Google to Increase Search Ranking for Sites Using HTTPS Encryption

A few months ago, there were some rumors that Google was considering using HTTPS site encryption as a ranking algorithm in its search engine in the same way it uses site loading speed or social media strength as signals for its ranking algorithm. Google also hinted at Google I/O that it's going to do this, with a session called "HTTPS Everywhere."

Today, Google announced that it's going to do exactly that and will count HTTPS support towards ranking power for websites. That means websites that have HTTPS enabled by default will receive slightly higher rank over sites that use the unencrypted HTTP protocol.

Google says that for now this change will only affect 1 percent of global queries and will, of course, be nowhere near as strong of a signal as the quality of the content on those pages or sites. Google will, however, strengthen it over time. The reason it's pushing this change in the first place is because it wants the web to be a safer place for all, and that can only happen if webmasters have enough incentives to do it.

Google has been pushing the use of encryption on its websites for the past few years, when it enabled HTTPS by default on Google search and in Gmail, but the Snowden revelations from the past year seem to have increased its focus on security lately.

Google offers these tips for webmasters to get started:

  • Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
  • Use 2048-bit key certificates
  • Use relative URLs for resources that reside on the same secure domain
  • Use protocol relative URLs for all other domains
  • Check out this Site move article for more guidelines on how to change your website's address
  • Don't block your HTTPS site from crawling using robots.txt
  • Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag.

If you're a webmaster, Google also recommends using SSLlabs.com to check the SSL configuration and level of security for your website, and the Is TLS Fast Yet tool for performance questions.

If webmasters are worried about the overhead of TLS encryption (which is what HTTPS uses), they shouldn't be. According to Google's Adam Langley, who works on Google's own HTTPS infrastructure, using HTTPS affects CPU load by only 1 percent and the network load by only 2 percent. Considering the benefits of encrypting all of a website's traffic for its users, that doesn't seem like a big trade-off to make.

The bigger trade-off may be in the fact that HTTPS/TLS certificates aren't usually free, which has historically impacted adoption of HTTPS encryption. The good news is that there already is a certificate provider that gives free certificates at StartSSL.com, and CloudFlare has also promised to enable HTTPS for all of its members soon, for free. With fewer and fewer excuses for not enabling HTTPS for websites, we will hopefully see a lot more websites adopt traffic encryption soon.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Achoo22
    And when sites like Tom's have lots of surrogate bits (advertising providers, statistics spies, backbone CRM hosted banners, etc) buried in their pages, how much does it matter if the site itself is served up with https?
    Reply
  • Heironious
    I started using HTTPS Everywhere last night https://www.eff.org/https-everywhere I do not notice any slowdowns. I guess it's a good thing just like my anti virus and anti malware find nothing.
    Reply
  • Someone Somewhere
    So, when is Tom's going to get on the bandwagon?
    Reply
  • gm0n3y
    I guess this is a good idea and will make and serious sites consider using SSL by default. For most sites it seems like any sensitive areas use SSL (login screens, user profile, checkout process, etc) and plain HTTP for display regular content. For example, there should be no reason that this page needs to be secure.
    Reply