SEO and online marketing forums are abuzz this week with discussion surrounding Google’s announcement that https is now a ranking factor. While they’ve indicated that it’s a very weak ranking factor at this point, the announcement seems to indicate that it will become an increasingly important factor over time. While they state that factors like high-quality content are much more important at present, the announcement also clearly alludes to the fact that we’re only seeing the beginning when it comes to SSL as a ranking factor: “[O]ver time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.” They go on to state that the reason it’s currently only a lightweight factor is “to give webmasters time to switch to HTTPS.” In other words: Switching your site to HTTPS does not appear to optional, and over time, will likely be a necessity if you want your site to rank.
A Brief Primer on SSL and HTTPSBefore we go into the nitty gritty of what we know about Google’s move towards increased security on the web, I thought it would be helpful to take a brief look at exactly what we mean by SSL and HTTPS. SSL, or Secure Sockets Layer, is simply a way of encrypting data passed between a server and a browser. Sites that have an SSL connection provide a higher level of security than those that don’t, as information can be transmitted without fear that it will be intercepted (this is why you’ll often see an https connection on e-commerce sites, where personal data like credit card info is transmitted). In order to have an SSL connection, you must first have an SSL certificate. There are many companies that sell SSL certificates, including many web hosts. The cost can range from free up to several thousand dollars if going with a company like Symantec (formerly Verisign). Be sure to do your research before buying, as not all certificates are created equal.
This isn’t the first we’ve heard from Google on the subject…Google Webmaster video, Matt Cutts answered the question, ‘Can switching to SSL hurt my rankings?’. His response: “To the best of my knowledge, I don’t know of any reason why you wouldn’t be able to rank with just HTTPS.” You may have also noticed a new feature was added to your Google Webmaster account back in March – a feature that clued many webmasters in to the fact that change was coming in terms of secure protocols. In the Index Status section of your account, you may have noticed separate listings for HTTP and HTTPS URLs: for instance, http://www.yoursite.com AND https://www.yoursite.com (this is assuming you have verified both versions). The final clue that change was on the way was an off-handed remark by Cutts at SMX West back in March that – at least in his opinion – Google should give SSL sites a boost in rankings. And the fact that Google is now using HTTPS as a ranking factor hasn’t come as a surprise to anyone who attended (or who has watched the video of) Google’s annual developer’s conference in June of this year. In a session entitled HTTPS Everywhere, Google’s Ilya Grigorik and Pierre Far stress the importance of using SSL for ALL online communication, not just transactional communications (more on this below). So, it appears this emphasis on increased security and privacy is something Google has had in the pipeline for a while now; although this may be the first time many webmasters and site owners are hearing about it.
But why does ALL info need to be secure?A question many webmasters have been asking since the announcement is, “Why does ALL info need to be secure? Why not just info that has the potential to be stolen and mis-used?”. In a Google+ post from last week, John Mueller answers this question at length, indicating that even content-only sites (like personal blogs) can benefit from switching to HTTPS. He gives 2 reasons why all sites should make the move: “1. Data integrity: only by serving securely can you guarantee that someone is not altering how your content is received by your users. How many times have you accessed a site on an open network or from a hotel and got unexpected ads? This is a very visible manifestation of the issue, but it can be much more subtle. 2. Authentication: How can users trust that the site is really the one it says it is? Imagine you’re a content site that gives financial or medical advice. If I operated such a site, I’d really want to tell my readers that the advice they’re reading is genuinely mine and not someone else pretending to be me.” If we look at the HTTPS Everywhere session I mentioned above, we can also see that Google is encouraging site owners to secure all types of content – even news and playlists. In the session, Ilya Grigorik explains succinctly why this is the case: “We should be using secure by default communication for all communication, everywhere. And that includes my playlists, the news articles I read and where I read them, and all other things that I do online. Because while it seems like while individually the metadata…that you can gather by looking at these unencrypted sites is benign, when you actually put it all together, it reveals a lot about my intent…it can actually compromise my privacy.”
What do we need to watch out for when switching to SSL?According to Google, there are a number of steps webmasters should be be sure to take when switching to a secure connection. Some of the more pertinent ones include:
- Using 2048-bit key certificates
- Ensuring you’re not blocking access to your HTTPS pages in your robots.txt file
- Following Google’s best practices when switching your domain to the new HTTPS version
- Using relative URLs for resources on the same domain, and protocol relative URLs for those on other domains
- Choosing the right type of SSL certificates