HTTPS Now a Ranking Signal


While Google’s money-making focus will always be on paid search, they depend on having “successful” organic use so users even see their text/shopping ads - and any kind of reliance on organic search means that the SEO industry is never far behind! In a “can’t-beat-em-join-em” mindset, Google have always made moves to provide their own advice to SEOs, through Matt Cutts’ renowned webmaster videos and even through the publication of their own search engine optimisation starter guide.

Despite this, it’s on an extremely rare occurrence that “the big G” will actually announce (and very specifically define) a ranking signal that isn’t a derivative of “Create High Quality Content™” or similar practice.

To the surprise of many, that’s exactly what they did earlier this week with the announcement that HTTPS is now being used as a ranking signal. There’s no leaving it to interpretation or beating around the bush, no need for there to be an exposé or lengthy research conducted, just a direct “this is now a ranking signal and you should be doing this” message.

What is the HTTPS Protocol?

Before we continue perhaps it would be pertinent to briefly cover what HTTPS actually is, so in the words of Wikipedia:


In plain English, using an HTTPS connection ensures communication between your machine and another on the internet is encrypted. As a result, the data sent from one machine is much more secure from any prying eyes.

If you would like to read up on the full technical description of HTTPS and the layering of HTTP protocol over the SSL/TLS protocol for increased web security you can read the full Wiki article here.

Why does Google consider HTTPS important?

This follows Google’s long-term mission to make the web safer as a whole, having campaigned for ‘HTTPS Everywhere’ at this year’s Google I/O conference, and by ensuring that their own services use strong HTTPS encryption at every opportunity.

The secure campaigning goes back as far as 2008 with the option for HTTPS access for Gmail, to 2010 when this was enabled for everyone by default alongside encrypted search. This was then enhanced even further in 2011 with the implementation of forward secrecy, making it a little more secure than standard HTTPS operation.

For the SEO industry, the move to HTTPS really hit home with the realisation that the announcement of secure search would put an end to organic search keyword referral data within Google Analytics (and all other web statistic software). In April 2014 Google extended this further, removing query data from the referrer on ad clicks originating from SSL searches. So it comes as no surprise that Google are pushing the movement towards a secure web.

For the time being the HTTPS ranking signal is said to be a weak signal bearing minimal impact on search results (the official word on this change is an effect on less than 1% of all queries worldwide) but Google has stated that as time goes on there’s the a strong possibility of this ranking signal being strengthened as they strive to move everyone towards a secure, safer web. This is but the first step in this journey, using the coveted ranking signal as a powerful method of persuasion for webmasters and SEO around the globe to change their protocol methods.

Should I Move My Site to HTTPS/SSL as a Priority?

Whenever Google announce anything which may influence organic search ranking the industry is flooded with conjecture as webmasters come to terms with the latest change and what they should/should not do. This post over at Search Engine Land highlights some of the reactions to the SSL announcement, such as:

We’ve also seen a few, somewhat more sarcastic, tweets in reaction to the announcement. Our favourites include:

The public reaction is often worsened by the publication of articles with misleading headlines. The recent article by PC World with the headline “Google Search starts penalizing websites that don’t use encryption” is a prime example.

Penalisation (indicating a manual or algorithmic penalty) is misleading and unjust. To clarify, at no point did Google say that they would penalise websites which do not utilise HTTPS, they simply said HTTPS will act as a “lightweight signal” for those operating a secure site.

So, should you move to HTTPS immediately? As it stands the strength of the HTTPS ranking signal is minimal therefore renowned optimisation techniques such as the addressing of content related issues, managing duplication, ensuring your pages are crawlable/indexable and managing the quality of your link profile will inevitably take precedence over HTTPS for the time being.

If your website is already running SSL, perhaps for your checkout or other sections of your site, and rolling out HTTPS/SSL site-wide would take minimal effort and minimal cost then it would be a beneficial move to make.

However, if the ranking signals are your only interest, you don’t have an SSL certificate on your website (and no current plans to buy one) and if you currently have no other need for that level of security, then in my opinion there’s no immediate rush. It’s definitely an investment to be making in the near future but there’s no need to panic and jump on the bandwagon straight away. You will not see a huge ranking spike as a result of this move – at least not yet!

There’s a huge variety of SSL certificates available, where do I even begin?

From a security/crypto perspective, almost all SSL certificates are effectively identical, but Domain Validated SSL certificates don’t typically require an identity check or human validation.

In order to apply for an SSL certificate, you first need to create a Certificate Signing Request. Creating a CSR is entirely dependent on the server you’re running your site on, and most SSL certificate companies offer support on how to correctly set this up, such as Comodo.

Domain Validation SSL certificates are entry-level certificates for securing your site. They’re very cheap (prices vary between £9.99 a year to £49.99 a year with a warranty attached) and very easily obtainable, usually by an automated procedure with very little checks involved. It goes without saying that from a trust perspective, this isn’t ideal, as phishing sites could easily obtain one.

If you’re adding an SSL certificate for the sake of securing the website, with no real need for further trust involved (IE: no ecommerce), then this is the bare minimum. Recommended for individuals, but businesses should definitely consider a higher option if trust is important.


Organizational Validated SSL certificates are very similar, but they validate the company and usually have warranties attached to them. Applying for an OV SSL certificate involves a check on your business credentials and requires correct WHOIS information, giving users an extra layer of trust above a Domain Validated certificate.

Extended Validation SSL certificates are the top level of certificate requiring a high level of verification, involving thorough business checks that usually take a few days to complete. When complete, your organisation name will appear next to the secure certificate clearly highlighting in most browsers that the connection is fully secure, and the business you’re currently dealing with is completely legitimate.


I’ve got my SSL certificate. Now what?

Once you’ve obtained your SSL certificate and installed it on your server as instructed, accessing any page on your site with HTTPS as opposed to HTTP should return your page with the corresponding secure padlock icon. You may encounter a problem at this point, in that all your internal links and page elements are still served as HTTP, with your browser complaining about the page trying to load insecure elements over a secure connection.

Providing that your site is configured to serve all secure elements (Images, CSS, JavaScript, etc) on a secure version of the page, this shouldn’t be an issue.

How else will moving to HTTPS/SLL effect SEO strategy?

The move from HTTP to HTTPS could cause issues from an SEO prospective, because after all, you are changing all the URLs across your site which has the potential to cause duplication. But realistically speaking, this isn’t difficult to overcome; you just need to ensure the site is primarily crawled and indexed as HTTPS and that the HTTP version is set up in a way that doesn’t duplicate and allow for both to be indexed separately. This can be achieved in a couple of ways:

  • Implementation of site-wide 301 redirect, taking any HTTP URL request and redirecting to HTTPS equivalent.
  • Implementation of canonical tags on each page of the site, pointing search engines towards the HTTPS version as the preferred version of each URLs.

Some may argue that you’ll only require one of the above methods to handle HTTPS migration, however we would recommend the implementation of both. The implementation of 301 Permanent redirects is the logical choice but this can be supported through the use of canonical tags as a fail-safe mechanism should redirects become no operational for whatever reason. Google’s John Mueller also supports the use of both methods:

John Mueller https Comment

You can now also find Google’s Secure your site recommendations for more information.

Update: We have recently released a whitepaper on migration to HTTPS. You can download The SEO Guide for HTTPS/SSL Migration for free today!

The Future of HTTPS

But just how much will Google’s announcement impact on the overall migration over to HTTPS? It is hard to tell. Google have the full attention of the SEO community but how far will it reach beyond that?

As a Google ranking signal HTTPS is its infancy we will no doubt have to wait and see what unfolds in the coming months and what research highlights moving forward to truly understand its extent and impact.

Will the ranking signal increase as time goes on? Will more secure means of SSL certificate be ranked higher than others? (John Mueller: “we currently don’t treat certificates differently” & “certificate doesn’t play a role at the moment”) Will blogs be treated in the same light as an ecommerce website? Will Google improve the way it identifies and manages HTTPS/HTTP duplication by default? Can we expect new tools in GWT? Who knows…?

One thing is for certain; online security and protection of data is of paramount importance and always will be. For the web, this announcement by Google is a positive step in that direction and will potentially be a safer place as a result of it.

What’s your take on the Google’s move to a secure web, is this ranking boost worthwhile if everyone does it, or will you feel obliged to do it so you don’t miss out? Let us know your thoughts, or other impressions about the move to HTTPS in the comments below!


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>