In 2014, Google implemented the secure version of the Hypertext Transfer Protocol (HTTPS) as a ranking signal.
However, this gave rise to the dangerous assumption that you should never ever use any other type of protocol (such as HTTP).
This isn’t true.
In fact, Google still crawls non-HTTPS URLs.
John Mueller stated as much on Twitter in July 2021:
Busting the Myths: HTTPS is Not Required for Ranking
One of the causes of the perpetuation of this myth is the belief that HTTPS is a required component for ranking.
Which is not true, as we have just demonstrated.
HTTPS is more of a tie-breaker signal than anything and does not carry a heavy weight. The thinking is, all things being equal, if a site has HTTPS over HTTP, it’s going to rank higher than the HTTP one.
Once more, this is just one of those tie-breaker signals that has gained much traction in recent years due to myths spreading on Twitter and elsewhere.
Google Even Says So
Some time ago, Gary Illyes was asked on Twitter about this and he also explained that HTTPS is more of a tie-breaker signal than anything:
Don’t Discount HTTP
In other words, don’t discount HTTP in favor of HTTPS for the wrong reasons. The tie-breaker nature of HTTPS means that for quite a number of sites, the HTTPS signal likely won’t make much of a difference.
For those who are in significantly competitive SERPs (search engine results pages), this tie-breaker is something that may give some sites a super extra boost as a result of using HTTPS.
It’s important to note, however, the push by Google for more sites to move forward with HTTPS, citing security concerns with HTTP.
This is likely an empty excuse (and there is a vested financial interest behind such a blanket statement), given that no user data metrics are ever significantly shared in Google Analytics (and never were). Even so, using HTTPS has some benefits.
What are the Benefits of HTTPS?
There are a number of benefits to using HTTPS over its insecure counterpart, HTTP.
They include the following:
- Greater security for users and their data
- Ease of deployment with solutions like Let’s Encrypt
- Improved search rankings in Google
- Early adoption of a new standard
- Browser support for HTTP/2
- Increased speed for users
Any one of these reasons is enough to consider migrating your site to HTTPS, but taken together, the choice is clear: it’s time to implement HTTPS on your web server if you haven’t already done so!
Privacy Through Greater Security for Users and Data
HTTPS prevents eavesdroppers from intercepting and reading your traffic. It also protects against a “man-in-the-middle attack”, in which an attacker places himself between you and the destination server to read or change the data.
If you check the certificate of any website that uses HTTPS, it will be signed by a trusted Certificate Authority so you can verify that nobody has tampered with the information before it reaches your computer.
This prevents attackers from tricking users into thinking they are visiting one site when they are really on another (commonly done through phishing).
The attacker cannot forge the certificate because he does not have access to the private key used to sign it.
Therefore, if someone tries to send you a link to a website that appears to be https://www.paypal.com, you can check the certificate and see that it actually belongs to paypalsecure.paypal2.com, which is definitely not an official PayPal site.
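The name check described above, sketched as an added example (not code from any browser): the host in the URL is compared with the DNS names listed in the certificate. The function names and both name lists are constructed for illustration, and the three-label wildcard rule is a simplification of what browsers enforce.

```python
from urllib.parse import urlsplit

def san_matches(pattern, host):
    """True if one certificate DNS name (possibly a wildcard) covers host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        # Only a whole leftmost label may be a wildcard; requiring three
        # labels refuses names such as "*.com" (a simplified rule).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h                 # otherwise an exact, case-insensitive match

def certificate_covers(url, san_dns_names):
    """Check the host actually named in url against the certificate's names."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    return any(san_matches(name, host) for name in san_dns_names)

# Constructed name lists for illustration; not taken from real certificates.
OFFICIAL_CERT = ["paypal.com", "*.paypal.com"]
LOOKALIKE_CERT = ["paypalsecure.paypal2.com"]
```

A certificate issued for the lookalike name is valid only for that name, so it cannot be presented for `www.paypal.com` without the client rejecting the connection.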
The security of HTTPS comes from the use of cryptography in public key infrastructure (PKI). The PKI consists of certification authorities (CAs) and a list of trusted root certificates installed on computers; these enable web browsers and other software to verify whether websites are authentic or fraudulent.
A user’s system already contains several certificates, including ones needed for accessing network resources such as email servers over encrypted connections (SSL), verifying identity through Secure Shell (SSH), protected S/MIME email, and so forth. Users who follow good security practices will have a certificate for the website they are viewing and all of its subdomains.
Security is often an afterthought in website development and SEO, but it shouldn’t be. If you don’t care about users’ privacy, that’s one thing—but if you do, make sure you take every precaution to protect their data from attackers.
HTTPS Impacts on Performance
HTTPS pages load faster than HTTP pages because the encryption overhead is usually negligible compared to the size of a plaintext page, especially on modern systems and networks.
A typical HTTPS page may load slightly slower if there is more encryption involved (e.g., an Extended Validation certificate), but not always by much.
The reason HTTPS can be faster than HTTP is that the browser can begin fetching other resources (such as advertisements, tracking devices, or images) before it receives the entire HTML page.
Browsers are optimized to download more than one thing at a time over the same connection—as long as they are all part of the same secure session. This means that using HTTPS doesn’t prevent you from making full use of web optimization techniques.
Some people may argue that an improvement in load speed is trivial because most users have high-speed connections and computer systems capable of handling multiple requests simultaneously. While this is true for many users, there are still plenty without such a luxury.
So what?
If you don’t already use HTTPS on your website, it’s time to make the switch. The benefits are numerous, and you don’t need a certificate issued by a trusted certificate authority to get them. You do have to upgrade your server software to support TLS 1.1 or 1.2, though (see links below).
HSTS and its Relation to HTTPS
As an SEO professional, you may have seen in some SEO audit recommendations information about HSTS. What is it, exactly, and how does it relate?
HSTS, or HTTP Strict Transport Security, is an HTTP header that lets a website tell browsers they should only interact with it using HTTPS and never via the insecure HTTP protocol.
Browsers will take note of this information for a period of time.
A typical value in Strict-Transport-Security headers is about six months, but up to two years is possible depending on how frequently the website changes its content.
Usually, users can reach an HSTS website without any issue, but if they accidentally visit it via HTTP (such as by typing a URL directly into the browser), the browser will display an error message.
Strict-Transport-Security cannot protect you from users who disable your HSTS header, nor is it a substitute for HTTPS. It’s best used in combination with HTTPS on an otherwise plain HTTP site.
Because Strict-Transport-Security tells browsers to expect nothing but HTTPS traffic, some developers also use it in anticipation of their HTTPS deployment just to stop visitors from seeing mixed content warnings.
The downsides are that TLS 1.1 and 1.2 require more processing power than previous versions, and there may be compatibility issues with older devices or software that don’t support them yet. In some cases, the encryption strength may be reduced as well. They are also a security risk, exposing clients to potential issues while their successor (TLS 1.3) reduces these risks.
It’s also worth noting that not all websites need to use HTTPS. As a general rule of thumb, if your site requires user input (such as an e-commerce store or login credentials), then it should be HTTPS-only. If it doesn’t, then you can at least consider making it HTTP and redirecting any insecure traffic to HTTPS.
With Google’s push to HTTPS, however, it may just make sense to use the Let’s Encrypt option on your web server and call it a day.
Encryption: Why You Should Use It for Your Site
HTTPS encrypts the connections between users and servers on your website in order to prevent attackers from being able to view sensitive information like passwords or credit card numbers that could be sent in clear text.
The encryption protects users against “man-in-the-middle” attacks, where an attacker might try to intercept information as it travels from the user’s computer to your server and change what they see in order to trick them into handing over sensitive information or taking some other action that is harmful to them.
Encryption for a site should be enabled on every page of the website, but not necessarily all subdomains; if you have a blog that isn’t part of your main domain, then you wouldn’t want it using HTTPS. The same thing goes for other assets like images or videos. Useful content is fine without HTTPS, but anything with login credentials or other private data should use it.
However, with the simplicity of setting up HTTPS, you may just want to opt for the blanket solution, because there aren’t exactly any SEO benefits to using the other protocol for other parts of your site.
Some types of websites will benefit more from HTTPS than others. In general, any website that deals with passwords, financial data, or personally identifiable information (PII) should be encrypted. When you’re setting up an ecommerce site, the most important thing when it comes to encryption is getting a certificate and configuring your web server correctly. There are several options for choosing an SSL certificate today: name-based certificates (DV), wildcard certificates (OV), multi-domain/SAN certificates, and extended validation (EV).
Playing Webmaster: Encryption Is Worth The Trouble
In order to keep users safe from many types of cyber attacks—including eavesdropping and man-in-the-middle attacks—all websites should use HTTPS rather than HTTP to transmit data. HTTPS helps ensure that users’ sensitive information is encrypted and isn’t vulnerable to tampering by third parties.
Green Padlock on Your Browser, Showing It’s Secure
You get a green padlock in your browser’s address bar which shows that you are on an encrypted site.
Google Chrome even began warning users who are visiting non-secure sites, beginning in July of 2018.
Your Password and Credit Card Number Are (Generally) Safe
If someone tries to steal your password or credit card number, they will not be able to read the information because of encryption.
Encryption Enforces Security Protocols, Continually Improving
When a website only uses HTTPS or an app has the option to switch to HTTPS if it’s running on localhost, there are fewer security loopholes. When one is found, protocol issues can be addressed more quickly because all websites use the same guidelines: encryption. Also, since most sites use encrypted SSL certificates (rather than self-signed ones), that means their information is validated by a trusted organization—another great way to keep your data safe.
Free and Easy With Let’s Encrypt
It is free and easy to set up an SSL certificate for your website using Let’s Encrypt.
Even if your site doesn’t use any sensitive information, you can use encryption to protect user passwords and credit card numbers. It’s a great way to make sure your users’ information stays private while improving their experience.
The more websites that use Let’s Encrypt to provide encryption for their users, the more awesome it is. And since Let’s Encrypt can be trusted because its certificates are issued by organizations like Mozilla and Google, using HTTPS makes sense for even non-eCommerce sites.
Don’t make the mistake of thinking that just because you don’t have any data collection occurring on your sites, you may have an excuse not to switch to HTTPS. There are benefits that are hard to ignore.