Always On SSL
What is it? Why should I use it?
You got an SSL certificate for your site, and that's great! Now you need to take it to the next level and turn on what is called "Always On SSL".
What is Always On SSL? It's really quite simple. Rather than only using SSL on certain pages of your site, like your checkout or login page, you configure SSL to be used on every single page of your site by default. That's Always On SSL! You may have also heard this called "HTTPS Everywhere", which is Google's preferred name, or AOSSL by the Online Trust Alliance. They are ALL the same thing! All SSL certificates and websites are capable of using Always On SSL (AOSSL) or enabling HTTPS Everywhere.
What are the benefits?
There are many benefits to using Always On SSL, along with some common misconceptions and inaccuracies you should be aware of:
Google now views SSL/HTTPS as a ranking signal
Last year Google made a major announcement in support of SSL. They said that using SSL will now be counted as a signal for their search engine rankings. The signal is applied per-page, so you don't get any credit on the pages where you aren't using SSL. Learn more about SSL and how it boosts your rankings.
We all know SEO is hard and extremely competitive. Leveraging SSL as a ranking signal is low-hanging fruit and is highly recommended for anyone with a website. Once Always On SSL is used, you will start to receive this benefit for each page of your website. After all, Google's results are displayed on a page-by-page basis.
SSL Can Make Your Website Faster
A common misconception is that SSL slows you down and puts your site's PageSpeed at risk. This is simply no longer true. Encryption isn't slow anymore, and your site can not only be fast with SSL, but it can be even faster!
For instance, did you know there is a performance boost that requires SSL? Yes, it's true! The newest web standards have been developed with SSL in mind, and can only be used in combination with SSL. Both HTTP/2 (the new version of HTTP) and Google's SPDY (which is an alternative to HTTP) are able to significantly increase the speed of your website through engineering improvements such as compression and multiplexing. Don't believe us? See it in action here. If you want to know even more about the advantages of using SSL, check out the website Is TLS Fast Yet?
The Most Advanced Features of the Web Require SSL
If you have been working closely with the Internet for a while you know that browser and web technology have made huge gains in recent years. Entire applications can now be written for and run right in a browser.
There are a lot of nifty features out there, and the best of them will soon require SSL because of their potential for misuse. This suite of features was previously referred to as "Powerful Features" by Google. It has now become a W3C proposal known as "Secure Contexts". It's expected to be accepted and adopted by Google, Mozilla, and others. This will reserve use of device orientation, geolocation, and full-screen mode for HTTPS only.
Every Page Should Be Secure
Some people may say that only pages where users are entering "personally identifiable information" such as a credit card number, address, or username and password, need to use SSL. We believe that there are benefits to encrypting and keeping everything about a user's visit private.
Studies have shown that seemingly insignificant information can also be considered "personally identifiable information". On an ecommerce site the items someone is shopping for could identify them, as could knowing what specific information they were looking at on WebMD. The reality is that informational websites and pages don't just tell you about a specific topic, but more importantly about the person reading them.
For that very reason, your users can benefit from Always On SSL. Since the technological cost of providing SSL is at an all-time low, there are fewer and fewer reasons NOT to protect visitors on every website.
Stop ISP Content Injection
There have been multiple instances of Internet Service Providers (ISPs) being found guilty of modifying websites by injecting their own content. In 2014, it was discovered that Verizon was using “Supercookies” to track users across devices, and the company was investigated by the FCC. Websites using HTTPS were protected from this unwanted cookie injection.
Comcast was found to have been injecting advertisements onto websites when people were accessing their Wi-Fi hotspots. This was only possible on sites viewed over HTTP because Comcast was able to modify the content at the network level. Again, websites using HTTPS were saved from this unwarranted behavior.
Just imagine! Your website could be slowed down by irrelevant and unwanted content and code injected by an ISP. Visitors could navigate away thinking your site is slow when it is not even your fault!
Ok I'm sold, how do I implement Always On SSL?
Implementing it is a multi-step process. You will need to do three things:
Analyze your website
Prepare Google for the switch
Edit your server configuration
That last step is the easiest. It will differ from server to server, but turning on support for Always On SSL is actually the simplest part.
But before you are ready to go live, you need to make sure your website is ready to go, and that Google knows you are making this change.
The first step will be to dive into your website to see if migrating to using SSL by default will cause any problems. You will want to look at your HTML to see if any resources or links guide users directly to "HTTP". If you do have HTTP links, simply update them to HTTPS. This will prevent mixed-content warnings and other inconveniences.
If you run an API or use third-party services, check to make sure it can be transitioned to HTTPS without any trouble. Also ensure any network hardware (such as a CDN or load balancer) is equipped to handle SSL.
Depending on your website and network there may be further pre-checks. It's best to consult with your web developer and do a thorough check, and then do a test run before making any permanent changes.
Next, you will want to prepare Google for your switch. See, Google treats "https://www.yourwebsite.com" and "http://www.yourwebsite.com" as two separate webpages. That means they have their own PageRank scores and are viewed as different pages in search results. Luckily it's easy enough to tell them that this change is happening and have your PageRank and other WebMaster Tools statistics migrated over. They even prepared a super handy guide to do so.
Once you have prepared your website, it's time to edit your server configuration. You will want to ensure that a redirect is in place to send users to the HTTPS version of your site, as well as enable SSL on every page of your site. Every server will have its own configuration, so you will want to consult official documentation on how to do this. For the most popular servers, such as Apache and Nginx, check out Mozilla's SSL Configuration Generator.
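For the analysis step described above (finding resources and links that still point to HTTP), the following added example, which is not code from the original page, scans a page's HTML and separates subresources that would trigger mixed-content warnings from plain links and metadata that simply need updating. The host www.example.com, the sample markup and all function and class names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Subresource attributes: http:// here is mixed content on an HTTPS page.
SUBRESOURCE = {("script", "src"), ("img", "src"), ("iframe", "src"), ("video", "src"),
               ("audio", "src"), ("source", "src"), ("embed", "src"), ("object", "data")}
# Navigation attributes: http:// here sends visitors or form data back to HTTP.
NAVIGATION = {("a", "href"), ("form", "action")}
LOADING_RELS = {"stylesheet", "icon", "preload", "modulepreload"}

class HttpReferenceAudit(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (line, kind, tag, url, third_party)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        for name, url in attrs.items():
            if (tag, name) in SUBRESOURCE:
                kind = "mixed-content"
            elif (tag, name) in NAVIGATION:
                kind = "insecure-link"
            elif (tag, name) == ("link", "href"):
                # <link> fetches a resource only for some rel values (not canonical).
                rels = set(attrs.get("rel", "").lower().split())
                kind = "mixed-content" if rels & LOADING_RELS else "insecure-link"
            else:
                continue
            try:
                parts = urlsplit(url)
            except ValueError:  # malformed URL, nothing to classify
                continue
            if parts.scheme.lower() == "http":
                third_party = (parts.hostname or "").lower() not in self.own_hosts
                self.findings.append((self.getpos()[0], kind, tag, url, third_party))

def audit_html(html, own_hosts):
    parser = HttpReferenceAudit(own_hosts)
    parser.feed(html)
    return parser.findings

# Constructed sample page for the assumed site www.example.com.
SAMPLE = """<link rel="canonical" href="http://www.example.com/shop">
<link rel="stylesheet" href="http://www.example.com/site.css">
<script src="http://cdn.example.net/lib.js"></script>
<img src="//img.example.net/logo.png">
<a href="http://www.example.com/cart">Cart</a>"""
for finding in audit_html(SAMPLE, {"www.example.com"}):
    print(*finding)
```

Findings flagged as third-party are the ones to confirm with the provider before switching, since the resource must actually be available over HTTPS. The scan does not cover srcset attributes, URLs inside CSS, or URLs built by scripts.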