Google just made a big announcement that affects search engine optimization; they are starting to use HTTPS as a ranking signal. If you don’t know what HTTPS means, have a look at the lengthy Wikipedia article.
Currently most websites only have their contact forms or checkout pages on HTTPS, and everything else on HTTP. Traditionally, there were issues with site speed and certificates when using HTTPS. It seems now that these issues are no more, or are at least easier to fix. Google says that for now the increased ranking signal is only a very lightweight signal — affecting fewer than 1% of global search queries, until they give webmasters time to switch to HTTPS. But over time, they may decide to strengthen it, because they would “like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”
This step was coming; during the 2014 Google I/O conference, held June 25-26 in San Francisco, Google called for “HTTPS everywhere” on the web (see the video from the conference.
Google’s description of the session, from the Google I/O website gives the following summary: Data delivered over an unencrypted channel is insecure, untrustworthy, and trivially intercepted. We must protect the security, privacy, and integrity of our users data. In this session we will take a hands-on tour of how to make your websites secure by default: the required technology, configuration and performance best practices, how to migrate your sites to HTTPS and make them user and search friendly, and more. Your users will thank you.
This caused quite a flutter in the SEO community, but this wasn’t the first time this year that a call for all sites to move to HTTPS was making headlines. In January, Dutch SEO maestro Joost de Valk (AKA Yoast) published an article on his site titled ‘Should we move to an all HTTPS web?’ In that article Yoast talked about his reasons for moving his site to HTTPS. He also links to the Electronic Frontier Foundation’s (EFF) HTTPS Everywhere page. The EFF is the leading nonprofit organization defending civil liberties in the digital world, so they have internet users’ best interests at heart.
The Heartbleed Bug brought the whole HTTPS system into mainstream news in April of this year. While some websites lost data, the exposure of the bug led to tightened security overall. So it looks like the every changing world of SEO has just evolved again. Webmasters and website owners need to follow suit or get left behind as their competitors who adopt HTTPS climb past them in the rankings.
What should Webmasters do?
In the coming weeks, Google promises to publish detailed best practices to make TLS adoption easier. To avoid common SEO mistakes they have outlined some basic tips to get started:
- Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
- Use 2048-bit key certificates
- Use relative URLs for resources that reside on the same secure domain
- Use protocol relative URLs for all other domains
- Check out Google’s Site Move article for more guidelines on how to change your website’s address
- Don’t block your HTTPS site from crawling using robots.txt
- Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag
It will be interesting to see how quickly this gets adopted by webmasters. Google is essentially forcing us to change to HTTPS by saying that our rankings may suffer as a consequence of not switching. There is no knowing how long Google will give us to make the switch, but previous algorithm changes such as Panda and Penguin quickly forced a lot of changes in the SEO landscape — for the better.