“[…] we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.“
This is the first time that Google has ever explicitly called something a ranking factor. Even though they mentioned some factors to have an impact on ranking, such as site speed (where we saw a significant increase in importance in our 2014 Ranking Factors study), this direct tone is new. 1) On one hand Google tries out new communication styles all the time, but 2) this implies a certain seriousness.
They also mention the ranking signal to be rather lightweight (for now). I’ll come back to this at the end of this article when talking about whether the effort is worth the benefit. Just keep in mind that the benefit might be relatively small.
Their statement also implies that high-quality content is more important. Google even provides an explanation within one of their courses (https://support.google.com/webmasters/answer/6001093). In it they explicitly recommend content to be “useful and informative“, “more valuable and useful than other sites“, “credible“, “high quality” and “engaging“. On the other hand they warn of broken links, bad grammar and spelling, excessive amount of ads (what’s excessive though?) and spam. They clearly say that high-quality content is a ranking factor, but this should not be news to you.
In the final point they make, notice how they say “we may” see this ranking signal become stronger. Google is a company that is using its enormous data to improve the rankings over time and will see how pushing webmasters to migrate to HTTPS will affect the search landscape. For now, you find mostly trustworthy and strong sites using SSL. Personally, I guess they want to hold the door open to change the effect of SSL if more spammy and untrustworthy sites begin using it.
Google’s (self stated) main goal is making the internet more secure, which comes at the perfect timing. Moving to HTTPS also takes away more data from webmasters: even though you as a surfer can see the query in the url when connected via https, the sites between your browser and Google can’t. It is not possible to read out the referrer (meaning what URL you came from) and therefore what keyword you used, for example. After Google implemented HTTPS on their site – basically causing webmasters to lose keyword data over night – asking them to follow is the next logical step. Pushing webmasters to use SSL will enforce not provided even more. According to notprovidedcount.com, the average percentage of not provided traffic has been around 85% for quite some time now.
Bing implemented HTTPS as well, but unlike Google, they give you the keyword data back when you use HTTPS. Google actively avoids returning keyword data, arguing it would be a violation of privacy.
If you’re already experienced with SSL, you might want to skip this section.
SSL stands for Secure Sockets Layer and is a protocol that provides a secure connection when accessing a website. It is important to understand that you don’t encrypt a website with SSL, but you encrypt the connection. An SSL certificate is used to correspond to a static domain via a session key that encrypts the data flowing between server and client.
An encrypted domain would be: https://www.domain.com/index.html.
An unencrypted domain would be: http://www.domain.com/index.html.
Normal HTTP website traffic is unencrypted. Every server that your traffic flows through on the way to the website’s server can read that data. This is how analytics tools get the keyword query for example. If a website you visit uses HTTPS, the data is encrypted, so in theory only you and the website you visit can see what you’re doing on that website.
There are three types of certificates: single domain (www.domain.com), multi-domain (www.domain.com, www.subdomain.domain.com, www.domain.net) or wildcard (www.domain.com, www.subdomain1.domain.com, www.subdomain2.domain.com, www.subdomain3.domain.com, etc.). A basic SSL certificate will only be valid for a specific domain name, so if the certificate is for the www.website.com and someone follows a link to website.com a warning will be displayed. Certificate prices range from $9 to $500,000+. Amongst others and not trying to prefer anyone, providers could be GoDaddy, Thawte, VeriSign, GeoTrust or Comodo.
Additionally, Barry Schwartz wrote about Matt Cutts giving some signals about it at SMX West 2014 (http://www.seroundtable.com/google-ssl-ranking-18256.html) in March 2014.
“At the end of the session, I asked Matt if this means Google is looking to give sites that enable SSL a ranking boost. Matt Cutts shrugged his shoulders and explained that if it was his choice, he would make it so. But he said, it is far from happening and there are people at Google that do not want this to happen. On one hand, if Google announced they would give a ranking boost to SSL sites, it would encourage a ton of sites to go SSL, which would be a good thing. On the other hand, some older sites are hard to make SSL and they would feel at a disadvantage.”
John Mueller, as well as Matt Cutts, mentioned it would be very unlikely for HTTPS to become a ranking factor, but the folks at Google must have changed their minds. Cutts even dedicated a blog post on the topic in May 2010 (http://www.mattcutts.com/blog/google-secure-search/), when Google integrated “search over SSL”. Cutts stated in the article: “I believe encrypted search is an important option for Google searchers.” Even the Wall Street Journal reported about it (http://blogs.wsj.com/digits/2014/04/14/google-may-push-sites-to-use-encryption/).
Generally it comes down to two major benefits: trust and security. When SSL is in place, users are actively made aware of its presence by the green notification in front of the URL. This not only creates trust, but it can even support conversions and therefore be a revenue driver.
I already mentioned security in times of huge hacks, data steals, frauds and phishing. But security also implies fighting spam and pushing SSL would help that. Yoast formulated this in a nice way: “From a spam fighting perspective I think I can see why Matt would like it. I don’t think many spam network creators would go through the hassle of setting up SSL for all their sites and buying certificates for all of them. The cost would soon become higher than the profit in many niches.”
But of course, there are also some downsides of SSL usage.
Acquiring an SSL certificate means you have to pay for it, which as I mentioned previously can be very expensive.
Also, using SSL can imply a loss of page speed. This could be a potential problem for sites with massive traffic like social networks or heavily trafficked new sites. In the next section I will also hand you a tool (SPDY) that helps you when optimizing page speed while using SSL. The page speed issue should not keep you from migrating to SSL, if you have the chance, so don’t overrate this.
Let’s get to the nitty gritty:
These recommendations are assembled from our own expertise, Matt Cutts, John Mueller, the Google Webmaster Central Blog, the Google Support Forum and partially other bloggers:
Do:
Do not:
Firstly, don’t panic about implementing SSL. It might be a ranking factor, but Google explicitly mentioned it to be a relatively weak one and that they give webmasters time to implement it. Take your time to plan the implementation, estimate the costs and plan the resources.
Secondly, measure efforts against benefits. The ranking boost might be relatively small. Implement SSL when you have a chance and when it fits (as long as it’s not in five years), don’t force it with all means. You might be disappointed by the ROI.
Thirdly, it is more important to get the basics right. I wouldn’t push a client to implement SSL from a ranking factor perspective, if he hasn’t used at least 80% of his optimization potential.
These three points are strongly related to each other and should be made clear when migrating to SSL – it’s not a 1-2 days type of move.