Yesterday, we switched our entire website and this blog to HTTPS, thus securing every Backblaze web page with encryption between our servers and your browser. Ironically, this is how we started seven years ago, then switched some of the pages to just HTTP (including the home page), and now flipped back.
Why did we do this roundtrip to HTTPS-land and back?
The Origins of Our HTTPS Philosophy
A decade ago we were building an enterprise anti-spam company and our application asked our servers for anti-spam updates. These updates were sent over HTTP since there was nothing that needed to be secured in them; all of the updates were identical for all customers. However, customers would see these unsecured connections and it would raise questions and concerns that required explanation. Once customers understood, they agreed it was a reasonable decision, but the question alone caused friction.
Fast forward a couple years to Backblaze and we decided there was no downside to encrypting all connections—even if there were nothing private in the content. For backups, we encrypted the actual files before sending them, but we sent those encrypted files over an HTTPS connection anyway. For the website, we secured it with HTTPS as well.
The Problems
However, about five years ago there was some concern that Google wasn’t indexing HTTPS webpages well, thus lowering the site’s ranking in search results. Google was definitely treating HTTP and HTTPS webpages as different sites and it appeared that HTTPS pages were not as highly valued by Google as their unsecured versions. Ultimately this forced us to reconstruct our site. We split our “static” pages (which just had Backblaze product information) from “dynamic” pages (which either asked customers for information or would display personal information), and then secured the “dynamic” pages. The later pages weren’t likely to rank for searches anyway so we felt confident that securing them for a better user experience wouldn’t negatively impact our business growth.
There was just one problem: the homepage. We wanted it to be HTTP for Google to index it correctly, but the home page had a free trial sign up that required people to enter an email and password. We ended up creating a secure form inside of an HTTP page to try to give our customers the best security without Google dropping us from their search rankings.
One problem: people have been trained to see HTTPS and the lock icon in the browser on secure pages. Not seeing that, some assumed we were sending their email and password in the clear (which wasn’t the case.) Again, not a good end user experience.
Coming Back to HTTPS
A few weeks ago we started discussing that Google seemed to be happier with HTTPS sites, and we decided it was time to re-encrypt all pages to provide our customers with the best user experience. Luckily we hired Chris a month ago, so this ended up on his plate. Yesterday, that project was finished and the entire site and blog switched to HTTPS.
In an incredible coincidence, today, Google announced a change to their algorithm that will actually give a slight preference to sites that use HTTPS! From Google’s blog post:
We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
It’s been a bit of duplicative, extra work for us—but we always aim to make things easier for customers. One of the ways to make things easier is to reduce questions and concerns. I’m thrilled that switching to site-wide HTTPS is one more small item that will help people sleep easy. The irony is we changed our site originally to please Google. We ended up deciding that providing a better user experience was worth the risk of lost rankings and instead of getting punished, Google actually changed their tune and might end up giving us a small reward :)
(By the way, if you have a website, it’s a great time to convert it to all HTTPS—and now for multiple reasons.)
