Google: To HTTPS, or not to HTTPS? 9 August 2014  |  Rich

UPDATE: Full site HTTPS was implemented into the Bluepark platform in April 2016 and is recommended for all sites.

Google has recently blogged about using the HTTPS protocol "everywhere", on every page of the Internet:

http://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-ranking-signal_6.html

At the moment, if you use an SSL certificate on your Bluepark site, it forces HTTPS mode on what are classed as "sensitive" areas of your site. These are any pages involving signing in (authentication using passwords) and checking out (submission of personal and payment details). Specific sections of your Admin Console are also protected in this way.

So why don't we just turn on HTTPS for every page?

The main reason is that it's substantially slower than regular HTTP. Instead of just making a request for a page and getting a response from the server, a more complex exchange ensues along with all of the data having to be encrypted at one end and then decrypted at the other end. It can also affect caching on some browsers, so users can end up spending more time downloading the same content repeatedly.

I've seen some articles suggesting that, with modern technology, HTTPS is comparable to standard HTTP in terms of speed. My own experience is that HTTPS is still noticeably slower, I believe you and your customers will notice it as well. The effect is particularly pronounced on mobile devices.

So the question is whether the additional security given by HTTPS is worth having a slower site. Personally, if I'm viewing a catalogue of products on a website, and all that is exposed is my IP address, I'm not particularly worried about my privacy (even less so than if someone saw me browsing products in a physical shop). The only thing I'd be worried about is submitting my personal information, which is performed via HTTPS already.

Using HTTPS on every page is akin to walking around in a wetsuit all day long, just in case you fall in any water.

There's another issue here. If you move your entire site to HTTPS, that's classed as a URL change for every single one of your pages, see below:

https://support.google.com/webmasters/answer/6033049

Our system would automatically 301 redirect from HTTP to HTTPS, but this still involves a URL change for every page and a possible short-term (or even long-term, there are no guarantees) impact on search engine rankings. Do a search on whether 301 redirects pass 100% of PageRank.

Google may think this is a good idea, it thought Google Checkout was a good idea, but for this to be a reality every website on the Internet would need its own unique IP address (which is the requirement for having an SSL certificate). IPV4 addresses are becoming more and more difficult to acquire. We actually provide one to each of our customers at no extra charge, but I can't see this happening throughout the Internet. IPV6 technology has some answers, but the support for IPV6 is not just not there yet.

The capability actually exists within Bluepark to do this, it could be achieved, but I personally think it's a bad idea at this point in time. It will result in slower servers, slower websites and no perceivable benefit other than a non-specific SEO ranking tweak. If you have a read of the comments on Google's own blog post (which is not even on HTTPS, by the way) you'll see that there are a lot of skeptics regarding this announcement.

For now, we'll wait and see how the Internet reacts.