Http vs Https – What’s the Difference? (How it Affects Your SEO)

Bryan Conte SEO Analyst

At the end of July we published a blog post that discussed the impact of SSL on SEO. We frequently discussed that topic because we’ve converted many client sites to HTTPS.

Based on our experiences and available data, we concluded that it did indeed affect SEO. We also knew that a move to HTTPS sitewide might indirectly affect other ranking signals. Ultimately, we predicted that HTTPS would eventually be a ranking signal.

Six days after our initial blog post, Google announced that HTTPS would be a ranking signal in order to keep users safe.

“We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal.”

— Google

The timeframe of their tests is important because it coincides with our own experience — more on that in a moment.

Google says that HTTPS will be a very small signal, and it will affect fewer than 1% of queries globally. However, Google’s statement indicates that HTTPS may become a more important signal in the future.

It’s not often that Google decides to hand out a definitive answer about a ranking signal. Therefore SEOs should take notice of this instance.

How Much does HTTP vs HTTPS Affect SEO?

It’s hard to isolate the impact a site will see if they switch to HTTPS vs HTTP because TLS (Transport Layer Security protocol) and SSL (Secure Sockets Layer) provide many indirect benefits that support other ranking signals.

Recently, Terakeet converted one of our own websites from HTTP to HTTPS. We monitored keyword rankings and traffic throughout the process to determine the impact of a full sitewide transition.

Initial reports failed to show any signs of change because of how the transition process works, which requires a sitewide 301 redirect for all of the existing permalinks to the new ones. This lag in results was to be expected.

We had to wait for Google to crawl the new urls, and we knew the 301 redirects would cause a slight dip in authority and PageRank. However, traffic increased steadily after the switch, time on page improved with a reduction in bounce rate, and user engagement went up substantially.

However, as we mentioned, HTTPS provides other benefits that could impact rankings. For example, users can identify the secure icon (below) which increases trust. That could lead to other ranking signal improvements, such as decreased bounce rates, better user engagement, increase in pages per visit, and more conversions.

http vs https example

The Future of HTTPS/TLS on the Web

Google’s use of HTTPS as a ranking signal raises many questions. Among them:

What Drawbacks are there to TLS?

  • Does it make sense for most websites that don’t collect sensitive data (e.g. credit card information) to make the switch and incur greater overhead costs?
  • Will we see an influx of websites using HTTPS/TLS to appear more trustworthy than they really are?
  • How will that play out if Google intends to increase the weight of this signal, since anyone can simply purchase an SSL certificate and make the switch?
  • For those that don’t collect sensitive data, is TLS/SSL anything more than a permalink change and a new trustworthy icon?

Site owners and webmasters still have some concerns about switching to TLS. One potential drawback is a slower page load because of how HTTPS works, and site speed is a known ranking signal.

Although encryption adds a layer of complexity and load time, modern CPUs make most of those concerns obsolete. (In fact, Google was just assigned a patent to speed up SSL and other security protocols.)

A second drawback is that sitewide migrations require time and money. However, in most cases, it’s worth the trade to use HTTPS vs HTTP.

Need more information? Check out Google’s guide to secure your site with HTTPS. Here’s another resource from Google about how to handle url changes.

HTTPS and Security Certificates

High-profile data theft has prompted some concern about the future of SSL/TLS security certificates. As adoption rates of security certificates increase, hackers have turned their focus to https. That places a lot of trust in the hands of SSL certificate authorities.

Right now we know that SSL security encryption works. Successful attacks are rare, and there is no need for extra software because SSL is widely used and follows an encrypted direct handshake model. This is not to say that this model will always be the way website data security plays out in the future.

Other security models

  • Convergence allows you to download a Firefox add-on and then only browse sites that you trust. The tool is lightweight and runs unnoticed in the background. Its drawback, however, is that it relies on the end user and the notion that attackers target users close to a server or end point (WiFi location).
  • The OpenPGP and web of trust (WoT) movement allows everyone to act as a certificate authority because it leverages the TLS and SSL communication with your web browser. But it lacks widespread support and adoption which it needs in order to be successful. Those behind this movement are more concerned with private web browsing. You can read more about this alternative here.
  • DNSSEC, or Domain Name System Security Extension, may be the most plausible option for the future. It secures certain kinds of information provided by the Domain Name System (DNS). Signatures are signed digitally (using public-key cryptography) when a DNS lookup record occurs, while authenticating the data that comes back from the DNS. Website owners can add their own keys to their sites through their DNS settings from the location where they registered their domain. DNSSEC allows for IP address protection, and also all kinds of other data that is communicated with DNS, all the way to TLS and even text files. However, the DNSSEC process prevents DNS from authenticating with a website’s server.

What about websites that don’t need high security?

Most websites do not need the level of security that HTTPS provides. Does that give an unfair advantage to those who use it sitewide? The majority of websites on the web run on either free hosting or low budget hosting that can’t afford to purchase an SSL certificate.

Since the announcement, some companies have offered free SSL certificates to their customers. We hope more continue to do the same. Two companies worth mentioning so far are Gandi, and CloudFlare.

A second option would be to forego the adoption and instead focus on the other technical SEO elements that you can control (e.g. title tags, quality content, user experience, internal linking, and information architecture).

A third option would be to only adopt HTTPS on certain pages. You can’t avoid the extra cost of obtaining a certificate unless you get one for free, but it will be less complicated.

For example, say you run a food website. You may have many pages, such as everyday blog and recipe articles, that have no reason to adopt SSL encryption, since they collect no personal or sensitive information. However, a store on the same domain that sells products should adopt HTTPS.

Google evaluates HTTPS on a URL to URL basis rather than a sitewide basis. Therefore, you could choose which pages you’d want to provide this lightweight ranking boost, and forego the others that wouldn’t make much sense. You’ll need to choose a 2048-bit key certificate and ensure proper 301 and canonicalization use in making the switch on this page. However, you could run into security issues when you link between secure and nonsecure pages on your site.

Interpreting Google’s Search Algorithm and HTTPS

Will websites adopt HTTPS just to increase SEO traffic? There will undoubtedly be webmasters who abuse the security protocol and use it to convey trust when their site provides minimal value to visitors. Google’s web spam team will certainly need to keep an eye on this practice and make adjustments accordingly.

For example, Google could interpret a url to understand what type of page it is. Does the page contain information only, or does the page collect sensitive user information that could become compromised? If the page only serves information, then the signal boost of HTTPS could be adjusted accordingly.

Google likely interprets and ranks websites differently according to keyword search intent. For example, “buy cookbook” has a very different search intent than “best meatloaf recipe.”

A site that puts profits above visitor value probably uses affiliate links. Therefore, Google might decrease the HTTPS ranking signal boost if it detects a high number of outbound affiliate links.

The takeaway here is that over time Google will need to re-evaluate how this change affects website trust. In the near future, it’s likely that the majority of website owners will not care about such a small boost, and will ignore HTTPS completely.

A safer web is important, but as we mentioned above, there are still some threats of data theft even with HTTPS. Don’t expect widespread adoption anytime soon.