In August 2014, Google started considering HTTPS to be a ranking factor. If a website exclusively uses the HTTPS-protocol it may gain a slight boost to their Google rating. This means that HTTPS is only a weak ranking factor.
What is HTTPS?
HTTPS is, just like the HTTP protocol, a communications protocol for transmitting data over the internet. The difference between HTTPS and HTTP is the encrypted and eavesdrop-proof transmission of data using SSL/TLS – which is itself an encryption protocol.
Without encryption, all data transmitted over the internet can be looked at in plain text and is in danger of being manipulated or changed by third parties. If webmasters use a so-called SSL-certificate to enable access to their website via HTTPS, all communication and interactions on the website are encrypted before being transmitted.
How to spot a HTTPS-encrypted connection in the webbrowser
Usually you can spot a HTTPS encrypted connection by looking at the address bar where you can see a lock symbol, a green mark as well as the written out protocol version “HTTPS”.
The above screenshot shows the domains of two banks. Santander.co.uk, the Santander Consumer Bank and db.com, the “Deutsche Bank”.
- When opening the domain santander.co.uk, the user is being send to the URL http://www.santander.co.uk/uk/index – which is not encrypted.
- When opening the domain db.com, the user is being send to the URL https://www.db.com/index_e.htm – a secure connection.
What does the HTTPS Ranking Factor Update come down to?
The HTTPS Ranking Factor Update is its own algorithm and not, for example, part of the Google Panda Updates. The algorithm is applied to Google’s existing Search Index, or the indexed data for a domain, and works on a per-URL basis.
To make a website available through the HTTPS-protocol, you have to use a so-called SSL-certificate. Here you need to pay attention to use a certificate with 2048-Bit-encryption (or better).
The SSL-certificate has to also be issued by a accredited certification authority (also called CA). Google does not, for the most part, care if the certificate validates just one domain or an entire organisation.
Very Important: The web browser has to be able to validate the certificate in use. If a warning is returned, it is also a negative signal for Google and the HTTPS ranking factor will not be administered.
Examples of SSL certificates that do not validate in the webbrowser
In both cases above the SSL certificate does not validate in the web browser. In this case, Google will not consider the HTTPS connection for a ranking boost.
- Marked in red: A self-signed SSL certificate whose identity cannot be confirmed.
- Marked in yellow: An SSL certificate validated by a CA. Its identity is confirmed. However, not all resources are being transmitted over a secure connection, which means that a potential safety issue exists. The web browser does not validate this certificate.
SSL Ranking-Signal: SISTRIX requests clarification and Google’s John Müller answers
SSL: Does Google take into account, which type of ssl cert is being used? E.g. self-signed, domain or organisation validation. What about “free” ssl certs? Are they any good? Is there any “weight” given according to the new soft ranking signal?– Rene Dhemant, SISTRIX– Rene Dhemant, SISTRIX
Video explanation by John Müller / Google on this topic
Additional information about this topic was also provided by John Müller in a different Google Webmaster Hangout:
If a website has no 301-redirect set up and can be reached through both HTTP and HTTPS, where the encrypted connection does not validate in the browser, then Google will crawl and index the HTTP version.