SSL Google Ranking Signal Silliness
Security is important, sure. However, Google has announced they are now rewarding sites that use secure, encrypted (SSL) connections with a search ranking boost. That’s fine, but it’s misleading. HTTPS only encrypts data in-transit. In no way does it guarantee the security of a website.
I first heard about the Google announcement on NPR this morning. Then I got a tweet from Search Engine Land. What concerns me is that all this focus on HTTPS/SSL is misleading. Before I get into why, let’s back up a little.
What is an SSL?
Short for “Secure Socket Layer,” SSL (as opposed to TLS) is the most widely deployed encryption protocol used today. Essentially, a webmaster would purchase an SSL certificate, either through a provider like GeoTrust or via a reseller like their web hosting company. The SSL certificate is installed on the web server so data is encrypted in-transit.
Once installed, you can access the site via HTTPS (encrypted) as well as HTTP (un-encrypted). Most visitors won’t notice the added “s” so modern browsers will add a closed padlock icon to the address bar when the page is fully under HTTPS.
There are basically just two kinds of SSL certificates: 128-bit SSL and 256-bit EV SSL.
Your garden-variety SSL is plenty secure and browsers will add that closed padlock. For about double the money, you can purchase a 256-bit “EV” SSL. Aside from the added cost, you have to undergo a fair amount of verification to be awarded one. Once verified and installed, an EV SSL will do the closed padlock icon as well as that green address bar that makes the encryption that much more obvious.
Is HTTPS secure?
That’s a complicated question. When you go to your WordPress website under HTTP and log in, your username and password may be sent to the server un-encrypted. In that split-second, they are vulnerable to a hacker who might be sniffing for loose passwords. If you log in under HTTPS, that information is encrypted in-transit, so even if it’s intercepted, it’ll take years for a hacker to break the encryption.
You might notice I keep using the phrase “in-transit.” That’s because, although information sent or received via HTTPS is encrypted, it’s decrypted once it arrives.
For example, view this post under HTTPS. Go ahead. I’ll wait.
You see the green address bar? You’re now viewing this under HTTPS. But right-click on this page and click “view source.” Doesn’t look very encrypted, does it? That’s because it’s not. It WAS encrypted, sent from our server to your browser, and then decrypted.
So, is HTTPS secure? Yes, but only in-transit. In no way does HTTPS/SSL guarantee security or freedom from malicious code.
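The login scenario above, and the padlock condition that a page be "fully under HTTPS," can both be checked from a page's markup. The following is an added example, not part of the original post: it flags password forms that submit over HTTP and HTTP subresources on an HTTPS page. The names `audit_page` and `TransportAudit`, the example.com URLs and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute loads a subresource into the page.
SUBRESOURCES = {"script": "src", "img": "src", "iframe": "src"}

class TransportAudit(HTMLParser):
    """Hypothetical helper: finds cleartext credential posts and mixed content."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlparse(page_url).scheme == "https"
        self.findings = []
        self.form_target = None          # resolved action of the open <form>
        self.form_has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action submits to the page's own URL.
            self.form_target = urljoin(self.page_url, a.get("action") or "")
            self.form_has_password = False
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.form_target:
            self.form_has_password = True
        elif tag in SUBRESOURCES and self.page_is_https:
            url = urljoin(self.page_url, a.get(SUBRESOURCES[tag]) or "")
            if urlparse(url).scheme == "http":
                self.findings.append(("mixed-content", url))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_target is not None:
            if self.form_has_password and urlparse(self.form_target).scheme == "http":
                self.findings.append(("cleartext-credentials", self.form_target))
            self.form_target = None

def audit_page(page_url, html):
    """Return (kind, url) findings for markup served at page_url."""
    parser = TransportAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: an HTTPS page whose login form and one script use HTTP.
SAMPLE = """<html><head><script src="http://cdn.example.com/app.js"></script>
</head><body><img src="/logo.png">
<form action="http://example.com/wp-login.php" method="post">
<input type="text" name="log"><input type="password" name="pwd"></form>
</body></html>"""
```

A clean result only means credentials and subresources travel over HTTPS; it says nothing about whether the content itself is free of malicious code.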
SEO concerns with going HTTPS
Are there SEO concerns with changing things over to SSL/HTTPS? Not really. Google Webmasters has been telling people for years it’s safe. The only thing to be aware of is what it’ll do to your tracking. Remember, Google Analytics will see http://you.com as different than https://you.com. You may have to make some edits to your web property so your analytics reports don’t get weird.
For more HTTPS/SEO concerns, see Google webmaster trends analyst, John Mueller, answering questions about the change on Google+.
Don’t get too wrapped up...
As I said, just because a site is under HTTPS doesn’t guarantee security or freedom from malware. All it means is that information (sometimes sensitive) transmitted via things like forms is protected from interception in-transit. However, a site could be riddled with malware and still encrypted in-transit.
Google has used negative reinforcement for years by notifying visitors that a site may be compromised (see adjacent SERP results with Google malware warning).
It’s our opinion that this latest move by Google is an attempt at positive reinforcement for webmasters who take security and encryption seriously. However, don’t get too wrapped up in the hype.
HTTPS may make your visitors feel warm and fuzzy, but it does NOT guarantee security. It’s a good start, but it’s just one piece of a very large pie.