Google confirms it's giving HTTPS sites higher search rankings

Summary: For the moment, websites that use secure comms protocol HTTPS are gaining only a small advantage in Google internet searches but the company says that could be changing.


Google says it's already rewarding sites that use HTTPS with a slightly higher ranking in internet searches — but it may be cranking up that weighting to stimulate further adoption of the secure comms protocol.

The company has been running trials over the past few months to test the use of secure, encrypted connections as a signal in search ranking algorithms.

"We've seen positive results, so we're starting to use HTTPS as a ranking signal," Google webmaster trends analysts Zineb Ait Bahajji and Gary Illyes wrote in a blog post.

"For now it's only a very lightweight signal — affecting fewer than one percent of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS.

"But over time, we may decide to strengthen it, because we'd like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web."

Google said it will be publishing detailed best practices in the next few weeks to help webmasters avoid common mistakes and make it easier to implement HTTPS, also known as HTTP over TLS (the Transport Layer Security cryptographic protocol).

Bahajji and Illyes listed seven tips to help websites make the transition to HTTPS. Advice includes choosing between a single, multi-domain, or wildcard certificate, using 2,048-bit key certificates, employing relative URLs for resources that reside on the same secure domain, and protocol-relative URLs for all other domains.

They also suggest allowing search engines to index the site's pages where possible, avoiding the noindex robots meta tag, and not using robots.txt to block crawling of the HTTPS site.
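One way a site owner could check a page against the URL and indexing tips above, as an added example that is not from the article or from Google's blog post. The host `www.example.com`, the sample markup, the sample robots.txt and the finding labels are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.robotparser import RobotFileParser

# Tag/attribute pairs treated as subresource loads (constructed, not exhaustive;
# <link href> is checked regardless of its rel value).
RESOURCE_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href")}

class PageAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if (tag == "meta" and a.get("name", "").lower() == "robots"
                and "noindex" in a.get("content", "").lower()):
            self.findings.append(("noindex-meta", a["content"]))
        for attr in ("src", "href"):
            if (tag, attr) in RESOURCE_ATTRS and a.get(attr):
                parts = urlparse(a[attr])
                if parts.scheme != "http":
                    continue  # relative, protocol-relative or https: nothing to flag
                kind = ("use-relative-url" if parts.hostname == self.site_host
                        else "use-protocol-relative-url")
                self.findings.append((kind, a[attr]))

def audit(html, robots_txt, site_host):
    page = PageAudit(site_host)
    page.feed(html)
    findings = list(page.findings)
    robots = RobotFileParser()
    robots.parse(robots_txt.splitlines())
    if not robots.can_fetch("Googlebot", f"https://{site_host}/"):
        findings.append(("robots-txt-blocks-crawl", "/"))
    return findings

# Constructed sample inputs for a hypothetical site, www.example.com.
SAMPLE_HTML = """<html><head>
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" href="/css/site.css">
<script src="http://www.example.com/js/app.js"></script>
<script src="//cdn.example.net/lib.js"></script>
</head><body><img src="http://images.example.org/logo.png"></body></html>"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /\n"

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_HTML, SAMPLE_ROBOTS, "www.example.com"):
        print(f"{kind}: {detail}")
```

Hard-coded `http://` subresources are the ones that trigger mixed-content warnings once the page itself is served over HTTPS, which is why only those are flagged.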

Websites that are already serving on HTTPS can test their security level and configuration with the Qualys Lab tool, according to the Google blog post.

The signs that Google is making a concerted effort to encourage HTTPS uptake have been evident for several years. In January 2010 it announced default HTTPS access for Gmail, and in November 2011 it enabled forward secrecy by default.

In April, reports suggested Google was considering giving a boost in its search-engine results to websites that use encryption, but the company said it had nothing to announce at that time.

Then at the Google I/O 2014 conference in June, Google web performance engineer and developer advocate Ilya Grigorik and webmaster trends analyst Pierre Far delivered a session entitled 'HTTPS everywhere'.

  • It would be interesting

    It would be interesting to calculate the increased power consumption if all sites went to SSL for all content.
    Buster Friendly
    • No............. wouldn't be interesting at all, not even a little bit interesting, in fact I'm already bored with the idea - yawn.
  • Meh...

    While I agree that sites need better encryption (especially when offering products or services and payment methods for such things), I disagree vehemently with this because small business owners can be adversely impacted, since they are most likely to go with the web service they can afford.
  • Right move

    This is the right move and a good direction toward a more secure web. Good CAs now provide fast response times for web performance and plenty of tools and customer support to help SMBs get their SSL ordered and installed quickly and correctly.
    • Wasteful in a lot of cases

      For example why should a news site like this encrypt the public contents? There's a significant extra cost in hardware and electricity.
      Buster Friendly
      • OMG... significant? Have you finished that calculation yet?

        Maybe you can present the energy increase in "Hiroshima Atomic Bombs" worth of energy, or "Al Gore private jet hours" worth of energy.

        There's plenty of energy, the efficiency & performance of processors is improving all the time - stop fretting. Or if it really bothers you just turn your computer off.
  • Encrypted Traffic is slower to view

    Not to mention that encrypted sites are slower to load. While people who are lucky to have super fast internet may not notice it, people who are forced to use DSL or Dial-Up will. The higher the encryption the slower it will load as there will be more data to load.
    • It's the ends

      It's not the middle network that's the issue. SSL requires more CPU on the web server and on your system which makes it slower.
      Buster Friendly
      • Nah...

        .... I just tried downloading a secure site and a normal site and they both took 0 seconds.

        I did it scientifically by closing my eyes for about a second as I clicked and when I opened my eyes the page was there. Less than 1 second = zero seconds.

        So it is no slower and that's a scientific fact.
  • Not to worry, HTTP to HTTPS conversions are straightforward

    Not to worry those with bog standard websites, I can upgrade you to HTTPS with the following service:
    • Spam

      Buster Friendly
  • Waste of IP space

    This is inane. Can't imagine there's too much overhead for electricity, particularly as low powered chips are becoming the norm in server farms. The real issue here is that just a few months ago ARIN entered into Phase 4 of IPv4 depletion. Under current tech, the vast majority of web sites operate by sharing IP addresses through name based hosting. Also under current tech, running your site with an ssl certificate requires a unique IP address. As others have pointed out, for any "public" sites there is simply no need to use ssl.

    This is a horrific waste of a rapidly depleting finite resource. Plenty of applications do require a unique IP. To fabricate a need to convert millions of sites to using more IPs is ridiculous. This will be less of an issue when IPv6 is 'fully' deployed, but that is not in the near future and still is no excuse for poor policy.
  • Right move?

    Not really. Google is playing favoritism. They should be impartial whether or not a site has SSL. If they want to distinguish them with an icon like they do with the icon for mostly scamming web sites.
  • GoOgle

    If I used GoOgle products I would have a concern, but considering I'm on a super-fast computer and broadband I won't give it a second thought. Even though, I do know that it does take a little longer (sometimes a lot) to load pages over HTTPS connections, and not by using the "Close your eyes and click link" method, but a plug-in for Firefox that measures the time it takes to load a page. HTTPS ALWAYS takes longer, there's all that extra data to transmit & receive and CPU time to decipher the encryption....