HTTPS: Guardians Of The Google Galaxy
August 13th, 2014 by
Last week, Google published a blog post stating unequivocally that encryption will be a ranking factor for websites. They said, “We’re starting to use https as a ranking signal.” They did downplay that message slightly by adding the impact would be a small amount of rankings trust: Here is a pretty important takeaway from the Google published blog post (the emphasis is mine).
“For now, it’s only a very lightweight signal … But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from http to https to keep everyone safe on the web.”
Which I interpret as “You don’t have to frantically get encryption on any of your websites today, but as you perform regular maintenance on any websites you own, you may want to consider adding SSL (Secure Sockets Layer).”
In the Spring, Matt Cutts hinted strongly that the need for encryption was coming, and at the time we took a “wait and see” approach, knowing that it was not an urgent matter, and we could look at it again when it did become “a thing.” Now, it is officially a thing.
Over the years, Search Influence has had a small percentage of clients with encryption. It has always been on websites where it makes sense: banks, credit unions, any online loan application sites, e commerce (of course) — basically, sites where you submit your personal and financial information. Historically speaking, plumbers, catering services, charter fishing, and dog walkers, would not normally need this level of security because those businesses don’t normally ask consumers for their personal info.
As we watch the behaviors of secure vs non-secure websites, we will be better able to make informed decisions on the “ to-secure-or-not-to-secure” front.
For now, MaAnna Stephenson says in this post, “Do it Because it’s Right For You … don’t make this change because of the ranking factor bump alone.“ I tend to agree with her at this point. Google could evolve this into a more significant factor as they suggest in the announcement, or like, other experiments, it could lose importance.
What Does Encryption do?
Encryption does very little to protect a website; it serves to protect any data exchange between a website visitor and the hosting server. This announcement by Google illustrates that they want a safe search experience for consumers. The ultimate goal is the consumer experience, and the consumer wants security.
Without encryption, when you fill out a form or provide any information on a website that gets sent back to the business, this data is sent as plain text. Plain text is bad for personal information and financial information because plain text is easily taken by hackers.
What encryption does — it encodes any data going through the website, and only the website owner can decode that data. The concept is the same as using codes to exchange secret messages. You can only decode the message if you have the decoding key.
These 5 bullets are a great distillation of what happens. I have quoted these straight from from DigiCert:
1. Browser connects to a web server (website) secured with SSL (https). Browser requests that the server identify itself.
2. Server sends a copy of its SSL Certificate, including the server’s public key.
3. Browser checks the certificate root against a list of trusted CAs and that the certificate is unexpired, unrevoked, and that its common name is valid for the website that it is connecting to. If the browser trusts the certificate, it creates, encrypts, and sends back a symmetric session key using the server’s public key.
4. Server decrypts the symmetric session key using its private key and sends back an acknowledgement encrypted with the session key to start the encrypted session.
5. Server and Browser now encrypt all transmitted data with the session key.
For existing websites, there are some considerations when deciding to implement encryption. Most of these will cost the website owner money, time, and effort.
1) Prepare to get an SSL certificate.
Before you get an SSL certificate, there are several things you need beforehand:
- Unique IP
- Certified signing request
- Accurate WHOIS record
- Business valuation documentation
Hopefully, you have a developer who will manage this checklist for you.
2) Get the SSL certificate.
The website owner has to decide what kind of SSL certificate he/she needs. Leigh Aucoin, Web Development Team Lead here at Search Influence, comments, “Most hosts or domain registrars offer SSL certificates, and there are some companies that specialize in this in particular.”
Single Domain Cert
Prices may vary (usually expect upwards of $70/year) for a single domain.
If a single domain SSL cert is setup, it’s important to establish a “canonical” domain (as we tend to do) of www or non-www, and set the certificate to that one. Otherwise, you’ll need to purchase another certificate either for the www subdomain or just the raw hostname.
Having a “wildcard” SSL certificate that will match all subdomains is approximately 3x the price. This may be good for certain sites, but most clients don’t have subdomains beyond www.
Also, a website owner needs to understand that the SSL certificate, maintenance, and annual renewal will cost money and effort every year. Peter Rigney at Annunciation Interactive offers his input, “My practical experience is that, for clients who ‘just want the website to work’, keeping an SSL cert up to date can be somewhat logistically painful. The annual renewals involve some work, charges, and client authorization processes that aren’t particularly fun for anyone. Particularly when it’s a ‘hands-off’ or over-taxed client…”
This is work for a professional, unless you are a business owner with a lot of technical knowledge.
3) Get it installed on your server.
Leigh suggests that your hosting company should be able to provide you or your developer with guidance on how to do this, and it may vary per host. Per this FAQ, “Installing a certificate involves a process that’s specific to each individual web server. Certification Authorities publish instructions for generating the Certificate Signing Request (CSR) and installing the certificate.”
4) Make sure your SEO is impacted as little as possible.
Per Google Webmasters support, changing from http to https is considered a URL change, and as with all URL changes, it very likely could have a ranking decline after launch.
Moving from http to https is considered a site move, all of your URLs are changing and all precaution and planning needs to be considered. Redirects, new sitemaps… This costs a small business owner money in paying the developer to do this work. The web developer has to gather all of the site’s existing information, plan a thorough strategy, implement everything along with the SSL certificates, and monitor the results in the weeks after.
5) Plan for accurate data.
When you launch, you will want to make sure you see your website data accurately. In Webmaster Tools, make sure you verify all existing variations of your site (www., non-www., https, subdirectories, subdomains). Don’t forget about the settings for your preferred domains and canonical URLs.
6) Know that site speed can be decreased.
Your site speed could be impacted because encryption slows things down. All the data gets encrypted and then decrypted by the website visitor and then again on the hosting server. This takes a little more time than sending straight text data. The SSL also encrypts the page content, the style sheets, and all of the other features on the page such as images and videos. If your site is already old and clunky, you may want to consider an upgrade. While upgrading you should strongly consider a mobile or a responsive site to go along with your potential encryption.
Not a Snap Decision
Deciding to add encryption to a website is not a decision that can be made quickly. The certificate itself — not to mention hosting and domain renewals — costs money. Relatively speaking, they don’t cost a lot of money, but the overhead is something that needs to be considered.
The average small business owner would likely have to pay a developer to manage the process and installation. You also will likely have to pay the developer to maintain that security every year with renewal. Find a developer with some experience with SSL certificates. A trusted, knowledgeable developer is a valuable investment.
There may be some opportunity costs if the site loses some ranking in the first few weeks after launch. This is a very real scenario and is especially a concern for ecommerce sites. If your developer isn’t experienced with setting up redirects and submitting sitemaps, talk to your SEO team to coordinate with the developer.
If you are already planning a site redesign, or converting to a responsive site, or some other investment in your domain, it would make sense to go ahead and add in encryption. Just plan ahead and be thorough.
This blog post is intended to give a small business owner some talking points when having a discussion with his developer. I’m sure there are many small considerations not included here, but if you have a valuable tip for an SMB, please comment!