What Google’s New Ranking Signal Means For You

    August 8, 2014
    Chris Crum

This week, Google introduced the webmaster and SEO world to a new ranking signal. Webmasters using HTTPS (HTTP over TLS, or Transport Layer Security) to make their sites more secure will be looked upon more favorably than those that don’t in Google’s search engine.

Do you think Google should use HTTPS as a ranking signal? If so, do you think it should be weighted heavily? Share your thoughts in the comments.

That’s not to say that HTTPS trumps everything else. In fact, the company indicated that it’s a pretty weak signal, at least for now. You can expect it to grow in importance over time.

In a blog post, Google webmaster trends analysts Zineb Ait Bahajji and Gary Illyes said, “For now it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”

As you may know, Google’s algorithm uses over 200 ranking signals to determine what search results to show users. Even if this one is lightweight, just how far down on that list the signal actually falls in terms of significance is anybody’s guess. Perhaps it’s not yet one of the most important, but many of the other signals are no doubt lightweight as well. And it’s not often that Google flat out says that any particular signal will likely increase in weight, so this is something all webmasters had better pay attention to.

“Security is a top priority for Google. We invest a lot in making sure that our services use industry-leading security, like strong HTTPS encryption by default. That means that people using Search, Gmail and Google Drive, for example, automatically have a secure connection to Google,” write Bahajji and Illyes. “Beyond our own stuff, we’re also working to make the Internet safer more broadly. A big part of that is making sure that websites people access from Google are secure. For instance, we have created resources to help webmasters prevent and fix security breaches on their sites.”

That refers to Google’s Webmaster Help for Hacked Sites site, which helps those who have been hacked get back on track.

At Google I/O (its developer conference) this summer, Google gave a presentation called HTTPS Everywhere, giving “a hands-on tour of how to make your websites secure by default”. If making your site secure wasn’t a good enough reason to watch that, perhaps Google making it a ranking signal will make it worth your while. You can view it in its entirety here:

Google says it has seen a lot more webmasters adopting HTTPS, and has already been testing it as a ranking signal with positive results.

If your site is already serving on HTTPS, you should be in good shape (as long as your whole site is on it), but you’re encouraged to test its security level and configuration using this tool.

If you’re looking to adopt HTTPS for your site, these are the basic tips for getting started straight from Google:

  • Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
  • Use 2048-bit key certificates
  • Use relative URLs for resources that reside on the same secure domain
  • Use protocol relative URLs for all other domains
  • Check out our Site move article for more guidelines on how to change your website’s address
  • Don’t block your HTTPS site from crawling using robots.txt
  • Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag.

I’d also advise you to read through this Google help document on the subject, and stay tuned to Google’s Webmaster Blog, as it says it will be talking more about best practices over the coming weeks.

Google webmaster trends analyst Pierre Far responded to some concerns in a Hacker News thread on the subject. One concern was that Google will treat the HTTP and HTTPS versions of a domain as separate properties.

“That’s not quite accurate,” he says. “It’s on a per-URL basis, not properties. Webmaster Tools asks you to verify the different _sites_ (HTTP/HTTPS, www/non-www) separately because they can be very different. And yes I’ve personally seen a few cases – one somewhat strange example bluntly chides their users when they visit the HTTP site and tells them to visit the site again as HTTPS.”

Another concern was that even if you 301 every HTTP to HTTPS when you transition, all of your current rankings and PageRank will be irrelevant. According to Far, this is simply “not true.”

He responded, “If you correctly redirect and do other details correctly (no mixed content, no inconsistent rel=canonical links, and everything else mentioned in the I/O video I referenced), then our algos will consolidate the indexing properties onto the HTTPS URLs. This is just another example of correctly setting up canonicalization.”
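A small audit of the HTML-level pitfalls named above (mixed content, a rel=canonical that still points at HTTP, a noindex robots meta tag), as an added example that is not from Google or the original article. The class and function names, the tag list and the sample page are assumptions made for illustration, and treating a non-HTTPS canonical as "inconsistent" is one interpretation of Far's remark.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags (and the attribute) that make the browser fetch a subresource.
FETCHING = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
            "audio": "src", "video": "src", "source": "src", "object": "data"}

class HttpsMigrationAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (issue, detail) tuples

    def _scheme_and_url(self, value):
        # Relative and //host/path URLs inherit the page's scheme.
        url = urljoin(self.page_url, value.strip())
        return urlsplit(url).scheme, url

    def _subresource(self, value):
        scheme, url = self._scheme_and_url(value)
        if value and scheme == "http":
            self.findings.append(("mixed-content", url))

    def handle_starttag(self, tag, attrs):
        a = {name: (val or "") for name, val in attrs}
        rels = a.get("rel", "").lower().split()
        if tag == "link" and "canonical" in rels:
            scheme, url = self._scheme_and_url(a.get("href", ""))
            if scheme != "https":
                self.findings.append(("canonical-not-https", url))
        elif tag == "link" and "stylesheet" in rels:
            self._subresource(a.get("href", ""))
        elif tag == "meta" and a.get("name", "").lower() == "robots":
            if "noindex" in a.get("content", "").lower():
                self.findings.append(("noindex", a.get("content", "")))
        elif tag in FETCHING:
            self._subresource(a.get(FETCHING[tag], ""))

def audit(page_url, html):
    parser = HttpsMigrationAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page (example.com / example.net are placeholders).
SAMPLE = """<head><link rel="canonical" href="http://example.com/post">
<link rel="stylesheet" href="/css/site.css">
<meta name="robots" content="noindex, follow">
<script src="//cdn.example.net/lib.js"></script></head>
<body><img src="http://example.com/logo.png"><img src="img/a.jpg"></body>"""
print(*audit("https://example.com/post", SAMPLE), sep="\n")
```

The relative and protocol-relative URLs in the sample produce no findings; only the hard-coded `http://` image, the HTTP canonical and the noindex tag are reported.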

Far, who was involved with the signal’s launch, also weighed in to address what he says is a “very common misconception”:

Some webmasters say they have “just a content site”, like a blog, and that doesn’t need to be secured. That misses out two immediate benefits you get as a site owner:

1. Data integrity: only by serving securely can you guarantee that someone is not altering how your content is received by your users. How many times have you accessed a site on an open network or from a hotel and got unexpected ads? This is a very visible manifestation of the issue, but it can be much more subtle.

2. Authentication: How can users trust that the site is really the one it says it is? Imagine you’re a content site that gives financial or medical advice. If I operated such a site, I’d really want to tell my readers that the advice they’re reading is genuinely mine and not someone else pretending to be me.

On top of these, your users get obvious (and not-so-obvious) benefits.

If your site is in Google News, and you’re concerned about how switching might impact that, Barry Schwartz got this statement from Google’s John Mueller: “I checked with the News folks — HTTPS is fine for Google News, no need to even tell them about it. If you do end up noticing anything, that would (most likely) be a bug and something worth letting the Google News team know about. A bunch of sites are on HTTPS in Google News, it would be great to have more.”

As Schwartz points out, however, some have had issues with switching when it comes to support from Google’s Change of Address Tool in Webmaster Tools.

“In short, when you do a URL change in Google, from one URL to another, i.e. HTTP to HTTPS, you want to use the Change Of Address Tool, as the Google documents clearly say. But it simply does not work from HTTP to HTTPS within Google Webmaster Tools,” he writes.

The general reaction to Google turning HTTPS into a ranking signal has been mixed. Many see it as a positive, but others don’t think it should make a difference if the content is relevant. Some have even suggested the change has already negatively impacted their sites, though such claims are questionable this early into the existence of such a “lightweight” signal.

The fact is, we’re just going to have to wait and see what happens over time as Google starts to give the signal more weight. By that time, however, it’s probably going to be hard to tell, because it’s doubtful that Google will tell everybody when they crank up the dial.

Is this the right move for Google’s search results? Let us know what you think.


  • William Eldridge

    So… if I want my small hobby site that I currently pay $15/month for to compete in the search results, I need to pay $200-300 for a security certificate per year which will introduce a new attack vector to my site, pay more for bandwidth since SSL is an expanding encryption, and have slower response times as the content is encrypted (a negative signal for Google, by the way)? Yay for wanting an inexpensive hobby of webmastering?

    • Alain Connu

      Yes, that is correct. But Google hates small businesses, they are really pushing hard to destroy them. I think they will probably start selling Google Certificates soon.. Not enough money in our Bahamas account, need morrrrrrrree !

    • @myhomeliving
    • Phillip Stromberg

      You can get a free SSL certificate from http://www.startssl.com/
      It’s pretty easy to have HTTPS even on a small hobby site.

  • kellyjoerockers

    Good Site! Post and comments were very good, topics and discussions are very close to the life, very fine narrative site.
    track accurate information.

  • http://binaryoptionevolution.com/ Richard Dambrosi

    It’s just another way for Google to manipulate the web internet to do its bidding. No small business or site has the $$ it takes to do what the multi billion dollar media companies can afford. To them it’s pocket gum change; to real people it’s months of saving year after year.

  • Rob Donovan

    I think this is bad, and just being used to force people to use HTTPS and spend more money. If your site doesn’t have logins, passwords, users and doesn’t transmit data to the server, then HTTPS will do nothing for you, and will just cost you more money. :(

  • fastlane

    If it is so important to Google, then why don’t they use https for their own blogging platform, Blogger?

  • Gerald Garrett

    Not that long ago, notification was spread across the internet about the new BLEED VIRUS, and stated that this virus was situated on the HTTPS servers. If everybody is to transfer from HTTP to HTTPS, then there is a high possibility that everybody’s systems will be infected by the BLEED VIRUS.

  • Madhur Bhaasi

    SSL certificates are too costly for a small website or blog owner. If one has multiple websites or blogs then the cost will be too stiff to be borne by the owner. This is a very bad move.

  • http://www.ccrengines.com Emily Johnston

    We have a website for our company. Although we have an online catalog, we do not sell anything online, we do not take credit cards or any personal information through the site, we do not allow comments from outside users. I fail to see how adding a secure layer to our site will help in any way. It will simply cost us more and add more IT headaches.

  • https://www.facebook.com/robert.brady.TexasSoundGuy Robert Brady

    200-300 a year! Someone is trying to sell you a bill of goods!

    I pay $30/yr for our SSLs, and it works with all the major credit card processors.


    Just to name a few….

    • Laura R Gullett

      What if I don’t have, or need, a credit card processor? This article is not about cost, as much as it is about a large corporation controlling and monopolizing over everyone on the web who has any website.

      • Myhomeliving.co.uk

        You don’t need to take cards. If you have any way of collecting data, i.e. a contact us form, then at that point you should go to https and get a cert for $8.95. Also there are kudos to using https.

        • http://www.twocentsgroup.com.au/ Simon Dell

          Exactly. $9 is hardly a huge price to pay when you think about the other aspect costs of SEO. And besides, this is one of 200 signals. Pretty sure you could forget about an SSL certificate, concentrate on the other 199 and still rank well. And finally, SEO is just one way to get traffic to your website: maybe try diversifying your marketing strategy a bit?


  • https://www.facebook.com/robert.brady.TexasSoundGuy Robert Brady

    BTW – I think ALL websites SHOULD be encrypted anyway….especially if there is even the simplest form to fill.

  • Laura R Gullett

    Here we go. Another way for a big corporation to remove and control something the average person wants to enjoy their own way. I want to know what Yahoo!, Bing, and other search engines think of all this, since they have been connecting to Google’s index for so long. This is the perfect opportunity for other search engines to care about user comments and make the internet friendly to those people again. They can now take Google traffic if they wanted to and should invest in advertising to do just that is what I think. All they have to do is focus on what the user wants, what worked for the user (keywords, etc) before Google communized every site and allow friendlier more accessible user interactions via Twitter and forms on what works and what doesn’t for that web site owner.

  • Laura R Gullett

    I bet I know the political reason Google did this. It is to allow more search results to sites like Amazon who btw is already Google’s highest paying advertising customer.

  • Laura R Gullett

    Also I want everyone to remember something. In reality you do not have any control over the server where your website is hosted, or where your forms, or database information are hosted. All internet security of any kind is based solely on words in a contract that you buy with any encryption certificate based on trust of that company. If that company fails to secure your form or payments then what? It then costs a ton of legal fees and customer service time to deal with it. If you want control of your own security then you have to own your own server that your website is located on. How do you know how well that company can handle new security attacks when criminals are more and more sophisticated every day? What are you really paying for when you still have to monitor everything to make sure there are no problems, being that you can’t control the server your website is located on?

  • Scott

    I’m suspecting that there is more to the story behind Google using HTTPS as a ranking signal, rather than a security issue. Using an SSL certificate only encrypts the data as it is being transferred from the server. It doesn’t mean the content on the site is any more secure. That’s because if a hacker gains entry through a back door in the server they can still replace your home page with another page and the new hacked page will still go through the SSL. I think it is a waste of resources to secure general text content. More emphasis, however, should be placed on securing the back-end to prevent data loss.

  • joes

    Quick everyone!!! Google said JUMP!!! How high mr Google?

  • Fredrick

    So, now I pay a yearly price for a SSL certificate for a simple website of mine http://www.header.no which doesn’t have a single form on it. This is bad and a behavior of a real bully :(

  • http://webmaster-talk.eu Chris Hirst

    I wonder how long it will be before Google announce their acquisition of GeoTrust?

  • Wev Hosting

    Strong security HTTPS encryption by default http://webhostingservices795.duoservers.com/ Encryption certificate. The internet must be secured for all of us, buy yours today.

    • http://webmaster-talk.eu Chris Hirst

      Ooh! And I wonder where you recommend buying it from????

  • http://webmaster-talk.eu Chris Hirst

    Just to add a little more conspiracy theory/cynicism to the pot.
    HTTPS links going to a HTTP URL will not have a referer, could it be that their decision to go all on HTTPS has ‘hurt’ their Adwords revenue somewhat as site owners are no longer seeing Google as a referral source in their access logs?