HTTPS, the secure version of internet traffic, is growing in usage around the world. There are a lot of benefits to using it, but also some drawbacks. Should you switch your site? Should you switch only parts of your site? Let’s consider the options.
There are three ways you might use HTTPS on your site.
All three of these are perfectly valid for different situations, and there’s nothing wrong with adopting any of them, so long as you understand your site and the requirements it has.
In what situations might you not care about HTTPS at all? Well, if you’re just running a simple blog, you really don’t need to care about HTTPS. The only place a user might log on is via the comments section, and you can use a plugin like Facebook Comments or Disqus so they handle their own logins and security. Other than that, there’s no reason you need your web traffic to be encrypted. Only the absolute most privacy-conscious folks will care, and they might be using a plugin of their own to encrypt traffic from their end.
However, if your site has anything that might require a login – like a web forum, a members-only portal, or a shopping cart system – you’re going to need SSL, which means HTTPS. Shopping carts are especially important to secure, since they handle payment information as well as login information, and the fastest way to lose trust in your storefront is to not secure payment information. It’s really quite easy to snoop on unencrypted web traffic – you can get free tools to do it online, and they aren’t even illegal – so your users will almost certainly avoid your site like the plague.
Of course, if you’re using a shopping cart system that runs on a third-party infrastructure, it probably has its own security. Plus, accepting payments through something like PayPal requires an outside window to PayPal itself, which is secure. You don’t technically need SSL of your own, though it’s still generally a good idea to layer up over the shopping area just to make people feel more secure.
As for total site SSL, there’s not necessarily any real incentive beyond wanting to make your entire site secure. I mean, there is a little, since Google made HTTPS a ranking factor back near the end of 2014, but it’s still a pretty minor ranking factor. There are likely a whole lot more important optimizations you can make that will have better effects.
Making your whole site HTTPS has a few benefits. Let’s look at each of them in detail, shall we?
#1: As mentioned above, SSL across your whole site is a search ranking factor now. It’s a good idea to do everything you can to optimize your site for the best rankings possible, and if you’re in close competition with your nearest competitors, it might be the difference between trailing behind or coming out ahead. On the other hand, it might still make a difference in a negative way… but more on that later, in the cons section.
#2: The lock symbol in the URL bar is a sign of trust for many web users, particularly those who aren’t really experienced and just know what they’re taught. This includes a lot of the older generation of people, who are particularly prone to phishing attacks and other trust-based attacks. They’re often taught that the lock means a site is secure, even if they don’t understand the technical reasons behind it. Just having the lock can increase trust in your site.
#3: HTTPS helps prevent man-in-the-middle attacks, which means your site is more secure against phishing attempts. The way SSL works, visitors to your site see the certificate and send a query to the certificate authority, verifying whether or not the certificate is valid. If it’s not, the site won’t load. Of course, SSL errors can happen, and they can hurt your site if they do, but the prevention is a great thing to have.
#4: You will probably get more referral data. HTTPS sites do not pass referral data to HTTP sites, because they would need to decrypt the data, and that defeats the purpose of SSL. Once you upgrade to HTTPS, all of the referral data you were losing will successfully pass to you, and you’ll be able to see in greater detail where your traffic is coming from.
All is not sun and roses in the land of HTTPS. There are a lot of perfectly valid reasons why you might not want to upgrade your site. Frankly, the cons outweigh the pros, but more on that in the conclusions section.
#1: As far as search ranking factors go, it’s very minor. The only reason Google announced it is because they’re in favor of total web encryption for the sake of open information and less censorship, not to mention the security benefits. They could easily have made it a search ranking factor and never mentioned it, and chances are most sites wouldn’t have even noticed.
#2: The change in URL can dramatically hurt your search ranking, particularly if done improperly. You need a full-site URL redirection scheme put in place. The way Google works, the URL is the indicator of the page. If the URL changes, even by one character, it’s considered a new page. Redirects help tell Google the old page has moved, but it doesn’t pass 100% of the value of the old page over. There’s always a little loss. If you don’t implement those redirects, you can take a huge hit in SEO, and it won’t come back easily. Once you do work back your old value you can reap the rewards, but it might be a year or more off.
#3: You have to buy an SSL certificate, and those are not necessarily cheap. There are three levels of validation. Domain is the basic level and certifies your domain, and is the cheapest. However, it doesn’t show your company name in the certificate, so some people will be skeptical. Company validation is more expensive but does show your company name. Extended validation is even more expensive, and shows your company name in the address bar, so it’s the best for casual security. However, SSL costs can be high. The cheapest can be only $5 a month, but the more expensive levels can reach $250 a month or more. It’s an additional monthly fee that not every business can handle with their tight budgets.
#4: You have to install the SSL certificate properly, which not all web hosts will do. Messing it up can be a pretty bad thing, too. If you’re not a technical person and your web host doesn’t handle SSL for you, it can be a tricky process to get it working, and in the meantime your site might have issues.
#5: You may need to go through your entire site changing internal links and links to images, JavaScript files, and more. If you weren’t using relative links, you’ll have to either rely on a permanent redirect or change the URLs on your site. For larger, established sites using absolute links, this can be an insanely time-consuming job. There’s no easy way to do it.
#6: You will need to update your site in Google’s Webmaster Tools, since the URL is changed so it’s treated as an entirely new site. Google is getting better about supporting the migration, so it’s not as bad as it used to be, but you still have to remember to do this and validate your new sitemap with HTTPS URLs instead of HTTP URLs. Thankfully, at least, Google Analytics will still maintain data consistency so you don’t have to worry about that changing on you.
#7: You will start to pass less referral data. As I mentioned up above, you’ll receive data from HTTPS sites and HTTP sites alike. However, as an HTTPS site, you will not pass your referral data to HTTP sites. This generally won’t be a problem that concerns you, though, so at least it’s not a huge issue. Don’t let this be your game-breaking decision.
#8: You may take a minor hit in site speed. SSL requires a handshake with an external authority to validate the certificate. Just like using a CDN, any time your site has to make a call to another server rather than its own servers, it adds latency. Most SSL providers have very fast servers, but that doesn’t stop the problem of a bad connection between the user and the destination. It’s entirely possible that your site will take a speed hit when you implement SSL. Since site speed is a search ranking factor – and a more important one than security – it might be better off for you to not invest in it. On the other hand, you may be able to find other ways to make up for the speed hit, and investing in those will balance out the issue.
#9: If you have APIs that old apps hook into, they may not be able to handle the SSL handshake. This is a particular issue with a lot of old legacy apps that don’t know how to handle encrypted traffic. Most of these apps are no longer supported, or if they are, the business still doesn’t want to upgrade because their own internal apps themselves are not supported and won’t be updated. Change is hard among the business community.
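A starting point for the link clean-up described in #5 is an inventory of every hard-coded `http://` reference in a page. The following is an added example, not code from the original article; the site name `example.com`, the sample page and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# (tag, attribute) pairs the browser fetches or submits from the page itself.
# An http:// value here is an insecure request made from an HTTPS page.
ACTIVE = {("img", "src"), ("script", "src"), ("link", "href"),
          ("iframe", "src"), ("source", "src"), ("form", "action")}
LINKS = {("a", "href")}  # plain navigation: adds a redirect hop once HTTPS is live

class HttpRefFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.hosts = {site_host.lower(), "www." + site_host.lower()}
        self.findings = []  # (line, tag, attr, url, kind, internal)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            url = (value or "").strip()
            parts = urlsplit(url)
            key = (tag, attr)
            # Relative, https:// and protocol-relative URLs need no change.
            if parts.scheme != "http" or key not in ACTIVE | LINKS:
                continue
            kind = "insecure-request" if key in ACTIVE else "link"
            internal = (parts.hostname or "") in self.hosts
            self.findings.append((self.getpos()[0], tag, attr, url, kind, internal))

def audit(html, site_host):
    """Return every absolute http:// reference found in one HTML document."""
    finder = HttpRefFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

def to_https(url):
    """Swap only the scheme; host, path, query and fragment are kept."""
    return urlunsplit(("https",) + tuple(urlsplit(url)[1:]))

# Constructed sample page for the hypothetical site example.com.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/css/site.css">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<img src="/images/logo.png">
<a href="http://example.com/about?ref=nav#team">About</a>
<a href="https://example.com/contact">Contact</a>
<form action="http://www.example.com/login" method="post"></form>
</body></html>"""
```

Findings marked `internal` can be rewritten with `to_https`; references to other hosts need a check that the third party serves the same resource over HTTPS before the URL is changed.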
The benefits of HTTPS generally will not outweigh the drawbacks as they stand today. The benefits you get – minor security and SEO boosts, essentially – can be very minimal compared to the potential loss in search ranking.
That said, if you’re going to upgrade, you have to pick the right time to do it. If your business is very seasonal, like you sell Christmas ornaments or something, you want to wait until something like February to do your conversion, so you have time to build back up before your surge next year.
However, if you’re already doing a website redesign that involves changing your URL scheme – for example, if you’ve changed URLs entirely, or if you’re changing from one style of permalink in WordPress to another – you’re already going to take the SEO hit. You might as well make the change to HTTPS at the same time.
Oh, and one other thing. If you’re suffering from a Google search penalty, it’s going to follow you regardless of what you do. Switching URLs – from one domain to another, or just from HTTP to HTTPS – doesn’t matter. Sure, your new URL will look like a new site, but it still has the same content, and Google is smart enough to put 1+1 together to make 2.
At the end of the day, there’s not a lot of reason to invest fully in HTTPS unless you’re already doing something that will trigger the consequences of a URL migration. If you are, HTTPS provides a benefit on top of the other benefits you’re already hoping for. However, the exception to this is if you’re running something that requires a user passing in their personal information. Usernames and passwords should be secured, and if you’re handling any kind of payment information at all, you absolutely need the best SSL you can buy. There’s absolutely no excuse for mismanaging user data, and not only can a breach hurt your customers, it can destroy your business.
Now that we have the HTTP/2 server protocol, it forces SSL or the newer TLS. However, HTTP/2 actually will speed a site up by at least 20%, so there is now a better reason to change over to HTTPS!