Switching to SSL
Posted on: 10-29-2015 by: Edgar Reihl
Thinking of switching your web site over to SSL? We’ll give you some helpful tips and walk you through an actual changeover experience.
First, what exactly is SSL (Secure Sockets Layer)? It is a technology that ensures that data transmitted between a web site and client (user) is encrypted and protected from modification by a third party en route. When you log on to an SSL-encrypted web site, you will see a lock icon in your browser’s address bar instead of a regular “globe” icon.
You may have heard that Google has been pressing for nearly universal adoption of SSL technology. They are hinting that sites using SSL technology will be ranked higher than those that don’t at some point. Should you make the move?
If you are selling products (engaging in e-Commerce) on your site, hopefully you already have implemented SSL on at least those pages where transactions are being processed. If your site only provides information to visitors, you must decide whether it is worth the trouble and expense to convert. It isn’t clear yet whether Google is actually favoring SSL sites in search results.
As with most choices, there are pros and cons. First, to implement SSL, you’ll have to pay for a certificate. There are at least three levels of certificates ranging from basic to extended. A basic certificate involves fewer steps to authenticate and is therefore less expensive. For our test case, we purchased a basic certificate through our web hosting service for an annual subscription price of about $50. The test site is in a shared hosting package and we discovered that you are only allowed to purchase one certificate per package. If you are hosting multiple web sites in your shared package, you will most likely only be able to secure one of them. To get certificates for additional sites, you may have to upgrade your hosting package to a dedicated server (considerably more expensive) or move the sites you want to secure to their own separate hosting packages. If you have a small business site, you may only have one site in your package, in which case you’re all set.
Another potential concern is performance. While security is a big concern these days, so is page speed. You may already be using an edge server or page acceleration service like Cloudflare or Google PageSpeed. Your visitors expect your pages to load swiftly or they’ll be on their way. Google knows this too, and will demote you in SERPs (Search Engine Result Pages) if your site loads slowly. A key point here is that if you are not using your web hosting service’s own Domain Name Servers (DNS), you may not be able to use a certificate from them. Check with them to be sure. In that case, before you order your certificate, you would have to point your domain back to your host’s name servers and discontinue using an external acceleration service. That’s what we had to do in order to implement SSL on our test site.
We were concerned that our site would take a hit in performance by giving up the use of the external acceleration service, and that the extra burden of SSL encryption would further slow down our pages. Happily, we saw hardly any impact. Our small business test site does not have a lot of graphics or multimedia, which probably helps us in that respect.
You can go to SSL for your entire site, or just for certain pages that require it. Good choices here would be pages where visitors or administrators are logging in, storing or viewing personal information, purchasing products, or private (password protected) areas of your site. If you have a lot of pages that only have product information, or a blog, you wouldn’t necessarily have to serve those over SSL. It’s up to you, really. However, many high visibility sites such as Google, Facebook, Twitter, and others have gone to SSL exclusively for their entire sites.
Here are the steps to follow in making the switch to SSL. Before you start, check the following:
- Carefully review all of the terms and conditions of your web hosting service before you make the move.
- If you are required to use their own name servers, switch back to them before you order your certificate.
- Allow time for DNS addresses to propagate over the Internet; typically 24-48 hours.
- Delete any conflicting subdomains you may have set up earlier in connection with the use of a page acceleration service.
- In particular, if you previously set up a separate www subdomain to feed your site to a service like PageSpeed, delete that subdomain before you order your certificate. Otherwise, your site may go down for an extended period of time if the DNS settings conflict with those for your bare domain, especially if you are trying to use the “www” prefix for your site.
- As a side note, you can choose whether to use the www prefix or not. However, if you have published your web site with the www prefix, you should not change to the bare domain address unless you have thought about the consequences to your SEO work beforehand.
Once you’re finished with all of that, you are ready to begin:
- Go to your web hosting control panel and order your SSL certificate. Be sure your payment information is up to date!
- Choose which domain it should be applied to (if you have more than one).
- It will take some time before your certificate is ready (perhaps as long as 2-3 days). Do not force your site over to SSL until you are sure that your certificate is ready and is functioning properly.
- With some site configurations, you can test for yourself whether SSL is working by trying to load one of the pages with the https:// prefix. If it loads properly, you should be in business.
- You will need to change some parameters to force your traffic over to the SSL address. Otherwise, although a page could be loaded in SSL, it will just continue to load without SSL. Here you will need to decide whether you want your entire site to reside at the secure https:// address, or just certain pages.
- If you are running a WordPress site, there are plugins that can force your site to load in SSL. Or, you can make the changes manually in your WordPress site settings and add a script to the root of your site if you are running on an Apache server in Linux.
- Again, be very careful that your site is ready to run in SSL before you install or activate any plugins to force it to load only at the SSL address. Otherwise you can end up in a situation where your site is down and you can’t even access the administration area (back end) to change the settings back, or troubleshoot the problem.
- It’s important to always have a full backup of all your site files and your database before you make any changes that might take your site down. This is one of those situations, so be prepared! I have known people that wound up in situations where they lost everything and had to rebuild their entire site from scratch because they hadn’t backed up beforehand. Forewarned is forearmed!
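One way to confirm the certificate is ready before forcing any traffic to https://, as an added example (not code from the original article). It checks that the certificate names every hostname you plan to serve, including both the bare domain and the www prefix, and that it is not close to expiry. The hostnames, the sample certificate and the 14-day margin are assumptions made for illustration.

```python
import socket
import ssl
import time


def fetch_cert(host, port=443, timeout=10):
    """Do a fully verified handshake; raises ssl.SSLError if the cert is untrusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def name_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label, never the bare domain.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def readiness_problems(cert, hostnames, now=None, min_days=14):
    """Return a list of reasons not to force HTTPS yet (empty list = ready)."""
    now = time.time() if now is None else now
    problems = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for host in hostnames:
        if not any(name_matches(p, host) for p in sans):
            problems.append(f"{host}: not covered by certificate")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < min_days:  # min_days is an assumed safety margin
        problems.append(f"expires in {days_left:.0f} days")
    return problems


# Constructed sample in the shape returned by getpeercert(): www name only.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.example.com"),),
    "notAfter": "Oct 29 00:00:00 2016 GMT",
}

if __name__ == "__main__":
    # Live use (needs network): cert = fetch_cert("www.example.com")
    checked_at = ssl.cert_time_to_seconds("Oct 29 00:00:00 2015 GMT")
    print(readiness_problems(SAMPLE_CERT, ["example.com", "www.example.com"], checked_at))
```

A redirect that sends visitors to a hostname the certificate does not list produces a browser certificate error rather than a page, so run the check against every name you intend to redirect to.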
Congratulations; you have completed all steps and your pages appear to be loading properly at the https:// address. But wait, what’s wrong with the lock icon? It looks broken! You have now encountered the infamous “insecure content” warning. If any of the resources being used on the page come from an “insecure” (non-https) address, you will see this warning. You will need to track down and fix every single instance before your page will load properly without the warning.
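Tracking down those instances by hand is tedious, so here is an added example (not from the original article) that lists every resource a page would fetch over plain http://, with the line it appears on. The sample page and its URLs are constructed; ordinary links are ignored because they do not trigger the warning, and URLs inside CSS or JavaScript are not covered.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch (or post to) another URL.
FETCH_ATTRS = {
    "script": ["src"], "img": ["src", "srcset"], "iframe": ["src"],
    "source": ["src", "srcset"], "video": ["src", "poster"], "audio": ["src"],
    "embed": ["src"], "object": ["data"], "form": ["action"],
}
LINK_RELS = {"stylesheet", "icon", "preload", "manifest"}

# Constructed sample page, assumed to be served from https://www.example.com/
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.com/style.css">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<a href="http://www.example.org/">plain link, not a subresource</a>
<img src="/images/logo.png" srcset="http://www.example.com/logo-2x.png 2x">
<iframe src="https://www.example.com/map"></iframe>
</body></html>"""


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v}
        names = FETCH_ATTRS.get(tag, [])
        if tag == "link" and LINK_RELS & set(attrs.get("rel", "").lower().split()):
            names = ["href"]
        for name in names:
            value = attrs.get(name, "")
            # srcset holds comma-separated "URL descriptor" candidates.
            for part in (value.split(",") if name == "srcset" else [value]):
                if not part.strip():
                    continue
                # Resolve relative and protocol-relative URLs against the page.
                url = urljoin(self.page_url, part.strip().split()[0])
                if urlsplit(url).scheme == "http":
                    self.findings.append((self.getpos()[0], tag, name, url))


def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings
```

Run `find_mixed_content("https://www.example.com/", SAMPLE_HTML)` on the saved source of each page; an empty list means the static markup no longer references insecure resources.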
Once everything is working properly without any warnings, you’re all done. Google will beat a path to your door now, right? Well, not exactly.
You will have to go into Google Webmaster Tools and add two more sites to your site collection. Add both the bare domain and the www subdomain with the https address. You will most likely now need four entries for the same site (both http and https versions of the bare domain and the domain with the www prefix) if you want to use the www address. Then go in and configure both of the new https URLs completely. Bing is smarter. You will not have to do this additional work in Bing Webmaster Tools. One would think the folks at Google could figure this out. Go figure.
You should resubmit all of your https page URLs (“fetch as Google” and submit to index). Depending on the popularity of your site, it could take anywhere from a few days to three or four WEEKS for Google to re-index your site. How much of an issue is that? Well, probably not as serious as you might at first think, because the non-https URLs are most likely still in their index until they get updated. So you’re probably not losing that much traffic. But on the other hand, you won’t benefit from your switchover to SSL for a while.
That’s a quick summary of some of the main points involved in switching a site over to SSL. If you’re doing this for a client, you should charge them appropriately because it’s a lot of work, and for a large site it can be extremely time consuming. If you accidentally take the site down and have to troubleshoot or rebuild it, you better have a lot of coffee on hand.
If you decide to take the plunge, good luck and much success to you! Just remember that in web development as in so many other things, “measure twice and cut once” to avoid having to dig yourself out of trouble.