Uncommon SEO Knowledge #1 HTTPS

I think most people know HTTPS is a very lightweight ranking signal for Google. Here's what you might not know about HTTPS and things that may be useful to know as an SEO.
1. The certificates required for HTTPS are commonly called "SSL certificates" but the last release of SSL was version 3.0 in 1996. These are more often referred to as "SSL/TLS certificates" or "TLS certificates". Even early versions of TLS, 1.0 and 1.1, were deprecated in 2020.
2. HTTPS is required for many modern web technologies. HTTP/2 (H2), HTTP/3 (H3), Accelerated Mobile Pages (AMP), Progressive Web Apps (PWAs), service workers, geolocation, push notifications and more require HTTPS by default.
3. When migrating to HTTPS, you don't need to do a change of address in Google Search Console. You should set up a domain property or a new property with HTTPS so you can monitor the migration. You should re-upload your disavow file. You don't need to update links to your site.
4. Google prefers HTTPS pages over HTTP pages. What that means is if you have 2 pages with duplicate content, Google is likely going to index the HTTPS version of the page to show to users.
5. There are many types of certificates. The most common is Domain Validated (DV) which you can typically get for free from your web host, CDN, or issuers like https://letsencrypt.org/ . Organization Validated (OV) and Extended Validation (EV) may be seen as more trustworthy.
What you may not know is that there are wildcard certificates that also cover subdomains like http://blog.domain.com . One certificate for a domain is a lot easier to maintain if you have a need for different subdomains.
There are also MDC/SAN/UCC certificates that cover multiple domains like http://domain.com  and http://other-domain.com . When old domains are redirected, they are often neglected which means if you have a certificate covering that website it may not be renewed.
You should set up monitoring on old domains with something like @contentking alerts. If your cert expires, users will receive a warning on your old pages and not be redirected to the new site. Google will not have this issue and will still see and follow your redirects correctly.
6. In fact, Google doesn't actually validate certificates. Google only looks at the URL to determine if a page is secure. A URL either starts with http:// (insecure) or https:// (secure).
You can appear secure without being end to end secure such as with @Cloudflare's Flexible SSL option. With this, your connection is secure between Cloudflare and your users, but not between Cloudflare and your server. The full connection path is not secure.
7. Another fun fact is you can't redirect to HTTPS from the Domain Name Service (DNS) level. DNS doesn't support protocols like HTTP/HTTPS. *Some DNS services have solutions for this so check with your provider. I've seen SEOs leave the old hosting active just to do redirects.
You should forward the domain to the new server and handle any redirects and upgrades to HTTPS there. You can maintain the paths for pages in the redirects so check your settings or documentation.
8. While a 307 status code is similar to temporary redirects such as a 302, often when you see this it's because of HTTP Strict Transport Security (HSTS), which basically says the page should be requested with HTTPS instead.
The actual redirect status code may be obscured by this and it could be a 301 or a 302. You can check in the very first request to a site or by using incognito to see if the actual redirect is a 301 or 302 status code. It should be a 301.
9. A lot of people upgraded to HTTPS so they weren't missing out on referral data from other websites. By default, the referer is passed like this:

HTTP > HTTP - YES
HTTPS > HTTPS - YES
HTTP > HTTPS - YES
HTTP > HTTP - NO

HTTPS allowed for better analytics about referring pages.
There's a new default in Chrome 85 that will mean that no page URLs are passed in Chrome and you'll lose the page data in your analytics. https://twitter.com/ChromiumDev/status/1289185313747697668?s=19
You can still change the Referrer Policy for your site, but this mostly benefits other websites. You are still losing much of the referring page data to your own website. To see who is driving you traffic, you'll have to get data from a backlink index like @ahrefs.
A fun fact about the "referer" is it's actually misspelled and should be referrer. It was in the original policy documents this way and the misspelling was kept as it was.
You can use the referer value on your own website to send the referring page along with contact forms. This solves a lot of headaches for clients especially with vague requests like "can I get a quote" or "can I get more details" by sending the page where the request originated.
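To make the change in item 9 concrete, here is an added example (not from the original thread) that computes the Referer value under the older default, `no-referrer-when-downgrade`, and under `strict-origin-when-cross-origin`, the default Chrome moved to in version 85. The URLs are constructed samples and the function names are hypothetical.

```python
from urllib.parse import urlsplit


def _origin(url):
    """scheme://host[:port] of a URL (default ports are not normalized here)."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}"


def _full_url(url):
    """Full URL as used in a referrer: fragment and credentials are dropped."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return f"{_origin(url)}{p.path or '/'}{query}"


def referrer_sent(policy, from_url, to_url):
    """Return the Referer header value for a navigation, or None if omitted."""
    downgrade = (urlsplit(from_url).scheme == "https"
                 and urlsplit(to_url).scheme == "http")
    same_origin = _origin(from_url) == _origin(to_url)

    if policy == "no-referrer-when-downgrade":
        # Older default: full page URL unless going from HTTPS to HTTP.
        return None if downgrade else _full_url(from_url)

    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _full_url(from_url)       # own site still sees the page
        if downgrade:
            return None                      # HTTPS > HTTP: nothing sent
        return _origin(from_url) + "/"       # other sites see the origin only

    raise ValueError(f"policy not modelled in this example: {policy}")


if __name__ == "__main__":
    page = "https://blog.example/post?id=7#comments"   # constructed sample
    for policy in ("no-referrer-when-downgrade",
                   "strict-origin-when-cross-origin"):
        for target in ("https://shop.example/", "http://shop.example/"):
            print(policy, "->", target, ":", referrer_sent(policy, page, target))
```

Under the newer default the receiving site's analytics see only `https://blog.example/`, which is why the referring page path disappears from reports.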
10. A common problem when moving to HTTPS is mixed content. These are requests to files that are still http://. While you can scan a website to find these references to update, it's a lot of work. There's an easier way with Content Security Policy https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
There's a Content Security Policy (CSP) called upgrade-insecure-requests that when added to your header can solve for mixed content issues by forcing the requests to https://.

However, this does not solve issues like canonical tags, og: tags, links, or other link references.
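The split described in item 10, as an added example that is not part of the original thread: it scans markup for `http://` references and separates subresource loads, which the browser rewrites when the `Content-Security-Policy: upgrade-insecure-requests` header is present, from the references the thread lists as unaffected (canonical, og: tags, links), which still need editing in the source. The sample page and all names in the code are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs the browser fetches as subresources.
SUBRESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
                     ("source", "src"), ("video", "src"), ("audio", "src")}


class InsecureRefFinder(HTMLParser):
    """Collects http:// references, split by whether the CSP directive helps."""

    def __init__(self):
        super().__init__()
        self.upgraded = []     # fixed in the browser by upgrade-insecure-requests
        self.needs_edit = []   # read from markup as-is: canonical, og:, links

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        prop = (a.get("property") or "").lower()
        for name, value in attrs:
            if not (value or "").lower().startswith("http://"):
                continue
            if (tag, name) in SUBRESOURCE_ATTRS or (
                    tag == "link" and name == "href" and "stylesheet" in rel):
                self.upgraded.append((tag, value))
            elif ((tag == "a" and name == "href")
                  or (tag == "link" and name == "href" and "canonical" in rel)
                  or (tag == "meta" and name == "content"
                      and prop.startswith("og:"))):
                self.needs_edit.append((tag, value))


def classify_insecure_refs(html):
    """Return (upgraded, needs_edit) lists of (tag, url) in document order."""
    finder = InsecureRefFinder()
    finder.feed(html)
    return finder.upgraded, finder.needs_edit


# Constructed sample page, not taken from any real site.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://example.com/page">
<meta property="og:image" content="http://example.com/share.png">
<link rel="stylesheet" href="http://example.com/site.css">
<script src="http://cdn.example.net/app.js"></script>
</head><body>
<img src="http://example.com/logo.png">
<a href="http://example.com/contact">Contact</a>
<img src="https://example.com/ok.png">
</body></html>"""
```

Calling `classify_insecure_refs(SAMPLE_PAGE)` puts the stylesheet, script and image in the first list and the canonical, og:image and contact link in the second.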
11. HTTP sites allow for some nasty stuff like injecting ads or even changing content. ISPs, hotels, airlines, etc have been caught in the past, but if the web hadn't moved mostly to HTTPS we may have seen some interesting content changes or even censorship by now.
Correction on 9. in case someone makes a thread.

Where's an edit button when I need it? It should be:

HTTPS > HTTP - NO

Thanks for pointing it out
@iPullRank & @darth_na
For this one, if you get a cert that covers multiple domains it's less likely you'll have a certificate expire since the same cert covers your main domain as well. https://twitter.com/patrickstox/status/1289950210471260160?s=19
For 5, @darth_na adds
* Diff. types of encryption
* Causes tiny delay on handshake ("speed" metrics)
* Delay may be longer on higher encryptions
* Some encryptions work faster on different CPUs https://twitter.com/darth_na/status/1289955792116805632
For 10, @Making8 seems to like Better Find and Replace for WordPress for fixing link references. https://twitter.com/Making8/status/1289983471989878788 and sounds like @jennyhalasz concurs. https://twitter.com/jennyhalasz/status/1290021671210909696
For 9, @victorpan calls out issues even within the website that can cause you to lose referral data. When this happens, the traffic may be recorded as direct traffic in your analytics. https://twitter.com/victorpan/status/1290017277513887745
12. h/t to @jennyhalasz, update your landing page URLs in Google Ads or you will lose referral data. https://twitter.com/jennyhalasz/status/1290022617034833921
For 2, @andreapernici adds Brotli to the list of technologies that requires HTTPS. https://twitter.com/andreapernici/status/1290025051165581312
For 7, @inkovic mentions some free/cheap ways to handle these redirects including Firebase, Netlify, and @Cloudflare workers. https://twitter.com/inkovic/status/1290051504368312320
For 10, @DarrenHuangTW adds there are 2 types of mixed content, active and passive. He shared more details about them here: https://twitter.com/DarrenHuangTW/status/1290693008149450752
And to wrap up this thread on HTTPS, it seems that China is now blocking traffic where they can't see the destination site. TLS1.3 + ESNI https://twitter.com/campuscodi/status/1292160917858385920
You can follow @patrickstox.