Skip to main content

SEO

How Strong is HTTPS as a Ranking Factor?

On August 7th, 2014, Google announced that it was going to provide a rankings boost to sites setup with SSL over those that were not (HTTPS vs. HTTP). The above linked post makes it clear that “For now it’s only a very lightweight signal”, but how small?
In today’s post, I will share:

    1. Data from seoClarity that directly measures the ranking impact
    2. Access to a comprehensive HTTP to HTTPS conversion guide in a PDF that we put together with SSLGuru that discusses how to execute a conversion to SSL, and key steps for optimizing SEO during the process

The team at seoClarity wanted to find out, so they did a detailed study to see how much it might count. As part of this study they looked at rankings across 50,000 keyword searches and 218,000 domains. They monitored these rankings over time, and observed which URLs in the SERPs changed from HTTP to HTTPS after August 7th, and whether or not the rankings changed after the changeover. The study ran for 6 weeks, from August 10th to September 21st 2014.

HTTPS Study Data

Of the 218,000 sites looked at, only 630 (0.3%) of them made the switch to HTTPS by September 21st. [Tweet This!]
Percentage of studied sites that switched to https
 
Among the sites that made the switch, it took some time for Google to register the switch over to HTTPS. seoClarity measured this on a URL by URL basis, and only for the URLs these sites presented in the sampled search results. As a result, the chart below shows the switchover only for those URLs, not the whole site:
Indexation of HTTPS by Google
One of the key aspects of HTTPs is that it has an immediate impact as John Mueller indicated in this video (The link takes you to the point in the video where this is discussed, credit to Barry Schwartz for tagging this). For that reason, if the rankings boost was significant, you’d expect to see it in the SERPs as soon as the new URL was indexed.
seoClarity directly measured the results of the rankings for the URLs that made the switchover, and here is what they found:
Measurement of HTTPS Impacts Ranking
As you can see, there was actually a slight decrease in ranking, but the movement shown here is actually not significant. The way to read this data is that the general movement of SERPs over time was far more significant than any ranking boost received.
This pretty much confirms that Google told us – that any ranking impact is so small that it’s not noticeable, even in a test of this scale. [Tweet This!]

Summary

HTTPS Conversion Guide
The numbers are in, and they tell us to not rush off to convert your site to HTTPS as part of your plan for world SEO domination. It’s a tiny factor at best.
However, there are many other reasons to convert to HTTPS. Consider this service uncovered by Google’s Pierre Far that allows people to remotely edit content read on wireless devices. If your site is HTTPS, they can’t do that to you.
Security issues are a big deal, and HTTPS is one step you can take to keep control over your own content. For more on how to make the switch, please download the full conversion guide here. You can also get the seoClarity study here.
See all our SEO & Social Media Studies!

Thoughts on “How Strong is HTTPS as a Ranking Factor?”

  1. As people continue to evaluate Google’s proposed change, they should keep in mind that HTTPS does not in any way protect the data behind the Website; it only encrypts the information being transferred between browser and Website.
    Also, any HTTPS proxy server can be used to capture your unencrypted data.
    Also, any smart phone or WiFi-capable laptop or tablet can be configured as a WiFi hot spot and used to set up a rogue router or network in any public area (including libraries, restaurants, stores, and hotels — all popular with “free WiFi” users).
    Man-in-the-Middle attacks will not go away even if everyone switches over to HTTPS. Google and Apple both suffered massive MitM attacks recently despite using HTTPS protocols for their users.
    Although more inexpensive solutions are being proposed to help Websites convert to HTTPS these days, the lack of security and the fact that many sites are still published on shared IP addresses mean that HTTPS is really not a feasible option for most Websites at the present time.

  2. My usual view is quite hard nosed – if you don’t like what Google is doing; there are plenty of other traffic sources out there (plus I believe that its very risky to put all your eggs in one basket/traffic source as many people do) but the I do think this is a strange one. If I’m reading a blog then i don’t care about https but if im giving details to an ecom site then i do. Why should that blog be penalised over the ecom site for providing the same relevant content….whether it does….only time will tell.

  3. Google has also said that the impact of the change may increase over time, so you could hedge your bets now and get the jump on the competition if HTTPS becomes a bigger factor in the future.

  4. Great article you’ve shared here.
    I just noticed that the link seems to be broken because of the excess symbol of ” (double-quote) for the word “rankings boost to sites setup with SSL”
    Upon reading this, I remember my question as to why, Majestic SEO removed the term seo in their URL and changed to HTTPS. Maybe this is one of the reasons.
    Thanks for sharing Eric.

  5. Ok, ranking is not affected that much right now. But what if the big G+ announces in a few years from now, that HTTPS is a must and all the webpages should be secure?!!
    Google rules with an iron fist and we all might seem indifferent but truth is we are so eager to be the first to find out the new rules we shall follow and the new updates of their algorithm!
    That’s why European Union is trying to break up Google right now!

  6. I think rather than looking at the benefit of any SEO boost from putting your site in SSL mode permanently, it’s rather more of a “trust” factor from prospective customers.
    With any site that deals with online shopping – or in our case affiliate aggregation, it definitely helps convince people that you’re a good website. People can be very wary about using sites they’ve not heard of before, so overcoming that initial fear can be extremely important.

  7. Good information Michael. It sounds like you would recommend dedicated IP addresses, which is something we also recommend for all our clients – what other measures do you take to prevent attacks?

  8. The only thing I recommend is that people not change their sites to HTTPS. It’s stupid and pointless. Google is proposing that we temporarily encrypt Web page transmissions on sites that don’t require users to login or pass their private information to the sites.
    Meanwhile, recent disclosures suggest that the NSA broke HTTPS encryption years ago (making all this paranoia even more nonsensical than it was last year), McAfee says that mobile apps connected with HTTPS Websites improperly implement HTTPS, Google itself says that half of all HTTPS Websites implement it incorrectly and they may flag or demote those sites in the future as “unsafe”, and even though specifications showing that HTTPS slows down your Websites were published on the Web years ago Google’s Gary Illyes is telling people it doesn’t slow down your sites.
    Add to that the fact that browser vendors have yet to figure out how to handle mixed-content Websites (which most HTTPS sites are) and you have a very unstable, unsafe HTTPS environment out there.

  9. Eric, I think Google has been very open about its concerns. They have lost a great deal of credibility in the wake of the Edward Snowden revelations and they claim (plausibly, in my opinion) that they have lost or may lose business outside the US because people don’t trust American technology companies as they once did. To rebuild that trust Google has championed specious security causes because, frankly, most people don’t know any better any way.
    But there is also a great deal of naivete on Googlers’ parts; either that or they are just a bunch of blatant liars and propagandists. They rarely acknowledge the huge Man-in-the-Middle attacks that affect millions of their supposedly secure user accounts. Gary Illyes seems to be unaware that HTTPS’ impact on Website speed has been carefully documented multiple times (see this case study from 2010 for an example: http://www.semicomplete.com/blog/geekery/ssl-latency.html), and you never hear the Googlers talk about the complicated problems that user-agent (browser) vendors struggle with to move the Web toward using HTTPS. Mixed-content sites (and most of them are) present a security nightmare. You might as well not even convert a site to HTTPS if your only goal is to keep communications with the user “private”. Or else just publish a static HTML site that doesn’t use any cross-site scripting (widgets, images, advertising, fonts, etc.).
    This is not a trivial issue. Nor is it one where the Web marketing consulting industry should be supporting these transitions with such casual disregard for the very real problems the transitions create. Gary says 50% of sites have improperly implemented HTTPS and now Google (he, maybe?) is thinking about downgrading or posting warnings on those sites in the SERPs? That’s just wrong.
    HTTPS uses a mix of encryption layers that only protect your data for microseconds. Some of those layers have been compromised and most users have no idea or any means of NOT using those layers. Furthermore, Website owners do not owe any obligation to the paranoid nut-cases who think that their surfing will be anonymous if they only visit HTTPS-capable Websites (all the packet envelopes are UNencrypted so almost anyone can still track WHERE you go).
    I don’t care what Google’s motives are in this. Their story is simply not compelling enough to make me do this. When all the user-agents have finishing converting their browsers to implement new security protocols they will probably have to start all over anyway. Technology does not wait for “correct” procedures. The Web will never be secured by HTTPS. It’s a clunky, convoluted, poorly thought-out system that does absolutely nothing to protect user data from hackers who are more interested in stealing the databases than in sitting around the local coffee shop hoping to sniff random logins.

  10. This is beyond my expertise to verify or debunk, but Michael seems to bring up some important points. Eric, what is your team’s take on this?
    My team is too small to run this kind of research ourselves, and being up is a very high priority for us so we rely on trusted sites like this. Thanks to both of you for your time here!

  11. Interesting stuff Michael, is there a secure future that will work?
    I believe (word of mouth) in SMX Sydney Gary Illyes said the https ranking signal is currently a tie breaker. I.e. it only comes into play when two results are evenly matched. Thus making it quite a small signal.

  12. Is there a secure future that will work? Probably not. HTTPS has already been rendered obsolete by a new class of malware that infects wireless routers and copies your login credentials even when they are passed through legitimate encrypted connections.

  13. There are a few misunderstandings of HTTPS here. HTTPS does protect against man in the middle attacks – in fact that is its main feature. HTTPS proxies can not read or modify what is transmitted via HTTPS. HTTPS prevents this in two ways: by encrypting data, so that proxies and other network eavesdroppers can’t read or modify the content, and by certificate validation so that impostors cannot impersonate the genuine site. As long as the certificate store on the client is not compromised, and the private key on the server is not compromised, the certificate validation can prove the client is communicating with the genuine site and not being intercepted by any middle man.
    The point about it only protecting against network attacks and not hardening the server itself is valid however, though this is because that is not HTTPS’ purpose. Hardening a server against attacks is another field of security. It is indeed dangerous to think of HTTPS as a total solution to server security.

  14. The following is quote from Google’s Webmasters Blog in 2014: https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html
    “Security is a top priority for Google. We invest a lot in making sure that our services use industry-leading security, like strong HTTPS encryption by default. That means that people using Search, Gmail and Google Drive, for example, automatically have a secure connection to Google.
    Beyond our own stuff, we’re also working to make the Internet safer more broadly. A big part of that is making sure that websites people access from Google are secure. For instance, we have created resources to help webmasters prevent and fix security breaches on their sites.
    We want to go even further. At Google I/O a few months ago, we called for “HTTPS everywhere” on the web.
    We’ve also seen more and more webmasters adopting HTTPS (also known as HTTP over TLS, or Transport Layer Security), on their website, which is encouraging.
    For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”

  15. We all know that search engine is the best source to drive targeted traffic and customers. Right?
    Search engines like Google plays a major role in delivering potential customers and readers.
    To become a succeessful business man, We have must high traffic from Google but nowadays I have noticed that It is being harder and harder to get ranked in Google.
    Due to the rise of spammers, Google is improving their algorithms and removing spammers from their SERPs.
    The ranking factors which you have mentioned above are very much important and It can help us to get ranked better in SERPs.
    I only believe that We should must have indepth and detailed content which can help readers. If We have such types of content then We can easily drive huge organic traffic without making more efforts.
    I am glad that you have shared such a wonderful article with us. 😀

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Eric Enge

Eric Enge is part of the Digital Marketing practice at Perficient. He designs studies and produces industry-related research to help prove, debunk, or evolve assumptions about digital marketing practices and their value. Eric is a writer, blogger, researcher, teacher, and keynote speaker and panelist at major industry conferences. Partnering with several other experts, Eric served as the lead author of The Art of SEO.

More from this Author

Categories
Follow Us
TwitterLinkedinFacebookYoutubeInstagram