For some time now, Google have been recommending that websites use the SSL (Secure Sockets Layer) protocol if at all possible. As we discussed earlier in our article entitled “Webmaster Guidelines And SSL,” there are two protocols that websites can run on: Regular unencrypted HTTP, and encrypted HTTPS over SSL.
Briefly, HTTPS or SSL creates an encrypted session between the web server and a browser that is loading a webpage and creates a layer of privacy in between the server and browser. The communication between the web browser and server are encrypted and as a result, anyone trying to “snoop” or that is attempting surveillance cannot read the communications that are being sent or received.
Why Google Thinks SSL Is Important
Google has been a strong advocate of Internet privacy and has been recommending that webmasters, wherever possible, use SSL on their websites. This is especially true for parts of websites that my have forms and be requesting personal information. Over the past many years, most shopping carts have used SSL for their checkout page when critical and sensitive information including credit card information, personal names and addresses are being sent to a webserver. Recently, more and more websites have gone beyond checkout pages running over SSL, but any type of form where personal information is being communicated including email list sign up forms.
Google and others have taken this a step further in their recommendations as https and most searches done on their platform are now encrypted. This means that anyone trying to snoop your network and learn what you are searching in real time are unable to know what you have typed into the Google search box.
Google has taken the position that all browser based traffic should be encrypted and thereby providing an improved layer of privacy for internet users. But there are legitimate concerns on the part of many webmasters for not implementing SSL fully across all of their website content and pages.
Webmaster Concerns About SSL
Let’s look at some of the concerns and objections to enabling SSL sitewide:
1. SSL Requires More Server Resources And Slows Down Websites
SSL does run on a different protocol than “regular” web traffic and requires more processing power. In order for a web server to implement SSL, it needs to have some implementation of it installed on the server, generally speaking OpenSSL is the preferred software. In order to encrypt communication it sends and decrypt information it received, the server that is running SSL will be required to work harder, and in the past, this has meant a loss of website speed. On servers that have smaller processing power available to it, this loss of speed can be significant.
Additionally, Google has stated that site speed is a factor in their search engine rankings and so many webmasters have been hesitant to implement it. Today’s processing power however is such that site speed with SSL enabled websites is not as significant as it was ten years ago. While running a website over SSL will slow down the communications between a browser and the server, it is not nearly as noticeable as it used to be. There are many ways to improve site speed overall, and by implementing those measures where you can, there should be no significant differences today by implementing SSL site wide.
2. SSL Costs Additional Money
When we started in this business back in 1997, there was only one agency that a business could obtain an SSL certificate from that browsers would recognize. This was verisign, and the only SSL certificate that was available was the same as what we refer to today as “Extended Validation” certificates. While it is possible to generate your own self-signed certificate on a web browser, these are pretty much useless when your website will be visited by visitors using browsers that do not recognize your self-signed certificate.
In 1996 and for quite a few years subsequent, in order to obtain an SSL certificate, you would need to send your Certificate Signing Request (CSR) to Verisign, who would conduct an investigation to ensure you really were the business or organization you claimed to be, and this could take several days before they would issue the certificate, signed by Verisign. The fees that Verisign charged for this were in the hundreds of dollars.
Today, there are a number of recognized certificate issuers that are recognized by the most common browsers, and in addition, there are a number of types of certificates including “Domain Validated” certs that can be issued within minutes of sending a CSR. These still offer security and some level of trust to visitors of a website and for many businesses and organizations, are acceptable. Instead of costing hundreds of dollars, these domain level certificates are much less expensive to purchase, but can still take some time and knowledge to figure out what you need to do in order to obtain one. If you are paying someone to do this for you, expect to pay for their time and knowledge, which is probably much less overall than the time you will spend yourself if you don’t know how to do it, and need to read tutorials to figure it out.
But even with paying or the help and guidance of someone else, SSL certs today are really not that expensive relatively speaking to what they used to cost, and do provide your visitors with both trust and a layer of privacy while communicating with your website. Today, you can purchase a domain validated Certificate for around $30.00US that will expire in a year.
3. Implementing SSL Can Be Complicated
Implementing SSL can be complicated, but most of the complicated work is done by your hosting company. Some of it is automated, but in the end, if you do it yourself, you’ll still have to understand some basic concepts. When you want to implement SSL on your website, you will need to generate a “Private Key” for your domain on the server your site is being hosted on, as well as the Certificate Signing Request that is “twinned” to the Private Key. You must keep the Private Key secure and back it up as well.
Once the Private Key and CSR have been generated, you then submit the CSR to the certificate issuing agency and request a public certificate from them. Depending on the validation type you are paying for, once the certificate issuer has validated the information and is satisfied it is sending the certificate to the correct authorized contact, it will email the certificate, which then needs to be installed alongside the Private Key on the server.
There are some other “complications” that also need to be looked after, and these include:
You will likely need your own unique IP address for your website. Hopefully your hosting company has one available that they can assign your website. There is technology available today to get around this requirement, but it is not widely implemented at this point in time, and discussion about that is beyond the scope of this article.
Switching to SSL can take some planning ahead of time to ensure everything works properly on your website. Incorrect configuration can cause a visitor to see SSL errors and warnings. This can take some time both in planning and testing and if you don’t have the time or know what to look for, it might be a good idea to get some help ahead of time. Again, listing all the issues that can occur is beyond the scope of this article, but know ahead of time that complications can occur, but they can also be solved, as well.
4. SSL May Have Effects On Search Engine Optimization and Rankings
And this is where we come to our own case study of the results we found after implementing site-wide SSL on ianscottgroup.com. Many webmasters fear that they will lose Search Engine rankings – and there is a legitimate concern. For one thing, your URL does change. When you implement SSL, the URL prefix of all webpages that you run through it will change from http:// to https://. This has been a major concern of both webmasters and those involved in SEO, as we know that quality back links to your website have a major impact on where you rank. Before you implement SSL, any back links to your website will have the http:// prefix. So will this cause problems?
As well, there are considerations of ensuring https is “forced” when a visitor comes to your site, and ensuring canonical tags are set correctly so search engines do not see “duplicate content” if both versions, http:// and https://, are available to visitors and search engine robots.
There have been a number of reports from some webmasters complaining that their sites tanked in search results after implementing SSL site-wide. We wanted to test this for ourselves, and our test was our own website. We did this knowing that it could hurt if we lost search traffic, but far better for us to lose than for our clients to lose due to bad and untested advice.
Our SSL & SEO Experience:
We had been planning for some time to implement SSL site-wide for some time, and not because it was a recommendation of Google, but because we also believe that Internet privacy is very important. We wish more internet users would understand the importance of privacy in their communications, not only with websites but in all their communications including email. Since about 2000, we’ve been using PGP/GPG in our email communications where possible – it requires the email receiver to also use PGP or GPG in order to decrypt emails, but sadly, most people have not implemented this level of personal security and privacy. But it is still important to us to do what we can, and SSL has been in our sites for some time.
About two months ago, we decided to take the plunge, but we also wanted to test whether or not going SSL would affect our search engine rankings. Our business website is well ranked for some important search terms and phrases related to our business and locality. So it was important that we do our best to not affect that.
But what about other search terms that might not be so important? What about search terms where we did not rank well.. say.. not on the first couple of pages of Google, but ranked poorly on? We’re not talking about search terms where there was no ranking, but for content that might rank on pages three through ten; would those rankings be affected?
So before we started, we created new content based around some keyword search terms and took a baseline after the content was indexed. Then, about two weeks ago, we began to implement a complete site wide switchover to SSL.
We’ve been monitoring the search results ever since, and what follows is our conclusions about how SEO can be affected by SSL.
SSL Did Not Have Any Major Effects On Any Of Our Rankings
Google claims that switching to SSL may give a website a slight boost in the search engine rankings. Our experiment it should be noted, is based on whatever algorithms are being used by Google over the past two weeks and we cannot say or predict what the future might hold. However, we can clearly state that switching to SSL after planning and ensuring it was done correctly, seemed to have zero effect, either positive or negative, on our rankings.
Although we implemented a “force SSL” on our site, ie: if you arrived via http, the server would force and respond with https, Google did not begin to show https:// url’s for a good week in their search results for our website. The first instance of noticing the https:// url was in a search for our business name and it took a week for that to show up. The second instance was in local results – for a search term that we rank highly on in both local (#1) and the organic results (we rank #2), the local results had our https:// url, while the organic results, even though pointing to the very same page of our site, continues to have the http:// url.
One thing we did notice that seemed strange was that within about three or four days of switching over to SSL, there were some search rankings in which some of our pages seemed to completely disappear from the search results for a few hours at a time, but would then later return to where they were previously.
There were some search results where we improved dramatically for the content we added in the month previous to our switch-over. For example, one search term that prior to the switch to SSL where we ranked around position #90, today we are at #12. We can’t say for sure that this boost was the direct result of switching to SSL; there could have been other factors that we don’t know about yet, but most certainly we can say that switching to SSL did no harm to us.
But we did not suddenly jump to #1 where prior to our switch, we were at #2. We remained at #2 and are still there, today.
Our Conclusions About SSL & SEO
Despite Google personnel stating in the past that switching to SSL will not harm a website, there have been many reports from others who claimed their sites did not do as well after the switch.
We can only conclude that probably something went wrong and it was not done properly with planning in the first place, in those cases. If for example, SSL is not forced, we could see that Google might “detect” what it thinks as “duplicate” content when visiting both urls of https:// and http://. In fact, perhaps there may be a slight penalty built in for NOT forcing SSL – why not force it if you are able to use it?
We did not experience any issues as far as search engine rankings by switching over. There were no search terms that we were tracking that had any significant drop (you will always find some movement up or down a few places over time especially on search terms that are fairly deep in the results) on any search terms, saw what may have been a significant increase for some, but we received no major increase or decrease on search terms where we have been ranking well on Page 1 of the search results.
For most website owners, we are going to be recommending that you switch to completely SSL enabled websites, if you can. As reported previously, it is now a part of the Google Webmaster Guidelines to use SSL, and we tend to think that following those guidelines is a smart idea. At the same time, you should plan it out before you do, and probably get some help, especially if you have a large website. There are quite a number of elements that should be tested after you switch over to ensure full functionality and no SSL browser warnings.
From our experience, it’s not going to harm your website in the search rankings if you switch over and do it correctly. You might see a gain in the SERP’s for some search terms, but that gain is not likely on its own to propel you to the top of the SERP’s. But it might give you an edge when combined with other optimizations.
Another advantage you’ll see is that you’ll possibly have more referral information in your website traffic statistics; referrals from https websites to http only show up as non-referrals in the http only website, but when instituting https, you will get more accurate referral information.
And finally, another good reason is that you can be proud of the fact that you are doing your part to help create a more secure, trusted and private internet browsing experience for your visitors!
We Can Help
Undertaking a transfer from http to https can be daunting and scary, especially after reading some of the horror stories that exist. We can help you with it, and reduce your stress and look after the complete transition from helping to obtain the right SSL Certificates, installing them, and then planning the process, while also looking after any “gotchas” that might crop up. We’ve been dealing with E-Commerce and SSL since 1999 and doing it successfully. If you want to obtain an extended validation certificate, we can help you with that as well, letting you know what documents you will need to have ready, and how the process works to ensure a smooth transition for you.
Give us a call if you’re ready to keep ahead and be compliant with Google’s Webmaster Guidelines: (519) 940-3504 or send us an email at [email protected]. You can always visit our contact page, too (and with the peace of mind knowing if you use our form, it’s transmitted securely!).