In a recent blog post, Google talked about a top priority – security.
This is a high consideration for Google; it has already worked on its own services – relying on industry-pioneering security systems such as strong HTTPS encryption in its Search, Drive and Gmail services. But for Google it doesn’t stop there – its algorithms are designed to improve internet security holistically. This means that one of the most recent algorithm changes is to recognise HTTPS as a ‘ranking signal’, meaning that webmasters who’ve implemented secure encrypted connection systems will experience a slight benefit in their search engine rankings with Google.
How much, or little, will HTTPS help your SEO?
Google wants to encourage people to move to HTTPS and the way they’re rating HTTPS is designed to do exactly that – encourage the move. The current position is that sites that have HTTPS will be given slightly more weighting than others, and the actual range of effect is slightly under 1% of all Google queries worldwide – that’s really quite a slender benefit, so is it worth doing?
Yes, for two reasons:
What is HTTPS and why does it matter?
HTTPS stands for Hypertext Transfer Protocol Secure and, rather than being a system, it’s a protocol which sits on top of TLS (Transport Layer Security), the successor to SSL, to increase security.
SSL is the Secure Sockets Layer – it’s a cryptographic system that uses two keys to encrypt data that the user (client, customer, buyer) inputs into the website. It matters because it protects the website user, and it’s significant because users can easily recognise if they are SSL protected by seeing the digital SSL certification which appears as a padlock on the site or as https in the address bar.
What does that mean for a website owner? Easy to answer. Bit keys have been increasing in length (i.e. strength) fairly exponentially, as computing power does the same. The current claim is that 1024-bit keys are potentially crackable (although the resources required are not easily mobilisable – probably requiring 400 computers working full time for around a year) but 2048-bit keys will be sufficient security until the 2030s – an investment that any website owner can undertake with some certainty that it will prove to be a lasting contribution to business safety.
Investing in HTTPS – how to do it
There’s very little problem with the idea of switching from HTTP to HTTPS, but the practical implications are relatively demanding. There’s a series of steps that Google recommends taking to ensure you don’t have any traffic loss during or after the transition.
A. Certification is key to ensuring you get the current benefit, and avoid any future rankings loss. There are several forms of certification and, while they all need to use a 2048-bit key, you need to decide what form of certification is best for you.
Digital certification uses trusted third parties to back up the claim of a website, individual or other digital entity to be who it claims to be. This is because certification offers four forms of guarantee –
– authenticity (using the certification asserts the identity of the user),
– verification (only the certified user can make that assertion),
– integrity (any attempt to alter the website/email etc will register as tampering unless carried out by the certified user), and
– security (encryption of information is possible and any attempt to break encryption will register with user/certificate owner).
It’s important to decide what form of certification will work for you: single, multi-domain or wildcard. Expert support is vital to that decision. The security certificates for your organisation are obtained as a part of enabling HTTPS. Ask your SEO consultant how to proceed and, because certificates are usually only valid for 12 months, make sure you keep them up to date!
B. Make sure you haven’t blocked your HTTPS site from crawling using robots.txt. Ensure you haven’t used the noindex robots meta tag, as both of these will inhibit your search engine ranking.
C. Check your security level and configuration with one of the many tools available, before, during and after migration to HTTPS, and be certain you’re using a web server that has HSTS (HTTP Strict Transport Security) enabled – this instructs browsers to automatically request pages using HTTPS, even if the address entered into the browser bar starts with HTTP – in other words it keeps your customers safe even if they don’t know what HTTPS is, or how to use it. In addition, it instructs Google to return secure URLs when it reports search results – this means that Google chooses HTTPS rather than HTTP when listing your website, once again keeping users safe.
E. Consider OCSP (Online Certificate Status Protocol) stapling for your site. This is where you, as the SSL certificate holder, query the OCSP server at a regular interval, receiving in return a signed, time-stamped OCSP response confirming the status of your TLS/SSL certificate. Then, whenever any website visitor arrives at your site, they get this response ‘stapled’ to their site connection. This means that your visitors don’t have to query the OCSP server themselves and that can save you money as well as speeding their access to the website.
There is a third reason: your visitors won’t have their browsing history revealed to any third party the way they would if they queried the OCSP server themselves – as people increasingly request ‘do not track’ online behaviour, providing OCSP stapling may prove to be a long-term strategy with surprising benefits. A website expert is best placed to determine whether OCSP stapling will benefit you.
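The checks in steps B and C can be automated after migration. The following is an added example, not code from Google or from this article: it audits one HTTPS page for a robots.txt block, a noindex robots meta tag and a missing or disabled HSTS header. The function names, the sample URL and the sample responses are constructed for illustration.

```python
# Added example: audit steps B and C against constructed sample responses.
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

class RobotsMetaParser(HTMLParser):
    """Collects the directives of every <meta name="robots"> (or googlebot) tag."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}

def hsts_max_age(headers):
    """Return max-age (seconds) from Strict-Transport-Security, or None if absent/invalid."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if value is None:
        return None
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            return int(arg.strip('"'))
    return None

def audit(url, robots_txt, html, headers, agent="Googlebot"):
    """Return a list of findings for one HTTPS URL (empty list means no issues found)."""
    findings = []
    robots = RobotFileParser()
    robots.parse(robots_txt.splitlines())
    if not robots.can_fetch(agent, url):
        findings.append("robots.txt blocks crawling")
    meta = RobotsMetaParser()
    meta.feed(html)
    if meta.directives & {"noindex", "none"}:  # "none" means noindex, nofollow
        findings.append("noindex robots meta tag")
    if not hsts_max_age(headers):  # missing, unparsable, or max-age=0 (disables HSTS)
        findings.append("HSTS not enabled")
    return findings

# Constructed sample input (not captured from a real site).
ROBOTS = "User-agent: *\nDisallow: /\n"
HTML = '<html><head><meta name="robots" content="noindex, follow"></head></html>'
HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print(audit("https://example.com/", ROBOTS, HTML, HEADERS))
```

To run it against a live site, fetch the HTTPS site's robots.txt, the page body and the response headers, then pass them to audit() in place of the samples.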