In October, Google Chrome will release version 62, which will warn website visitors with a “Not Secure” message when they type in data — such as site searches and newsletter signups — on pages without HTTPS. Chrome will issue the “Not Secure” warning to all HTTP pages in Incognito mode.

This will certainly affect ecommerce conversions. For small shops, my detailed guide makes moving to HTTPS relatively painless. But for large sites, roughly 50,000 URLs and larger, there is more risk, given Googlebot’s crawling priorities and slow re-indexing. A sound strategy is to migrate to full HTTPS incrementally and measure traffic and sales impact.

In this post, I’ll explain how to do that.

Google has sent out warnings via Google Search Console to registered sites with HTTP profiles. I have clients that moved to full HTTPS long ago. But they still received the warning.

Google Search Console recently released this message to all registered sites, stating that Chrome will show security warnings starting in October 2017 for sites that haven't migrated to HTTPS.

If you haven’t made the move to full HTTPS yet, you will soon be able to test whether Chrome will issue the “Not Secure” warning on your site by using Google Chrome’s Canary version, which is the beta version of Chrome, used by developers and early adopters to test the latest features.

At the time of writing, Canary is using version 62, the one supposed to introduce the warning. But I couldn’t get the “Not Secure” warning to appear in my tests. I plan to monitor Canary to learn when the warnings start appearing.

Use the Google Chrome Canary version to see if your site will be affected.

I scanned through the National Retail Federation’s 2017 list of top traditional retailers, and found a number of them have not made the move to full HTTPS yet, including well-known brands such as AutoZone, Nordstrom, Gap, Publix, Sears, Subway, BJs, QVC, and Saks Fifth Avenue. The delay is understandable given the risk of losing valuable search engine traffic during the move.

The main risk for large sites is that Google takes too long to re-index pages due to crawl prioritization issues.

Here is the HTTP profile from Google Search Console of one client with a few thousand pages that moved to full HTTPS.

Some sites experience quick re-indexing of pages after switching to HTTPS.

Google re-indexed the HTTPS pages quickly, in roughly two weeks. But another client with over 1 million pages saw a much slower (and painful) re-indexing. It took approximately six months.

Large sites, such as this one with over 1 million pages, might experience a long and painful re-indexing.

The first client didn’t see any negative impact on SEO traffic. The second one did. This has led me to plan high-stakes migrations incrementally. Many sites, such as The Guardian and Wired, have shared their experiences with making an incremental move.

My incremental migration plan involves three phases.

  • Perform server log analysis to identify which groups of pages need to be migrated first. Prioritize pages that Googlebot crawls more often, as this will let us learn the impact quickly.
  • Incrementally update redirect maps and canonical tags to perform the actual move.
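One way to do the log analysis in the first step, as an added example (not the author's code): it counts Googlebot requests per site section in a combined-format access log. The function names, the grouping by first path segment and the sample lines are assumptions; because the User-Agent header is client-controlled, an optional reverse-DNS check drops requests that only claim to be Googlebot.

```python
import re
import socket
from collections import Counter

# Assumes the Apache/nginx "combined" log format; adjust the pattern for yours.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
GBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def _line(ip, path, ua=GBOT):
    return (f'{ip} - - [10/Sep/2017:06:25:01 +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')

# Constructed sample traffic (documentation IP ranges), not real log data.
SAMPLE_LOG = [
    _line("192.0.2.10", "/products/widget-1"),
    _line("192.0.2.10", "/products/widget-2?color=red"),
    _line("192.0.2.11", "/category/tools"),
    _line("192.0.2.10", "/products/widget-3"),
    _line("203.0.113.9", "/checkout/cart"),          # Googlebot UA, other source
    _line("198.51.100.7", "/products/widget-1", "Mozilla/5.0 (Windows NT 10.0)"),
    _line("192.0.2.11", "/"),
]

def is_real_googlebot(ip):
    """Reverse DNS plus forward confirmation (IPv4); the User-Agent is spoofable."""
    try:
        host = socket.gethostbyaddr(ip)[0]
        if not host.endswith((".googlebot.com", ".google.com")):
            return False
        return ip in socket.gethostbyname_ex(host)[2]
    except OSError:
        return False

def section_of(path):
    """Group URLs by first path segment: /products/a?x=1 -> /products/"""
    segment = path.split("?", 1)[0].strip("/").split("/", 1)[0]
    return f"/{segment}/" if segment else "/"

def crawl_priority(lines, verify_ip=None):
    """Return [(section, googlebot_hits)], most-crawled section first."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "Googlebot" not in m["ua"]:
            continue
        if verify_ip and not verify_ip(m["ip"]):
            continue  # claims to be Googlebot but fails verification
        hits[section_of(m["path"])] += 1
    return hits.most_common()
```

On a real log, pass the open file and `verify_ip=is_real_googlebot`; cache the DNS results per IP, since large logs repeat the same crawler addresses many times.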