Google has now announced HTTPS is a ranking factor! Only a month after my original article below! Does that mean that the “not yet” I describe below has now happened and you’re missing out if you don’t switch?? No, not really.
The advice below is still valid and the weight of this ranking factor is still “very lightweight”. According to Google it affects fewer than 1% of queries and carries little weight even when it does apply. The main message from Google is, “You had better start thinking about switching, because we’re serious about SSL”. In my opinion this is a good way to nudge more people toward SSL without hurting the sites that aren’t ready for it yet. If I were Google I would start with that <1% being in spaces like banking, where not having SSL is already a very clear signal of low quality, but that’s pure speculation.
Will it affect my SEO?
When should I switch?
How much work is it?
Let’s answer the big question first. No, it does not improve your SEO. At least not yet. In fact you’re a lot more likely to hurt your SEO by implementing SSL poorly than you are to improve it with SSL. (update 8/7/2014 — it may slightly improve your SEO in some very limited cases, Google has taken the first step on the road to making it a meaningful ranking factor in the future)
So strictly from an SEO perspective, should I just stay away from HTTPS?
Nope, you aren’t getting off that easy. Google’s Matt Cutts has said that they would like to make SSL part of the ranking algorithm. Search Engine Land covered this well in March. It should be obvious why Google would like to consider it: a site under HTTPS means not only that the user’s data is protected in transit, but that they are getting the site they expect (i.e. not a tampered or impersonated version of it), and that the site has passed at least domain validation (for most certificates that only proves control of the domain name at issuance, not who runs it). It could certainly still be spam, but it’s clearly less likely to be. That could be great for weeding out spam, but it’s not easy for Google to add that ranking factor without disadvantaging all the sites out there that aren’t under SSL but still have good, authoritative content.
Google is encouraging this transition though, and eventually once HTTPS becomes closer to ubiquitous and easier to implement we should expect it will be considered as a ranking factor.
How close is that to happening? It’s a critical question, since switching on SSL isn’t a checkbox-type thing for most sites and will require some advanced planning. It’d be good to know if we need to start planning and doing that now or there is still some time.
I decided to test how far along this transition is by checking how many of the Quantcast.com top 1,000 sites have their homepage served under SSL. I did a simple test of using curl to request the homepage explicitly with http:// and see how many sites redirected me to https://.
This turned out to be quite low, only 6% defaulted to HTTPS. Additionally only 2 of MozCast’s “big 10” sites (domains with the highest percentage of top 10 SERPs) defaulted to sending users to HTTPS (Facebook & Twitter). I think it’s fair to say that until we see heavyweights like Amazon, Wikipedia & Yelp switch to default HTTPS there’s unlikely to be any disadvantage for the rest of us that aren’t on HTTPS.
Most of these sites do have SSL available though, otherwise projects like EFF’s HTTPS Everywhere, which forces you over to HTTPS, would be pretty useless. In this study by Julien Vehent from earlier this year, he tested for the availability of SSL on the Alexa top 1M sites and found that 45% had SSL available. That’s not a measure of who defaults to it, it’s a measure of how many sites have it enabled for some kind of use. In other words, a lot of sites do have a valid SSL certificate set up and installed, they just aren’t running all their users through it.
I decided to apply the same test to just the top 100 vs. bottom 100 sites in the Alexa top 1M, and found that the following percentage had SSL available (even though most were just redirects back to the non-SSL version):
Top 100 sites: 69%
Bottom 100 sites: 41%
(Failures included sites without any SSL active as well as sites with invalid or mismatched certs)
Just from that comparison you can see how SSL could be a good potential measure of quality, but until a lot more than 6% of the top 100 actively use SSL for everything (vs. just having it available) it wouldn’t make sense to give it too much weight in any ranking factors.
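The two tests above (does an explicit http://host/ request end up on https://, and is HTTPS available with a valid certificate) can be reproduced with the following script. It is added here as an example and is not the author’s original curl commands. The host names, redirect chains and the ten-hop cap are constructed assumptions used to exercise the redirect logic offline; pass real host names on the command line to probe live.

```python
"""Probe whether a site defaults to HTTPS, and whether HTTPS works at all.

Added example for this article (not the author's original curl script).
The redirect-following logic is pure and is exercised below on constructed
responses; the live probes use only the standard library.
"""
import http.client
import socket
import ssl
import sys
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10            # assumption: cap chains so loops and ping-pong redirects terminate
REDIRECTS = (301, 302, 303, 307, 308)


def follow_chain(start_url, fetch):
    """Follow redirects from start_url; fetch(url) -> (status, Location header or None).

    Returns (final_url, hops_taken). `fetch` is injected so the logic can be
    tested offline; live_fetch() below does a real HEAD request.
    """
    url, seen = start_url, [start_url]
    for _ in range(MAX_HOPS):
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)      # handles absolute, //scheme-relative and relative targets
        if url in seen:                   # redirect loop: stop where we are
            return url, len(seen)
        seen.append(url)
    return url, len(seen) - 1


def defaults_to_https(host, fetch=None):
    """The article's first test: request http://host/ explicitly and see if we land on https://."""
    final, _ = follow_chain(f"http://{host}/", fetch or live_fetch)
    return urlsplit(final).scheme == "https"


def live_fetch(url, timeout=10):
    """HEAD one URL without following redirects; return (status, Location)."""
    p = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + (f"?{p.query}" if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def https_availability(host, timeout=10):
    """The article's second test: 'available', 'bad_cert' (invalid/mismatched) or 'none'."""
    ctx = ssl.create_default_context()   # verifies the chain and the hostname, like a browser
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "available"
    except ssl.SSLCertVerificationError:
        return "bad_cert"                # expired, untrusted or name-mismatched certificate
    except (ssl.SSLError, OSError):
        return "none"                    # nothing on 443, refused, timed out or handshake failure


# Constructed responses standing in for real sites (not measured data).
CONSTRUCTED = {
    "http://a.example/": (301, "https://a.example/"),
    "https://a.example/": (200, None),
    "http://b.example/": (301, "http://www.b.example/"),      # stays on HTTP
    "http://www.b.example/": (302, "//www.b.example/home"),   # scheme-relative Location
    "http://www.b.example/home": (200, None),
    "http://c.example/": (302, "/start"),                     # relative, then upgraded
    "http://c.example/start": (301, "https://c.example/start"),
    "https://c.example/start": (200, None),
    "http://d.example/": (302, "http://d.example/"),          # redirect loop
}


def constructed_fetch(url):
    return CONSTRUCTED.get(url, (404, None))


if __name__ == "__main__":
    hosts = sys.argv[1:]
    if not hosts:   # offline demo on the constructed chains
        for h in ("a.example", "b.example", "c.example", "d.example"):
            print(h, "defaults to HTTPS:", defaults_to_https(h, constructed_fetch))
    else:           # live probe, e.g. python probe.py example.com
        for h in hosts:
            print(h, "defaults to HTTPS:", defaults_to_https(h), "https:", https_availability(h))
```

Two details matter for a measurement like the author’s: the Location header may be relative or scheme-relative, so it has to be resolved against the current URL rather than string-matched for "https://", and `ssl.create_default_context()` checks the hostname as well as the chain, which is what separates “SSL available” from the invalid or mismatched certificates counted as failures above.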
Why aren’t more top sites using HTTPS for everything?
If the majority of the top sites have SSL setup, then why aren’t they running everyone through it yet? The answer is that there’s still a lot of technical challenges with running SSL for everything, and not a lot of direct business benefits.
SSL adds complexity and can slow requests down, so until there’s more call for it from users & product managers and it’s simpler to implement, it’s easy to understand why adoption is still low. It should go without saying that most users don’t understand the technical details of web security, but just to confirm, look to studies like this one from Baymard Institute that showed that users didn’t generally consider security until they entered their credit card information, and even then were influenced by the graphic design of the form elements and badges rather than by actual security. It’s no wonder then that most sites have been slow to roll it out for all traffic.
On the technical front there are good solutions already out there for many of these issues: SPDY (multiplexes many requests over one encrypted connection, so a page with many elements doesn’t pay a handshake per connection), OCSP stapling (the server sends the certificate’s revocation status along with the handshake, so the browser doesn’t make a separate request to the CA), SNI (lets one IP address serve certificates for many hostnames), and HSTS (tells the browser to go straight to HTTPS and never downgrade) between them address the speed, server-resource and client-side problems. However support for those things isn’t universal yet, and it’s a lot of alphabet soup to swallow when all you want is to encrypt your site.
The top 1,000 sites should all have the technical know-how to handle these issues, but until end-users expect to see that browser lock icon for things other than entering their credit card or standards change it will be slow progress.
So what do you recommend?
Considering what a low percentage of big sites are all-HTTPS and the early stage that many of the necessary add-ons like SPDY are at, I expect that it will still be quite some time before Google considers HTTPS as a ranking factor of any note. I’m sure that they eventually will though, so now is a good time to get ahead of the game, if you’re up for that sort of thing. If you want to hit snooze on the whole migration at this point I couldn’t really blame you, it can be a lot of work.
If you’re doing a new site, consider doing it all-HTTPS from the start. It’s always easier to do it right first than to redo it later.
If you have a site based around logins, consider moving to SSL in the near future. Hopefully you already have your login area under SSL. If so you’ve probably already experienced some of the pain of users switching back and forth between SSL and non-SSL pages. You can lose sessions because of cookie issues (a session cookie without the Secure flag gets sent over plain HTTP too), you can have problems with insecure elements on the page, or you can get into problems with redirects leaving you on the wrong protocol when you don’t expect it. Switching to all-HTTPS makes many of those problems go away.
If you run WordPress, consider switching when you next overhaul your site. The security reasons for running your /wp-admin area under SSL are obvious (otherwise your admin password and login cookie travel in the clear), and once you’ve got part of the site under SSL you may as well start working on the rest. For this site (quantable.com) I’m using the iThemes Security plugin which has an option to set the entire front-end to SSL in one click, easy enough. Existing media embedded with explicit http:// URLs will produce mixed-content warnings once the page is served over HTTPS (and scripts or stylesheets loaded that way are blocked outright by current browsers), so make sure to either explicitly put src="https:// on those elements, or use src="// (protocol-relative URLs) so they work under either. Protocol-relative URLs only help while you serve both versions; once the site is HTTPS-only there’s no reason not to write https:// explicitly.
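As an added example (not from the article, WordPress or the iThemes plugin), here is a small scanner for the mixed-content problem just described: it finds subresources an HTTPS page would load over plain HTTP and rewrites them either to https:// or to the protocol-relative form. The tag lists, the active/passive split and the sample HTML are constructed assumptions for illustration.

```python
"""Find and rewrite mixed content (plain-HTTP subresources in a page served over HTTPS).

Added example for this article; the tag tables are an assumption that covers
the common cases, not an exhaustive list of every element that fetches a URL.
"""
import re
from urllib.parse import urlsplit

# Active content: browsers block these on an HTTPS page (script/style/frame injection risk).
ACTIVE = {"script", "iframe", "link", "object", "embed"}
# Passive content: browsers load these but drop the lock icon and warn.
PASSIVE = {"img", "video", "audio", "source"}
TAG_RE = re.compile(r"<(\w+)\b([^>]*)>")
ATTR_RE = re.compile(r"""\b(src|href)\s*=\s*(["'])(.*?)\2""", re.I | re.S)


def _is_subresource_attr(tag, attr):
    # <link href> fetches a stylesheet/icon; <a href> is navigation and is not mixed content.
    return attr == "src" or (attr == "href" and tag == "link")


def find_mixed_content(html):
    """Return [(tag, 'active'|'passive', url)] for every plain-HTTP subresource."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag = m.group(1).lower()
        if tag not in ACTIVE | PASSIVE:
            continue
        for a in ATTR_RE.finditer(m.group(2)):
            attr, url = a.group(1).lower(), a.group(3).strip()
            if not _is_subresource_attr(tag, attr):
                continue
            if urlsplit(url).scheme.lower() == "http":   # '//host/x' has no scheme and is fine
                findings.append((tag, "active" if tag in ACTIVE else "passive", url))
    return findings


def rewrite_subresources(html, scheme="https:"):
    """Rewrite http:// subresource URLs; scheme='' yields the protocol-relative form (//host/x)."""
    def fix_tag(m):
        tag = m.group(1).lower()
        if tag not in ACTIVE | PASSIVE:
            return m.group(0)

        def fix_attr(a):
            attr, quote, url = a.group(1), a.group(2), a.group(3)
            if not _is_subresource_attr(tag, attr.lower()):
                return a.group(0)
            if url.strip().lower().startswith("http://"):
                url = scheme + url.strip()[len("http:"):]
            return f"{attr}={quote}{url}{quote}"

        return "<" + m.group(1) + ATTR_RE.sub(fix_attr, m.group(2)) + ">"
    return TAG_RE.sub(fix_tag, html)


# Constructed sample page (not from any real site).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example/site.css">
<script src="http://cdn.example/app.js"></script>
<script src="https://cdn.example/ok.js"></script>
</head><body>
<img src="http://static.example/logo.png">
<img src="//static.example/relative.png">
<a href="http://other.example/">a plain link is navigation, not mixed content</a>
</body></html>"""

if __name__ == "__main__":
    for tag, kind, url in find_mixed_content(SAMPLE_HTML):
        print(f"{kind:7} {tag:6} {url}")
    print(rewrite_subresources(SAMPLE_HTML, scheme=""))
```

Run it over exported post content before flipping the front-end to SSL: anything reported as active would be silently blocked on the HTTPS version of the page, which is the kind of breakage that looks like a plugin bug rather than a protocol problem.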
If you’ve got a high-volume site where speed or legacy browser support is important, or a lot of existing code & infrastructure that would need to be changed maybe put it off for now.
Any instructions on how to make the move?
If you do move your site to an all-SSL setup, Yoast’s guide here is an excellent overview of how.
Some of the references from that article (and elsewhere) that I have found helpful include:
- mod_spdy for Apache, allowing newer browsers (60% support) to massively speed up HTTPS pages with many elements on them: https://developers.google.com/speed/spdy/mod_spdy/
Important note: doesn’t work with mod_php, use fcgi.
- HSTS header to force the browser (57% support) to always use HTTPS: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
- OCSP stapling, which speeds up certificate verification by having the server send the CA’s signed OCSP response along with the handshake, so each browser doesn’t have to fetch it from the CA itself: https://raymii.org/s/tutorials/OCSP_Stapling_on_Apache2.html
Note: Requires Apache >= 2.3.3
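Setting the HSTS header from the list above is a one-liner, but getting it wrong is easy. The following checker is added here as an example and is not code from the article or the OWASP page it links: it builds a Strict-Transport-Security value, parses one per RFC 6797 and flags the usual mistakes. The one-year threshold is an assumed recommendation, not an RFC requirement.

```python
"""Build, parse and sanity-check a Strict-Transport-Security header (RFC 6797).

Added example for this article. ONE_YEAR as the minimum is an assumption
(the commonly recommended value), not something the RFC mandates.
"""
ONE_YEAR = 31536000


def hsts_header(max_age=ONE_YEAR, include_subdomains=True):
    """Header value to send on HTTPS responses, e.g. 'max-age=31536000; includeSubDomains'."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def parse_hsts(value):
    """Return {directive: value} with max-age as an int, or None if the header is unusable."""
    if value is None:
        return None
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')         # max-age="300" is allowed as a quoted-string
        if name in directives:               # RFC 6797: a repeated directive invalidates the header
            return None
        directives[name] = val
    if not directives.get("max-age", "").isdigit():   # max-age is required and must be digits
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_hsts(value, received_over_https=True):
    """Return a list of findings (empty means the policy looks sound)."""
    if not received_over_https:
        # Browsers ignore HSTS on plain-HTTP responses; the http:// site must 301 to https:// first.
        return ["header received over plain HTTP: browsers ignore it, redirect to HTTPS first"]
    d = parse_hsts(value)
    if d is None:
        return ["missing or malformed Strict-Transport-Security header"]
    findings = []
    if d["max-age"] == 0:
        findings.append("max-age=0 removes the policy (only useful to un-enrol a host)")
    elif d["max-age"] < ONE_YEAR:
        findings.append(f"max-age={d['max-age']} is short; one year is the usual recommendation")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains are still reachable over plain HTTP")
    return findings


if __name__ == "__main__":
    # Constructed header values, not captured from any real site.
    for sample in (hsts_header(), "max-age=300", "max-age=0; includeSubDomains", None):
        print(repr(sample), "->", check_hsts(sample) or "OK")
```

Two practical caveats: the header is only honoured on an HTTPS response, so the plain-HTTP site still needs its redirect to https:// in place first, and a long max-age is a commitment, because once browsers have cached it they will refuse the http:// version of every covered host until it expires or they receive max-age=0 over a working HTTPS connection. Start with a short max-age while testing and raise it once everything serves cleanly.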