Moving your website to https / SSL: tips & tricks
In January I wrote about our plans in moving Yoast.com to SSL. We’ve since done that, with great results from an SEO perspective: we had no negative effect on traffic, whatsoever. Two weeks ago, we also moved our tool Quix to https. There are quite a few things we learned in the process of moving these two sites to SSL that we thought would be worth sharing with all of you. Also, some things happened in the last few weeks that make SSL a hot topic, so we’ll discuss those first.
Ranking benefit for completely SSL sites?
Last month, Search Engine Land reported that Matt Cutts had said about SSL that he’d “personally love to make it part of the ranking algorithm”. The Wall Street Journal picked up on this two days ago. Whether or not this actually happens (or, perhaps, has already happened) doesn’t really make much of a difference to me. A completely SSL site looks more trustworthy than a non-SSL one [reference needed].
From a spam fighting perspective I think I can see why Matt would like it. I don’t think many spam network creators would go through the hassle of setting up SSL for all their sites and buying certificates for all of them. The cost would soon become higher than the profit in many niches.
The recent Heartbleed debacle (if you don’t know what it is, read this and / or this simple explanation) showed us once again how vulnerable the web can be. The good thing about it is that when you think about people being able to “listen” to your web traffic, you suddenly realize it might actually make sense to encrypt a whole lot more of it.
Moving your site to https
In moving yoast.com completely to https / SSL we figured out there’s a few things you need to be aware of:
- Your CDN needs to support SSL too. Of course, we use and love MaxCDN and they can set up SSL for your CDN subdomain very easily.
- SPDY, a networking protocol primarily developed by Google that you can enable for SSL traffic, is awesome. It makes your website faster and funnily enough that means that your fully SSLed site could actually be faster for those people who visit your site with modern browsers than your plain http site.
- Not all SSL setups are equally safe. Once you’ve set up your site with SSL, it’s important to then make a conscious decision about how safe you want your traffic to be and act on that, more below.
You will need a static and unique IP for your site. This is “logical” if you know how SSL works, but it also means that most shared hosting servers won’t allow you to do this.– As mentioned by David in the comments: if your server supports Server Name Indication you don’t even need a dedicated IP.
https & SSL Web server config
Because yoast.com is hosted on Synthesis, we didn’t have to do much to allow for SSL with full support for SPDY, as they took care of all the details for that, which is only part of the reason we love them. For Quixapp.com we had to do it ourselves, which meant re-compiling our NGINX with SPDY support and a few more bits and bobs. For most people it’s probably a better choice to either go with a smart hosting provider like Synthesis or hire someone to do this for you. If you’re not sure whether your current setup supports SPDY, you can use spdycheck.org to check, or simply type
spdy in Quix.