Internet security is, of course, paramount to Google and it is consistently looking for ways to promote further protection measures. One of the latest pushes has been to further promote HTTPS to improve the security of websites that people access. An increasing number of webmasters have adopted HTTPS (also known as HTTP over TLS, or Transport Layer Security) on their website but Google would like to further encourage HTTPS. As a result, Google has started to use HTTPS as a ranking signal. The signal is only lightweight at the minute (with other signals such as high quality content carrying more weight) because Google wants to give webmasters time to switch to HTTPS. However, Google has said that over time they “may decide to strengthen it, because we’d like all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”
It is pretty rare for Google to advise us of something that will directly affect site rankings. It seems that if they do, as in this case, it’s often because they want to modify our behaviour. A past example of this is when Google first started to raise web performance – it later announced that site speed is a ranking factor.
So, what is so great about HTTPS and why is Google so interested in promoting it? What’s in it for them? Well, Google ultimately wants its users to have a good experience and to trust that they are getting a safe experience. Identity theft and privacy issues are top of the agenda and internet users are increasingly conscious of these threats. As a result, if Google is to continue to be the search engine of choice – it needs to be consistently showing that it is moving forward privacy and data protection. HTTPS has greater security so for Google it is important that as many people adopt it as possible.
How does the ranking work?
Google runs the HTTPS ranking signal in real time (unlike Penguin or Panda algorithms). This means that as soon as Google indexes your new HTTPS URL, that URL will immediately see a very small ranking boost because of the HTTPS URL. The behind the scenes overall ranking algorithm boost is tiny at the minute and you won’t see your ranking jump hugely but it will have a small effect.
The signal is on a per-URL basis and not on a site wide basis. This means that if you have some parts of your site migrated to HTTPS and some parts not, Google will give the boost to the ones on the HTTPS URLs and not to the others. Google obviously wants whole sites to be migrated to HTTPS but it can be done in stages e.g. if you want to test it, on a URL by URL basis.
It seems that the motivation is clear – giving HTTPS sites a ranking boost to encourage webmasters to migrate their sites from HTTP to HTTPS hence increasing security. However, why might some SEOs have concerns?
There have been issues raised about the site load speed of HTTPS and Google has said that sites with slow loading times may get reduced rankings. Is there therefore a conflict here?
Well, Google says that as long as HTTPS is properly implemented, it will not cause a significant performance penalty. It seems unlikely that Google would be promoting HTTPS so strongly if it felt that web performance was going to be compromised but clearly it is important that HTTPS is implemented in the right way.
Redirecting HTTP to HTTPS
In basic terms, http://www.abcd.com is different from https://www.abcd.com. Serving the same content on two different URLs is duplicate content. When you do a site move, Google recommends that you use the change of address tool within Google Webmaster Tools. However, this cannot be done with HTTP to HTTPS because the change of address tool does not support HTTPS migrations, yet.
There is no estimate time for when Google will support it. However, Google’s John Mueller said if you are doing the migration, a 301 redirect is enough of a signal to communicate the change, even without using the change of address tool.
Another option is to contemplate adding a canonical link element pointing from the http version to the https version.
How to do it properly
Generally speaking, there are ways around the issues that can arise in the migration. Clearly it is important to follow best practice to do it properly and minimise any problems. Google is due to publish detailed best practices to make TLS adoption easier and to avoid common mistakes (you can find the information in its help centre now though) but these are Google’s few basic top tips:
- Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
- Use 2048-bit key certificates
- Use relative URLs for resources that reside on the same secure domain
- Use protocol relative URLs for all other domains
- Check out our Site move article for more guidelines on how to change your website’s address
- Don’t block your HTTPS site from crawling using robots.txt
- Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag.
So, there we go, Google wants us to speed up adoption of TLS and it is trying to push this along more quickly by affecting rankings. I wonder how long it will be before the amount that rankings are affected increase to something more meaningful to move the last stubborn few?