HTTPS Ranking Factor Update

In August 2014, Google started considering HTTPS to be a ranking factor. If a website exclusively uses the HTTPS protocol, it may have gained a slight boost to its Google rating.

What is HTTPS?

HTTPS is, just like the HTTP protocol, a communications protocol for transmitting data over the internet. The difference between HTTPS and HTTP is the encrypted and eavesdrop-proof transmission of data using SSL/TLS – which is itself an encryption protocol.

Remember: HTTPS = HTTP + SSL/TLS

Without encryption, all data transmitted over the internet can be read in plain text and is in danger of being manipulated or changed by third parties. If webmasters use a so-called SSL certificate to enable access to their website via HTTPS, all communication and interactions on the website are encrypted before being transmitted.

How to spot an HTTPS-encrypted connection in the web browser

Usually you can spot an HTTPS-encrypted connection by looking at the address bar, where you can see a lock symbol.

The padlock icon in Chrome indicating an HTTPS encrypted link
The closed padlock indicates a secure connection. (Desktop Chrome browser.)
A closed padlock on the Google browser on an Android smartphone.

The above screenshot shows two domains using HTTPS. The Chrome browser no longer shows the full domain name but instead shortens it. Clicking or tapping on the padlock reveals more information about the status of the connection security, including protocol details and certificate details.

Sites that are not secure will be highlighted and there may be restrictions on what can be input and downloaded via these insecure sites.

A warning triangle shown in a browser for a non-encrypted HTTP connection.

What did the HTTPS Ranking Factor Update do?

The HTTPS Ranking Factor Update was its own algorithm and not, for example, part of the Google Panda Updates. The algorithm is applied to Google’s existing Search Index, or the indexed data for a domain, and works on a per-URL basis.

John Müller of Google points out how the algorithm works

To make a website available through the HTTPS protocol, you have to use a so-called SSL certificate. Make sure to use a certificate with a 2048-bit key (or better).

The SSL certificate also has to be issued by an accredited certification authority (also called a CA). Google does not, for the most part, care if the certificate validates just one domain or an entire organisation.

Very Important: The web browser has to be able to validate the certificate in use. If a warning is returned, it is also a negative signal for Google and the HTTPS ranking factor will not be applied.

Best practices for implementing HTTPS pages

Google have outlined best practices for HTTPS pages, including certificates and HSTS, which tells a browser to use the HTTPS version of a website if the user attempts to access an HTTP URL.

Is HTTPS a ranking factor?

Google does not specifically say (Jan 2021) anything about HTTPS and ranking factors, but it makes recommendations, which should always be followed.

We encourage you to adopt HTTPS in order to protect your users’ connections to your website, regardless of the content on the site.

Search Central

In addition, some browsers, browser extensions and even security software might block HTTP content, which means the customer might not get to your insecure content, even if Google doesn’t regard it as a ranking factor.

SSL Ranking-Signal: SISTRIX requests clarification and Google’s John Müller answers

SSL: Does Google take into account, which type of ssl cert is being used? E.g. self-signed, domain or organisation validation. What about “free” ssl certs? Are they any good? Is there any “weight” given according to the new soft ranking signal?

– Rene Dhemant, SISTRIX

Video explanation by John Müller / Google on this topic

Additional information about this topic was also provided by John Müller in a different Google Webmaster Hangout:

If a website has no 301-redirect set up and can be reached through both HTTP and HTTPS, where the encrypted connection does not validate in the browser, then Google will crawl and index the HTTP version.
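The conditions named on this page (a 301 redirect from HTTP to HTTPS, a certificate that validates, a key of at least 2048 bits, and an HSTS header) can be checked together against captured response headers. The following is an added example, not code from SISTRIX or Google; the function names are hypothetical, the sample responses are constructed, and the certificate status and key size are assumed to come from a separate browser or TLS tool check.

```python
from urllib.parse import urlsplit

MIN_KEY_BITS = 2048  # minimum key size named on this page

def parse_response(raw):
    """Split a raw HTTP response head into (status_code, lowercase-keyed headers)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or 0 if absent/invalid."""
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            return int(arg.strip('"'))
    return 0

def audit(http_raw, https_raw, cert_valid, key_bits):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    status, headers = parse_response(http_raw)
    if status != 301:
        findings.append(f"http:// answers {status}, not a 301 redirect")
    elif urlsplit(headers.get("location", "")).scheme != "https":
        findings.append("301 does not point at an https:// URL")
    if not cert_valid:
        findings.append("certificate does not validate in the browser")
    if key_bits < MIN_KEY_BITS:
        findings.append(f"{key_bits}-bit key is below {MIN_KEY_BITS}")
    _, https_headers = parse_response(https_raw)
    if hsts_max_age(https_headers.get("strict-transport-security")) <= 0:
        findings.append("no usable Strict-Transport-Security header")
    return findings

# Constructed sample captures (not real traffic).
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n"
GOOD_HTTPS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
BAD_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
BAD_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"

if __name__ == "__main__":
    print(audit(GOOD_HTTP, GOOD_HTTPS, cert_valid=True, key_bits=2048))
    print(audit(BAD_HTTP, BAD_HTTPS, cert_valid=False, key_bits=1024))
```

The second constructed site matches the situation described above: it answers on both HTTP and HTTPS without a 301 and its certificate does not validate, so every check reports a finding.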

More information on HTTPS from Google