To HTTPS or not to HTTPS?

Google recently released an article stating that HTTPS would be used as a ranking signal in search. As of right now, Google claims that this ranking signal will be quite small, affecting less than 1% of global queries. In general, Google is pushing for the web to conform to HTTPS-only traffic: that is, all communication should be secure by default. Here is their entire seminar on this topic.

Google on HTTPS

It’s 45 minutes long, so feel free to watch or take our word for it.

The security aspects of this movement make sense. Why shouldn’t the web be more secure if possible? Well, the counterpoint involves performance implications, which are an SEO and usability concern. Site and page speed are also ranking factors, and they directly affect user experience. We wrote an article about site speed importance that goes into more detail.

How does HTTPS affect performance?

So, what is the big deal with HTTPS performance? Handshakes. The big difference between HTTP and HTTPS connections is that multiple handshakes must take place initially between the client and the server for content loading over HTTPS. Once the initial handshakes are completed, the requests are handled quickly like they would be over HTTP. The diagram below gives a great breakdown of how an HTTPS connection works:

[Diagram: how an HTTPS connection and handshake works]

When using HTTP, these handshakes are not required, thus the performance is better. HTTP does a single handshake and then uses that connection to transfer many requests. If a site has a lot of HTTPS connections, each one can increase page load times. Added up, these can be significant. So, if we want to use HTTPS, what are our options for improving latency performance?

How to speed up an HTTPS site. AKA reducing handshakes

Essentially, if you can reduce requests, you can reduce the number of handshakes necessary and speed up site delivery. So many of the tried and true methods of site speed optimization still apply, especially the following:

  • Use HTTP keepalives – this is a server setting that lets the client reuse an already-open SSL connection for further requests, which avoids the need for another handshake
  • Reduce the number of requests by combining CSS and JavaScript resources where possible
  • Use CSS sprites to reduce requests and images loaded
  • Use an HTTPS accelerator such as TLS Accelerator
  • Reduce analytics references – switch to Universal Analytics code from Google Analytics to have these load through one resource

Should you go HTTPS?

The jury is out on how Google favors HTTPS as a signal. It’s possible that HTTPS is the future and Google is leading the charge thanks to the challenge from DuckDuckGo. As of now, don’t go rushing to HTTPS. If you have a site that uses a lot of user sessions that capture secure data from your users, it makes a lot of sense to go HTTPS-only and work on reducing your latency. If HTTPS is a benefit to your visitors, then absolutely get HTTPS now! Obviously a site where security is important, especially when it deals with credit cards, social security numbers, and other sensitive data, must be secure. However, if you have a site that is primarily content oriented and driven by lead capture, HTTPS may be too much of a performance hit for it to be worthwhile.

A few SEO disadvantages of HTTPS

Going HTTPS will have disadvantages other than site speed such as:

  • Most external links will usually be HTTP, because those who link won’t think (or know) about typing HTTPS when mentioning your site. HTTP and HTTPS are considered separate domains in Google’s eyes, so a sloppy move can mean lots of lost authority.
  • Making the switch can be hazardous when you don’t redirect your old pages to HTTPS, resulting in lost authority, broken pages, and a poor experience.
  • Not getting all assets under HTTPS can create user panic. Ever see the popup, “This site has insecure content?” That creates bounced traffic in droves.
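
One way to catch that last problem before launch, as an added example that is not part of the original article: a small Python scanner that lists every asset a page would still load over plain HTTP. The function and class names, the tag list, and the example.com sample page are all constructed for illustration.

```python
from html.parser import HTMLParser

# Tag/attribute pairs that make the browser fetch a subresource.
# <a href> is deliberately absent: a plain link to an HTTP page is not mixed content.
FETCHING_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src", "srcset"),
    "embed": ("src",), "object": ("data",),
}
# <link href> only loads something for these rel values (canonical does not).
LINK_RELS = {"stylesheet", "icon", "preload", "manifest"}

# Constructed sample page; every host name here is a placeholder.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://www.example.com/app.js"></script>
</head><body>
<a href="http://other.example.org/">a plain link, not an asset</a>
<img src="//img.example.com/logo.png" srcset="http://img.example.com/logo-2x.png 2x">
<iframe src="HTTP://video.example.com/embed/1"></iframe>
</body></html>"""

class MixedContentFinder(HTMLParser):
    """Collects (line, tag, url) for every http:// subresource in a page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        names = FETCHING_ATTRS.get(tag, ())
        if tag == "link" and LINK_RELS & set(attrs.get("rel", "").lower().split()):
            names = ("href",)
        for name in names:
            value = attrs.get(name, "")
            if name == "srcset":  # comma-separated "url descriptor" candidates
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value]
            for url in urls:
                if url.strip().lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, url.strip()))

def find_mixed_content(html):
    """Return the insecure asset references in an HTML string, in page order."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings
```

Run it over each template's rendered HTML; protocol-relative (`//host/...`) and `https://` references pass, and anything it reports needs its URL changed before the page is served over HTTPS.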

When is the best time to make the move?

We think that it’s a safe bet that HTTPS is a good idea going forward as securing data becomes more important each day. If security is important to your visitors, then the right time is always now. If it’s just because you want to make the move and get a leg up on the future, then we’d suggest the best time is when you’re relaunching your site or there is a lull in seasonality. If it’s just for rankings, fix all of the other things that are wrong with your site first, because right now HTTPS isn’t going to be what breaks the bank.