If you use a cdn like Cloudflare there is an option to change all content to https so links images etc could be served over https very easily allowing you time to change over in the code. Should be able to change over relatively painlessly this way.

Is it worth it ? If it causes you less stress then yes but not for any seo benefit at present.

Is it worth me doing things "gradually". For now, redirect links to images, CSS files etc to https so at least they're secure for now and then do the rest when I'm more "prepared" and have more time? Basically, the thought of having to manually change all my internal links (on static pages not managed using a CMS) and fiddling around with the htaccess file (which I messed up before), scares me, frankly :-( Not to mention having to resubmit sitemaps and remember 101 other things to prevent potential disaster in SERPS...fun...

The cdn or Cloudflare option would mean all links would automatically be rewritten to https, that would include css, js, image... well everything, I have switched whole sites in under a hour this way. You can get some great help on here regarding htaccess but for wordpress or magento for instance you would just change the site url to https.

Sitemaps you may need to do a little work on but its not like there that important anyway :)

manually change all my internal links

Plenty of search & replace applications that let you do that quickly and reliably. I would often use Actual Search & Replace on Windows.

Yes it is worth it for your visitors and your business also. Sites that are not SSL will loose ranking at search engines in the near future.

Shouldn't be much "stress" depending on your site schema. Most hosts are well experienced by now and should have help pages showing step-by-step.

All links in the body section of your mark-up are best with relative paths anyway. The only links that would need to be changed are the absolute links in the head or the absolute remote files you may be using.

I installed a cert, 301'd in htacces and changed all links on a 300 page site in less than an hour. There were of course a couple tweaks here and there I had to do later.

Good call robzilla If your on linux you could use something like this:

cd /path/to/your/website
find ./ -type f -exec sed -i 's/http:/https:/g' {} \;

having to manually change all my internal links

My site is mostly static (handwritten html/css), and I found it pretty easy.

How much bother you will find it depends on whether the links are are relative or absolute. If absolute and your usual html editor can't do a global replace, use e.g. Notepad++ (replacing "http://www.mysite" with "https://www.mysite" in main folder and all subfolders should work flawlessly). If relative, they don't need changing in theory, but in practice you might get partially unsecured warnings in your browser, and you can't easily change them all to absolute (which will solve it) in the same way, so that might be more of a pain to do.

Resubmitting sitemaps in GSC or Bing's equivalent is easy, and there are several free sitemap generators available online, so that really isn't much more work than a couple of mouse clicks.

For me, the most difficult part was the .htaccess file, as there are minor syntax differences between generations of Apache, but on my site's (shared Linux) server the pages don't change until rewritten, which gave me an opportunity to test it first. Even there I found only a couple of problems: the first was avoiding loops, and the second was making sure mistyped entries still got rewritten. Neither issue gave me a headache.

My two main bits of advice would be to back it up first (doing it all again can be easier than undoing a global replace that has done something you didn't predict), and make sure you use a history-cleared browser for testing.

To me, it certainly looked much more daunting before I started than it actually turned out to be, so if you decide to go for it - no bad thing, even if it isn't immediately necessary - I hope you will find that too.

More and more https sites wont open on my tablet. I know i can figure out how to fix the issue, although my first attempts have failed, but joe public wont fix it. The gang at mountain view need to climb out of their bubble every now and then to see what the real world is like.

https sites wont open on my tablet

It's either your tablet browser or your network, and probably not the sites if this keeps happening.

Make sure your tablet & browser have the latest updates & check with your ISP for SNI support.

https sites wont open on my tablet

I had a similar problem on desktop (following a Windows update) that took some time to trace back to my firewall/anitvirus application.The application adds its own intermediate cert to browsers, and the update had reset the browser cert in both Firefox and Opera. Removing and then restoring browser permissions cleared it.

The superficial symptom was a site access message (denial) in the browser, so the origin of the problem wasn't initially apparent.

Updating the browser - my first response - didn't work,

As keyplyr says, it won't be the sites if it the problem applies to many of them.

What about Adsense sites? I have heard that if you change to HTTPS, your Adsense revenue will go down because Google will only display ads that are compliant with SSL.

What about Adsense sites? I have heard...

That is old info. Adsense has caught up with all that. I saw no decline .

keyplyr wrote:
Sites that are not SSL will loose ranking at search engines in the near future.

How do you know that?

Even if it's true, I doubt that it will be a big enough factor to have a noticeable effect on a site's traffic. What matters is the site's content, the ease of use, etc, not whether it's SSL.

I doubt that it will be a big enough factor to have a noticeable effect

I'm not so sure. If, for example, a cluster of results all have very similar ranking scores, a very small difference to one of them could mean a much more substantial apparent effect.

I have no idea how Google scores sites, but say the pages on the bottom half of page 1 and top half of page 2 have scores that range between 100.035 and 100.009, and SSL is assigned a (relatively low) value of 0.05. If none of the other sites are SSL, the lowest site could move from #15 to #6, which would have a much more substantial effect than the small weighting implies.

It may be minor alongside link profile, content and other weightings, but that doesn't mean its effect is necessarily negligible.

say the pages on the bottom half of page 1 and top half of page 2 have scores that range between 100.035 and 100.009, and SSL is assigned a (relatively low) value of 0.05. If none of the other sites are SSL, the lowest site could move from #15 to #6, which would have a much more substantial effect than the small weighting implies.

If you're going to pin your hopes on that kind of scenario, you're going to need an awful lot of luck.

In order of current importance the reasons for going with HTTPS are:
1. secure handling of visitor personal and financial data.
Note: for site liability/insurance reasons and for customer confidence.

2. browsers increasingly highlighting 'non-secure' connections.
Note: for visitor confidence.

3. making the site transition from HTTP/1.1 to HTTP/2.
Note: for site connectivity, responsiveness, speed, etc. reasons.

4. Because some third party platform may at some future point provide some undefined benefit.
Note: so Google and similar are currently well down the list of reasons for switching.

If you're going to pin your hopes on that kind of scenario

I'm not pinning my hopes on anything. All I am saying is we should not assume a proposed change will have no effect.

Make sure your tablet & browser have the latest updates

Do you realise just how many millions of perfectly good Android tablets there are that cannot be updated?

I refuse to buy any Android product since it has a built-in obsolescence.

In my office we have 8 such tablets.

the thought of having to manually change all my internal links

But you only need to do it once and then never think about it again. If the whole site uses the same protocol, all your existing http://example.com/ and https://example.com can change to / alone (global change using the text editor of your choice). This will remain valid even if next year someone comes up with a hot new httpx:// protocol.

<tangent>

I refuse to buy any Android product since it has a built-in obsolescence.

You can buy a heck of a lot of Androids for the price of a single iPhone. If you amortize it over the years, you'll still come out ahead.
</tangent>

@aristotle - Google has anounced several times there will be an indicator in the SERP showing a site unsecure if not HTTPS.

What is not clear is when this will happen.

It is getting easier every day to switch to https. If you have your own server a LetEncrypt script will make it fairly painless. On shared hosting, it depends, but I noticed a lot of shared hosts offer LetsEncrypt support now. If yours does not you could prod them to add it.

I cannot imagine any scenario in which you cannot do a global search and replace to change internal links. It is only a problem if you have internal links that include the protocol, and that is easy to search and replace because if you have the protocol you must have the domain name in as well - so replace all http://www.example.com with https://www.example.com and you are done. There are tools that will do search and replace in all files in a directory, and you can do the same in a database column as well.

In a Google Security blog post, Google said that starting January 2017 with Chrome 56, the internet browser will begin to mark HTTP connections that transmit passwords or credit card information as non-secure.

Google is planning to eventually mark all HTTP connections as unsecure ones, with the security indicator for such websites to be marked with a RED TRIANGLE.

(emphasis mine)
[techtimes.com...]

@keyplyr and wilburforce

i appreciate the helpfull advice but my point is that the public is increasingly unable to view https sites. How g labels or ranks sites means squat if the public can not open the sites. The last 2 sites i could not get on did not even take credit cards. They were just info sites.
I doubt that the public are going to abandon their old tablets just because some sites dont work. They just go on to the next site.

@toidi

Yes, it is a problem if a site is inaccessible.

However, there are several things to weigh up. Iamlost's post is very pertinent, and the first point on the list a particular concern if your site handles any client personal data. Mine does, which is why I moved to https. For me, compliance with data protection legislation trumps accessibility for a small (and diminishing) minority of users. The public will abandon their old tablets eventually, if only because they can't access anything (but more likely because the battery will die or they will drop it in the bath): the "some sites" that don't work are likely to become "most sites" in the foreseeable - although not immediate - future.

Also, accessibility is irrelevant if their searches don't find the site in the first place, or if they are put off by a warning that in their eyes brands it as untrustworthy.

public is increasingly unable to view https sites

That's not true toidi.

Sorry you have been having issues, and hopefully you will figure out where the problem is, but HTTPS is here to stay and if you want to stay relevant, you will need to give your site visitors a secure connection.

I can relate. Sometimes change is difficult, but the internet will always be about change.

public is increasingly unable to view https sites

Unless people are buying very old devices (like Android 2.x tablets or old BlackBerry phones), that's probably not true. It's more likely the opposite is true: more and more people are upgrading their devices, and actually getting SNI-support (the lack of which breaks many HTTPS sites on old devices). It will become an increasingly frustrating experience to browse the web on old (and often insecure!) devices, so it's probably due time to replace them.

If you can get your hands on any old device that doesn't support SNI, see how your website looks (on HTTP) on the device browser. Chances are, the browser is also far behind modern standards, and your website may not look good or even be usable. Perhaps that makes it easier to "ditch" those users.

In a Google Security blog post, Google said that starting January 2017 with Chrome 56, the internet browser will begin to mark HTTP connections that transmit passwords or credit card information as non-secure.

I can understand the need for https in those cases.

But my sites are articles on static html pages with no forms of any kind (no registration, login, comments, contact, or anything else.) There are no ads either. People come and (hopefully) read the articles. That's all they can do.

So I don't see any reason why google would be justified in marking my sites as "non-secure"

I would also like to add that a large majority of sites that I visit are still http, including many large well-known organizations. If google pursues this policy, they will be improperly marking millions of sites as "non-secure"

There is often no need for SSL on most sites but the SSL holder gets to see all traffic and interaction on your site so it is easier to force sites to SSL to monitor the conversations than it is to deal with a www, google push to ssl has nothing to do with security and everything to do with ease of monitoring your site and comments.

The critical point is in the quote:

...HTTP connections that transmit passwords or credit card information...

In other words the vast majority of HTTP sites will (in all probability) NOT be marked as 'non-secure'. And those few that are will, it appears, only have specific activity pages so marked not the entire site.

A case can be made that some things such as non-secure webdev fora log-ins are not exactly a high risk activity. On the other hand it is impractical to attempt to make such risk-benefit choices on the fly and I'm not surprised that Google would err on the side of caution. As to credit card or similar data over non-secure... that should have been flagged years ago... and some browsers already do.

The vast majority of sites will likely switch to HTTPS over the next few to five years simply because of (1) the benefits of HTTPS/2 and (2) the fact that certs are now available free.

The real battle in the next while is not between HTTP and HTTPS but between bog standard Secure Sockets Layer (SSL) Certificates and Extended Validation (EV) SSL Certificates.
* standard SSL certs are cheap to free
---the address/URL bar shows a green padlock before the URL
---clicking the log shows text box saying connection is secure and the cert verifying entity.

* extended validation SSL certs are expensive to extremely expensive
---the address/URL bar shows a green padlock AND the corporate name in green before the URL
---clicking the log shows text box saying connection is secure and the cert verifying entity AND who owns the site.

With the advent of free SSL certs extant verifying entities had to find some value added 'security' to recoup the lost cash grab.