@IanCP There seems to be a notion that the word "http" needs to be replaced with "https" in the internal linking structure.
Not true! https should rarely appear in your files.

Assume you need to use absolute links (relative are better if on the same domain), try to use // instead of https://
This way it will work on both protocols and you can change gradually.

Example, let's say you had a resource to an external static image like this:

<img src="http://staticfiles.example.com/myImage.jpg" >

change that to

<img src="//staticfiles.example.com/myImage.jpg" >

(It may be off topic but the advice your hosting company gave is a little risky, sorry... don't do auto-replace on that scale)

My site is hard-coded that every internal links are using http:// absolute links to link to every internal html files since this is what I read that they recommend many years ago from SEO specialists (to avoid duplicate content penalty also). What I'm doing now is changing all http:// to https:// absolute URL for internal links. So I find the above quote confusing about the use of simply relative // path. Or have things changed recently? Kindly enlighten thanks.

killua... I agree with IanCP.

SEO tactics change because the web changes. Yes, using absolute links is one tactic to combat forged sites since the perp will need to remove all those absolute paths, but that is not difficult nowadays; a text editor can do that with one press of a button.

Using relative paths makes so many things easier; this being one of them. If you had used relative paths sitewide there would be that much less work to do preparing your pages to be HTTPS.

So my advice is, while you are doing your preparatory editing, consider changing these absolute paths to relative.

^Thanks for the advice. What about the issue of duplicate content? If I use relative links for internal html pages, Google may not know if they are linking to http:// or https:// or www or non-www. Or is this problem solved already today by major search engines?

If you properly use a 301 then Google will see only one set of pages... the HTTPS version.

Also, there's a setting in GSC to choose between non-www and www.

Google will know if they can only access the pages under one protocol. That is the purpose of having the canonical rewrite rules in your .htaccess file - as discussed with examples a few posts back. If you can only access https, there is no problem to use relative URLs for either internal or external links. AdSense has been using // protocol without http or https for their asynchronous script for quite some time.

If you never used canonical rewrites to have only one form for your site to be accessed, then you would want to use absolute URLs. Even though technically the pages could be accessed with or without www.

I see. Yes, I do use 301 via .htaccess. I use redirect-checker.org to test redirects. Since Google will respect the 301, then using // protocol is indeed a better option.

@IanCP, yes, I understand where you're coming from and I agree that we all have to move eventually.

Question to everyone - I see references to SSL protocol but is anyone (or anyone's host) using TLS? I think if HTTP/2 is used, TLS is required?

Without using tools other than your browser, you can check whether your redirects are working correctly. Just paste a few variations in the address bar and see if it resolves as expected.
http://example.com
http://www.example.com
http://www.example.com/folder/file.name

If your site structure uses directories, be sure to check them as well, the root .htaccess may or may not be rewriting those requests, depending on environment factors such as other .htaccess files in use.

With the added use of a browser extension tool or two you can verify the server responses to your request to be certain they are 301 (permanent) redirects.

Passed all those tests

Another matter to be considered as well is submitting a whole "new" sitemap.xml file to Google. I had to go through site verification again for the https site, etc, etc.

No need for a new sitemap.xml, just edit the current one to reflect HTTPS paths and resubmit.

> If I use relative links for internal html pages, Google may not know if they are linking to http:// or https:// or www or non-www. Or is this problem solved already today by major search engines?

relative links use the same protocol and same host as the referrer page where they are located.

so if your site is using https (i.e. if all http requests are redirected 301 to their https counterparts), then all the 5relative links will be considered to be https.

and if your site is properly configured to use only the www. form (or only the non-www form), then those links will be considered to link to the same host name as the referrer page.

there is absolutely no issue with duplicated content when using relative links, if your site is properly configured, with 301 redirects to the canonical hostname and to your preferred protocol.

By the way, when doing the https migration, at what point do I have to add the HTTPS version of the site in Google Webmaster Tools? Is it before I do the site-wide 301 redirect or is it after?

@ killua - this was posted earlier:

- Generic Steps to Switch from HTTP to HTTPS -


• Read all info at your host concerning certificates & switching to HTTPS and when applicable, follow those instructions.

• Install security certificate.

• Have you host enable HTTPS (if needed.) This will enable access from both HTTP & HTTPS.

• Go through site, page by page & make sure all file paths are relative (no protocol.) Test by accessing site using HTTPS and look for any browser alerts.

• Install 301 code in .htaccess file

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Note: your server may require a different code

• Go through site again, page by page, and test. Any remote absolute links will need to be HTTPS including those found in scripts & pluggins. If you publish Adsence or other advertising, links in these scripts need to be HTTPS also (or just remove the protocol altogether.)

• Update sitemap.xml (if applicable) and submit to appropriate agencies (Google, Bing, Yandex, etc)

• In Google Search Council create a new site using HTTPS. It will take a few days to start populating information. This is normal & traffic to old site (HTTP) will drop off accordingly.

• Bing Webmaster Tools should update on its own once it crawls new pages & sitemap.xml should speed up this process.

Sorry - that didn't work, and it also didn't pass muster. So I had to resubmit a completely revised one, including site verification again..

Which is why I so often say "don't ever assume anything". Works just fine now with all the boxes ticked in the Google Search Console.

[google.com ]

IanCP - Yes, you need to update (revise) the sitemap.xml with the new paths (HTTPS) - that what update/edit means.

And BTW - the link you posted does not point to your account. It defaults to everyone's account when accessed.

Congress just killed your right to online privacy [thenextweb.com]:

The vote today was one in favor of rolling back Obama administration guidelines designed to protect consumers from ISPs that sought to collect, and sell personal data from customers. This information included, but isn’t necessarily limited to internet browsing history and search data. This would, presumably, be used by third-party corporate interests to track internet users and inject relevant ads.

Can't track what you can't see.

Google's Chrome browser continues adding step in alerting users when a website is not secure:

Chrome now marks HTTP pages as “Not secure” if they have password or credit card fields. Beginning in October 2017, Chrome will show the “Not secure” warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode... Eventually, we plan to show the “Not secure” warning for all HTTP pages

[security.googleblog.com...]

Firefox seems to be much more aggressive in this regard: They display the warnings on the password field. For us, signup dropped 30% from Firefox when they came out with this feature.

But again, that does not mean that you have to move the entire site.
We moved 30 days ago and saw no change at all.

But again, that does not mean that you have to move the entire site

Not yet...

Eventually, we plan to show the “Not secure” warning for all HTTP pages

Half of Page-1 Google Results Are Now HTTPS [moz.com] -- no correlation, just steady adoption.

Switching to HTTPS is also the opportunity to use the HTTP/2 protocole, which is neat.

Now, here's where you do need to replace http with https:

RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/
... long-string-of-other-conditions-here ...
RewriteRule \.(jpe?g|gif|png)$ /pictures/hotlink.png [L]

Ask how I know. Heh. My test site doesn't have an anti-hotlinking rule, so I didn't think of this until I put a certificate on my personal site, which houses things like piwik that require a login. Goodness, how colorful it looked with all those NO HOTLINKS logos in all different sizes and shapes!

Another observation about HTTPS. Depending on your server set-up, it may be necessary to modify Header fields (Header set bla bla..) and/or Add attributes (AddHandler, AddOutputFilterByType, etc)

Example: 2 hosts that I use have compression (GZIP) on text/html by default. However, after switching to HTTPS it was necessary to list text/html in the attributes to be compressed:

AddOutputFilterByType DEFLATE text/html text/css text/plain image/png image/gif text/javascript application/javascript application/x-httpd-fastphp

So, after switching to HTTPS, be sure to check that everything that you intended to add to the Header is still being done.

Another shove towards https for everyone: from June 1st, 2Checkout insisting on TLS 1.1 or 1.2

[2checkout.com ]

Another shove towards https for everyone: from June 1st, 2Checkout insisting on TLS 1.1 or 1.2

A good thing, certainly, but it's not really a "shove towards https," seeing as SSL 3.0 and TLS 1.0 would also be HTTPS, just not as secure :-)

It's been a learning curve learning about SSL. I have tried enabling SSL at my shared webhosting server. The best I can get in a test by SSL Labs is a B. Is that because of the quality of the certificate provider or the setup of the equipment that hosts my site? Any suggestions on how to get an A, A+ ranking would be appreciated

@surnames, the SSL Labs report tells you everything you need to know about why you achieve "only" B" and not A or A+. So check the report, usually things which are not good or not good enough are written in red.

This can be anything downgrading your rate. Like the key length (which I doubt nowadays) , the cipher suite, Forward secrecy, Strict Transport Security header not being configured.

Now, also all depend how your certificate was delivered, if it's by a trusted Certificate Authority. It's possible there is a mistake in the chain too , but since you are not doing it yourself, there is few chances the chains is wrongly built.

etc...

I am too planning to get ssl done for my site (snip) but not sure how much time will it take to re-crawl, do we need to do all the URL as 301 redirects, will it affect current SEO of the site and most importantly how much of process its going to take for the developer. Also if HTTPs is secure the user interest, it should be free with the stringent process. Free so that it encourages all the webmasters and stringent process so that guilty webmasters get caught and penalized.

[edited by: phranque at 11:58 am (utc) on Aug 30, 2017]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]

Just wanted to jump back in this conversation and see if I'm correctly up to date.

I have read/been told that everything should be ssl by September 30 by one source, another by end of October and another by end of December.

Can anyone verify which is correct? Are any correct?

Thanks,
FarmBoy

^I guess that has something to do with Chrome putting the "Not Secure" message on all types of forms when they release their latest version this October.

It's been three months since I've migrated to HTTPS and it looks successful so far. My google webmaster tools is currently showing 489 URLs submitted and 483 URLs indexed. Its kinda slow to fully index all URLs. Maybe I need to really wait several months more.