Google Tightens Down on Security: HTTPS Now a Ranking Signal

Sep 18, 2014  | 

In early August, Google announced a change in their search ranking algorithm. This update takes into account whether sites use secure, encrypted connections such as HTTPS, which is now being used to determine a website’s authority and therefore search ranking. For a quick overview, following is a portion of the exact release that Google published on their Google Webmaster Central Blog: 

Security is a top priority for Google. We invest a lot in making sure that our services use industry-leading security, like strong HTTPS encryption by default. That means that people using Search, Gmail and Google Drive, for example, automatically have a secure connection to Google. 

Beyond our own stuff, we’re also working to make the Internet safer more broadly. A big part of that is making sure that websites people access from Google are secure. For instance, we have created resources to help webmasters prevent and fix security breaches on their sites. 

We want to go even further. At Google I/O a few months ago, we called for “HTTPS everywhere” on the web. 

We’ve also seen more and more webmasters adopting HTTPS (also known as HTTP over TLS, or Transport Layer Security), on their website, which is encouraging. 

For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give  webmasters time to switch to HTTPS. But over time, we may decide to strengthen it,  because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web. 

Now, it almost goes without saying that anytime Google makes an update to their algorithm, webmasters should take notice. I believe that this update, although currently not carrying a lot of weight (in fact, only affecting somewhere around 1% of global queries) is one that we should consider carefully. This is because unlike many previous modifications that aimed to catch people trying to manipulate it, this modification shows that Google is really redefining – and in my opinion, improving upon – best practices for webmasters, and the standards of the Internet in general. 

Why This Update Is Needed 

At the heart of this change is the issue of trustworthiness and security (lest Google is actually slyly abandoning their “Don’t be evil.” mantra). Simply put, Google has customers. I am one of them and you probably are too. Everyday, Internet users around the world rely on Google to navigate the web — making purchases, finding specific websites, aggregating cat pictures, etc. But what’s more, this dominant popularity when it comes to web navigation means that Internet users don’t just use Google, they inherently trust Google as well. And so, a critical question is raised — and in truth, there are valid points made by both sides. 

Should We Place Our Trust in Google? 

We should trust Google to deliver us relevant results based on our search queries. And for the most part, Google is great at getting me the information, products and services that I want in an efficient manner. Like most people, I find search results so accurate that I rarely even need to navigate to the second page of results. In fact, for what it is designed to do –  point users in the right direction and lead them to relevant, popular, authoritative websites – Google excels beyond its competitors. 

We should not trust Google when it comes to the security or even the validity of the websites that it leads us to. Google is not responsible, nor should they be, for our safety on each website that appears in the search results. What someone does on a website – the information they give up, the things they sign up for, and the files they download – is   ultimately the responsibility of the individual, not Google

The problem that arises (and it’s at the heart of why I think this algorithm change is a good idea) is that most Internet users do not know very much about security. Case in point, just look at the eternal, invariably successful scams of the world — dating scams, lottery scams, loan scams and even dead relative scams. Over time, these scams have led to huge losses, both in terms of money and invaluables such one’s identity as well. Today, the scam industry remains alive and well, and perhaps that shouldn’t surprise us. After all, why do we keep seeing them over and over again? The answer doesn’t rely in the flaws of victims, rather the incentives of the scammers: scams exist because people profit from them. With this in mind, the same logic follows through to the Internet. Most searchers want to believe what they hear and trust the websites they visit — but truth is, the internet is not always open and honest, and there is always someone looking to make a quick buck off of someone else’s relative niavety. 

From a security standpoint, it’s safe to say that most high-traffic websites aren’t out to scam users. However, many websites have begun to ask for more information as a means to deliver content, such as requiring email addresses for mailing lists or to download a whitepaper or report. Additionally, many popular websites have some sort of signup process, such as Facebook, Twitter, Pinterest, e-commerce sites and various publications. Simply stated, any time you are giving information, that information is at risk. In the past, hackers, disgruntled employees and identity thieves have all been responsible for taking that information and using it for malicious purposes. Adding an extra layer of security allows our information to be more secure, and should also increase the level of trust we have in how that information will be used or not used. 

Google and other search engines often get blamed for what searchers do when they find a website via search engine. At the end of the day, we all naturally want to trust that everything that we are pointed to is legitimate, secure and real; Google is doing its part to help us out by adding HTTPS as a ranking signal. 

What Webmasters Need To Know

 The first thing that webmasters should know is that this is not something that will have a huge affect on your ranking or traffic — at least right now. In its announcement, Google made it clear that this algorithm modification involves “a very lightweight signal”. Signals such as high-quality content still carry much more weight than having a secure domain. However, as more and more websites adopt HTTPS in the coming months and years, I expect the weight of this factor to increase. With this change (and like all their changes), Google is attempting to update and improve the best practices for webmasters everywhere, ultimately enhancing the Internet we know and love. Once enough websites adopt this standard, it will be easier for Google to increase the weight and necessity of HTTPS. With this in mind, I encourage webmasters to either go ahead and adopt HTTPS, or at the very least keep an eye on your competitors and be ready to change when it looks like adoption has become the norm. 

How To Implement This Change On Your Website

Here are some tips from Google to make the HTTPS adoption process easier, and to avoid common mistakes: 
    1. Decide the kind of certificate you need: single, multi-domain, or wildcard certificate 
    2. Use 2048-bit key certificates 
    3. Use relative URLs for resources that reside on the same secure domain 
    4. Use protocol relative URLs for all other domains 
    5. Check out Google’s Site move article for more guidelines on how to change your website’s address 
    6. Don’t block your HTTPS site from crawling using robots.txt 
    7. Allow indexing of your pages by search engines where possible, and avoid the noindex robots meta tag. 
For a more in-depth look at security and what webmasters can to do improve security on their sites, check out the full article over at Google’s help center.

It’s no secret that Google has built a lot of trust equity with searchers. Most of that trust equity leads to more searchers, a bigger market share, and ultimately more profits. But at times this can come at a cost, like when Google is blamed for the actions of websites, their lack of security, or even our general lack of knowledge and awareness. Google may simply be doing what they can to cover themselves from blame with this algorithm update, or they may genuinely be concerned with the overall security of the Internet and its users. Regardless, a move to a more secure and trustworthy Internet is one that should benefit us all.

By  Rusty Brett

Rusty Brett is the owner and Chief Executive Officer of Lift Division. With several years of entrepreneurship, business ownership and marketing experience under his belt, Rusty has a passion for not only launching businesses, but also helping other businesses grow their sales and client base.