I switched our site to all https a few weeks ago. Even though we use an external site to process credit cards, I felt that visitors would feel better with the site being secure.

I modified our htaccess file to redirect http://... to https:// (except for visitors using a few older browsers).

So far, it doesn't appear to have affected our traffic from Google (or any other sources) at all.

[edited by: aakk9999 at 11:45 am (utc) on Mar 21, 2016]
[edit reason] Fixed http link [/edit]

eCommerce or not, both Firefox and Chromium are proposing the deprecation of unencrypted HTTP, which means that any user of your website will see a warning unless you have a TLS certificate. Other browsers may quickly follow.

We'll probably all go this way in a bit, but so far, I'm not seeing any down turn for http --- yet.

Then again, others have thoughts on this as well:

TLS isn't up to the job without better credential protection says RFC
As part of the long process to make the Internet more secure, user credentials need better protection than the transaction layer security (TLS) standard.

A new experimental-level, RFC-7804, proposes applying a 2010 protocol called SCRAM for the purpose.

[theregister.co.uk...]

Is anyone seeing the red 'x' for unencrypted HTTP in Chrome yet? The HTTPS can be used with user log in pages, account management and payment gateway and whatever needs to be 'secured'. The rest of the sections on your site can just reside as HTTP. Or it's better to have the complete site under HTTPS for 'not provided' purpose.

There's this a really great article [seosherpa.com...] that shows there's a organic drop for sites that moved from being HTTP to HTTPS. Make sure you use valid certificates with proper SAN/DNS entries. I've got couple of warnings from Google through Webmaster tools. Invalid certificates and unauthenticated HTTPS seems more bad that an unencrypted HTTP for me.

2 of the hosting companies I deal with now offer free certs that auto-renew and a one-click tool to switch to HTTPS.

Of course there's more to it to get the site *right* with the SEs if there's a legacy of unencryption.

both Firefox and Chromium

We're essentially talking about HTTP/2 here, to give it a name, which all the major browser manufacturers support, but they're supporting it only if it's used over an encrypted connection. HTTP/2 offers many advantages in the efficient use of TCP, like "multiplexing", which will allow many concurrent requests over a single TCP connection, potentially leading to great increases in speed. It will also greatly reduce the number of network round trips.

So it's not a simple side by side comparison between a single HTTP and a single HTTP connection... it's a well conceived system that is backwards compatible, as I understand it, but with proper configurations will greatly reward TLS instead of plain HTTP. I've read reports that in some circumstances HTPP/2 is amazingly fast, but comparisons aren't simple, and there are lots of variables.

TLS isn't up to the job without better credential protection says RFC

They've known about the certificate problem as something that needed fixing since early on in Heartbleed, and steps have been taken to eliminate those problems and to clean up what's been a bunch of shoddy hosts and potential security holes. Google, among others, have suggested alternative approaches, and the article cited even discusses one, but that isn't featured in the alarmist headlines which "sell papers". It's there in the article. I suspect also that free certificates are going to be one way of cleaning up some shoddy practices.

In any event, HTTP/2 is the coming protocol, and it's going to require HTTPS... and I would certainly move in that direction if I had an ecommerce site.

Hi, avid reader, but first post and I signed up due to this thread. I installed ssl on one of my sites last Monday. I saw the rankings tank over the weekend and they are now slowly recovering.

However, some of my main rankings have returned only to disappear again. It is a wordpress site and I was using WP Rocket for caching. However, I have now switched to super cache, as I am not sure WP Rocket was causing problems with google bot crawling the ssl pages

301 redirects in place and all links on the site are either using the https absolute path or the relative path to the pages.

I've moved twelve sites to https in the past three weeks. No downturns, no problems (except I had to beat on one ad network to make all their pixels secure before I could run their ads) and everything's everything. Only one was ecommerce (that one was https for the cart, but I just moved it to https throughout) As long as you dot your i's and cross your t's, you shouldn't have too much trouble. We made a checklist to make sure we didn't forget anything (and of course we did, but we fixed it). My web host had to make some changes to NGINX because of my mad crazy summer traffic, but we tested it and think we'll be okay as long as we're not more than three times last year's traffic (which I can't imagine)

The one thing we lost was our social shares. There's a wordpress plugin that says they can recover them, but I don't know if it works. I decided in 2016 I didn't care. As long as I have the buttons, I don't care about the counts.

Worth it? I dunno. Once we got the hang of it, it was pretty painless. I don't expect to get any ranking boosts (but those sites all rank fine anyway) My developer wanted to do it because he thinks all sites should be secure as well. It pretty much seems to be the way to go in the future, so I figured we might as well knock it out now.

I just implemented SSL on my site. I found out I had SSL 2.0 when I did a security check. I'm getting my server guy to upgrade it to tls 1.2. This is a brand new site so I don't expect any problems. I plan to have stripe links that pop up a payment on many pages so I need SSL on most my site including front page. Stipe said I needed to have SSL on any page that has a payment to avoid man in the middle attacks.

I'm seeing nasty attack site warnings when trying to reach a site from serps if the host has applied https to a website but the webmaster allows non-https pages to be ranked. If you don't sell product or take visitor input there really is little benefit to https, at least not enough to offset the cost and headache.

I mean I could say "every page should be https" to be PC but I think being PC for the sake of being PC is just as bad as not being PC. /shrug.

If you don't sell product or take visitor input there really is little benefit to https

But there *will* be (see Msg#:4795922 & Msg#:4795932)

I've seen one to many examples of big sites switching to HTTPS and loosing traffic by such a big margin that they could not recover for months if at all. Use https only if you have login option or the obvious data collecting pages. Else be ready for some traffic shakeups.

All in all I'`ve seen only two of the websites I have worked on to see any real benefit from switching to HTTPS. Google needs to provide way bigger ranking boost for me to consider moving any big property to be honest.

Anybody reading these warnings about losing traffic that is not an issue if your starting a new site or a site with no links and/or no traffic from Google. They are only referencing sites that are already ranking in Google.

I repeat - I saw NO CHANGE in traffic or ranking. Over twelve sites. It is my belief that G and B both pretty much understand transitioning to https by now.

@netmeg do you do a 301 redirect from http to https sitewide when you do your switch.

I believe it should be a sitewide redirect and there should be a 'change of address' request in GSC which will not work on partial transition. Off-topic - I found duplicate issues with some of the sites in the past that used both HTTP and HTTPS (for secure pages). They used 'relative links' in the coding which created duplicate HTTPS pages of those links on the secure pages. Good that the CMS is configured to use HTTP self-canonical on all pages by default which solved the problem.

@netmeg do you do a 301 redirect from http to https sitewide when you do your switch.

Yep.

@netmeg do you do a 301 redirect from http to https sitewide when you do your switch.

Yep.

The Apache docs [httpd.apache.org...] says:

In the case of the http-to-https redirection, the use of RewriteRule would be appropriate if you don't have access to the main server configuration file, and are obliged to perform this task in a .htaccess file instead.

Actually that's what I put in; sorry - I was breezing through when I answered before.

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

Another data point, I went to EV SSL over a year ago. No change in rankings.

I generate leads (personal info) on the site, so the full EV was important IMO. Most people don't care, but it's important for branding IMO - having the 'certified real business at this location' can only help, not hurt.

I have one ad network that does not support HTTPS yet. I could go full SSL right about now, if not for this network - dropping their business would mean a 20% reduction in revenue. Google SERPS would have to be so a lot better for full HTTPS sites to compensate for loss of revenues in some cases...

Here's what happens when you 301 a site from HTTP to HTTPS is that Google actually has 2 different sites, they are not the same. If you watch your webmaster tools you will watch the crawl rate and other items on the HTTP site drop like a rock, DO NOT PANIC! Look on your WMT for the HTTPS site and you'll see them increasing.
This may be why some people mistakenly think their HTTPS site hurts them because they don't know that WMT transitions from the HTTP to the HTTPS site and they are totally separate.
Could give cause to crap your pants if you're not aware of this.
I wasn't, threw the pants out.

All of the reports - including search queries - in Webmaster Tools look bad for our site after we switched it to https. But, we can see in Analytics that we are really receiving the same amount of traffic as before.

@incredibill - Thing is 301 provides <100% of the rank juice, hence why some websites with a-lot of traffic see visibility shrink by several percent quarter to quarter. Eventually the visibility can go back to pre-https levels but when it hits your money keywords and you C-suits are booing you with burning torches on your frontyard, things get a bit dicey. You pay once for the entire migration and certificates and then pay a second time with your visibility - not cool and do not recommend it in any way shape or form, unless its needed for obvious data security purposes.

When Oracle switch to https - I might consider changing as well :)

I just contacted everyone I could and asked them to redirect my link to https://

Several years ago when Google first began crawling, or should I say exploring for, https versions of sites, I decided to commit to the none http version of the site. I found that simply inserting "link rel=canonical http ://..." in the https version of the page, cleared up the indexing of sites perfectly. A 301 redirect was not required. So now with some tweaks visitors can visit either version of the site http or https, its their choice. Google has cleanly indexed the http version and there are no duplicate entries in the index for https versions.

That works well for say 1000 page website. But when we talk about 100,000 page website with several custom CMS supporting the entire thing, this otherwise good idea become nigh-impossible to implement without errors and major duplicate content issues.

Hi Guys

We did this back in September on a very high volume site - observations:

1. The site initially tanked - we tracked this down to not uploading the disavow file stored in the http record of Webmaster console to the https record on Webmaster Console.

2. Having corrected that, we were still down because of the Google penalty on 301 redirects. I believe that Google got rid of this penalty in December, recognizing the silliness of demanding that people switch to https, but then penalizing them for using 301 redirects.

3. We took a spanking on our Facebook social signals, with all of the share counters resetting to 0 - this was painful, given that we had many thousands of shares on individual pages, and this gave our pages huge credibility. We've had to rewrite our social buttons to get around this.

All in all, I'm glad we switched, but we took a lot of punishment going through the process. Not funny.