It can be hard to decipher Google's actual stance on HTTPS these days.
When Google first officially announced HTTPS as a ranking signal in 2014, they referred to it as a “light” signal. Google’s own Gary Illyes would go on to call it a “tiebreaker” ranking factor a few months later, assuring us that “if you don’t do it, it’s perfectly fine.”
Data would suggest that to be true, showing that it helps but isn’t necessarily essential. Moz’s 2015 ranking correlation study found that at the time, even whether or not a website had Google Analytics installed had more of a correlation with rankings than whether it had HTTPS/SSL. Again in 2016, a Backlinko study of 1 million SERPs showed a moderate correlation.
Two years later, has it become a proper ranking game-changer?
Google is so tight-lipped on official ranking factors that anything they confirm as one should be taken at face value. But how much it will affect your own rankings depends on so many other factors that it’s hard to measure its direct impact.
But Google remains committed to its “HTTPS Everywhere” initiative, even identifying all non-secure sites as such in Chrome beginning this month. This increased commitment to prioritizing secure sites surely won’t stop at Chrome features – wouldn’t searchers find it odd if Google were to “recommend” sites in search only to identify the environment as potentially unsafe upon clickthrough?
So we went to the experts and asked them to explain what’s really going on with HTTPS as a ranking factor and why yes, you should get an SSL certificate for your website.
Here’s what they had to say.
Andy Crestodina, CMO of Orbit Media Studios
Google is a data company, so security is their most significant threat. A breach, a hack, an incident – these could cost them billions in a single day in the stock market. It could also erode trust and weaken their cases in European courts.
Just creating the perception that they care deeply about security instills a sense of trust. Trust is the foundation for their brand.
It makes sense that sites with HTTPS/SSL are also the high-ranking websites. Sites without SSL are more likely to be smaller sites with smaller budgets, smaller teams, fewer pages, less content and weaker marketing in general. If you're trying to save $100/year on a digital certificate, you're probably not very serious about other things, including SEO!
Browsers often warn visitors that a website is not secure. Sometimes, this warning is very alarming! It's a dramatic change in the experience for those visitors, making them unlikely to visit the site at all.
A year from now, I don't think we'll find proof that it’s become a powerful ranking factor, but I think there will be a lot more evidence of a correlation.
Itai Sadan, CEO of Duda
HTTPS is more important than ever and will most likely become a significant ranking factor, in a manner of speaking, over the next year or so.
HTTPS is a more secure version of HTTP that most of the industry’s key players see as important for the continued development and improvement of the web. If you can get everyone switched over to HTTPS, you can reduce legacy security issues on websites and provide a better overall web browsing experience.
Also, as long as there are unencrypted websites out there, there will be people willing to exploit their security flaws. Most users are aware of this and are simply more inclined to avoid insecure websites nowadays.
Google’s “HTTPS Everywhere” initiative creates a genuinely better browsing experience for searchers, and at the end of the day, that's what Google wants. They need to keep searchers happy with what they see in a search engine results page, and insecure websites are usually an unwelcome sight.
Currently, there seems to be a carrot-and-stick approach to getting web developers and site owners on board.
For example, to enable progressive web app functionality, you need HTTPS. Most web developers and website owners are going to want the most cutting-edge tech, so it's a pretty good incentive to drive HTTPS adoption.
But Google has also made SSL a ranking factor, and it wouldn't be surprising if, like during Mobilegeddon, Google all of a sudden changed their algorithm to make SSL essentially mandatory. You might not get a boost for having an SSL certificate, but you could lose out on a top spot on the search engine results page without it.
Website visitors expect more functionality than ever before, and a lot of the latest and greatest technologies require HTTPS to be enabled. For example, with progressive web apps, you get a lot of exciting new opportunities for engaging with site visitors, such as the ability to browse a website while offline or launch a site from the home screen like a native app – but they both require HTTPS.
Bill Widmer, Content Marketing, and SEO Consultant
When I was a kid, my grandma would literally mail checks to online companies when I wanted to buy an online game subscription. I still laugh about it!
Today, people are not only entering their credit cards online – they're saving them for easy entry in the future. Who wants to type a 16-digit code every time they buy something? This means data is everywhere and easier to access than ever.
Now, with mega companies like Facebook in hot water for personal data issues and Europe releasing GDP laws, people are becoming much more concerned with where they're entering information.
People care about security, and that's why you need SSL. I think it's more visual than anything. People like seeing that green lock and the word "Secure" in their web browser because it gives them peace of mind.
Honestly, most encryptions aren't that much better than non-encrypted sites. Google employees are smart – they know that. But they also know SSL is what the people want, so even if it's just a visible symbol, they'll gladly enforce it to keep their users trust.
SSL has been and always will be a (slight) ranking factor. Google's main goal is to show the absolute best results for a given search query. Part of that means showing their users secure sites, so they don't have to worry about their personal information being stolen.
Google also recently announced they're trying only to show "secure sites." In fact, their browser (Chrome) has slowly been releasing "Not secure" warnings on all sites that have an input field (such as a contact form, email newsletter, or products for sale). This further punishes sites without SSL.
It's entirely possible Google will only show encrypted sites in the near future. After all, it's a better user experience, and that's what Google is after.
Mordy Oberstein, Marketing Manager of Rank Ranger
I wouldn’t necessarily relate to HTTPS from the “ranking factor” perspective. Meaning, it doesn’t seem to be much of a direct factor.
In a world where site security, or a lack of it, will be brought to the forefront of a user's consciousness, I would venture to say that HTTPS may have a more significant impact on bounce rate than as a factor in its own right. Where the user intends to interact with a site to some degree of data confidentiality, having Chrome label a page as insecure would surely cause such sites to see their bounce rates increase. In the era of machine learning, specifically RankBrain, the increase in bounce rate would communicate the site’s irrelevance to the search engine.
Of course, all of this must be discussed in a very nuanced way. To say that HTTPS is or is not or will be or will not be a significant ranking factor (whether directly or even indirectly) is a site-specific issue. That is, even within niches where HTTPS would presumably have increased importance (i.e., finance, etc.), its actual impact depends both on the type of site and the type of users applicable to it.
That is, if we presuppose that Chrome’s site security labeling will impact bounce rates negatively, we have to consider where this is most likely to happen. What type of personal information does the site pertain to? How is web savvy the site's audience? I would venture to say that inexperienced or un-savvy users would balk at the insecure label no matter the circumstance.
For example, are people just as likely to walk away from ESPN (which is currently not HTTPS) and their fantasy football account as they are to leave an online banking page that also came up as “Not secure”?
There is the potential for a highly toxic environment as more instances of inappropriate data sharing make their way to the public eye. The relationship between personalization and web usage, specifically the illumination of the two in regards to public perception, has created a new market demand for web security. As users, particularly users that do not have any technical background, realize they are being targeted with personalized web content, the way web security is handled will need to change accordingly.
I don’t think this is one of those cases where there are considerable ulterior motives. I think optically, pushing HTTPS looks very good for Google. Keep in mind, Google’s desire to be seen as a sound source of content is ever-increasing. Google’s voice search success, and its ability to make users comfortable with its “one true answer” entirely depends on this optic.
If Google is seen as “unsafe,” many of its most grandiose aspirations will be called into question. Aligning with a push towards HTTPS only bolsters its “safe” image. In other words, offering users site security labeling fosters the association of a search engine that has its users’ best interest in mind, and is built on information “safety.” Which could help alleviate fears of, “Is this device going to record everything I say, and will Google share that with everyone?”
If users don’t seem to care, and if “Not secure” labeling does not cause many sites’ bounce rates to spike, then there is no reason to make an “on SERP” adjustment.
Georgi Todorov, Founder of DigitalNovas
Ecommerce, online banking, online business management – these are just some of the areas that have grown in popularity over the last few years, and we keep using the web for more and more things. Being that wifi is everywhere these days, the data that we have synced in our phones, laptops, tablets, and desktops seems to be everywhere. Within our devices, we have our credit card information, online banking info, personal information (address, phone number, social security number, etc.), and all of these can be misused on, or intercepted from, a website which doesn't use HTTPS.
HTTPS and SSL ensure that we can safely use data on our desired websites through any connection, without exposing our “conversation” with the said website to outside threats.
As with everything related to Google, we’ll just have to wait and see how much of a significant change to HTTPS/SSL as a ranking factor the new “Not secure” label will be.
Google is looking for ways to create a “fully secure web,” but they still have a way to go. With the recent data privacy scandals that include magnates like Facebook, the focus has been even firmer on data security and privacy which is something that HTTPS/SSL covers really well.
The “Not secure” label in the address bar isn’t anything new. These kinds of warnings were already in place for HTTP websites that have web forms. Still, it is a pretty big punch which will impact the click-through rates of many websites mainly due to the respect people have for a Google warning. Furthermore, it seems that the ranking value of HTTPS will remain the same so the final goal for Google here may be to simply raise awareness with users about HTTP websites and their data being under risk.
Another part of the puzzle should definitely be website speed. Modern websites, when accessed through major browsers (Chrome, Mozilla, etc.) perform much better due to the connection speed this protocol provides. Google has always been an advocate of well-performing websites, so this really matches their overall philosophy.
Google has been supporting HTTPS for years now and even incentivized websites to make the switch by claiming that HTTPS is a ranking factor. Still, having a website with HTTPS hasn’t been impacting SERPs or KPIs significantly up until now.
We also need to look beyond the algorithm. Even if they don’t add more ranking value to SSL as a factor, end users who land on non-SSL websites and see the warning may increasingly strive to distance themselves from those websites, and you better believe that this will impact the ranking of these websites.