2. @aysunakarsu @searchdatalogy #seocamp
Aysun Akarsu / Search Data Strategist
Digital data strategist specialized in technical and architectural SEO who wants to
help companies make data-driven decisions to generate more search traffic.
12 Years in Search Data Analysis
Founder & Blogger of SearchDatalogy
https://www.searchdatalogy.com/blog/
14. @aysunakarsu @searchdatalogy #seocamp
Google Explains
"Security is a top priority at Google. We are investing and working to make sure
that our sites and services provide modern HTTPS by default. We're committed to
making the web a safer place not only for Google users, but for all users. HTTPS
makes it difficult for Internet Service Providers, governments and others to
watch what you're doing online."
16. @aysunakarsu @searchdatalogy #seocamp
How Google Motivates HTTPS Migration 2/2
By Chrome
■ Supporting HTTP/2 on Chrome only over encrypted connections
■ Marking HTTP sites as Non Secure on Chrome
18. @aysunakarsu @searchdatalogy #seocamp
Among Top Sites
Google was one of the
■ First to move to HTTPS
■ Last to bring HTTP Strict Transport Security (HSTS) to its own site. (HSTS was
brought only to www.google.com on 27/07/2016)
19. @aysunakarsu @searchdatalogy #seocamp
HTTPS Across Google
According to Google's statistics, 86 percent of requests sent from around the world to
Google's servers used encrypted connections by mid-February 2017. That was 47
percent at the end of 2013. Google has done a good job in terms of HTTPS on its own
side.
20. @aysunakarsu @searchdatalogy #seocamp
HTTPS In Google Index
SMX Advanced on 23/06/2016
http://searchengineland.com/key-takeaways-google-ama-rankbrain-panda-penguin-bots-252506
21. @aysunakarsu @searchdatalogy #seocamp
HTTPS Usage On Chrome
Percentage of pages loaded over HTTPS
Percentage of browsing time spent on HTTPS websites
Desktop users load more than half of the pages they view over HTTPS and spend
two-thirds of their time on HTTPS pages.
22. @aysunakarsu @searchdatalogy #seocamp
HTTPS On Top 100 Non Google Sites
In February 2016, Google shared data on a list of the top 100 non-Google sites on
the Internet and their HTTPS states.
According to Google, the sites in this list account for approximately 25% of all
website traffic worldwide.
25. @aysunakarsu @searchdatalogy #seocamp
Type Of TLS Certificates 1/2
TLS Certificates by Validation Level
■ Domain Validation TLS Certificates
■ Organization Validation TLS Certificates
■ Extended Validation TLS Certificates
26. @aysunakarsu @searchdatalogy #seocamp
Type Of TLS Certificates 2/2
TLS Certificates by Secured Domains
■ Single-name TLS Certificates
■ Wildcard TLS Certificates
■ Multi-Domain TLS Certificates
27. @aysunakarsu @searchdatalogy #seocamp
Free Certificates / Let’s Encrypt
Pros
■ Free (Accepts donations)
■ Sponsored by leading companies
Cons
■ TLS Configuration
■ Don’t provide wildcard certificates
■ Provide only domain-validated certificates. No future plans to provide
Organization Validation or Extended Validation Certificates.
■ Renewals
28. @aysunakarsu @searchdatalogy #seocamp
Free Certificates / Caddy Server
Pros
■ Free (Asks for donations)
■ Automatic Renewals
■ No TLS configuration
Cons
■ Don't provide wildcard certificates
■ Don't provide Organization Validation or Extended Validation Certificates.
■ It is the new kid in town.
30. @aysunakarsu @searchdatalogy #seocamp
HSTS
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
■ max-age: in seconds
■ includeSubDomains: optional (recommended)
■ preload: optional
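HSTS lets a website tell web browsers that it should only be communicated with
using HTTPS, never plain HTTP.
Once a browser has stored the policy, HSTS eliminates HTTP → HTTPS redirects: the
browser rewrites http:// requests to https:// itself before sending them.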
41. @aysunakarsu @searchdatalogy #seocamp
Get & Configure TLS Certificate On Staging Server
■ Certificate from a reliable CA offering technical support.
■ Choose a 2048-bit key.
42. @aysunakarsu @searchdatalogy #seocamp
Collect Data
■ Production Site’s Crawl
■ Staging Site’s Crawl
■ Analytics Tools e.g. Google Analytics
■ Google Search Console
■ Web Server Logs
■ External Links e.g. Majestic
44. @aysunakarsu @searchdatalogy #seocamp
Analyze Data (Staging)
On each page check
■ Status Code
■ Scheme (protocol) in the URL of the page
■ Scheme (protocol) in the URLs of the links and web assets (images, tracking,
ads, JS, etc.)
■ Canonical tag
■ Hreflang tag
■ Meta tags (e.g. noindex, nofollow)
■ HTTP Headers
■ Content
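The per-page checks listed above can be scripted over the staging crawl. The following is an added example, not part of the original slides: it extracts the canonical, hreflang and robots values from one page and lists every link or asset URL still using http://. The class name, attribute list and sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that carry a URL for links and web assets (assumed list).
URL_ATTRS = {"href", "src", "action", "poster"}


class PageAudit(HTMLParser):
    """Collects the scheme, canonical, hreflang and robots data of one page."""

    def __init__(self):
        super().__init__()
        self.insecure = []   # (tag, url) pairs still pointing at http://
        self.canonical = None
        self.hreflang = {}   # language code -> alternate URL
        self.robots = None   # lower-cased content of <meta name="robots">

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        rel = a.get("rel", "").lower().split()
        if tag == "link" and "canonical" in rel:
            self.canonical = a.get("href")
        if tag == "link" and "alternate" in rel and "hreflang" in a:
            self.hreflang[a["hreflang"]] = a.get("href")
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.robots = a.get("content", "").lower()
        for name in sorted(URL_ATTRS & a.keys()):
            if a[name].strip().lower().startswith("http://"):
                self.insecure.append((tag, a[name]))


def audit(html):
    parser = PageAudit()
    parser.feed(html)
    parser.close()
    return parser


# Constructed sample of a staging page that was only partly migrated.
SAMPLE = """<html><head>
<link rel="canonical" href="http://staging.example.com/page">
<link rel="alternate" hreflang="fr" href="https://staging.example.com/fr/page">
<meta name="robots" content="NOINDEX, nofollow">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<a href="/relative">ok</a>
<img src="http://img.example.com/logo.png">
</body></html>"""

if __name__ == "__main__":
    for tag, url in audit(SAMPLE).insecure:
        print("insecure", tag, url)
```

Status codes and HTTP headers come from the crawler's response object rather than the HTML, so they are checked separately.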
48. @aysunakarsu @searchdatalogy #seocamp
Register
Google Search Console
https://example.com
https://www.example.com
https://m.example.com (If mobile on the origin)
https://en.example.com (If subdomains on the origin)
https://www.example.com/en/ (If directories on the origin)
49. @aysunakarsu @searchdatalogy #seocamp
Configure (On The Destination Site)
Google Search Console
Replicate Origin’s Configuration
■ URL Parameters
■ Geotargeting
■ Disavow
■ Preferred domain
Submit Sitemaps
Analytics Tools e.g. Google Analytics Configuration
56. @aysunakarsu @searchdatalogy #seocamp
Data
■ Production Site’s Crawl
■ Sitemaps Crawl
■ Web Server Logs
■ Analytics Tools e.g. Google Analytics
■ Google Search Console
■ External Links
COLLECT
MONITOR
ANALYZE
57. @aysunakarsu @searchdatalogy #seocamp
Implement HSTS
■ Send HSTS headers with a short max-age.
Strict-Transport-Security: max-age=300; includeSubDomains
■ Slowly increase the HSTS max-age.
Strict-Transport-Security: max-age=86400; includeSubDomains
■ If there is no impact on audience and search engines, consider being added to the
Chrome HSTS preload list.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
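To verify which step of this rollout a server is actually sending, the header can be parsed and classified. The following is an added example, not part of the original slides: it parses a Strict-Transport-Security value following the RFC 6797 directive syntax and maps it to a rollout stage. The stage names are hypothetical, and the preload threshold is taken from the final header shown above.

```python
PRELOAD_MIN_AGE = 31536000  # one year, the max-age used in the preload step


def parse_hsts(value):
    """Return max_age, include_subdomains and preload, or raise ValueError."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives ("a; ; b") are permitted
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            raise ValueError("duplicate directive: " + name)
        seen[name] = arg.strip().strip('"')  # value may be a quoted-string
    if not seen.get("max-age", "").isdigit():
        raise ValueError("max-age is required and must be an integer")
    return {
        "max_age": int(seen["max-age"]),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def rollout_stage(value):
    """Classify a header value into a (hypothetical) rollout stage name."""
    policy = parse_hsts(value)
    if policy["max_age"] == 0:
        return "disabled"  # max-age=0 tells the browser to drop the policy
    meets = (policy["max_age"] >= PRELOAD_MIN_AGE
             and policy["include_subdomains"])
    if policy["preload"]:
        # preload without a one-year max-age and includeSubDomains is a
        # misconfiguration: the directive is sent but cannot take effect.
        return "preload-ready" if meets else "incomplete-preload"
    return "ramp-up"


if __name__ == "__main__":
    # The three headers from the rollout steps above.
    for header in (
        "max-age=300; includeSubDomains",
        "max-age=86400; includeSubDomains",
        "max-age=31536000; includeSubDomains; preload",
    ):
        print(rollout_stage(header), "<-", header)
```

Running this check against every hostname registered for the site catches subdomains that still send the short ramp-up value after the main host has moved on.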
58. @aysunakarsu @searchdatalogy #seocamp
“Protecting less sensitive sites strengthens the protections of more sensitive sites.”
https://https.cio.gov/
“The good we secure for ourselves is precarious and uncertain until it is secured for
all of us and incorporated into our common life.”
Jane Addams