Google’s new HTTPS ranking signal — what does it mean for you?
Answers to common questions and actionable tips for your site.
In the sleepy summer or early August Google officially announced that HTTPS would now become a component of the Google search ranking algorithm, meaning that websites using secure encryption may get a certain boost in Google rankings.
The search algorithm are mighty complex and involve a great many components. This is the Google’s secret search sauce and nobody knows the formula. We also know that the formula changes constantly. We do know that for now HTTPS is said to be a “lightweight signal”, given less importance than numerous other quality factors, but Google admits it may become stronger over time:
The news is shaking up the SEO industry with lots of polar opinions. And to help you decide whether switching to HTTPs may be a good solution for your website, we’ve created a short guide that explains:
- What HTTPS is;
- Who should use it;
- How it may affect your SEO;
- And what pros and cons there are in switching to HTTPS;
So, let’s get a closer look at HTTP and HTTPS.
Most sites use the standard HTTP way of connecting the website or server to a user computer. In this data is exchanged in an open way. It is fundamentally insecure in that if an eavesdropper can access the data stream that can easily read the data sent. While this is mostly fine for the vast majority of webpages it is inadequate as soon as any sensitive data is being transmitted. Sensitive data covers all financial transactions, bank records and e-commerce as well as forms requesting address, date of birth and other important personal data.
HTTPS adds a level of security, hence the S, to encrypt the data sent between the user and the website making it much harder but not impossible to read.
If you look at the top left of your browser windows you will see the protocol in use. With HTTP you will see the name of the domain.
In a secure site the browser will show the HTTPS and adds a padlock and usually shows this is green.
These images are from Google Chrome, Microsoft IE, Safari and Firefox show things slightly differently.
So what is HTTPS?
HTTPS is a secure method of exchanging information across the Web that uses several extra means to protect the transferred data.
Normally (with a commonly used HTTP protocol), browsers and web servers exchange data in plain text, leaving you vulnerable to eavesdropping — an attacker is able to intercept your data, and then see and use it.
When sent via a “secure” HTTPS version of the protocol, your data gets protected by:
Encryption — encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can “listen” to their conversations, track their activities across multiple pages, or steal their information.
This way HTTPS ensures you can safely send personal data online (like credit card information, login details and so on) without a risk of its leaking to a third-party.
For protecting the transferred data, HTTPS uses SSL technology. So, to enable HTTPS for your website, you need to purchase an SSL Certificate and install it on the website server you want to secure.
Does my website need HTTPS?
For any site that is taking transactions, like e-commerce stores and payment gateways, using HTTPS has long become a standard. And if you’re not yet offering this protection to you users — you’d better do that asap.
For websites collecting personal information for account login, comments, email subscription and so on, HTTPS is a good practice, and can help you build user trust.
For a purely informational website, without any sensitive data transferred, there’s no direct necessity in HTTPS protocol. Though this can to some extent protect your visitors from phishing and other scam practices.
Do I need HTTPS sitewide?
Even though HTTPS is already used by thousands of websites, quite a common tendency for many of them is to protect only separate checkout or login pages, rather than the entire site.
While this approach is definitely better than not having HTTPS at all, here are some cons of not having HTTPS on your entire site:
- Users’ session IDs and cookies cannot be protected. With partial HTTPS protection, when a user switches from HTTPS to HTTP, his session ID and cookies must be transmitted in the clear, and thus can be intercepted and used to impersonate your users.
- Users may end up entering their credit card or login details on another website. Not protecting your landing page with HTTPS or protecting only the “Submit” form on the submission page leaves criminals an opportunity for a man-in-the-middle attack: they can intercept the unsecure pages of your site and lead your customers to fake submission forms instead of the intended ones.
Another case against partial HTTPS implementation (if you’re only planning a move to HTTPS), is that setting the switch from HTTPS to HTTP within one website may itself be complicated. And, when set improperly, may often result in a scary error messages popped up to your users.
Note: if you decide to use HTTPS only on the submission pages, make sure none of them slips your attention. If you’re setting HTTPS protection for a login page, make sure you also set it for pass reset pages, and so on.
Will HTTPS boost my rankings?
Ever since the “HTTPS ranking signal” announcement, fears spread that not having an SSL certificate can now push your site down in Google results, making many website owners start moving their sites to HTTPS without proper research and understanding.
Yet you need to remember that for now HTTPS is considered only a “very lightweight signal” that can potentially give you a tiny rank advantage (together with a set of some 200+other SEO signals), rather than push you to Google top.
If transitioning to HTTPS would be relatively easy for you or important for your business (i.e. e-commerce), then by all means make the switch.
However, if it would be quite difficult to convert to HTTPS it may not be worth the burden, and you surely can find more effective SEO techniques to implement.
Pros and cons of switching to HTTPS
HTTPS protects your users from man-in-the-middle attacks and other forms of unauthorized eavesdropping and tampering.
SSL certificates cost money and have to be renewed and maintained.
Note: The price ranges tend to vary here, so you may find a reasonably priced solution (sometimes a shared SSL if it is provided by your hosting).
Online businesses that handle cardholder information can use this website security as a way to comply with the PCI DSS (Payment Card Industry Data Security Standard)
Each SSL certificate requires its own private IP address.
Note: If your server supports SNI (Server Name Indication) you may go with a shared IP. Yet you have to realize that SNI is not supported by some older browsers (ex. IE on Windows XP)
With a growing awareness of online fraud, many internet users will simply refuse to buy anything from an online merchant that doesn’t encrypt their transactional data.
Encrypting and decrypting information requires extra server processing power and thus can slow down your website.
HTTPS padlock icon in the address bar has become a symbol of trust, and can boost your brand’s image as a trustworthy source.
If you have little or no experience in server configuration, the process of properly redirecting all your content to HTTPS may be complex.
— Proper canonicalization lets you avoid duplicate content issues.
— All HTTP URLs have to be permanently redirected to HTTPS with 301 redirect.
— Any absolute internal links within your website need to be edited into the HTTPS URLs or into relative URLs (ex.)
Even being a small signal for now, HTTPS can potentially have an increasing effect on your search engine visibility.
Most social signals you’ve earned will be lost over the moving.
Trying to leave external content from non-HTTPS resources will result in error messages shown.
Note: Make sure your HTTPS pages feature only content from HTTPS sites and your CDN (Content Delivery Network) supports it too.
For instance, some WordPress plugins may not properly work on the HTTPS version of your site.
Note: Run a deep research to make sure all external plugins you use support HTTPS, or find a replacement.
As Google states on their AdSense page, “HTTPS-enabled sites require that all content on the page, including the ads, be SSL-compliant. As such, AdSense will remove all non-SSL compliant ads from competing in the auction on these pages… Ads on your HTTPS pages might earn less than those on your HTTP pages.”