Two years ago, Google announced that they would start using "Always on SSL" as a minor page ranking signal. Since then we have seen signs following a pattern similar to the lead-up to Google making "Mobile Friendly" a major ranking signal last April, and we anticipate that they are about to do the same thing with Always on SSL. We expect that in the next 6-12 months Always on SSL will become a more substantial page ranking factor, and we have taken steps to ensure our platform can accommodate this easily. We are recommending that all clients begin the process of having their site use HTTPS/SSL by default.
- SSL stands for "Secure Sockets Layer", which allows encrypted communication between a visitor's browser and a web server. In layman's terms, it's the green padlock when going to a secure site.
- SSL is common for shopping sites, but not for content sites.
- Google has pushed for the concept of "Always on SSL", which is the idea that every site should be SSL in order to create a safer web environment, especially in mobile where routers can be easily spoofed and "man in the middle" attacks are exceedingly easy.
- Google has already begun to use SSL as a page ranking indicator.
- They have not announced that they will penalize sites without SSL, but this follows the same pattern as their "mobile friendly" mandate from April 2015.
- We expect that Google will follow suit and start dramatically penalizing sites without SSL within the next 6-12 months.
- We have already begun the process of making all the sites we host always SSL. It's a big task, but by the time Google actually does it, the impact to our clients will be zero.
HTTP (Hypertext Transfer Protocol) is how web pages are transmitted to your computer. Unfortunately, it's an insecure protocol and can be intercepted easily by bad people or entities on the web.
HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP and is a standard for when you're sending sensitive information over the web such as credit card or personal information via a checkout process.
SSL (Secure Sockets Layer) is how a computer establishes a secure and encrypted connection between a web server and a person's browser (or email program).
Always on SSL is the concept of always using SSL regardless of the type of content. Always on SSL is also sometimes called "HTTPS Everywhere." Always on SSL seems to be the more popular term, so we'll use that for this article, but they mean the same thing.
HTTPS is visually displayed in browsers (and most apps) as a padlock. This is what it looks like in several popular web browsers:
Problems with HTTPS/SSL
Back in the day, there were problems with HTTPS/SSL that made it impractical for content-oriented websites. Most of those roadblocks are no longer an issue.
- It used to be that HTTPS made websites slower because browsers and computers were not as powerful as they are today. The encryption -> transmission -> decryption process back and forth repeatedly caused a perceptible lag in page load times.
- These days there is not much concern about lag or latency because it is generally imperceptible to a human and the upside benefit far outweighs a delay of a few milliseconds.
- That meant that MOST content-oriented sites did not (and still do not) use SSL because there was no perceived reason to do so.
- These days SSL Certificates are relatively inexpensive (under $75/year).
- Because of the cost reduction and increased security risk (or perhaps more importantly stated: increased awareness of the security risk), many sites are starting to use HTTPS/SSL all the time, not just in ecommerce or form data.
- Mixing secure and insecure content on a page causes the browser to show a warning that the page contains a mix of secure and insecure content -- this warning will probably alarm a visitor.
- Now many more third party platforms offer their scripts and tools using HTTPS/SSL, which removes the mixed content problem.
Why SSL matters
The web is a much scarier place than most of us would really like to admit.
It's easy for bad guys to intercept web traffic and even seemingly benign browsing can expose a tremendous amount of information about an individual user. Without much effort, normal browsing on an open wireless network can divulge information such as name, location, email address, content of email, web pages visited, current or planned activity, who you're communicating with, their information, etc.
This allows the bad guy to build up a personal profile of you and sometimes of those you communicate with. Add in social media and it gets even more dicey because with a name and a location, one could likely get a picture and potentially information about activities, habits, preferences, family, etc.
There is a really good summary of what can be casually gathered by a third party "listening on the wire" in the NPR podcast, Planet Money, Episode #548: Project Eavesdrop, which is about 15 minutes long. Go ahead and take a listen. After you pick your jaw back up off the floor, keep reading.
Privacy and Trust
In short: after Edward Snowden showed the world that lots of folks have access to lots of data, security and privacy became a much higher priority in the minds of consumers and businesses alike. In a recent Pew Research poll, 93% of adults say that being in control of who can get information about them is important. According to the same poll, many people have taken steps to help ensure their own online privacy.
Some of the more common activities include:
- Clearing cookies or browser history (59% have done this).
- Refusing to provide information about themselves that wasn’t relevant to a transaction (57% have done this).
- Using a temporary username or email address (25% have done this).
- Giving inaccurate or misleading information about themselves (24% have done this).
- Deciding not to use a website because they asked for a real name (23% have done this).
So security and privacy ARE on your website visitors' minds. Making sure SSL is used at all times on your site is an obvious and simple first step you can take to help instill a sense of trust by demonstrating that you're concerned about their security and privacy through the simple act of encrypting your website.
But back to the subject at hand...
Google and Always on SSL
Always on SSL is viewed by most experts as a good thing, because if the communication is encrypted, then your activity cannot be read or tracked, even if the transmission is intercepted -- this leaves both the website visitor and owner more protected.
Google has openly stated that it thinks Always on SSL is a good thing and has started to incentivize individual website owners to adopt HTTPS/SSL by using it as a ranking signal. That means if all other things are equal between two websites, the website that is delivered via HTTPS will have a higher page rank than the website that uses simple HTTP.
This form of technical/social/behavioral engineering is not uncommon for Google, which flexes its juggernaut stature from time to time. In April 2014, they did the same thing with their Mobile Friendly initiative by making whether or not your website was mobile friendly a major ranking signal when searching from a mobile device. Given that over 50% of Google searches are performed from a mobile device, guess what: many more sites are now mobile friendly.
But before they dropped the mobile friendly bomb, they used mobile friendly as a minor ranking signal for a couple years and gradually increased its weight over time.
We feel Always on SSL is at the same point. It's a minor signal now, but if they stay true to form, it will be a major ranking signal as more sites become SSL and they want to push it toward critical mass.
Our best guess is 6-12 months (February - August 2017). Let's see if we're right!
Right or not, we're not waiting around.
We've been proactively informing our clients of this trend and working hard to make our infrastructure easy to deploy SSL on and more secure in other ways as well.
In many cases, it's not as easy as simply installing a certificate because many of the older sites have old style http calls to third party scripts, which have to be updated to use https calls. As we said, these are usually available but not always, in which case we will find an alternative or rewrite the functionality using the updated standard.
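As an added example (not part of the original article or our platform's code), the Python sketch below finds the old-style http calls in a page that would trigger mixed-content warnings once the page is served over HTTPS. The sample HTML and its host names are constructed for illustration.

```python
from html.parser import HTMLParser

# "Active" sub-resources (scripts, stylesheets, frames) can change the whole
# page, so browsers treat them most strictly and typically block them on an
# HTTPS page. "Passive" ones (images, media) usually trigger the warning.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"),
           ("source", "src")}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link rel="canonical"> and similar are references, not loads.
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return
        for name, value in attrs.items():
            url = (value or "").strip()
            if not url.lower().startswith("http://"):
                continue  # https:// and protocol-relative // URLs are fine
            if (tag, name) in ACTIVE:
                kind = "active"
            elif (tag, name) in PASSIVE:
                kind = "passive"
            else:
                continue  # e.g. <a href>: navigation, not a sub-resource
            self.findings.append((self.getpos()[0], kind, tag, url))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: three insecure loads, the rest are harmless.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<link rel="canonical" href="http://www.example.com/page">
<script src="http://widgets.example.net/share.js"></script>
<script src="https://analytics.example.net/a.js"></script>
</head><body>
<a href="http://partner.example.org/">Partner</a>
<img src="http://images.example.net/logo.png">
<img src="//images.example.net/banner.png">
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in scan(SAMPLE):
        print(f"line {line}: {kind} mixed content in <{tag}>: {url}")
```

Each reported URL still has to be checked by hand: the third party must actually serve the same resource over HTTPS before the call is switched.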
Another potential complication comes into play when multiple sub-hosts are used (www.domain.com, mail.domain.com, rssfeed.domain.com) because then a wildcard certificate is needed in order to cover all the sub-hosts. Covering one domain (www.domain.com) is inexpensive, but wildcard certificates can cost a lot more: $300-1,000/year.
To help solve this, we've been consolidating many of our peripheral services (such as our streaming media services, PDF services, Web to MS Word, etc.) under the animusrex.com domain and offering that as an alternative way to connect (so "media.animusrex.com/client/content" vs. "media.clientdomain.com/content"). This way we can take on the cost of the wildcard domain and spread that over our entire client base so everyone pays a lot less for the same protection (we're good like that).
We are currently developing all websites with the intent of launching as Always on SSL and are strongly recommending this approach to all new clients. We are recommending to everyone that they at least have the conversation within their organization, and we think investing in SSL is a small cost with a lot of potential upside for instilling trust and maintaining or increasing page rank relevancy.
We've just scratched the surface, but that's the upshot. Hope it's helpful.
Be well (and be safe out there)!
If you have any comments, questions or just want to say hi, please email me at firstname.lastname@example.org.
Sources and Additional Exploration
Original Google Announcement about SSL as a page ranking signal:
Good primer by Symantec, a leading SSL Certificate Authority
A slightly scary podcast about security and what can be detected by casual web browsing
Another good framing of the Google SSL page rank announcement
An article that explores any potential downside to SSL (upshot: there is none)
The White House went Always on SSL and you should too!
Interesting study by Pew about public privacy perceptions after Snowden
Another good study by Pew about American attitudes surrounding privacy, security and surveillance
Harvard Business Review on handling consumer data with transparency and trust as a central tenet