTTPs update.

The journey to a fully secure web

The move is the latest in a timeline of changes made by Google since 2011 when it first encrypted its search.

June 2014 saw the launch of ‘HTTPS Everywhere’, with HTTPS announced as a ranking signal in its algorithm just two months later.

The full timeline of changes can be read here on our blog from October.

Google’s vision that “all communication, everywhere, should be secure by default” includes everything we do on the web – playlists, news, messaging and more – not just financial information.

As the company states in this video, a single web visit may not be that interesting, but a combination reveals a lot about the user. Making it easier to build up a bigger picture of who you are, what you do, where you live, work, and how you play.

And it’s not just Google too – Firefox and Bing have implemented changes to security protocol across the web to ‘encourage’ site owners to adopt HTTPS as standard.

So why does it matter?

Google is the biggest browser in the world, finally surpassing Internet Explorer last May to knock Microsoft off its long-held throne.

So if the browser used by nearly half of the UK* says ‘jump’ – you kind of have to ask how high. Especially if it’s encouraging you to jump at the beginning of the busiest trading season for many businesses.

December 2016 saw online sales (excluding automotive fuel) increase year-on-year by 21.3%. The lead up to Christmas is demanding enough without having to factor in a full HTTPS migration for your site.

Because that’s effectively what it is – a full site migration – and unfortunately not as simple as just flicking a switch.

This new update is the biggest push that any tech giant has used in the move to HTTPS, so if you want to stay competitive, you need to start the process now.

OK, I get it. How do I switch my site to HTTPS?

Moving your site to HTTPS can be a confusing and complex process if you don’t have the skills and technical knowledge to do so.

The time required also varies depending on the size of your site. A four-page photography portfolio website could be migrated in a day, for example. But a site the size of a national newspaper could take the best part of a year, as The Guardian have very handily documented.

In their frank and open case study, the newspaper highlighted the issues faced and how it overcame them.

Rather than tackle the migration as a whole, the team opted to ‘defeat in detail’, working on a section-by-section basis, identifying, tracking and fixing problems as they went before moving onto the next section.

It took a long time due to a variety of revenue, editorial and third party embedding issues – in places where they were ready, other apps and integrations on the site were not (such as ad platforms, and social media embeds), so workarounds had to be put in place.

Read the full case study here.

The point is that any site migration needs to be handled with care and caution, and on a granular level. There are many steps for your technical teams to go through, and each will throw up questions, challenges and problems of their own.

Whether it’s already on your radar or yet to be prioritised, it’s a crucial and necessary piece of work to avoid any revenue impact for Q4. It’s a bit overboard to cram each single thing to consider in this single post, but here’s a condensed snippet of the major elements to our workflow when performing HTTPS migrations:

HTTPS migration checklist

  1. Prepare all pages and resources to be served securely.
  2. Crawl and backup entire website.
  3. Identify all internal and external links and feeds that need updating and update all internal links to HTTPS.
  4. Identify all third party tools that need updating (Google Analytics, AdWords, Optimizely, etc.)
  5. Identify all social profiles, resources and strong traffic backlinks that need updating.
  6. Decide on whether to purchase a Domain Validation (DV) or Extended Validation certificate. (DV is the standard certificate, whereas EV can provide stronger trust signals for your customers, highlighting its status in green in the URL bar).
  7. Set up site-wide HTTP to HTTPS 301 redirects.
  8. Decide if HSTS should be used and if so configure HSTS header.
  9. Create staging environment to test the above actions before setting live.

And once you’ve set the site live, the work doesn’t stop there. Continual crawling, monitoring and fixes will need to take place before configuring Google Search Console and migrating the disavow file.

The decision on whether to go with a DV or EV certificate, or if to set up HSTS should be thought out properly and implemented with care to avoid issues.

You only get one chance to set up the HSTS header so it’s important to get it right the first time or you could end up blocking users from viewing your site.

What could go wrong?

Oh just about everything. As with any site migration, getting any of the multiple interconnecting steps even slightly wrong could result in complete loss of traffic or physically blocking users from your site.

Which no one wants, especially as you enter Q4.

Specific problems to watch out for:

    • Disavow would fail to migrate – which could incur a Penguin penalty.
    • 301 redirects could contain errors and broken links – which could result in loss of traffic.
    • Certificates could be configured or uploaded wrong – which could completely block access to the site.
    • Security capabilities of server – which again could completely block access to the site.
    • Bad press from industry influencers naming and shaming brands that are non-secure.

Where to go from here?

Security is often not seen as a problem until it becomes one. With the countdown to get HTTPS ready in full flow, it pays to be prepared – so get in touch if we can help with any aspect of your migration.

A good result would be nothing happening. Everything would move over smoothly, your site traffic and conversions would remain untouched, and the only thing pointing to the work taken place would be your shiny new ‘Secure’ badge of honour in the URL box.

We like good results. We even like taking on the occasional tech-headache – so you don’t have to.

Need help? Contact the Fresh Egg team to talk through your specific requirements.

*Google Chrome shares 43.58% of UK browsers, according to