Google and the SEO community have been encouraging website owners to convert from HTTP to HTTPS since 2014. The idea is to create a more secure internet so that hackers can’t steal passwords and information that users input online. It’s a good idea, but it’s not a thoroughly flushed out idea. As a result, it’s always better to wait until all the kinks are fixed before making any changes.
I thought long and hard about switching Financial Samurai to HTTPS when my private server administrator encouraged me to do so last November. But after reading every single authority article on the internet I could get my hands on about the topic since 2013, and going ahead and upgrading Yakezie.com to HTTPS, I’ve decided to hold off for now.
Here are my reasons. Perhaps they pertain to you. Also, feel free to share more reasons why a publisher should or shouldn’t hold off. If you’ve made the switch, I’d love to hear about any snags you experienced, and whether you saw any apples for apples improvement in traffic.
Reasons Not To Switch To HTTPS / SSL
1) Your CPC/CPM advertisement will take a big hit. Based on my research, those who made the switch saw their Google Adsense revenue decline by as much as 50%. I spoke to the folks at Adthrive, and they said they’ve seen publishers experience a 30% to 90% decline in ad revenue. Depending on how much CPC/CPM ad revenue you make, this can be a significant loss of revenue.
The reason why there’s such a decline is because Google and Adthrive’s advertisers aren’t HTTPS ready, nor are Google and Adthrive’s respective platforms. Isn’t it weird that Google is encouraging HTTPS conversions, yet their own Adsense platform isn’t 100% converted/compatible? I’m not willing to lose that much in CPC/CPM revenue just for HTTPS.
2) You will likely break your site for at least a little while. When you do the HTTPS conversion, you’ve got to resubmit your sitemap, wait for Google to crawl your sitemap, make sure all the links within your post are HTTPS, and make sure all your redirects are redirecting properly. Even after switching to HTTPS, if you have a post where the SRC image you link to is from a non-HTTPS site, your browser will show a warning (mixed content issues). The warning is worse than if the browser just showed an “i” or nothing at all!
If you or your webmaster don’t fully understand what you are doing, you may lose your search rankings and traffic. The longer you leave any of your problems unfixed, the harder it will be to climb back to even. As a reference, my administrator is still working out kinks from November for clients he switched over.
3) Google might change its mind. Only about 30% of websites out there have converted to HTTPS. Remember Google+ or Google Authorship? They pushed the heck out of these two things only to retract. Imagine going through the conversion process, spending hours fixing all your links, paying for the certificate etc only to have Google say HTTPS doesn’t really matter because not enough sites have complied to go HTTPS. Google doesn’t control the internet. At the very least you’ll have a nice secure site. But what if it causes major losses in rankings and crawl issues because you didn’t catch all your links?
4) Your site isn’t asking for sensitive info. If you are a free blog that doesn’t ask for passwords, credit card info, and other sensitive info, then there’s no need to go HTTPS. I can easily see a situation where Google just requires e-commerce sites and the like to go HTTPS, but leaves the rest of us alone. If you have a forum, you may want to switch. But even still, I would hold off for a while longer.
5) There’s been no evidence of ranking improvements. Supposedly HTTPS is a weak ranking signal. Some say converting to HTTPS might give your site a 5% boost in organic search traffic. But from what I’ve read and seen, there hasn’t been such a boost yet. Even if your site does get a 5% boost in traffic, does that offset the 30% – 90% decline in CPC/CPM revenue? It won’t for me.
Here is an interesting graphic that shows the percentage of HTTPS websites showing on page one. Given ~30% of the sites have switched, showing 30% of the sites as HTTPS on page one is as expected. If there was a significant ranking signal improvement, there would be a much greater percentage than 30%.
Holding Out For Now
Just like how it’s never a good idea never to buy the first year of a car redesign, it’s also never a good idea to be a guinea pig for a new web experiment that isn’t absolutely necessary. Google, like everybody else is making things up as they go along. They’re doing the best they can, but they don’t know how everything will work or should work. They just have an idea, and will A/B test everything until they come to the best logical conclusion.
I’m only going to convert Financial Samurai if browsers like Chrome start showing a warning sign or something egregious before going to HTTP sites. Indications are that sometime around Feb 1, the latest version of Chrome will show a warning sign on pages that take passwords and credit cards. But since Financial Samurai and most blogs do not take passwords and credit cards, I think we should be fine.
I’ve seen sites linked from Yahoo that when clicked, result in an ominous page that says “are you sure you want to continue?” That’s the bully move Google, Bing, Firefox, Safari, DuckDuckGo, and Chrome can implement to force change and make lives miserable for all website owners. I hope they never go this route carte blanche, but if they do, I’ll bite the bullet and upgrade that day.
Finally, given only about 30% of sites have switched to HTTPS, there’s still plenty of time before the tipping point occurs where Google starts giving more weight in their algorithm to HTTPS. That weight increase will probably occur after 50% of sites switch over, which will be sometime in mid-to-late 2018. Pay attention to the stats.
If browsers start making ominous warnings, then it’s time to switch. If your site is still pretty small, and you can edit all your posts within a day, then you can probably switch with no negative impact. But if your site has hundreds if not thousands of posts, I’d hold off if I were you. Do some pre-scrubbing work first before making the switch.
Good posts to read:
https://moz.com/blog/https-tops-30-how-google-is-winning-the-long-war
https://www.wired.com/2016/05/wired-first-big-https-rollout-snag/(they’ve been trying to get back to even after the switch for 6 months now!)
https://www.wordfence.com/
Information About HTTPS and SSL
Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The ‘S’ at the end of HTTPS stands for ‘Secure’. It means all communications between your browser and the website are encrypted.
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral.
Updated 2/8/2017: The latest Chrome browser Version 56.0.2924.87 (64-bit) went live on 2/1/2017 and everything is working fine. There aren’t any ominous warnings for users saying those sites that are not HTTPS should not be viewed. All it shows is that if you click the “i” button, it’ll say not to input personal financial information. Given we are blogs, such a warning doesn’t matter to us because the vast majority of readers pay us nothing.
I switched my site over a few months ago. But (and that’s a big ol’ butt!), my site doesn’t draw the traffic that Financial Samurai does so I figured I’d work out the kinks now before my site grows too big.
I also went the easy route and didn’t buy a certificate. I’m currently using CloudFlare and they allow the use of Flexible SSL, which basically handles the encryption for the end user and then talks to my server over non-SSL.
And when I say “easy”, I did run into small problems that I needed to work out. I had plugins and different code that wasn’t SSL compliant, so there would be “mixed content” warnings until I worked with the developers and fixed the issues to make everything work correctly. I also used the “SSL Insecure Content Fixer” plugin for WordPress to help until those issues were resolved.
Being in the IT industry for the past 17 years and seeing everything I’m seeing, I can’t see how this wouldn’t stick. However, if it would affect ad revenue, then it makes sense to hold off until they get those problems worked out.
In the meantime, I’m glad I got it done and out of the way!
— Jim
Thanks for the tip on the SSL Insecure Content Fixer plugin. Good to know!
If you’ve got a smaller site, then by all means go ahead. I did the switch for Yakezie.com another smaller site I own, and the switch was easy, but it then took HOURS to get everything compliant. Given FS is 1,000X bigger, I need to do the Mixed Content stuff beforehand for hours, and then write a checklist of stumbling blocks, and then do the switch to minimize downtime.
Thanks for posting this write up Sam. I thought about switching to HTTPS since my blog is less than 1 year old (almost there!) and the hassle would be less than for a site like yours, but ultimately I couldn’t get behind it because it seemed pretty complicated and I’m not convinced that Google will insist on it. As you said, they don’t control the entire Internet, so it’s not just their choice. If it gets to point where the majority of sites are HTTPS and the browsers are showing ominous messages every time you visit an HTTP site, then I’ll do it. Until then, I don’t see the point.
The only issue is, Chrome does control ~50% of the web browsing space. So you gotta pay attention to that. For sites under a year, I would probably give it a go and switch. But based on the size of your site, whether you switch or not at this moment in time won’t be a huge impact either way.
I made the switch and have mixed feelings about it. I’m glad I got it over with, but since there’s still so much I don’t really know/understand with this https stuff I don’t feel completely confident yet that I made the right move. I don’t plan to reverse the changes though. I gotta just roll with it now!
I’ll be very curious to see how Chrome search results work after the upcoming new release in ~ 2 weeks. When it comes to Google, you just never really know what to expect until after the fact. Hopefully blogs won’t really be affected that much either way.
I’ve been nervous about switching to https since 2014, and still am. I was really glad I didn’t switch when I started hearing bloggers report a hit to their Adsense earnings, but anyway – you basically voiced nearly all the reasons why I was uncomfortable with https. The last is, as Sydney pointed out, discomfort about not completely getting everything there is to know about the technical aspects. Would love for you to throw up a post if/when you do switch Financial Samurai to https – just in case I miss some obvious signs that I should make the switch as well.
I’d actually love for you to go first and make the https switch and then tell me the glitches! You first! :)
The more glitch reporting posts after HTTPS switch, the better.
It’s the reason why plugins were invented. They solved the glitches so the rest of us could just press a button!
Perfect timing on this blogpost. I was about to launch my blog and than decides to add ssl. I used “Let’s Encrypt” a free service through my webhost.
[…] Samurai reported on this issue earlier in January: “I spoke to the folks at Adthrive, and they said they’ve seen […]
How recent is the research regarding CPC/CPM revenue? In November, Google claimed all AdSense, AdWords, and DoubleClick sources completely support https/ssl, and they cited The Washington Post, whose site recently transitioned. They saw no appreciable difference in revenue, apparently.
As of now, Feb 7. You can always give it a go and see what happens. Please let me know!
I know AdThrive is not completely ready yet.
Thanks,
Sam
I did just transition to HTTPS, but we don’t use any adds beyond affiliate link banners (that seem to work fine), so I couldn’t tell ya!
This is the post from Google that seems to suggest all ads from Google sources support it: https://webmasters.googleblog.com/2016/11/heres-to-more-https-on-web.html
Haven’t done the switch and am not willing to go through it all just for this. Right now it’s just a blog with articles, so it’s really not something that requires credit card information or something similar. We’ll see …
You know what? I don’t think the boost will be permanent so maybe its best not to change at all!
Another perfectly timed read on your post Sam. I was recommmended last week to move to HTTPS by another blogger who said “it’s what everyone’s doing now!”. Just goes to show that you should take freely given advice with an extremely large pinch of salt! Thanks for your thoughts. I think I’ll hold off for now!
I just recently started a gaming blog, and I switched to HTTPS, for now, I don’t see a huge increase in my traffic, my site is relatively new.
I’ve talked to other bloggers, and some of them switched to HTTPS, they told me It decrease their traffic for a couple of weeks, but now it’s slowly going back up.
I have no clue on the impact it did on my site, but I’ll stick to it for now.
Yeah, if you have a new site, do the switch. No downside really. Big sites… bide your time and see who gets blown up in the process and why first.
I’m admittedly biased on this topic because my day job is in the computer security space and I swim in this stuff daily.
That said – it’s not a question of “if” you should move your site to HTTPS, it’s “when”. That change is eventually going to be forced upon you (for good reason) and the pros of making that shift will outweigh all cons.
If you’re just starting out with your site, OR it’s small enough that there aren’t a ton of dependencies, bite the bullet and make the switch now – or at LEAST look into your options. Your hosting provider may even have automagic ways of doing this for you. But do look into it.
Google is a huge example of “tail wagging the dog” when it comes to advancing the state of internet security. Very few companies have the juice to do this – Google is one of them. And they’re VERY motivated to lead here.
Their security team is one of the best on earth. If you’re at all interested in learning more about their mission (and how they’re leading the charge to make the internet more secure) – follow their blog:
https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html
I agree. An upgrade is an inevitability. But I’m happy to let everybody go first with no benefits, and then wait to see the negative impact of folks messing up their switch over and then learning from their mistakes.
[…] January 17, 2017, I published that I was delaying updating Financial Samurai to HTTPS. The reasons were […]