Encrypting the internet has been the topic of much discussion. You have people telling you about the need to encrypt to protect our way of life, as well as those who talk about the untold marketing benefits promised to us by the Google gods. You also have the people who don't know what's going on, but who have started to see more locks in the address bar of their web browser or have seen that fully qualified URLs for many sites now read HTTPS and not HTTP.
So, What Is HTTPS and How Does It Work?
If you've ever been on the internet, you know HTTP. You probably see it every time you try to make a hyperlink. HTTP means, "Hypertext Transfer Protocol." It's how data is communicated on the internet.
HTTPS is simply (or not so simply) Hypertext Transfer Protocol Secure. This means that you're not transferring plain text; the data is encrypted using Secure Sockets Layer (SSL), a cryptographic system that encrypts data with two keys: the server's public key (which encrypts) and a private key (which decrypts). Note: This might be a good time to try that rapid eye blinking thing I mentioned earlier.
In order to prove the website's identity, you must have the server's public key. Since you can't store all the keys to every website in your browser, there are Certificate Authorities instead: a list of CAs came installed with your browser and operating system, with stored public keys used to verify certified secure servers.
Your browser sends the server a message encrypted using the public key from the CA, and the server's private key is used to decrypt the message. If the server is able to tell you what the message originally was, the server has verified its identity to you without having to share the private key. Since you have a pre-approved list of Certificate Authorities on your browser, this keeps you safe. Whew! Safety is a good thing.
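The identity check described above, as an added example that is not part of the original article: a CA signs the link between a site name and its public key, the browser checks that signature against its pre-installed list, then sends an encrypted challenge only the private-key holder can answer. It uses textbook RSA with constructed toy keys; the names, keys and message format are assumptions, and the real TLS handshake differs in detail.

```python
import hashlib
import secrets

def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns (public, private) as (n, exponent)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def cert_digest(name, pub, modulus):
    """Hash the certificate body (site name + server public key)."""
    body = f"{name}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % modulus

def issue_cert(ca_priv, name, server_pub):
    """CA side: sign the binding between a site name and its public key."""
    n, d = ca_priv
    return {"name": name, "pub": server_pub,
            "sig": pow(cert_digest(name, server_pub, n), d, n)}

def cert_trusted(trust_store, cert, hostname):
    """Browser side: was this key signed by a pre-installed CA for this host?"""
    if cert["name"] != hostname:
        return False
    return any(pow(cert["sig"], e, n) == cert_digest(cert["name"], cert["pub"], n)
               for n, e in trust_store)

def server_answer(server_priv, ciphertext):
    """Server side: only the holder of the private key can recover the message."""
    n, d = server_priv
    return pow(ciphertext, d, n)

def verify_site(trust_store, cert, hostname, answer_fn):
    """Certificate must chain to a trusted CA AND the server must prove key possession."""
    if not cert_trusted(trust_store, cert, hostname):
        return False
    n, e = cert["pub"]
    challenge = secrets.randbelow(n - 3) + 2      # random message, 2 <= m <= n - 2
    return answer_fn(pow(challenge, e, n)) == challenge

# Constructed toy keys from small Mersenne primes: illustration only, not secure.
CA_PUB, CA_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
ROGUE_CA_PUB, ROGUE_CA_PRIV = make_keypair(2**61 - 1, 2**127 - 1)
SITE_PUB, SITE_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**17 - 1, 2**19 - 1)
TRUST_STORE = [CA_PUB]                            # what ships with the browser
GOOD_CERT = issue_cert(CA_PRIV, "example.com", SITE_PUB)
ROGUE_CERT = issue_cert(ROGUE_CA_PRIV, "example.com", OTHER_PUB)
```

A certificate signed by a CA outside the trust store fails, and so does a genuine certificate presented by a server that does not hold the matching private key.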
If HTTPS Is So Great, Why Haven't We Always Used It?
SSL used to slow page load times by 3-4 seconds per page, meaning that HTTPS everywhere wasn't just a bad user experience--it was dial up. It was enough to make you long for the time when information was sent via carrier pigeons. Also, not long ago, Google wasn't able to crawl sites that used the HTTPS protocol, meaning your site couldn't be indexed. This led to only pages that collected private data, like credit cards, being secured.
Why SSL Encrypt Now?
Now SSL adds only a fraction of a second to page load times, and encryption doesn't just keep you and your data safe in commerce; it's also about your conversations. You hear about mass data collection, which the NSA can neither confirm nor deny... Oh they deny that, they never deny things...
Google recommends using HTTPS everywhere, because encryption helps to keep your data and your users secure. Also, when you only encrypt the things that must be secure, it's like holding a giant sign that says, "Hey! The sensitive and valuable data is over here!" As any good spy movie will tell you, that's the sort of thing you want to avoid.
If that isn't enough, there is a marketing and analytics benefit for site owners, too. In August 2014, Google announced that SSL encryption would be a ranking factor in search. But with 200+ ranking factors, it's unlikely that simply moving to HTTPS will give you magical ranking benefits.
Making the HTTPS jump should be about more than just ranking. Encryption is just how the internet is going. I personally don't think going HTTPS will help you so much as failing to secure the internet and your users' data is going to hurt you--not just in search, but overall.
Search rankings and security aside... Not encrypting is already hurting your analytics. Many websites (mine included, prior to moving to HTTPS) have seen an increase in "(direct) / (none)" traffic because of this. Even though I used Google Analytics as an example, it's important to note that this is not a Google problem.
There is no way that 29.8% of my website traffic was direct or bookmark traffic. This is happening because, when traffic flows from a secure site to a non-secure site, all that lovely referral data is lost. Referrals from both "normal" HTTP sites and HTTPS sites to an encrypted HTTPS site will send referral information, but the secure protocol drops any referral data when transferring to a non-encrypted website.
So adding an SSL cert will give you back your referral data. It will also give you back your full Bing keyword data, because Bing keyword data was lost after that search engine moved to HTTPS. But, because Google is basically a willful and all knowing child, flipping the SSL switch won't give you back the "not provided" keyword data, at least from Google.
The willful, all knowing child explained. The loss of Keyword data on Google was from Google choosing to take it away. Look at Google Webmaster tools to get back some (not all) of your keyword data. You can get some of it because Google still has it. They have all of it. They share it with advertisers; they just aren't sharing with you.
How Search Engine Referral Data Works
When you go from one link to another (for example, masonpelt.com to siliconangle.com), the browser gives the site you're going to a bit of info called "the referer," which has the URL of the previous page you were on. For SERPs (search result pages), that URL will hold a query string, such as www.google.com/search?q=mason%20pelt.
Since the referer carries the entire URL, it includes ?q=mason%20pelt. Analytics packages can sort that information by keeping a list of search engines and parsing the value of the q variable. This allows me to see that someone came from Google by searching, "Mason Pelt."
All Google is doing is forcing you to redirect through another url. That way, you get referrer data saying the traffic came from Google, but none of the lovely referring keyword data.
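The referer handling described in this article, as an added example (not code from the original article or from any analytics product): it models the secure-to-non-secure drop, then buckets a visit and extracts the keyword the way the text describes. The search-engine table and the report labels are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed lookup table: search-engine host -> query parameter holding the keyword.
SEARCH_ENGINES = {
    "www.google.com": "q",
    "www.bing.com": "q",
    "search.yahoo.com": "p",
}

def referer_sent(from_url, to_url):
    """Model the rule in the text: a secure page sends no referer
    when the visitor follows a link to a non-secure page."""
    src, dst = urlsplit(from_url).scheme, urlsplit(to_url).scheme
    if src == "https" and dst == "http":
        return None              # downgrade: referral data is dropped
    return from_url

def classify(referer):
    """Return (source, keyword) the way an analytics report would bucket a visit."""
    if not referer:
        return ("(direct) / (none)", None)
    parts = urlsplit(referer)
    host = parts.hostname or ""
    param = SEARCH_ENGINES.get(host)
    if param is None:
        return (f"{host} / referral", None)
    # parse_qs percent-decodes, so "mason%20pelt" becomes "mason pelt".
    values = parse_qs(parts.query).get(param)
    keyword = values[0] if values else "(not provided)"
    return (f"{host} / organic", keyword)

if __name__ == "__main__":
    # Constructed sample visits: (page the visitor came from, page they landed on).
    visits = [
        ("http://www.google.com/search?q=mason%20pelt", "http://masonpelt.com/"),
        ("https://www.google.com/search?q=mason%20pelt", "http://masonpelt.com/"),
        ("https://www.google.com/", "https://masonpelt.com/"),
    ]
    for src, dst in visits:
        print(classify(referer_sent(src, dst)))
```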
On the bright side, many SEOs, like my friend, Joe Youngblood, do think 2015 will be the year Google gives keyword data back to encrypted websites. Maybe that's another reason to encrypt. Or, maybe it's just the hopes and dreams of search engine marketers.
Why You Still Have Some Referral Data From HTTPS Sites
In the above screenshot, you can clearly see Facebook is responsible for nearly 50% of web traffic and Facebook clearly uses SSL. Most social networks use HTTPS, at this time. The good news is that the Google trick of forcing redirect URLs to remove keyword data can also be used to send you from an HTTPS site to an HTTP site, thus leaving the referral data intact.
When you click a link on Twitter, you can clearly watch the URL redirect from https://twitter.com to http://t.co/. The same is true of Facebook, YouTube and most other social networks. Most simply hide it better than Twitter.
So, why are these networks choosing to send out referral data? Most of these networks work hard not to share any of their user data that makes their advertising platforms better, or at least different, than the next guy's. My theory is that the competitive marketing for online advertising is why these platforms are going out of their way to give us referral data.
If advertising platforms didn't give us some data, I would wish them good luck on getting all but the least savvy media buyers to invest in marketing on that platform. Good luck selling the ROI of your platform on the social web, when you already have a hard time getting people to track you correctly. (See my rant here) Good luck keeping advertisers, or even business users, if you have to explain and get them to set up SSL in order to see if anyone clicked your links.
But smaller sites have no reason to go to the time, effort and server burden of forcing redirects just to give your website an analytics footnote saying three people clicked a link and went to your website.
In my mind, anything that can add clarity to data without substantially hurting your site's speed or your search rankings is worth doing. Also, as I say to myself every time I leave a grocery store with a canvas bag, "I'm saving the planet."
There Are Some Things To Consider Before Adding Encryption - It's Not As Simple As Flipping a Switch.
Oh, would that it were just a button to change your DNS! Moving to SSL completely means switching everything to HTTPS--internal links, images and website files like CSS, JavaScript and PHP--or setting a redirect at the server level from http to https. Your CDN (if you use one) also has to be SSL ready. Most content delivery networks are capable of SSL encryption. But I don't assume because... "U," "Me," "Ass..." That's why.
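One way to find what still needs switching before a move like this, as an added example and not code from the original article: a scanner that lists hard-coded http:// references in a page, separating files the page loads itself from ordinary links. The tag table and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed table: tags whose URL attribute makes the browser fetch a file.
FETCHING_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                  "source": "src", "link": "href"}

class InsecureRefFinder(HTMLParser):
    """Collect hard-coded http:// references that must change before the move."""

    def __init__(self):
        super().__init__()
        self.subresources = []  # fetched by the page itself: mixed content under HTTPS
        self.links = []         # plain <a href>: needs updating or a redirect

    def handle_starttag(self, tag, attrs):
        attr = "href" if tag == "a" else FETCHING_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr) or ""
        if url.lower().startswith("http://"):
            bucket = self.links if tag == "a" else self.subresources
            bucket.append((self.getpos()[0], tag, url))

def scan(html):
    """Return (subresources, links) as lists of (line, tag, url)."""
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.subresources, finder.links

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="http://example.com/logo.png">
<img src="/local.png">
<a href="http://example.com/about">About</a>
<a href="https://example.com/contact">Contact</a>
</body></html>"""

if __name__ == "__main__":
    subresources, links = scan(SAMPLE)
    for line, tag, url in subresources + links:
        print(f"line {line}: <{tag}> {url}")
```

Relative and protocol-relative URLs are not reported, because they follow whatever scheme the page itself is served over.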
You are technically making your website an entirely new domain in the eyes of Google. You will have to be ready and able to set up 301 redirects for every page and piece of content. I personally would recommend trying to get your most important backlinks updated from http: to https:.
Since you're on a "different domain," you may lose some social proof. If you have a social share counter like the one on this site, you will lose all of your social shares. Many of the most common social sites (Facebook, Google Plus and LinkedIn) use APIs and will eventually update your share numbers, but this could take weeks or months. Since Twitter and Pinterest don't use APIs for share counters, you will either lose those or be forced to make a small code change to display your actual social shares. Moz.com has an SEO checklist to consider before switching to HTTPS.
You risk other compatibility problems besides social and CDN. Some older web apps may not support encryption. Additionally, a misconfiguration or an older browser like Internet Explorer 7 not recognizing your chosen SSL provider could mean that your visitors are shown a message like this.
You will also want to consider speed, even though SSL won't slow your site like it did in the past. It is, at the very least, an extra step to loading a page. As explained above, the browser pings the server to verify identity before content starts to load. This will affect speed, under most circumstances. While the effects are much less detrimental than they were 5 years ago, if a fraction of a second is added to an already slow page load, it can hurt both user experience and search rankings.
The increase in page load time is negligible on optimized sites, without the code bloat that plagues many WordPress themes, and if the site is on fast distributed servers. Basically, if everything runs as it should, there won't be a huge problem.
There is also an open networking protocol called SPDY, which was primarily developed by Google with the goal of reducing page load latency for SSL traffic. Renowned marketing expert Joost de Valk explains in this article that it actually made his site faster (at least on modern browsers). But I wouldn't upgrade with the expectation of a performance increase.
If your site server and website code are ready and you set up 301 redirects correctly, there are many benefits to switching to SSL.
You Can Now Encrypt for Free
Encryption isn't just a priority for Google; it's good for the internet. That's why StartSSL offers free basic certificates for individuals. To make it better, the Electronic Frontier Foundation uses StartSSL. That's an endorsement that should let you sleep well at night.
That said, I cannot talk about free SSL certificates without mentioning Heartbleed, a bug found in the popular OpenSSL cryptographic software library. This bug allows anyone to read the memory of servers protected by the vulnerable versions of OpenSSL. It compromises the secret keys used to identify the service providers and to encrypt the traffic.
According to the StartSSL website and every security expert I've spoken with, StartSSL was never affected by the Heartbleed bug. That said, all software is subject to flaws. Bash Bug is an example of that. It's part of the world that we live in. All this to say, SSL encryption is worth it. You get more complete data from analytics and better security for your website, and it can be done for free. For a step-by-step guide to setting up StartSSL, I'm referring you to the very detailed blog post by Mike Mill.