Google introduces HTTPS as a ranking factor

Last week, Google announced that a website’s security has started counting towards its prevalence in search results. This is something that has long been expected by the industry, especially after Google made the move to split secure and non-secure reporting in Google Webmaster Tools in March of this year.

• Why does this matter?
• Is this a small update?
• How security certificates work
• Buying an SSL certificate
• Running a secure website
• Our thoughts on migrating to a secure website

Impression.co.uk moved to a secure website over this year’s Easter weekend and has since seen impressive improvements in visibility, though as we’re a growing agency it’s tricky to pinpoint exactly the direct impact this has had.

Secure websites, denoted by the padlock symbol and ‘https://’ in a browser’s address bar, is not new technology. HTTPS is a secured method of data delivery built upon standard HTTP communication and an additional layer of SSL (secure socket layer)/TLS (transport layer security).

It has been used by as much as ten per cent of all websites as standard up until this announcement, traditionally used almost exclusively on websites requiring above-and-beyond security such as banking systems or websites with login areas. Google’s move to preferring secure websites is likely to significantly increase the number of websites moving to SSL.

Why does this matter?

Search engine optimisation, the process of improving a website’s visibility in search engines, is an important digital marketing channel for all businesses that are active online. A ‘better’ web presence, as judged by Google, will lead to more search engine traffic which in most cases leads to more enquiries and online purchases.

Website security is just one of many hundreds of ranking ‘signals’ search engines calculate. Google, like other search engines, weights its signals differently, using these and an unknown algorithm to rank websites for particular keywords.

Many in the industry have reverse engineered this algorithm via a multitude of tests, to calculate important traits a great web presence must have. Occasionally, Google also releases brief explanations, which is fortunately the case with secure search. According to a post on Google’s Webmaster blog, this update will affect in the region of only 1% of all English searches on the platform, with the opportunity to affect more in the future.

Is this a small update?

Although just 1% of searches will be affected by this update; this is by no means a small update. This move, backed up by conference activity earlier in the year and major tech companies’ reacting to the NSA/Edward Snowden scandals, has led to a wide discussion about making the entire web secure by default. Yahoo, Facebook and other high profile tech companies have already made the move to go secure and Google moved all of its business tools (Gmail, Calendar, Docs and Drive) secure by default in Q3 2013.

Within the release there was also talk about Google potentially increasing the weight of the ‘secure’ signal in the algorithm at a later date. No doubt the reason behind this is that large enterprises will need some time to test and deploy secured-by-default web experiences.

We see this as a great opportunity for small to medium enterprises to get a competitive edge over larger competitors online. More nimble website owners will be able to take advantage of this a lot sooner, which may lead to small jumps in visibility in the short to medium term.

How security certificates work

Unlike traditional web communications, which are simple requests and responses, secured connections operate a ‘handshake’ process before encrypted data is transferred. The reasons for this handshake are:

• To verify that you are talking to the correct server,
• To agree on a method of encryption that the connection will use
• To swap private ‘keys’ which will be used to cypher and decipher the normal HTTP traffic.

As a result of the handshake, both computers agree on a secret key that will be used for all communication during that session. This secret key is what stops anyone snooping in on the connection and seeing the data being transferred.

Almost all web hosts support security certificates, so it’s a relatively painless process to purchase and implement on a server.  There are plenty of guides on this online, based on server type, but for smaller businesses using more client-friendly platforms there may be simpler ways of getting started through easy-to-use setup wizards.

Buying an SSL certificate

Not all security certificates are equal. There are three types of certificate that show a measure of how much vetting has been done by the certificate issuer on the company purchasing the certificate. And there are three certificate configurations that dictate how the certificate can protect traffic on your domain name.

1. Extended Validation (EV) SSL Certificates – the premium of the three types of certificate, the EV certificate verifies the legal, physical and operational existence of the company. It checks the company’s right to use the specified domain name, and also checks that the company details match official records. For this additional level of validation, website owners are awarded with larger verified padlock symbols often with a green organisation badge or background colour in browser address bars.
2. Organisation Validation (OV) SSL Certificates – OV certificates check the organisation’s right to trade under the specified domain name and provides a good level of company details vetting.
3. Domain Validation (DV) SSL Certificates – DV certificates check that the applicant has the right to use the specified domain name, and is therefore the most straightforward SSL certificate. For many businesses though, this is all that is required to move from a non-secure to a secure website.

When purchasing an SSL certificate, your website setup will dictate which deployment method will be required. For instance, web presences can be spread over multiple domain names, hosted on multiple sub domains, or hosted entirely on one domain name. From a wider SEO angle, it’s always best to host a web entity entirely on one domain and, to an extent, this approach pays dividends here as a single-domain SSL is the cheapest option.

Here’s a brief run down of the setup options you may be faced with:

1. Single domain SSL – Simply, this is for most cases, where a business uses only one domain name that requires protection online. E.g. www.example.com
2. Multi-domain SSL – A company may wish to administer all secured domains via one SSL certificate. In this scenario a multi-domain SSL would allow many different domain names to share a certificate. E.g. www.example.com, www.otherdomain.com, mail.domainmail.net
3. Wildcard SSL – When a company is forced to use multiple platforms, it’s sometimes the default to house each platform on different sub domains. For a company doing so, all sub domains of a single domain name can be secured under a wildcard SSL certificate. E.g. mail.example.com, www.example.com, store.example.com

Running a secure website

For a long time there have been pro’s and con’s to running secure websites, the tables are clearly now turned towards running a secure-by-default web. There are just a few things to consider:

Negatives

• There’s additional server and network load times associated with the additional volume of communication needed over a secure connection
• A poorly implemented SSL certificate can throw up nasty errors for users, which is likely to scare them away
• There’s a cost associated with maintaining a secure website, that not all website owners will want to commit to

Positives

• Better security by default for any features you implement on your website
• The transition should be seamless (if redirects are implemented correctly)
• Most, if not all previous SSL concerns have been mitigated against or resolved
• Improved rankings in search engines NEW!

Our thoughts on migrating to a secure website

There’s a lot of information here to take in on something that’s actually quite complex. Though many web people will be quick to implement this change, it isn’t without cost and there are a multitude of other things business owners and marketers can be doing with their websites to achieve better traffic levels from search engines.

Migration to HTTPS isn’t without risk. Google treats each individual URL separately, so care should be taken in redirecting traffic from the non-HTTPs to the HTTPs version. A poorly implemented SSL certificate can lead to errors displaying for users, or could lead to search engine issues relating to duplicated content. For that reason, we would suggest seeking the advice of a web or SEO consultant, to make the process as pain-free as possible.

Finally, one thing Google was keen to reiterate is that this update affects only a small part of the search algorithm. Great, quality content, produced well and distributed to your audience is almost guaranteed to yield better results, so that’s worth bearing in mind if moving to SSL makes you feel a little out of depth.

Image via www.globalsign.co.uk, a supplier of SSL certificates.