“We want to convince you that all communications should be secure by default.”
Those were the words uttered by Webmaster Trends Analyst Pierre Far at the Google I/O event this summer, when he and a Google colleague talked “HTTPS everywhere.” And this week, Google Search is taking a very convincing stance on the matter: HTTPS is now a ranking signal in its algorithm.
From Google’s announcement:
Over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal — affecting fewer than 1% of global queries and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
On Google+, Webmaster Trends Analyst John Mueller answered questions from the community, like, "What if you have an informational site – does it apply to you, too?"
Mueller said this:
Some webmasters say they have "just a content site," like a blog, and that doesn't need to be secured. That misses out two immediate benefits you get as a site owner:
1. Data integrity: only by serving securely can you guarantee that someone is not altering how your content is received by your users. How many times have you accessed a site on an open network or from a hotel and got unexpected ads? This is a very visible manifestation of the issue, but it can be much more subtle.
2. Authentication: How can users trust that the site is really the one it says it is? Imagine you're a content site that gives financial or medical advice. If I operated such a site, I'd really want to tell my readers that the advice they're reading is genuinely mine and not someone else pretending to be me.
On top of these, your users get obvious (and not-so-obvious) benefits.
Moving a site from HTTP to HTTPS could have technical problems if not implemented carefully. Google gives tips on how to handle the move here.
And, in its help files, it also talks about best practices for setting up HTTPS, which include helping the search engines see the site as secure by following these tips (more details exist on the help page itself):
Redirect your users and search engines to the HTTPS page or resource with server-side 301 HTTP redirects.
Use relative URLs for resources that reside on the same secure domain.
Use protocol relative URLs for all other domains or update your site links to link directly to the HTTPS resource.
Use a web server that supports HTTP Strict Transport Security (HSTS) and make sure it's enabled.
If you have questions or concerns, Google is directing people to the Webmaster Help Forums. For example, this search for “HTTPS” in the forums pulls up several conversations already happening on the matter. The announcement said that in the coming weeks, Google would be publishing detailed best practices on this issue.