Google announced plans to improve security across the entire web at their I/O conference in June 2014. As well as introducing resources to help webmasters recover from hacks, they emphasized the need for every website online to be encrypted.
This was solidified later that year with new webmaster guidelines clearly stating that websites using HTTPS would enjoy improved rankings.
Almost three years on, how is Google’s security project shaping up? How many sites are actually using HTTPS and are they enjoying the promised rewards?
We’ll look at the data and consider what Google’s next move might be.
But first, a quick reminder.
What is HTTPS?
HTTPS, standing for HyperText Transfer Protocol Secure, is the internet standard for secure communication via web browser.
Whereas any data transferred by HTTP is open for anyone to see, HTTPS uses a security layer called SSL (Secure Sockets Layer) to add end-to-end encryption, meaning only your computer and the web server you’re contacting can decipher the data.
This has three security benefits:
- Privacy: Encryption means that no third party can “listen” to your conversations, track your activities, or steal your information.
- Data integrity: Modifying or corrupting data during transfer will cause an error in decryption, meaning no changes can be made without detection.
- Authentication: Successful decryption proves that you are communicating with the genuine site, preventing “man-in-the-middle attacks” and building user trust.
Why Does It Matter?
HTTPS is Google’s vision for a secure web – but why should you bother if you haven’t yet?
As de facto rulers of everything online, Google has decided to “soft launch” their plan by adding HTTPS as a ranking signal. Think of it as the “carrot” approach.
Exactly how much of a boost will you get? Google webmaster guidelines from 2014 state:
“For now it’s only a very lightweight signal — affecting fewer than 1 percent of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS.”
The upshot of this is that although switching to HTTPS isn’t going to shoot you straight to the top of Page 1, in instances where you are closely competing for a keyword, adding HTTPS is likely to give that page the nudge it needs to outrank its non-secure counterpart.
With a few years of data behind us, there’s actual proof of this. In an analysis of 1 million search results, Backlinko found that HTTPS has a reasonably strong correlation with first page Google rankings.
What’s the Adoption Rate?
The carrot has been dangled – but how many donkeys have made the chase?
Due to reports of underwhelming results from first adopters, the number of sites migrating to HTTPS was low at first, with a study showing only 1 percentage point increase in secure Page 1 results after one week. However, most likely due to Google’s sustained security PR campaign, in June 2016 over a third of results on page one were using HTTPS.
This being said, another study conducted by Ahrefs found that a huge 65 percent of sites had either no HTTPS or errors in their setup, showing that a minority of sites are enjoying the full benefits of making the switch.
Ostensibly, this means that adopting HTTPS tomorrow may put you ahead of the competition for some time to come. But that doesn’t necessarily mean you should do it!
Issues with Migration
There are three main issues with migrating to HTTPS:
- Time: It’s important to realize that on well-established sites a site-wide migration is no small task and takes a substantial amount of engineering hours. As such, many smaller sites have weighed up the pros and cons and decided their precious DevOps hours are better spent elsewhere.
- Cost: This includes man hours, hardware, software, and additional purchases. You’ll need to purchase an SSL certificate which can greatly vary in cost. Although many providers now offer multiple tiers of SSL certificates to match consumer necessities, this can cost as much as $ 1,500 a year. Further, especially for larger sites, the amount of bandwidth and computing power required to facilitate encryption may amount to a substantial sum.
- Impact on rankings. Any change in site structure has potential SEO consequences. Last year Wired migrated a section of their site and reported warning signs that could indicate a drop in search result clicks and search engine referrals. This was largely due to incorrect implementation.
The Big Question: Should You Do It?
Looking at the state of play today it’s easy to see why many sites are wary to make the move to HTTPS. Although benefits are reported, they seem to be outweighed by the negatives, making it hard for IT leaders to make a sound business case for migration.
Beware though that what Google wants it generally gets and, whichever way you look at it, a 100 percent secure web seems almost inevitable.
With the carrot approach perhaps not working out quite as well as Google would like, there’s evidence they’re reaching for the stick.
In September 2016 they announced plans to start marking non-HTTPS sites as insecure in the Chrome browser as of 2017. This will roll out over time until eventually all HTTP pages will be marked as non-secure with a red warning triangle.
What’s more, although there’s been no official word from Google, it seems likely that a further algorithm update may be coming to push adoption beyond the 50 percent mark. Indeed, Google stated in their original 2014 guidelines:
[O]ver time, we may decide to strengthen [the ranking signal], because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
On balance it seems that although migration may result in lost profits, moving sooner rather than later may allow sites to leverage what small benefits are on offer, somewhat reducing the impact on the bottom line.
If you do decide to take the plunge, make sure to study Google’s best practice guidelines for migration in order to minimize potential issues. You can also check out this guide to a pain-free HTTPS migration.
More HTTPS Resources Here:
In-Post Photo: Google Security Blog