On August 6th, Google publicly announced HTTPS being a ranking signal / giving websites a boost in rankings. I’d like to quote the article because it implies a few important points:

“[…] we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.“

 

This is the first time that Google has ever explicitly called something a ranking factor. Even though they mentioned some factors to have an impact on ranking, such as site speed (where we saw a significant increase in importance in our 2014 Ranking Factors study), this direct tone is new. 1) On one hand Google tries out new communication styles all the time, but 2) this implies a certain seriousness.

They also mention the ranking signal to be rather lightweight (for now).  I’ll come back to this at the end of this article when talking about whether the effort is worth the benefit. Just keep in mind that the benefit might be relatively small.

Their statement also implies that high-quality content is more important. Google even provides an explanation within one of their courses (https://support.google.com/webmasters/answer/6001093). In it they explicitly recommend content to be “useful and informative“, “more valuable and useful than other sites“, “credible“, “high quality” and “engaging“. On the other hand they warn of broken links, bad grammar and spelling, excessive amount of ads (what’s excessive though?) and spam. They clearly say that high-quality content is a ranking factor, but this should not be news to you.

In the final point they make, notice how they say “we may” see this ranking signal become stronger. Google is a company that is using its enormous data to improve the rankings over time and will see how pushing webmasters to migrate to HTTPS will affect the search landscape. For now, you find mostly trustworthy and strong sites using SSL. Personally, I guess they want to hold the door open to change the effect of SSL if more spammy and untrustworthy sites begin using it.

Google’s (self stated) main goal is making the internet more secure, which comes at the perfect timing. Moving to HTTPS also takes away more data from webmasters: even though you as a surfer can see the query in the url when connected via https, the sites between your browser and Google can’t. It is not possible to read out the referrer (meaning what URL you came from) and therefore what keyword you used, for example. After Google implemented HTTPS on their site – basically causing webmasters to lose keyword data over night – asking them to follow is the next logical step. Pushing webmasters to use SSL will enforce not provided  even more. According to notprovidedcount.com, the average percentage of not provided traffic has been around 85% for quite some time now.

Bing implemented HTTPS as well, but unlike Google, they give you the keyword data back when you use HTTPS. Google actively avoids returning keyword data, arguing it would be a violation of privacy.

What is SSL and HTTPS?

If you’re already experienced with SSL, you might want to skip this section.

SSL stands for Secure Sockets Layer and is a protocol that provides a secure connection when accessing a website. It is important to understand that you don’t encrypt a website with SSL, but you encrypt the connection. An SSL certificate is used to correspond to a static domain via a session key that encrypts the data flowing between server and client.

An encrypted domain would be: https://www.domain.com/index.html.

An unencrypted domain would be: http://www.domain.com/index.html.

Normal HTTP website traffic is unencrypted. Every server that your traffic flows through on the way to the website’s server can read that data. This is how analytics tools get the keyword query for example. If a website you visit uses HTTPS, the data is encrypted, so in theory only you and the website you visit can see what you’re doing on that website.

There are three types of certificates: single domain (www.domain.com), multi-domain (www.domain.com, www.subdomain.domain.com, www.domain.net) or wildcard (www.domain.com, www.subdomain1.domain.com, www.subdomain2.domain.com, www.subdomain3.domain.com, etc.). A basic SSL certificate will only be valid for a specific domain name, so if the certificate is for the www.website.com and someone follows a link to website.com a warning will be displayed. Certificate prices range from $9 to $500,000+. Amongst others and not trying to prefer anyone, providers could be GoDaddy, Thawte, VeriSign, GeoTrust or Comodo.

The thought of giving websites using SSL a ranking boost is nothing new.

 

Additionally, Barry Schwartz wrote about Matt Cutts giving some signals about it at SMX West 2014 (http://www.seroundtable.com/google-ssl-ranking-18256.html) in March 2014.

“At the end of the session, I asked Matt if this means Google is looking to give sites that enable SSL a ranking boost. Matt Cutts shrugged his shoulders and explained that if it was his choice, he would make it so. But he said, it is far from happening and there are people at Google that do not want this to happen. On one hand, if Google announced they would give a ranking boost to SSL sites, it would encourage a ton of sites to go SSL, which would be a good thing. On the other hand, some older sites are hard to make SSL and they would feel at a disadvantage.”

John Mueller, as well as Matt Cutts, mentioned it would be very unlikely for HTTPS to become a ranking factor, but the folks at Google must have changed their minds. Cutts even dedicated a blog post on the topic in May 2010 (http://www.mattcutts.com/blog/google-secure-search/), when Google integrated “search over SSL”. Cutts stated in the article: “I believe encrypted search is an important option for Google searchers.” Even the Wall Street Journal reported about it (http://blogs.wsj.com/digits/2014/04/14/google-may-push-sites-to-use-encryption/).

What are the benefits of using SSL aside from the ranking boost?

Generally it comes down to two major benefits: trust and security. When SSL is in place, users are actively made aware of its presence by the green notification in front of the URL. This not only creates trust, but it can even support conversions and therefore be a revenue driver.

I already mentioned security in times of huge hacks, data steals, frauds and phishing. But security also implies fighting spam and pushing SSL would help that. Yoast formulated this in a nice way: “From a spam fighting perspective I think I can see why Matt would like it. I don’t think many spam network creators would go through the hassle of setting up SSL for all their sites and buying certificates for all of them. The cost would soon become higher than the profit in many niches.”

But of course, there are also some downsides of SSL usage.

Acquiring an SSL certificate means you have to pay for it, which as I mentioned previously can be very expensive.

Also, using SSL can imply a loss of page speed. This could be a potential problem for sites with massive traffic like social networks or heavily trafficked new sites. In the next section I will also hand you a tool (SPDY) that helps you when optimizing page speed while using SSL. The page speed issue should not keep you from migrating to SSL, if you have the chance, so don’t overrate this.

Let’s get to the nitty gritty:

What to regard and what to avoid when migrating to SSL.

These recommendations are assembled from our own expertise, Matt Cutts, John Mueller, the Google Webmaster Central Blog, the Google Support Forum and partially other bloggers:

Do:

• Redirects & canonicals should be in place. If you run on Apache, you can use the .htaccess file in order to set domain-wide redirects from HTTP to HTTPS. Whenever you implement redirects, use 301 redirects only. Also ensure all of your canonicals are pointing at the HTTPS version of the URL. This will also avoid link juice from external backlinks being wasted
• Internal linking must be changed, so that they point to the HTTPS version of the URL
• Use HSTS (HTTP Strict Transport Security), a protocol securing websites even more by avoiding so called “men-in-the-middle” attacks (intercepting data during the transfer between server and client). In very simple terms HSTS makes sure the connection to the server happens only via SSL for future requests, even when the HTTP URL is linked
• List the https site separately in The Google and Bing Webmaster tools, since it’s a different site
• In accordance with this, make sure your analytics / tracking tool is setup for the HTTPS version
• Be aware that HTTPS caching can be controlled with response headers just like HTTP, but it needs to be changed for all resources
• Make sure the infrastructure can handle the higher load, caused by SSL, caching, etc.
• Use SPDY, a networking protocol developed by Google for transporting web content. It manipulates HTTP traffic, with particular goals of reducing web page load latency and improving web security, but you can also enable it for SSL. In the end, it might make your SSL connected website faster than the HTTP version of it
• Upgrade your CDN to use HTTPS
• Every element of your site needs to start using HTTPS (CSS, JS, images, videos, etc.)
• Use relative URLs for resources that are located on the same domain, so you don’t run into trouble with HTTP vs. HTTPS

Do not:

• Avoid expired or old certificates. Any type (single, multiple, wildcard) of SSL certificate is fine at the moment. If you have an older certificate, make sure to have 2048 bit keys
• Don’t forget to ensure server indication and browser support
• Avoid incorrectly registered websites name
• Avoid crawling issues, like blocking the HTTPS version in the robots.txt
• Don’t keep HTTPS URLs from being indexed
• Have no different content on HTTP and HTTPS URLs
• Stay clear of status code errors for HTTPS URLs

Some personal recommendations to take along:

Firstly, don’t panic about implementing SSL. It might be a ranking factor, but Google explicitly mentioned it to be a relatively weak one and that they give webmasters time to implement it. Take your time to plan the implementation, estimate the costs and plan the resources.

Secondly, measure efforts against benefits. The ranking boost might be relatively small. Implement SSL when you have a chance and when it fits (as long as it’s not in five years), don’t force it with all means. You might be disappointed by the ROI.

Thirdly, it is more important to get the basics right. I wouldn’t push a client to implement SSL from a ranking factor perspective, if he hasn’t used at least 80% of his optimization potential.

These three points are strongly related to each other and should be made clear when migrating to SSL – it’s not a 1-2 days type of move.