AS REPORTED IN SEARCH ENGINE NEWS
On August 6th, 2014, Google announced their intention to use HTTPS as a Ranking Signal, the only search engine in the world at this time to do so. A few months back, Google reported that their testing had shown positive results when using encrypted connections as a signal in their ranking algorithm, so they decided to add it as a permanent search ranking signal.
According to Google, HTTPS is currently a very lightweight signal which affects less than 1% of global queries. Of course they didn’t say “which” specific queries are affected (you’ll have to use your own imagination as to what those might be). At the time of this article, no one is reporting ranking changes they believe are based on this signal, either good or bad. Our current expectation of what you might see is that if two sites are perfectly equal, and one uses HTTPS and the other doesn’t, then the secure page might rank above the other. Note that we said page…
This boost is URL specific, not site wide.
Google also noted this signal is a lighter weight signal than most others, such as high quality content. What this means to you as an SEO is that Google is sending you a very clear message that you’ll be sure to notice. Google wants you to switch and they are offering a very small ranking increase as a carrot. Google has already indicated several times that in the future the HTTPS signal may become a larger factor in the algorithm – and we expect them to follow through with that promise.
Why do we need a Secure Server?
Like us, you’re probably wondering why all sites, including non-ecommerce or content-only sites, would need to use a secure server. It’s a valid question. According to Google’s John Mueller, the reason Google wants all sites to be secure is:
- Data integrity: only by serving securely can you guarantee that someone is not altering how your content is received by your users. How many times have you accessed a site on an open network or from a hotel and got unexpected ads? This is a very visible manifestation of the issue, but it can be much more subtle.
- Authentication: How can users trust that the site is really the one it says it is? Imagine you’re a content site that gives financial or medical advice. If I operated such a site, I’d really want to tell my readers that the advice they’re reading is genuinely mine and not someone else pretending to be me.
Google goes into more detail on the reasons why in the Google I/O 2014 “HTTPS Everywhere” video. We recommend taking the time to watch this video, but if you don’t have time we’ve included the important tidbits in this article.
There are likely more reasons Google wants to nudge us all to secure servers that they haven’t disclosed, such as the fact that it raises the bar to run a successful Web site and can also help them identify the site ownership better, which may lead to less spam. Perhaps it’s more of a political message to get back at the NSA by making it harder for government agencies to sniff what content you’re consuming? There’s certainly been a lot of that going on lately in the news. Hopefully there are plenty of good reasons, because the worldwide implementation costs to go secure are going to be immense.
Migration doesn’t have to be a nightmare if you plan ahead and test!
When Must You Switch to HTTPS?
The biggest problem with migration to a secure server isn’t the addition of a Security Certificate, that’s relatively easy. The problem is having to 301 redirect your entire Web site from HTTP to HTTPS and the issue of doubling the potential for duplicate content, not to mention the other technical problems that can occur during and after the transition.
One of the keys to success with this is to avoid redirect chains whenever possible. An example of a redirect chain you’ll want to avoid would be something like this:
- Someone tries to visit your site as http://domain.com
- Then you redirect them to http://www.domain.com
- Then to https://www.domain.com
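A way to check a set of redirect rules for the chain described above, as an added example that is not part of the original article. The redirect tables are constructed sample data using the article's placeholder domain.com, and the function names `trace` and `audit` are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed redirect tables: request URL -> Location header of the 301 reply.
# "domain.com" is the placeholder host used in the article.
CHAINED = {
    "http://domain.com/": "http://www.domain.com/",
    "http://www.domain.com/": "https://www.domain.com/",
    "https://domain.com/": "https://www.domain.com/",
}
DIRECT = {
    "http://domain.com/": "https://www.domain.com/",
    "http://www.domain.com/": "https://www.domain.com/",
    "https://domain.com/": "https://www.domain.com/",
}

def trace(start, redirects, max_hops=10):
    """Follow 301s from start; return the list of URLs visited, in order."""
    path = [start]
    while path[-1] in redirects:
        nxt = redirects[path[-1]]
        if nxt in path or len(path) > max_hops:
            raise ValueError(f"redirect loop or runaway chain from {start}")
        path.append(nxt)
    return path

def audit(redirects, canonical="https://www.domain.com/"):
    """Check every entry-point variant; return {start: [problems]} for bad ones."""
    findings = {}
    host = urlsplit(canonical).hostname.removeprefix("www.")
    for scheme in ("http", "https"):
        for name in (host, "www." + host):
            start = f"{scheme}://{name}/"
            path = trace(start, redirects)
            problems = []
            if path[-1] != canonical:
                problems.append(f"ends at {path[-1]}, not the canonical URL")
            if len(path) - 1 > 1:
                problems.append(f"{len(path) - 1} hops: " + " -> ".join(path))
            if any(u.startswith("http://") for u in path[1:]):
                problems.append("passes through a plain-HTTP intermediate hop")
            if problems:
                findings[start] = problems
    return findings

if __name__ == "__main__":
    for label, table in (("chained", CHAINED), ("direct", DIRECT)):
        print(label, audit(table) or "OK: every variant reaches HTTPS in one hop")
```

The `DIRECT` table sends every variant straight to the canonical HTTPS URL in a single 301, which is the shape to aim for when writing the server's redirect rules.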
Based on Google’s past history, we’re estimating that we have about 2 YEARS before an insecure Web site becomes a critical problem for SEO. To be clear, we are NOT saying wait 2 years to make the switch. We’re telling you that from this moment on, you’ll see the secure server ranking signal slowly increasing in importance, but your site’s rankings are not where the immediate threat is…
Example of a Chrome v38 visit to a site with a broken security certificate
What we want to help you avoid entirely are the warnings that Google (and/or others) will likely generate, either via the Web browser or directly in search results. These scare screens warn visitors that they’re about to connect to a Non-Secure site.
Privacy warnings, such as the one above, will kill a site’s traffic!
You can bet the bank that this will become widespread at some point; the only question is “when”. This is all based on how politically motivated Google is on the topic of privacy. Take a minute right now and notice the wording on the warning… They are saying Privacy, not techno speak about secure servers, etc. Make no mistake: if they want to make a big deal about this issue, they most certainly can, all in the name of Privacy. It gives them a blank check with consumers.
Google already uses these types of warnings for mobile users about to connect to a flash site, or warnings about desktop sites redirecting to a mobile home page. It’s easy to see them using similar tactics with privacy warnings.
You should switch to a Secure Server NOW if you’re:
- Building a new site on a new domain.
- Changing domain names.
- Making a major change to the URL structure on your site, like a site redesign or platform change.
We advise the above because the biggest issue in migration is the redirects and updates to links that will be needed. The above situations either will not require redirects at all, or will occur at a time when you’ll have to employ site wide redirects anyway, making it an ideal time to switch.
Note: Just like updating your site to be mobile compatible and fast to load, the HTTPS switch is not something you should ignore. It’s vital to your long term success. We just want you to know it’s not a “drop everything and make the switch now” situation. Learn what you need to do and be aware of the areas that can give you trouble – before you dive in.
Which Security Certificate Should I Choose?
There are many different types of Security Certificates available; some are free, while others can be quite expensive. In order to understand the different browser warnings, you’ll first need to understand that there are 5 different types of security certificates to choose from:
- Shared Certificates – These are certificates that are offered by many Web hosts where you use their Certificate, but it is not tied to your domain name. For example if your site is FredsTreds.com, you might put your non-secure content on your domain, but your shopping cart on secure-freds.yourhost.com. This can be very cost effective, but you do lose your domain branding and likely some shopper confidence using this method. Another example of this would be shopping cart services that are hosted off site on the cart provider’s domain such as yoursite.cartprovider.com.
- Free Certificates – For personal Web sites, public forums, etc., some companies offer free security certificates, such as StartSSL, and GoDaddy offers free SSL certificates for qualified Open Source Projects. None of these free ones would be valid for a business, but you might look at these offers and shop around if you’re doing this for a hobby site or other non-profit project.
- Domain Validated (DV) Certificate – The most common SSL certificate used for small businesses. A DV Certificate typically covers a single subdomain like www.domain.com, but not necessarily domain.com (no-www). A visitor to a site with a DV Certificate at this time will see the same security icons as those with Organization Validated certificates, unless they are using Firefox v31 (and perhaps earlier versions). That browser, and perhaps others, may show an alert icon that, when clicked, says the organization is not verified but the connection is secure. This icon is often shown only once, then the typical padlock secure site icon is displayed.
- Organization Validated (OV) – OV Certificates require verification at both the organization and domain registry level. In most cases an OV cert will require a vetting procedure before the certificate is issued; this ensures the business is a legitimate company. OV certificates are more expensive than DV certificates, but really offer little value above the DV certificate. Visitors to a site will typically not notice any difference between a DV and OV cert unless they click the padlock icon, which makes the extra cost debatable at this time. Perhaps soon we’ll see some additional browser identification feature that will make an OV certificate identifiable (and more worthwhile).
- Extended Validation (EV) Certificates – These are the more extensive and difficult to get SSL Certificates. EV Certificates are the ones that turn your browser bar Green indicating a secure site. They require an extended validation of the business including domain ownership, organization information, plus legal existence of the organization. These certificates take longer to acquire and process, and are more expensive. The existence of the Green Bar in the browser can be a strong incentive to step up to the EV level to increase shopper confidence and likely conversion rates. It’s doubtful a content or non-eCommerce site would benefit from this level certificate.
Google has commented that the type of certificate isn’t factored into the ranking signal at this time.
This means that your primary decision should be based on what impact the type of certificate will have on conversion rates, user trust, etc. and not rankings.
Browser Security Indicators
You’ll often see different security icons depending on what browser you’re using. It’s a good idea to learn what the different security symbols look like, including security warnings, when using a desktop browser.
Note: Mobile and Tablet indicators may look different, for example the DV and EV certs look the same when using a Chrome Browser on a Smartphone. As you use your browser start paying attention to these security icons to familiarize yourself with them.
Click the padlock icon in your address bar to display certificate information for the site you’re viewing.
[Images: browser security indicators for Google Chrome Version 38 and Internet Explorer 11. Panels, in order: DV/OV Certificate Valid; EV Certificate Valid; DV/OV Certificate Error (invalid cert); DV/OV Certificate Error (mixed content); DV Certificate Valid (1st Visit DV cert); DV/OV Certificate Valid (after 1st Visit); EV Certificate Valid.]
We do not want anyone to panic at this time. We do have a transition period. If you want to move to a secure SSL, we are using the DV/OV level of certificate by GeoTrust for all non-ecommerce sites and either this certificate or the EV certificate for ecommerce sites as we move forward. Current clients with SSLs installed will have the option to upgrade to the EV. Current clients with no SSL installed will have the DV/OV or EV option.
We suggest you contact us (if we host your website) or your hosting company to discuss options, costs, annual renewal fees and to schedule a time for installation.
If ranking is important to you and you want to stay ahead of the competition, don’t delay. We are in the process of adding SSLs to all of our sites.