HTTPS is an added cost that many small websites just can't afford, even if they're getting cheaper, and especially if there is no strong incentive to do so (personal blogs, etc). I know there are still legit reasons to do it, even for a personal blog, but it'll take a lot of convincing to make it happen. It also takes some work to get right.

If HTTPS can be adopted into a CPanel app model - push a button and get it setup immediately - then I think we'd see more widespread adoption.

Migration from HTTP to HTTPS will take a few years. Early adopters might read more benefits, but as the majority make the change, that benefit will DIMINISH exponentially. We will eventually end up right back where we are at the moment.

This is one of those "the more we change, the more it stays the same" kind of things. HTTPS, in and of itself, does not change the workings of the net, only the security.... because it does exactly the same thing we have now.

Designing RWD will be a bigger and more immediate result than migrating HTTPS. And cheaper, too.

If setting up HTTPS was made easy, it would merely add to the ad ridden dreck out there, like one click wordpress installs did, sites on blogger did, drag and drop WYSIWYG tools, facebook, pinterest, twitter et al did etc..

HTTPS is an added cost that many small websites just can't afford

@Dymero are you referring to the cost of the SSL certificate, or the performance cost?

Going all HTTPS can also be a non-starter if a site has to run third-party ads, many of whom don't provide SSL versions of their ad code.

For anyone that doesn't understand the performance cost check out this research paper by Dave Naylor [cs.cmu.edu...]

Making your site more mobile friendly and secure is abusing the SERPs? I'd say for the bigger sites that it's making the argument that it actually helps. The mobile friendly argument is much easier to make than the HTTPS one, as I can't find any evidence of a site seeing a boost by switching to HTTPS.

An interesting trend... the following site shows the percentage of sites using HTTPS by default:
[trends.builtwith.com...]

5.7% of the top 10,000 sites
5% of the top 100,000 sites
3% of the top 1 million sites
<0.1% of the entire internet

So it's not like there's a huge bandwagon going on. Still, there may be some useful reasons to go all HTTPS even if you don't expect a rankings boost.

I actually came across the above stats from this moz article discussing making the move to HTTPS:
[moz.com...]

When it was published in Sep 2014 the top 10,000 sites using all HTTPS was 4.2%, so it grew to 5.7% in the past 9 months.

Google made it easier for smart white hats to abuse serps

How exactly are the SERPS being abused ? https boost - later withdrawn by google so thats a myth. Mobile Friendly boost, maybe for mobile phone users only. But how has this been abused? I don't get the point of this thread !

It is not every day you get "white hat" and "abuse" in the same sentence. It confuses me.

How exactly do white hat SEO practitioners abuse the system?

It's like saying the overly good guys who constantly study for exams are abusing teachers to get high grades. That aside, I don't see significant rankings boost by switching to HTTPS - most of our clients' sites are still on top despite having an HTTP domain. As for mobile compatibility, it helps users. Period.

I don’t use https yet as I only have a content site; however, I think there are allot of myths posted here. Here is my view:

* https can be very cheap £15/$15
* https resources can be cached
* https is only slower (just 10% typically) on the first page view and can be sent faster by the proxi via TCP connection...

An HTTPS connection will often just be forwarded as a simple TCP connection through the proxy because HTTPS traffic cannot be intercepted.

Source: [blog.httpwatch.com...] (Top 7 Myths about HTTPS)

This forum is good source of information but I feel posters are often too quick to generalise or use sources as facts without first looking at more than one or two sources.

@johan

When can you get started on my site? I will pay you double your quoted price.

If I'm just a content website, then what use is HTTPS to my users if they aren't inputting data?

I'm not sure if I agree with the argument that every website should be under HTTPS. In any case, I've seen more of a negative rank change when a site has moved over to HTTPS. I get the argument that long-term it might give a boost, but I've yet to see evidence of that.

How much time, effort and money should one commit chasing Google's latest "thing" or preference? No, I'm not off subject..

For several years now Google has been operating in a success bubble. I don't see evidence that the movers and shakers at Google have their finger on webmasters pulse. Serp changes come and go - many of us chase the latest trend.

I don't know about the rest of you but for over a decade I spent most my time publishing tools, articles and everything else I could think of that would help my visitors be successful. Today, I spend most of my website time tweaking to the latest Google preference. Description tags, page layout, moving AdSense ads around, adopting https, mobile readiness, more links, removing links, disavowing links, title tags, and so on for minimal if not any gain.

How can one seriously and accurately test a website change if Google’s algo changes five times during the test?

How long has it been since there was a Google presence on WebmasterWorld? How long has it been since the typical webmaster could send serp feedback?

White hat webmasters should not have to jump this frequently or high this often to make Google happy...

Conclusion: Why put in the time and effort to change one's website when the benefits are unknown or never appear?

I don't know about the rest of you but for over a decade I spent most my time publishing tools, articles and everything else I could think of that would help my visitors be successful. Today, I spend most of my website time tweaking to the latest Google preference. Description tags, page layout, moving AdSense ads around, adopting https, mobile readiness, more links, removing links, disavowing links, title tags, and so on for minimal if not any gain.

When we as webmasters look at Google's serps, most of us wear blinders. The only thing we see is our site is not number one. Look at the serps objectively. Google's search results are loaded with paid spam (ads), links to Google's other properties, the occasional Wikipedia link, Amazon link, etc. Just how much room does that leave for anyone to appear at the top organically? None. Most of what webmasters are doing now is an exercise in futility - because Google leaves no room to be seen unless you pay. Which brings me to my next point... If we must pay to be seen, why should we feed the mouth that bites our hands? There are plenty of other paid placement opportunities elsewhere that are not only as effective as paid ads in Google, but are 1/4 of the cost.

Conclusion: Why put in the time and effort to change one's website when the benefits are unknown or never appear?

The answer is to benifit the users. Https does not benifit users so it is on the bottom of my list.

For anyone that doesn't understand the performance cost check out this research paper by Dave Naylor [cs.cmu.edu...]

This so called report is filled with nonsense, HTTPS does not cache... I did not waste another minute reading.

It's very interesting this, the only fact I know is that this Google mobile friendly DEAD LINE! was, well nothing but a sick joke. I see many many "desktop" sites above mobile sites from mobile devices, nothing has changed.

This DEAD LINE has cost the good people who provide the "internet" and I don't inc Google in that statement, many many millions of £ across the world. For what?

Let's keep thinking how we can improve.

Over the past year i've been reminding people about the knowledge graph, and pointing out that we should be preparing our sites to be ready when the knowledge graph opportunity comes around.
This means there's work to do!

What about improving structured data markup, and see schema.org. Not only will it benefit your site in Google, it'll help with Bing and Yahoo.
This means there's work to do!

Unless, you are an ecommerce or banking site, https at the moment is a vanity thing. That doesn't mean you shouldn't do it. Obviously, a webmaster/publisher should factor it into the development program for the site. It's not appropriate for all sites, and it's not required, but if you can make use of it, do so. Think of it as how it might help you win new traffic, and add credibility to your site. The actual ranking boost is unlikely to make a difference on its own. All the individual ranking boosts add up.
This means there's work to do!

When I look at Google SERPs I see an awful lot of promoted content, that's true, but I also see a lot of content that is ranking because it's doing better job than others, but it's not necessarily a better site. This morning i was searching for a long tail, and Google's usually pretty good at that. However, what i found was on page 2, not page 1. The sites on page one were doing a better job than the site on page 2.
This means there's work to do!

It's not all about Google, it's about traffic and conversions. Traffic can come from many places, paid or organic, and conversions are about making the site better for the user.

Mobile is another story entirely, and if you're the type of business that is likely to benefit from mobile user traffic, or do you need, or could your site benefit from an app?

We haven't even mentioned quality content, link development, ppc, e-mail marketing, offline marketing, etc., to drive traffic.

Everything mentioned here might be termed as white hat, although i've never liked that phrase.

This so called report is filled with nonsense, HTTPS does not cache... I did not waste another minute reading.

@FishingDad Are you sure about this?

Johan007 posted a link about HTTPS myths ( [blog.httpwatch.com...] ) that says:

Myth #7 – HTTPS Never Caches

People often claim that HTTPS content is never cached by the browser; perhaps because that seems like a sensible idea in terms of security. In reality, HTTPS caching is controllable with response headers just like HTTP.

The following delves into it further:
[stackoverflow.com...]

As of 2010, all modern, current-ish browsers cache HTTPS content by default, unless explicitly told not to.

It is not required to set cache-control:public for this to happen.

Let's try to stay on topic. If you are looking to discuss the good, bad & ugly about Knowledge Graph head over to Addressing Google Knowledge Graph [webmasterworld.com]
6:30 pm on Jun 30, 2015 (utc -5)

[edited by: goodroi at 11:52 pm (utc) on Jun 30, 2015]

We switched a major site of ours to HTTPS by using cloudflare at the $20/month level (additional sites for free or at $5 level). Added bonuses included SPDY support, a basic WAF / Security layer and a CDN. Overall, that cost was lower than the what we were spending with CloudFront on a global CDN (about $100 a month).

If your CMS is appropriately designed and you've been coding customisations with relative urls or protocol agnostic urls //host.com/asset.ext most sites that WebmasterWorld members run should be easy to convert.

Areas where we had problems with - embeds (embedly for example), some random third party extensions with hard coded or protocol specific urls.

@goodroi (not sure if these notifies you), Dave's whitepaper is inaccessible. I get a 403 error from HK.

I personally don't think this is "abuse", I just think it is following best practices. And honestly this and the mobile ready thing (which we have been for the last couple of years) have added little to our search traffic.

Our loss with this was that many old mobile browsers do not support SNI (which allows multiple SSL hosts to be located on 1 IP address). No biggie ... these users (5-10%) can find other ways to visit the site.

question for Shri..
re old browsers ..do you know of a list of browsers that do not support SNI ?
I'm thinking of consolidating groups of say 10 sites at a time on dedicated IPS..I have about 200 sites to do , so seperate IPs per site will get a bit "silly" ..also that would invove seperate certs per each site ..SNI would be my preferred way out..
But..I'd like to be able to show maybe an "you need to upgrade your browser" to those whose browsers have trouble with SNI..

or "sniff" them and divert them to another page on a "holding" site on it's own IP that explains why they may need to "upgrade"..

If you are having trouble accessing the link to Dave's whitepaper try googling "The Cost of the “S” in HTTPS" to find a site that has republished it.

The link to The Cost of S... mentioned above, now works..

Leosghost - Not sure what the list is, but we frequently get complaints from people using old Android 2.x phones.

Might be easier to predict what supports it - [caniuse.com...]

@Leosghost here's some SNI info:
[digicert.com...]
[blog.layershift.com...]

Major sticking point seems to be SNI not working for IE on Windows XP.

Thankyou..shri and dannyboy..:)

Major sticking point seems to be SNI not working for IE on Windows XP.

I just noticed this the other day when running an analysis on one of my https sites. My XP box is sitting in a corner these days (unplugged) but there are lots of people still running it. IE has always been a stick in the mud anyway IMO.

Is HTTPS white hat? I suppose if Google says it is. Is it SEO? That remains to be seen.

Implemented SSL on my personal blog site this weekend. It was indeed very simple to do on CPanel (no "push button" as I mentioned, but not very difficult). The biggest pain was going back through years of posts to make sure images were being served securely, but it was to my benefit to do so since there were other media items and links that were broken. There are plugins that can change over the protocol to HTTPS, but I found they made the site noticeably slower.

@dannyboy

Sorry I'm late, but I meant fiscal cost. I'd actually reverse my position now, to some extent. Certificates can be had for $10 from various vendors for single-domain certificates, and even basic wildcards certificates are not bad. It would be a lot more to ask of an EVSSL certificate, though.

@shri

I'm sure you know, but for all: be careful with CloudFlare's flexible solution for SSL, since it only covers user to CloudFlare, and not CloudFlare to your server. If you want full security throughout the entire chain, you still need a certificate on your server. I'm considering using Cloudflare for the CDN feature, but learned that when I researched it.

Addition: I also browsed several high-profile sites this weekend as well, and was dismayed at how many of them are using certificates using outdated cryptography. These are websites of multi-billion dollar companies...some of them in the financial sector to boot.