Forum Moderators: Robert Charlton & goodroi

Move to HTTPS... is it worth the stress?

lee_sufc

6:45 pm on Nov 24, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



I have a site which is 50% advice and 50% eCommerce. The eCommerce section of the website is on HTTPS pages for obvious reasons. However, for me to change over the rest of the site it is going to be a massive headache.

I've been reading more and more about how Google could penalise non-HTTPS sites. Is it worth me stressing over and moving everything to HTTPS or will it be OK to stay as I am?

Dimitri

2:28 pm on Dec 2, 2016 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Just one last remark: I did switch my "informational" site, which also has a forum, to SSL last spring. I used Nginx as the web server, Let's Encrypt for the certificate, and I run my own small dedicated server. This was really smooth, easy and no stress at all. Google / Bing followed the redirections. I had no loss of traffic or income (AdSense). Just last month, during one week, Google was showing the old URLs, but it was certainly a bug, or use of an old database for a moment. There was no increase of the CPU load, the SSL encryption being handled by hardware instructions.

Now about updating the HTML code of pages. For my internal links, I always made them start with "/", so I had nothing to update.

So to me, there is no worry to switch.

EditorialGuy

3:30 pm on Dec 2, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I switched one of our informational sites to https. The change was uneventful in terms of rankings and traffic, but it did mess up the site's Google Analytics for a while.

lucy24

7:57 pm on Dec 2, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Query: If you change a site to https, will referers from https google then give you the search information (“q=blahblah”) the way they do with http google? This, alone, would almost be worth it.

Is there any change in the behavior of cookies, whether your own or third-party? Seems as if this would be at least as big a security issue as a query string.

keyplyr

8:16 pm on Dec 2, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If you change a site to https, will referers from https google then give you the search information (“q=blahblah”) the way they do with http google?

Whether Google organic or GCS I see no difference. Google vastly reduced the amount of referral string info several years ago and it remains the same.

Is there any change in the behavior of cookies, whether your own or third-party?

I see no change. Why would it?

robzilla

10:30 pm on Dec 2, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If you change a site to https, will referers from https google then give you the search information

No, the passing of the referrer header depends on the referrer's protocol security: if it's HTTPS, then the header is removed, no matter the target. Unless the "referrer" meta tag is set with a value of "origin" (domain only) or "always" (again on the referring side) and the web browser supports it (IE doesn't, obviously).

Is there any change in the behavior of cookies, whether your own or third-party?

No change in behavior of the cookies themselves, but they're encrypted (on the wire, at least) along with all other request and response headers.

Michael_T

12:20 am on Dec 3, 2016 (gmt 0)

10+ Year Member



I'm in the middle of converting a 30,000 page site to HTTPS. It's going well, but taking a huge amount of my time and learning.

I have learned to be skeptical when the latest "Google Driven Change" comes out. Sometimes it turns out to be a waste of my time. Other times I get a clear return on investment. But I never know which way it will go.

Page speed was one that was nearly a waste. My pages were loading in 1 to 2 seconds and would then take 8+ seconds to load AdSense.

I did not notice any ROI for faster pages. Then I heard John Mueller of Google say they were after getting people to fix the pages that were noticeably slow. ...Really slow. That was not really my site. So I think I wasted some time.

Converting my site to mobile friendly / responsive design was one "Google Driven Change" that is paying off. They were pushing mobile friendly since ~2011. But I was too busy until this year. Wow, what a change. I knew 50% of my traffic was mobile, but I did not realize how much grief I was causing users. After going mobile my bounce rate dropped in half, my page views almost doubled. So good ROI on that change.

On HTTPS, I just don't want anything on my site telling customers a page is not secure. Even if it's an information only page.

About 98% of the site is info only and 2% is ecom pages.

As I watched all of John Mueller's Google Hangout videos, he seemed to be consistently clear about the need for people to switch to HTTPS. For all the reasons mentioned by the tech experts in this thread.

So I am doing it. It's only been a few days since I converted 75% of the site to HTTPS and uploaded new site maps. Traffic looks good. AdSense is slightly up.

I plan to get 90% + of the site onto SSL by Jan 1, 2017. But my smaller sites will have to wait. I just don't have the time.

Mueller says HTTPS is a page by page issue and not a site wide issue. So I can leave some pages for later.

One thing I had to learn was that my SSL cert did not cover my 4 sub domains. So we had to install a "Wild Card SSL cert."

But then, I learned that for the SSL to work, each sub domain had to be on its own IP. So that was another few days to set that up.

John Mueller says the need for HTTPS will not go away. So I'm doing it. Who knows whether it will pay off.

Dimitri

10:05 am on Dec 3, 2016 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



In all events, besides time (which can be money, I know), there is nothing to lose switching to https. At worst it doesn't help, but it won't hurt anyhow. In the near future, I imagine Google will start showing an icon about https and non-https sites, like they do for AMP pages. Just an indication to get the attention of visitors. It might not be a ranking factor, but for the average user, if Google says "this site is secure", "this one is not" just because it uses SSL or not, this can influence their way to navigate.

Now, I don't understand well why so many people have to "convert" their site, and hundreds or thousands of pages. I didn't have to do anything, just changing the configuration of my nginx server to include the SSL options and redirections. I didn't touch the HTML code of my pages. Or is it because you are all using absolute URLs for inner links/image/js/css?

lucy24

8:51 pm on Dec 3, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Or is it because you are all using absolute URLs for inner links/image/js/css?

In the specific situation described by the OP, involving a hand-coded site, that seems to have been the problem. It's most likely to be an issue, paradoxically, if the site is currently mixed http and https, meaning that internal links well-nigh have to be absolute, including protocol. But even then, any competent text editor--including free ones--should be able to do the whole thing as an unsupervised global replace.

EditorialGuy

4:21 pm on Dec 4, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



in a near future, I imagine Google will start showing an icon, about https and non https sites. Like they do for AMP page.

On the other hand, they've gotten rid of the "mobile-friendly" label. I think Google knows that sign pollution can be as much of a problem on a SERP as at a traffic intersection (albeit with less deadly results).

keyplyr

10:22 pm on Dec 4, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



On the other hand, they've gotten rid of the "mobile-friendly" label

Because of the mobile index.

The red triangle warning icon is shown in the address bar in Chrome, which is the default browser for all Android phones & tablets as well as desktop users who choose to use it.

[screencast.com...]

I expect the other major browsers will follow with similar.

Ebuzz

3:53 am on Dec 18, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



Does anyone notice that Google is taking it VERY slow in updating its results for your listings once you switch to HTTPS? It is like, weeks later, and most of the pages are still listed as non HTTPS.

Yes, already updated sitemap in GWT........long ago.

keyplyr

7:12 am on Dec 18, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



May be other factors affecting the slow indexing. Does the site have a large number of pages? Dynamic or static? Can a user actually view the non-HTTPS version of these pages?

Sites I've switched had most pages reindexed within a few days, so it's not necessarily normal to take very long.

Ebuzz

7:25 am on Dec 18, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



My sites are not large by this forum's standards.

I did switch a site about 3 months ago to HTTPS and Google reindexed it fast.

But something seems to have changed since then.

Now only a few pages of my sites are indexed as HTTPS and meanwhile, the main domain is not even indexed as HTTPS...

Crazy slow....

keyplyr

7:35 am on Dec 18, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Again, can a user actually view the non-HTTPS version of these pages? Are you using a 301?

Wilburforce

10:01 am on Dec 18, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Google is taking it VERY slow in updating its results


Depending on the scale of the problem you can do things to chivvy them along (e.g. fetch as Google in the GSC Crawl section allows you to request indexing of individual pages, which is handy for mopping up stragglers, although too laborious for hundreds of pages).

I don't know what can be done about http versions remaining in the index. My site switched to https on 1 November, and all new versions have been in the index for some time, but there are a couple of pages still showing the http version as well (using site:mysite.com). I certainly wouldn't advise submitting a de-indexing request for them.

There is also a discrepancy in what is reported - probably due to a time-lag - between site:mysite.com and GSC. Also, GSC's index was out of service for the first half of November, which certainly affected what was reported then, and possibly still does: I don't know what they updated, but they may still be tweaking it, and possibly whatever was changed has affected the speed or frequency at which the GSC version gets refreshed.

Ebuzz

12:15 pm on Dec 18, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



I have not used any redirects. All I did was change to HTTPS in cPanel and correct all the mixed content to ensure every page loaded as HTTPS. My sites are WordPress based..

not2easy

2:37 pm on Dec 18, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



My sites are WordPress based..

- You did edit the WP Settings file, right? I would definitely check the headers of any site that relies only on CP settings to change to https. If you type/paste in a link/URL to http does it resolve to https - and more importantly, if so, is it a 301 response?

Ebuzz

5:41 pm on Dec 18, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



- You did edit the WP Settings file, right? I would definitely check the headers of any site that relies only on CP settings to change to https. If you type/paste in a link/URL to http does it resolve to https - and more importantly, if so, is it a 301 response?


I did change the WP Settings, but only in the General Settings for the URL. I did not force the change via the htaccess file, so the outer URLs can definitely be accessed via both ways.

frankleeceo

5:53 pm on Dec 18, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



All internal links need to be updated. Or you would send mixed signals to search engines. If you have any influence on external links coming into your site, changing those to https can help as well.

Redirect is super important to ensure the http version does not load to create even more mixed signals and dupe content. Also check cache too if you use your own cache, Cloudflare or other CDN that caches raw html; sometimes they can keep stale http versions of your sites to screw things up. Easy to overlook at times.

I do both: redirect with htaccess and change the WordPress settings from the Admin menu -> Settings -> General.

One easy way is to check the source code of any page and look for <link rel="canonical" href="https://......... It should refer to its own https version.

I started moving my sites to HTTPS at the beginning of December, as a daring test in the midst of my hot season, and they seem to propagate and refresh within about a month or so. As of now 12/18 I do not see any of my http versions indexed at a glance. WordPress as well. Close to done on almost all my sites but I got lazy on the last 10%.

My sites are not big though, only about a couple hundred of pages.

not2easy

5:57 pm on Dec 18, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



If your redirect does not include a 301 server response and if those URLs can also be accessed at http then I would not expect to see Google indexing the site as https. You should at least include a canonical metatag on any pages that can be accessed both ways and I would still check the headers for pages that do redirect to https to see if it is not a 302 (temporary) redirect which is the Apache server default when 301 is not specified - and which will prevent https indexing.

lucy24

5:06 am on Dec 19, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If your redirect does not include a 301 server response and if those URLs can also be accessed at http then I would not expect to see Google indexing the site as https.

Do you mean that if the site remains accessible both ways, Google will only index it as http? Ouch. Or will they--shudder--index both versions at random, depending on which has the nicer links for any given page? (The obvious analogy is with/without www--but I can't think of a site that doesn't redirect one or the other, so no way to check.)

not2easy

6:09 am on Dec 19, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Sorry if that is confusing. It is not whether the site is accessible both ways but whether the CP redirect is a 301 (permanent) or the 302 (default and temporary).

If it was previously indexed as http and now redirects (302) to https, I would not expect to see it indexed under https. If it is accessible both ways there should be a canonical metatag for those pages. If the https version is to be indexed it needs a 301. Otherwise, "both versions at random, depending on which has the nicer links for any given page" could happen.
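
An added example, not part of not2easy's post or of any code from this thread: a Python check for the distinction discussed above, classifying what a plain-http URL returns (301 versus 302, or a 200 with or without an https canonical). The sample responses and example.com URLs are constructed, and `classify`, `fetch` and `audit_samples` are hypothetical names.

```python
import http.client
from html.parser import HTMLParser
from urllib.parse import urlsplit


class CanonicalFinder(HTMLParser):
    """Records the href of the first <link rel="canonical"> in a page."""

    def __init__(self):
        super().__init__()
        self.href = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and (attrs.get("rel") or "").lower() == "canonical":
            self.href = self.href or attrs.get("href")


def classify(status, headers, body=""):
    """Classify the response to a plain-http URL; headers use lower-case keys."""
    if status in (301, 302, 303, 307, 308):
        # A relative or http:// Location keeps the visitor on the http site.
        if urlsplit(headers.get("location", "")).scheme != "https":
            return "redirect-not-to-https"
        return "permanent" if status in (301, 308) else "temporary"
    if status == 200:
        # The http page is still served: only a canonical tag disambiguates.
        finder = CanonicalFinder()
        finder.feed(body)
        if finder.href and urlsplit(finder.href).scheme == "https":
            return "duplicate-canonical-https"
        return "duplicate-no-https-canonical"
    return "unexpected-status"


def fetch(url):
    """Request a live http:// URL once, without following redirects."""
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=10)
    conn.request("GET", target)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body


# Constructed sample responses (not captured from any real site).
CANON = '<head><link rel="canonical" href="https://www.example.com/page"></head>'
SAMPLES = {
    "301 to https": (301, {"location": "https://www.example.com/page"}, ""),
    "302 default": (302, {"location": "https://www.example.com/page"}, ""),
    "both schemes, canonical": (200, {}, CANON),
    "both schemes, no canonical": (200, {}, "<head><title>Page</title></head>"),
}


def audit_samples():
    return {name: classify(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:28} -> {verdict}")
```

To check a live page, pass the result of `fetch("http://...")` to `classify(*result)`; anything other than `permanent` corresponds to one of the situations described in the posts above.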

keyplyr

6:13 am on Dec 19, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



That's why I've asked the OP twice whether the pages in question can be accessed both ways (without answer.)

There's plenty of problems posted at various forums because of this. Until lately, it wasn't a significant issue, but with the new indexing restrictions, it's become one.

guggi2000

8:10 pm on Feb 18, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



For a long time sites have reported a temporary drop in traffic after doing the switch to HTTPS. Usually traffic went up again after 1-3 months.

Do you think there is still a risk today? If so, do you still think that it is like moving an entire domain or is Google prepared for this kind of change?

(Assuming the technical redirect is properly implemented)

frankleeceo

11:03 pm on Feb 18, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



I changed over to HTTPS for my entire network of sites around November/December 2016. My sites average roughly 100 pages, some less and some more. I saw no temporary drop in traffic and the reindexation took place usually over 1~2 weeks. In the beginning 2~3 days only a few pages get reindexed on SERP, and speed picks up near the end.

I did not bother to see if the HTTP version is still indexed, however. I saw no noticeable traffic change over the transition for my sites. If anything, probably better speed/experience because of better protocol. Which I would like to think is a better user experience over the long term.

The biggest stress was trying to cover all the little moving parts - legacy redirects, cache clear, htaccess, internal linking, internal resources, WordPress settings, interlink among a few of my sites, Google webmaster sign up, etc. But when all is said and done, I think the stress is worthwhile.

I was among the first of my competitors to switch over to HTTPS, now the top 3~5 in my vertical all serve https. I would like to think that my decision to do it first upped everyone's game.

Wilburforce

11:38 pm on Feb 18, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I saw no temporary drop in traffic


Neither did I, and most of what else you have said also applies to my experience.

So

Do you think there is still a risk today?


Not as long as you follow Google's own guidelines (which are reasonably clear), and in brief:

1. Prepare - get your .htaccess file and all internal links ready before the switch.
2. Switch, and upload all pages with link or other changes.
3. Test, and correct any visible errors.
4. Submit the new version in GSC.
5. Monitor server logs until you are confident everything is OK.

guggi2000

8:00 am on Feb 19, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



Thanks. And would you bother to update the Sitemap or just drop it for the new https site?

(We have not touched the sitemap for 10 years. It includes 1000 links, while we have >50000. Indexing was always fine due to good internal linking)

keyplyr

8:32 am on Feb 19, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Definitely edit sitemap.xml to show all URLs to be HTTPS and submit it to the new HTTPS version of your site at GSC.

Related thread: "What will happen if I don't move to HTTPS?" [webmasterworld.com]

Wilburforce

3:31 pm on Feb 19, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Yes, update and submit the sitemap, as keyplyr advises.

Most of the free stand-alone sitemap generators stop being free before you get anywhere near 50,000 pages, but many relatively inexpensive applications are available if you don't already have something that will do it. Note Google's guidelines ([support.google.com]), which recommend breaking up your sitemap if it is that large. However, if you haven't updated it for 10 years you really will need to generate a new one, rather than edit http to https in the old one.

I personally used it as an opportunity to clean up my site (e.g. removing or consolidating some older content, and changing some poorly-chosen page names: you might as well redirect to a better name if you have to redirect anyway).

The only downside I can see is the amount of work involved, and that looks a lot less with hindsight than it did before I started. Sooner or later, however, you will have to do it anyway.

guggi2000

4:02 pm on Feb 19, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



@Wilburforce

I am not sure how much a sitemap contributes to SEO if link structure is implemented properly.

On the contrary, I am afraid it will have a negative effect in case we give too little priority to pages that according to internal link algo had more emphasis.

We always believed that if Google can do the crawling and measuring itself, it would be the best.

What do you think?