July 25, 2017

What You Need to Know About Changing From Http to Https


If you’re going to collect sensitive information or conduct transactions online, you should plan on changing from http to https on your website.

To discover why, let’s start with some definitions:

Http (or Hyper Text Transfer Protocol) is the method by which data is moved around the Web. You can see just how integral http is to the online world by looking at the beginning of any Web address.

On the plus side, http is fast and reliable. On the minus side, it’s as secure as a diamond at a cat burglar’s convention. There are lots of ways to hack your way into data being transferred via http and while that’s not a problem for many online data transfers (e.g. watching a video, viewing a website), it is a problem if you need to protect the data that’s being sent.

Https (or Hyper Text Transfer Protocol Secure) is the answer to the data protection issue. Used on sites that feature eCommerce, banking, and even just a login page, https protects data by encrypting it before sending it either way by using an SSL (Secure Sockets Layer) Certificate.

An SSL certificate contains both public and private encryption keys that are long strings of alphanumeric characters used to encrypt data in a way that’s very hard to crack thus making it ideal for protecting sensitive data.

The Process of Changing From Http to Https

On the surface, changing from http to https is pretty straightforward:

  1. Purchase an SSL certificate,
  2. Install your SSL certificate on your website’s hosting account,
  3. Make sure that any website links are changed from http to https so they are not broken after you flip the https switch, and
  4. Set up 301 redirects from HTTP to HTTPS so that search engines are notified that your site’s addresses have changed and so that anyone who has bookmarked a page on your site is automatically redirected to the https address after you flip the switch.

It’s just that easy. However, thanks to the overwhelming number of options offered by SSL certificate vendors and packages offered by hosting companies, this straightforward process can become very confusing.

The situation is not helped by the fact that moving your site from http to https requires dealing with more tech than most small business folks feel prefer.

That’s why we’re going to dive into the four steps above only as deeply as necessary to make the business decisions that need to be made and to understand the technical details on a basic level.

Why not go deeper on the technical end? For one good reason that will make the entire process of changing from http to https easier:

Your Hosting Company Can Manage Most of the Process for You

If you already have the technical experience required to change your site from http to https, then by all means, manage the entire process end-to-end.

Many small business folks however, do not have experience with the technical side of this process. As you’ll soon see, there’s enough of a learning curve on the business end.

As a small business owner, you do need to be involved in making the business decisions. However, you may be better off having someone who knows what they’re doing — someone you can trust — handle the technology side. One option might be your website hosting company.

Many hosting companies offer packages including an SSL certificate, the installation of the certificate you select and 301 redirect setup. That leaves you with only one technical task, the straightforward job of changing your website’s links to point at https instead of http.

It may cost you a bit more to purchase a package. However, the amount of time you’ll save, and frustration you’ll avoid, by handing over the technical end of the process to your hosting company will more than make up for the expense.

Below is an example of one hosting company’s https + SSL certificate offerings (SiteGround). Here are a couple of things to note:

  1. You should always contact your web hosting company to make sure you understand exactly what’s included. For example, though it’s not listed, a quick online chat with SiteGround confirmed that setting up the 301 redirects was included in all three packages.
  2. As you can see, you can either use an SSL certificate provided by the hosting company or you can use a certificate purchased from a separate vendor. This changes the pricing of each package a bit (as indicated by the “Other Provider’s Price” row). This will make more sense in a bit.

changing from http to https

As explained earlier, even with someone handling the technical side, you still need to make the business decisions and understand, at least on a basic level, what’s involved technically. That’s the topic of the rest of this post.

Ready to get started? Let’s get to it!

Purchase an SSL Certificate

There are two ways to purchase an SSL certificate:

  1. From your hosting company, or
  2. From an SSL certificate vendor.

While it’s easier to just buy the certificate from your hosting company (especially if it’s part of a specially-priced package), sometimes they don’t offer the type of certificate you require.

Yes, there are many types of SSL certificates and you should select one based on your business needs. Below, the different types of SSL certificates are grouped by validation level (important for marketing) and then by the level of coverage. You should select a certificate that meets your goals in both areas as closely as possible.

SSL Certificates by Validation Level

When you move your site to https, that change is reflected in your browser for your website visitors to see. There are three levels of validation, each providing more assurance to your potential customers than the next. That’s why the validation level you select is also a marketing decision.

All three levels cause a closed lock to appear in a browser’s address bar, an indication that the connection with your site is secure. Beyond that, there are differences in both the information displayed when viewing the certificate in a browser and, at the highest level of validation, in the browser’s address bar as well. You can see these differences within the images included in the descriptions of each validation level below.

Time and money are two more factors to consider when selecting your certificate’s validation level: the higher the validation, the more work and the longer it takes to receive your certificate. That’s because each step up offers more validation of the domain’s owner (i.e. your business) than the step before. It also requires more paperwork on your end and more review on the issuer’s end. In addition, the higher the validation level, the more the SSL certificate will cost

IMPORTANT NOTE: the amount of actual data security provided is the same for all three levels of validation — the additional validation is more of a customer trust builder than anything else.

The three levels of SSL certificate validation are:

  1. Domain Validation — The basic level of validation, domain validated SSL certificates will cause a Web browser to display a closed lock image next to the website address demonstrating that the site is secure. As shown below, when you view the details of this type of certificate within a browser, the “Subject Name” section displays the most basic information. It tells a prospective customer that, yes, this domain is secure. But it does not mention which company secured the domain. And that lack of a company name can be a trust issue with potential customers. For example, it can lead to situations where someone can set up a fraudulent domain (e.g. “robowhos.com” instead of “robowhois.com”) and nab sensitive data from those who are taken in by the ruse.

changing from http to https

  1. Organization Validation (a.k.a Company Validation) – When you obtain an SSL certificate with this second level of validation, the issuer is confirming the fact that the company requesting the certificate does indeed own the rights to the domain for which the certificate is being issued. As you can see below, when you view this type of certificate in a browser, the “Subject Name” section displays more details — including the company name. This extra level of detail provides assurance to potential customers that the site is legitimate and safe to do business with.

changing from http to https

  1. Extended Validation — Extended SSL certificates provide the highest level of assurance that a site is legitimate and trustworthy to do business with. As you can see below, not only is there more information in the “Subject Name” section, the company’s name is also shown directly in the browser’s address bar. (In fact, in some browsers, the entire address bar turns green when the site is viewed.) An extended SSL certificate proclaims that the company owns the rights to this domain and meets the rigid review standards necessary to receive this level of validation. Now that’s good marketing!

Extended Validation SSL Certificate

SSL Certificates by Coverage Level

Another way to group SSL certificates is by the level of coverage they support. The three levels of SSL certificate coverage are:

  1. Single Domain SSL Certificates — This type of SSL certificate will cover one domain and one domain only. For example, you can use a single domain SSL certificate to secure mysmallbusiness.com but not support.mysmallbusiness.com.
  2. Wildcard Domain SSL Certificates — This type of SSL certificate will cover one domain and all the subdomains underneath that domain. For example, you can use a wildcard domain SSL certificate to secure mysmallbusiness.com and support.mysmallbusiness.com and any other subdomain.
  3. Multi Domain SSL Certificates — This type of SSL certificates can be used to cover multiple domains. For example, you can use a multi-domain SSL certificate to secure both mysmallbusiness.com and any other domain, say myothersmallbusiness.com.

Installing Your SSL Certificate

Installing your SSL certificate on your website entails generating both public and private encryption keys and entering them in the correct spot on your Web hosting control panel.

If you’re not sure how to do these steps, you have two options:

  1. Allow your hosting provider to do it for you.
  2. Search your hosting provider’s support section for step-by-step instructions. If you can’t find any, just pick up the phone and call their support line.

Search Engine Optimization? Yes, Search Engine Optimization

Back in the summer of 2014, Google announced that it was making a small change in its algorithm to boost sites that use https. The search engine also intimated that the importance of https in search rank might grow slowly over time.

While businesses with https haven’t seen huge search rank increases over at Google, it’s never wise to ignore the search giant. What does this mean as you’re changing from http to https?

Instead of using https on only sensitive parts of your site, you may just want to go ahead and use https for your entire site. This does not affect accessibility or performance in any way and it’s a great way to hedge your bets against future Google algorithm changes.

Changing Your Website’s Links

Changing the text “http” to “https” in all of your links that point to other parts of your own site is likely the one technical task you’ll need to do yourself.

If you haven’t been using relative links (partial links using only part of a page’s entire url like “/2015/03/update-wordpress.html”) you’ll need to review all of your site’s content to find links that point to other parts of your own site. Take advantage of this opportunity to switch to relative links instead of just replacing “http” with “https”.

If you’re using a content management system such as WordPress, make sure to change the permalinks to use https.

Setting Up 301 Redirects

As mentioned above, 301 redirects both alert search engines that your site’s addresses have changed and redirect anyone who has bookmarked a page on your site automatically to the new https address.

It’s likely that your hosting company will make this change for you (don’t forget to ask if it’s part of their package), but if you want to do it on your own, you need to edit the .htaccess file in your root folder by adding:

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Conclusion

If there’s one guarantee about changing from http to https, it’s that you’re going to be confused at some point during the process.

If you can avoid most of the tech work and focus on the business decisions you need to make, you will reap benefits. Those benefits include greater customer trust, super-tight data security and even a slight chance that Google will rank your site more highly.

Secure Site Photo via Shutterstock

10 Comments ▼
Advertise Here

Matt Mansfield


Matt Mansfield Matt Mansfield is the Tech Editor at Small Business Trends where he is responsible for directing and writing many of the site’s product reviews, technology how-to’s and lists of small business resources.

10 Reactions

  1. Great read but you forgot 1 major thing… You need to TELL the search engines about the change. For Google, you need to list all variations of your website and submit a new XML Sitemap with the new URLs.

    Per this article by Search Engine Watch, “More Than 80% of HTTPS URLs Display as HTTP in Google”: http://searchenginewatch.com/sew/news/2398967/more-than-80-of-https-urls-display-as-http-in-google

    It’s not enough to make the change, but you also need to communicate that change with the search engines or it isn’t worth your time and money.

    I usually don’t plug my own articles, but if you’re interested, you can read my write-up on the topic to help your readers: https://shannonksteffen.com/https-for-increased-seo-rankings/

    Again, great read and look forward to the update!

    • Matt Mansfield

      Shannon,

      Thanks for making an excellent point! Aside from changing the .htaccess file, updating your sitemap both locally and over in Google’s Webmaster Tools will help assure that your transition from http to https runs much more smoothly.

      In addition, folks should also update any sitemap plugin or extension settings so newly generated sitemaps reflect the change as well.

      Thanks again!

      -Matt

  2. Thanks for the clear explanation.
    By chance, my site is on SG, so this is really perfect.

  3. I made the change with my hosting company and its become a DISASTER. The site loads on both http and https but there is nothing but gobbledegook on the https url and and the http url loads like a snail. I’m screaming bloody blue murder to get it fixed, but they haven’t been able to.

    Any suggestions, my site is dying here.

  4. Thank you a lot for providing individuals with a very terrific possibility to check tips from here. It really is very beneficial and also stuffed with a good time for me personally and my office colleagues to search your web site at the least three times weekly to read the newest guides you will have. And lastly, I’m usually happy with your wonderful concepts you give.

  5. Great article, it would be great to hear more about the most recent updates in 2017 regarding HTTPS. For example, browsers are now showing ‘not secure’ for sites with HTTP that currently have fields to enter credit card or password. As of October 2017 any contact form on sites will be considered not secure unless the site switches over to HTTPS

  6. My advice for anyone considering moving their website to https.

    Remember this.

    When you move you site, you basically creating a new site so all your existing links, trust and authority will be lost and you’ll have to redirect your links to the https version. So you WILL suffer link juice loss.

    And for this reason, I only recommend doing this change if you don’t have much to lose in terms of SEO link juice or you’re a brand new site.

    The truth: The benefit of https in terms of SEO power is probably not worth your while if you’re an aged authority website with a solid link profile unless you’re able to go change all your links which is normally close to impossible. But yeah, if it’s possible then that is the best option.

  7. Thanks for sharing such informative post! Yes, it is really important to change your website into a secure one since most of the functionalities of websites now would require one to be secured like allowing ads to go in, and for page ranking of course since Google has announced that secured websites would have a little boost in their search engine.

Leave a Reply

Your email address will not be published. Required fields are marked *

*



Looking for templates, checklists or guides? The Small Business Resource Center has them!