What will happen if I don't switch to HTTPS?

possible downside of non-secure pages

         

keyplyr

12:23 am on Feb 18, 2017 (gmt 0)

Many site owners are still deciding if or when they will follow the new SSL standard of using a security certificate and switching to HTTPS.


Possible downside of not switching to HTTPS*

• Visitors may start to decline. As discussions about secure web sites become more popular, visitors may avoid non-secure web sites.

• Browsers are still transitioning but the warnings will get more explicit for ALL pages, not just Credit Card or forms. These warnings may further scare off visitors.

• Google has made statements that secure sites will gain advantage in mobile & desktop SERP. HTTPS is already being displayed for secure sites. Bing & other Search Engines will surely follow.

• Eventually, non-secure websites may be considered unsafe to users and purged from SERP altogether.

• Browser support for HTTP/2 protocol is only for HTTPS websites. This protocol greatly speeds up page loads. If your site is not secure, you will not benefit.

*Possible scenarios, no one knows for sure.

farmboy

11:44 pm on Feb 22, 2017 (gmt 0)

"More and more hosts are making it easier to freely install & use certs for their hosting customers."


If it is allowed here, would someone mention the names of a few of these hosts making it easy to freely install? Any of the larger and/or better known hosts?

I wonder if this will lead to all (or most) making it free and easy?


FarmBoy

keyplyr

11:50 pm on Feb 22, 2017 (gmt 0)

guggi2000 - don't argue what is unrelated. SSL (HTTPS) is not many things.

HTTPS is a protocol, a language the browser uses to speak to the server. This language is encrypted so 3rd parties cannot capture info during this transaction. HTTPS is not a cure all for all the internet's security woes.

A Wiki article is part of the web. The web has moved to be more secure by implementing all pages be HTTPS.

tangor

12:35 am on Feb 23, 2017 (gmt 0)

"That is not a fact based statement, more along the line of a conspiracy delusion. There is no evidence supporting anything like that scenario."


Google started as bait and switch and continues to this day (not a delusion) and nothing has changed. What I said was that things given away for FREE to get folks to do it INVARIABLY become mandatory and monetary values are added and that is HISTORICAL, not hysterical.

Think Bell Telephone as an early "tech" version....

HTTPS has a purpose to encrypt, it has no benefit re: transport or delivery of content. If AMP can suck folks in, I suppose the G run on HTTPS will soon follow.

keyplyr

2:22 am on Feb 23, 2017 (gmt 0)

Google is not giving away certs for free, Mozilla's Let's Encrypt [letsencrypt.org] is... you know, the ones who give us Firefox (for free.)

Google is championing the web's move to HTTPS but it is not selling security certificates that I'm aware of. HTTPS has nothing to do with Google projects like AMP, Structured Data or Rich Cards.

You can entertain all the conspiracy theories you like. The simple fact is, the standard for the web is now HTTPS. HTTP/2 is supported by all major browsers to display web pages more quickly. HTTP/2 is only supported on sites that use HTTPS.

tangor

6:37 am on Feb 23, 2017 (gmt 0)

Still missing the point, but let's move on....

HTTPS is not a requirement .... yet. That's all the OP asked. :)

(The way to get folks to take up something new is to prime the pump by giving it away for free.)

graeme_p

6:37 am on Feb 23, 2017 (gmt 0)

A lot of shared hosts support Let's Encrypt

That said, I think it will take a long time to switch.

The underlying problem is the mechanism used by certificates. Something more like ssh where everyone always issues their own keys - or the option of doing either - would be far preferable.

keyplyr

7:59 am on Feb 23, 2017 (gmt 0)

"HTTPS is not a requirement .... yet. That's all the OP asked. :)"

I didn't ask that, but IMO I see no indication that HTTPS will be "required" and by who? However, eventually browsers may drop support for nonsecure sites. I guess we'll find out.

"I think it will take a long time to switch"

A large portion of the world's web sites probably won't switch. Many sites are not maintained and have become archaic. This might end up being an effective method of getting rid of the dead wood from indexes.

As far as "something more like ssh" I think it is foreseeable that security certificates will evolve as the protocol advances to support some yet-to-be realized future purpose.

guggi2000

8:42 am on Feb 23, 2017 (gmt 0)

@keyplyr If there is private data HTTPS is a must. I also understand the marketing point of view: A green lock, better SEO signal, user expectations etc... it is better for a website.

But technically speaking, why is a specific public (and static) page, such as a Wikipedia article more secure under HTTPS?

guggi2000

9:22 am on Feb 23, 2017 (gmt 0)

2 more questions:

1. WWW vs non-WWW are 2 different sites but GSC gives the option to indicate the preferred one to serve the right version. Why is Google pushing to switch to HTTPS while at the same time claiming that switching to HTTPS is like moving an entire domain, which is not entirely risk-free? Sounds strange that they did not better prepare for this, as they did with WWW and non-WWW

2. Have you heard that if you turn on HTTPS without doing a 301 redirect, Google will eventually pick it up anyway and decide that it would serve the HTTPS version?

keyplyr

9:30 am on Feb 23, 2017 (gmt 0)

@guggi2000
A website can be sensitive even if it's just information. What's sensitive to some may not be sensitive to others, so it's impossible for Google (or anyone else) to tell. It's best to encrypt everything.

Besides sensitive information that a site can collect or not, there is still the risk of a "man in the middle" attack on regular sites like an article on Wikipedia (for example).

A browser sends a transmission to a server supplying a set of credentials. The server responds likewise. This is how the browser gets the necessary files to construct the web page.

It all travels over the internet in plain-text. It can be read by 3rd parties which can inject malicious code into your page during that transmission (man in the middle attack.) HTTPS encrypts the transmission so this can't happen.

WWW & non-WWW are unrelated to this discussion so I won't get into that.

guggi2000

10:13 am on Feb 23, 2017 (gmt 0)

@keyplyr We're not talking about the same thing: You're talking about credentials being transmitted and I am talking about static and public content without any credentials.

@keyplyr I did not ask about WWW & non-WWW. I asked why switching to HTTPS is like switching an entire domain.

robzilla

10:24 am on Feb 23, 2017 (gmt 0)

"Careful, HTTPS encrypts the content of pages, not the URL itself (or at least not the IP or Host)."

Well, which is it? The URL is most definitely encrypted, and so is the host, since both of them are HTTP headers and encryption is set up on the level of the TCP connection (using only the IP addresses) before HTTP even comes into play.

"The underlying problem is the mechanism used by certificates. Something more like ssh where everyone always issues their own keys - or the option of doing either - would be far preferable."

It seems to me that if you can vouch for yourself, rather than having a trusted CA vouch for you, the whole idea of trust goes out the window. Which is exactly why self-signed certificates result in a warning; nobody dares to claim it's actually a secure connection. And with a system like SSH, your browser would need to hold a public key for every server on the internet.

[edited by: robzilla at 10:47 am (utc) on Feb 23, 2017]

keyplyr

10:38 am on Feb 23, 2017 (gmt 0)

guggi2000
RE: credentials - the term is applied to several functions. I described the browser connecting to the server and passing to the server basic information like language, IP address, user agent, etc. I was not referring to Credit Card or password credentials.

Please read what I wrote above. It addressed your concerns about why "static and public content" needs to be encrypted.

guggi2000

8:50 pm on Feb 23, 2017 (gmt 0)

Anyone an idea about my second question:

"Do you know if it's true that if you turn on HTTPS without doing a 301 redirect, Google will eventually pick it up anyway and decide that it would serve the HTTPS version as the preferred one in the SERPs?"

robzilla

9:23 pm on Feb 23, 2017 (gmt 0)

Yes, that's true, and has been for a while, but there are a few exceptions:

Specifically, we’ll start crawling HTTPS equivalents of HTTP pages, even when the former are not linked to from any page. When two URLs from the same domain appear to have the same content but are served over different protocol schemes, we’ll typically choose to index the HTTPS URL if:

- It doesn’t contain insecure dependencies.
- It isn’t blocked from crawling by robots.txt.
- It doesn’t redirect users to or through an insecure HTTP page.
- It doesn’t have a rel="canonical" link to the HTTP page.
- It doesn’t contain a noindex robots meta tag.
- It doesn’t have on-host outlinks to HTTP URLs.
- The sitemaps lists the HTTPS URL, or doesn’t list the HTTP version of the URL.
- The server has a valid TLS certificate.

[security.googleblog.com...]

guggi2000

9:41 pm on Feb 23, 2017 (gmt 0)

@robzilla

"- The sitemaps lists the HTTPS URL, or doesn’t list the HTTP version of the URL. "

In other words: If there is an updated sitemap for the HTTP site, then they won't index it...

robzilla

9:45 pm on Feb 23, 2017 (gmt 0)

If the sitemap on both HTTP and HTTPS includes only HTTP versions of the URLs, Google won't overrule that. It will consider that (HTTP) to be your preference, much like if your rel canonical tags on HTTPS were to point to HTTP.

guggi2000

9:48 pm on Feb 23, 2017 (gmt 0)

Has anyone considered not moving to HTTPS because of:

- Potential (temporary) traffic loss, similar to moving a domain. This was reported by several big sites, including Moz about 3 years ago

- Potential Adsense loss as reported by many webmasters, also 1-2 years ago

- Other unknowns, such as Facebook likes being reset for the new https version (yes, we are aware of the workaround)

- Compatibility issues and slight traffic loss (yes, we know it's minimal)

Opinions?

guggi2000

9:53 pm on Feb 23, 2017 (gmt 0)

@robzilla Thanks. I understood it this way that if the page does not exist in BOTH sitemaps Google will prefer the secured one.

robzilla

10:05 pm on Feb 23, 2017 (gmt 0)

"I understood it this way that if the page does not exist in BOTH sitemaps Google will prefer the secured one."

That seems to be true also, yes. Basically, if you want Google to return only HTTP, you need to make this known to them explicitly by listing only the HTTP URL(s) in the sitemap, employing rel canonical, redirecting, or by other means.

The general consensus seems to be that nowadays, if the implementation is correct, moving to HTTPS should not result in a loss of rankings, traffic or revenue.

guggi2000

10:17 pm on Feb 23, 2017 (gmt 0)

"The general consensus seems to be that nowadays, if the implementation is correct, moving to HTTPS should not result in a loss of rankings, traffic or revenue."

True, and I guess there is a very good chance that everything will be fine. However, I am wondering whether there are other people who postpone the move to minimize risks and unknowns.

Thanks

aristotle

10:24 pm on Feb 23, 2017 (gmt 0)

"It doesn’t have on-host outlinks to HTTP URLs."

I don't understand what that means.

robzilla

8:17 am on Feb 24, 2017 (gmt 0)

"I don't understand what that means."

If the HTTPS version links to the HTTP version, e.g. when you use only absolute URLs pointing to HTTP, Google assumes HTTP has your preference, and won't choose to index the HTTPS versions. If you explicitly link to the HTTPS versions, or you use relative URLs, and the other conditions listed are met, it will crawl, index and rank the HTTPS versions of your pages.

On-host meaning on the same domain. Whether other domains point to HTTP or HTTPS is irrelevant.

guggi2000

9:40 am on Feb 24, 2017 (gmt 0)

At the moment we serve our HTTPS pages through a subdomain and another webserver. Our main domain does not even listen to the 443 port (HTTPS port) to avoid any potential issues.

IMO, best practice is to switch the entire domain to HTTPS or not to switch at all. Do not have some pages HTTPS and some not. One could work with 301 redirects but that would create a mess too, sooner or later.

guggi2000

9:57 am on Feb 24, 2017 (gmt 0)

I am checking for all possible pitfalls when moving to HTTPS. One thread I have found on this forum refers to Webmaster Tools, but I am not sure if that is still relevant and what exactly happened to the user called @superclown2

[webmasterworld.com ]

Can anyone elaborate what problems can arise when defining a new site under GSC (Webmaster Tools)?

keyplyr

10:08 am on Feb 24, 2017 (gmt 0)

guggi2000 a discussion from 2014 may not be the best source to get an idea of what occurs today.

Correctly implemented, there should not be any problems with GSC. Using a 301 to redirect all traffic to HTTPS, your old site profile at GSC will die a natural death. Your new HTTPS profile will just take a few days to start displaying everything.

Not that complicated.

robzilla

10:57 am on Feb 24, 2017 (gmt 0)

"Correctly implemented..."

Quoting for emphasis, because as superclown2 admits in that thread, he made some mistakes.

In the Search Console, your backlink data will also be "preserved" so long as you redirect HTTP to HTTPS. I say "preserved" because they will appear with the added note "Via this intermediate link: http://www.example.com". Whether the links lose any value from the redirect of HTTP to HTTPS is a matter of debate, but I doubt it so long as the content and path are the same.

loupiote

11:52 am on Feb 24, 2017 (gmt 0)

but there is no turning back. if people start linking to your new HTTPS site, if you ever want to go back to HTTP (and drop your SSL cert), all those HTTPS links would cause a warning (unsafe redirection), so most likely google would not give any "ranking juice" from your HTTPS inbound links. right?

keyplyr

12:03 pm on Feb 24, 2017 (gmt 0)

loupiote - and the web isn't turning back :)

guggi2000

12:29 pm on Feb 24, 2017 (gmt 0)

@robzilla
"Whether the links lose any value from the redirect of HTTP to HTTPS is a matter of debate, but I doubt it"


I doubt it too. But the fact that there is a debate and we are not 100% sure makes me suspicious. As I mentioned earlier, in webmaster tools there is 1 checkbox to indicate www vs non-www preference. So easy, so clear. But they did not implement a checkbox for the https... and they had 3 years since the announcement.

This 204 message thread spans 7 pages.