The astute observer will notice that HTTP and HTTPS are basically the same thing with one crucial difference:
Yep, HTTPS has an added ‘s’ which means that it's more secure. Obviously though, there’s a little more to it than this.
Which is why in this guide, I’ll break down:
So let’s dive in…
HTTP stands for ‘HyperText Transfer Protocol’, and is the language browsers and servers use to communicate with one another.
Most of the information that is sent over the Internet, such as website content and API calls, uses the HTTP protocol.
There are two main kinds of HTTP messages: requests and responses.
HTTP requests are generated by a user's browser as the user interacts with web properties.
For example, if a user clicks on a hyperlink on a website, the browser will then send a series of "HTTP GET" requests for the content that appears via that hyperlink.
These HTTP requests all go to either an origin server or a proxy caching server, and that server will then generate an HTTP response and send back what was requested (so that the new link loads up).
The main problem with a standard HTTP connection is security.
So let me explain:
An HTTP request is just a series of lines of text that follow the HTTP protocol. This section of text is generated by the user's browser, and then gets sent across the Internet.
The problem is that this HTTP code is in plaintext, which means that anyone monitoring the connection can read it.
Not great, right?
This is especially an issue when users submit sensitive data via a website or a web application, such as a password, a credit card number, or any other data entered into a form.
Incidentally, when a user submits a form, the browser translates this into an HTTP POST request instead of an HTTP GET request.
Anyways, back to the issue with HTTP.
No one wants their credit card details being intercepted and misused, so what can we do about it?
Well, that’s where HTTPS comes in to save the day…
As we mentioned up top, the S in HTTPS stands for ‘Secure’: HyperText Transfer Protocol Secure.
It is a little more complex than simply adding an S to the URL string though! HTTPS achieves this security because it uses either TLS or SSL to encrypt HTTP requests and responses, so that they can’t be read in plain text.
For example
Here you can see the difference between 2 identical websites with the exact same HTTP request.
The key difference is the information on site 1 goes through standard HTTP, while the exact same information on site 2 goes through HTTPS.
With HTTP, a hacker could easily read the plaintext and steal your users’ information. But with HTTPS, that exact same data has been encrypted instead, and so can’t be read.
So how do TLS and SSL encrypt HTTP requests and responses to make them secure?
Transport Layer Security (TLS), the successor of the now-deprecated Secure Sockets Layer (SSL), uses a technology called public-key encryption, and it works like this.
There are two keys - a public key and a private key.
The public key is shared with the client devices via the server's SSL certificate, when a session request is made.
When a client opens a connection with a server, the two devices use the public and private keys to agree on new keys, called session keys, to then encrypt further communications between them.
The client device generates a session key and encrypts it with the server's public key. This is then sent back to the server.
The server then decrypts the session key using the private key, also held by the server.
Finally, all further HTTP requests and responses are then encrypted with these session keys.
This means that anyone who intercepts communications now can only see a random string of characters, and not the plaintext.
As a result, HTTPS is far more secure than HTTP.
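The exchange described above, as an added example (not code from this guide): a client wraps a session key with the server's public key, the server unwraps it, and a passive observer tries to read the same form POST with and without encryption. The toy RSA key, the SHA-256 keystream cipher, the `shop.example` request and all function names are constructed for illustration; real sites rely on a TLS library for this.

```python
import hashlib
import secrets
from urllib.parse import parse_qs

# Toy RSA key from two Mersenne primes: constructed, unpadded, not for real use.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q                          # public modulus, shared via the certificate
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the server

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def client_wrap_session_key(session_key: bytes) -> int:
    """Client: encrypt the fresh session key with the server's public key."""
    return pow(int.from_bytes(session_key, "big"), E, N)

def server_unwrap_session_key(wrapped: int) -> bytes:
    """Server: recover the session key with the private key."""
    return pow(wrapped, D, N).to_bytes(16, "big")

def observer_view(wire_bytes: bytes) -> dict:
    """Form fields a passive monitor can read off the wire, if any."""
    head, _, body = wire_bytes.partition(b"\r\n\r\n")
    if not head.startswith(b"POST "):
        return {}
    return {k: v[0] for k, v in parse_qs(body.decode("ascii", "replace")).items()}

# Constructed sample: the POST a browser sends when a login form is submitted.
REQUEST = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Type: "
           b"application/x-www-form-urlencoded\r\n\r\nuser=alice&password=hunter2")

def run_exchange() -> dict:
    session_key = secrets.token_bytes(16)                # client picks the key
    server_key = server_unwrap_session_key(client_wrap_session_key(session_key))
    ciphertext = keystream_xor(session_key, REQUEST)     # what HTTPS puts on the wire
    return {
        "http_observer": observer_view(REQUEST),
        "https_observer": observer_view(ciphertext),
        "keys_match": session_key == server_key,
        "server_reads": keystream_xor(server_key, ciphertext),
    }

if __name__ == "__main__":
    print(run_exchange())
```

TLS 1.3 agrees on the session keys with an ephemeral Diffie-Hellman exchange rather than sending a key encrypted to the server's public key, but the result for the observer is the same.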
Because of the security issues present with HTTP, each web browser has been pushing for a more secure user experience.
Then, in 2018, Google Chrome released their ‘site insecure’ warning, which alerts visitors when they land on a site that's not on HTTPS.
Not long after, all the other major web browsers followed and implemented something similar.
This push for HTTPS is great for user safety, but the warning also hugely increases the bounce rate on a site that isn't on HTTPS.
As you can imagine, this warning can put a few people off! The visitor feels unsafe or as if the page doesn't work, and leaves, meaning lost traffic and sales, which then affects your Core Web Vitals.
It goes further though, with some payment provider options not even working without an HTTPS connection in place...
tl;dr: If you want to stop losing traffic, get a secure connection.
Because of this focus on security, Google has also started to give preference to sites that meet their security standards. In fact, HTTPS has been a confirmed Google ranking factor since 2014.
If you know much about Google and SEO, you'll know it's incredibly rare for them to outright state what their specific ranking factors are, so this one must be important.
Google even stated that their HTTPS ranking boost may serve as a tie-breaker if the quality signals for two different search results are equal in everything else.
This means that if your website is equal to your competitor’s website in terms of speed, title tags, and content freshness, but your competitor’s website is HTTPS and yours isn’t, Google will most likely rank theirs ahead of yours.
HTTPS is the de facto solution required for new and current websites if they want to be secure. However, it’s estimated that anywhere between 5-10% of total sites online are still not running on HTTPS.
That's somewhere between 56 and 112 million websites that are at risk of user information being stolen, spied on, or worse.
That's crazy!
If you’re planning on building a new site, or want to improve a current one, then you need to convert it to HTTPS and add either SSL or TLS encryption to it.