Webmaster Guidelines And SSL
A couple of days ago, about January 27th, 2016, Google made some big changes to its Webmaster Guidelines. Google has published guidelines for many years and, once in a while, has made some minor updates to them. This latest revision is perhaps the biggest since it first came out with guidelines for webmasters.
There are actually quite a few interesting changes, but for now we’ll look at one that we’ve been mentioning to clients for some time – and that’s to consider an SSL certificate with a secure connection. It wasn’t in the Google Webmaster Guidelines previously, but various Google staff including Matt Cutts have been discussing it for a couple of years or more now. Some time ago, Cutts even told us that running a website over SSL instead of the regular http protocol on port 80 would have the effect of giving sites a slight SEO boost.
But until now, this recommendation was not in Google’s guidelines. Now that it is in the guidelines, all webmasters and site owners should take notice. Why would Google recommend websites use SSL? There are a couple of reasons:
- SSL with a valid certificate gives a higher level of trust.
- Security during transmission of data between website and browser.
What Is SSL
Before we explain what SSL (which stands for “Secure Sockets Layer”) is, let’s first look at what happens during a non-SSL connection. When you click on a link or type a URL into your browser, assuming it is not an https link or URL, a lot of things happen in milliseconds. But ultimately, your browser connects to a webpage which is being served up by a web server. Servers run on different “ports,” and the common http port is 80. Over this port, all data that is transferred from the website to your browser, and from your browser back to the website, is not encrypted. It is quite possible that someone who has access to a router or a device between your browser and the website you are visiting can view the data that is being transferred.
This includes any personal information that you are sending to the website. It’s one of the reasons that the majority of e-commerce sites do not (or should not) have order forms that include requesting your credit card information on a non-SSL connection. Anyone who can “snoop” the network can view the sensitive information in plain text.
SSL adds an encrypted layer to transmissions of data, which is done at port 443 on the server side. Your browser and the web server “connect” at a layer in which all data, including that from the website and anything your browser sends, is encrypted. If the transmission is intercepted, it cannot be read by anyone snooping. In this way, SSL is considered “secure.”
Many security experts believe that any information you send to a website is best sent over SSL, even when it includes no financial information and you are only providing your name and email address. The majority of websites do not do that today, although Google has been recommending it for some time.
SSL And Trust
SSL provides a layer of trust to your visitors if you are running a website over SSL and have a certificate from a trusted Certificate Authority (CA). Certificate Authorities usually have several levels of “trust” certificates available, ranging from domain-level authentication to the more advanced (as well as expensive and time-consuming) “extended validation,” also referred to as “EV.”
You don’t need to have a digital certificate from a trusted CA to run a website over SSL, but if you don’t, a modern browser will produce large warnings when you visit that site. A certificate from a certificate authority that the browser recognizes will “pass” and when you visit the site, you won’t get any warnings (generally speaking – some elements of a webpage such as images may be un-encrypted when SSL is not correctly implemented) and you will see at the very least, a green padlock in the URL bar in Chrome, Firefox, or whatever browser you are using.
Before an SSL certificate is issued, there are, at a bare minimum, some checks done by the Certificate Authority to ensure it is issuing a certificate to the correct officials or representatives of the domain. Before this occurs, the server the website resides on needs to create a private SSL key along with a CSR, or Certificate Signing Request, that is matched to the private key.
The CSR is then sent to a trusted Certificate Authority, which, depending on the level of certificate requested, will do some validation tests to ensure that the certificate, or public key, that they issue will be sent to a valid representative of the domain. Once the certificate or public key has been sent, it can be installed on the server along with the private key, and at that point, the web server can be configured to listen on port 443 for the domain name in question, providing encrypted communication.
What this does is provide a level of trust to website visitors that they are really receiving and transmitting encrypted data from and to the actual domain and not a domain that has been spoofed.
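The key, CSR and certificate steps described above, as an added example that is not part of the original article: it uses the OpenSSL command line, the placeholder domain `example.test`, constructed file names, and a self-signed certificate standing in for the CA's response. The last function checks that the certificate really belongs to the private key before both are installed.

```shell
#!/bin/sh
# Added example; example.test and all file names are constructed placeholders.

# Step 1 (on the web server): create the private key and a CSR bound to it.
make_key_and_csr() {    # $1 = directory, $2 = domain name
    openssl genrsa -out "$1/site.key" 2048 2>/dev/null
    chmod 600 "$1/site.key"    # the private key stays on the server
    openssl req -new -key "$1/site.key" -subj "/CN=$2" -out "$1/site.csr"
}

# Step 2 stand-in (assumption): a real CA validates the requester and signs
# with its own key; the CSR is self-signed here so the script runs offline.
issue_test_cert() {     # $1 = directory
    openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" \
        -days 1 -out "$1/site.crt" 2>/dev/null
}

# Print the SHA-256 of the public key inside a private key, CSR or certificate.
pubkey_hash() {         # $1 = key|csr|cert, $2 = file
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    pub= ;;
    esac
    [ -n "$pub" ] || return 1    # unreadable input must never count as a match
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# Step 3 (before installing): succeed only when key, CSR and certificate all
# carry the same public key; a mismatch means the wrong key file is in place.
files_match() {         # $1 = key file, $2 = CSR file, $3 = certificate file
    k=$(pubkey_hash key "$1"); r=$(pubkey_hash csr "$2"); c=$(pubkey_hash cert "$3")
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

demo() {
    dir=$(mktemp -d)
    make_key_and_csr "$dir" example.test && issue_test_cert "$dir"
    files_match "$dir/site.key" "$dir/site.csr" "$dir/site.crt" && echo "match"
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null    # unrelated key
    files_match "$dir/other.key" "$dir/site.csr" "$dir/site.crt" ||
        echo "mismatch detected"
    rm -rf "$dir"
}
demo
```

Only the CSR is sent to the Certificate Authority; the private key file is never part of the request.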
Some Myths – What SSL Does Not Guarantee
SSL has often been touted as being a secure method of transmitting or receiving data, and this is true. However, just because a website uses SSL does not necessarily mean that all of the personal data is totally secure. It is only secure with SSL during transmission. The data, once it is received, may reside upon the server in plain text. This has been a major problem for some very large websites that, while they have used SSL, have still had data breaches. The data resided on the server in a non-encrypted format, and sometimes hackers who have taken advantage of some other vulnerability have been able to compromise a server and view the plain text data.
There are other security considerations and best practices that decrease or eliminate that risk, but those are beyond the scope of this article. Suffice it to say that SSL, when implemented correctly, only provides security during the transmission of data.
SSL and Search Engine Optimization
Will having a website that is completely SSL enabled increase your search engine optimization? We don’t really know. Google has come out and said that SSL enabled websites do get a small little bump in search engine rankings – but at the same time, we’ve heard of some webmasters complaining that after enabling SSL site wide, rankings dropped.
The drop in rankings could be due to poor implementation of SSL, however. It’s not a small job to convert a site completely over to SSL. There is still some discussion as to whether or not “link juice” is passed on to sites when the URL prefix changes from http:// to https://.
In our opinion, it’s unlikely, if implemented correctly, that you will see a loss of search engine rankings. We recently implemented SSL on our domain, site-wide, and are monitoring for any changes. So far, we’ve seen a very slight increase in search rankings for some keywords and have not seen any loss of rankings to speak of. But we’ll be sure to update this if anything changes.
I Need Help With SSL!
If you want to implement the security of SSL and you have a fairly large website, it can be time consuming to make sure you get things right. There will be quite a number of things you’ll need to think about, and forgetting about a few of them could cause some headaches.
And yes, the whole idea of public/private key encryption, what needs to be done, and how to implement it can not only be confusing, but can take up time.
We’re here to help you with that. We’ve been dealing with SSL since 1999, when we developed our first e-commerce project for a client. Back in those days, choices were extremely limited; there was only one Certificate Authority, Verisign, and they were very expensive!
SSL certificates are issued for a minimum of a one year period and have to be renewed before they expire. Today, there are a number of different options available to you, and the costs are quite varied. We can help you select the right one for your business, and look after all of it for you.
If your website is important to your business (which it should be), then it’s probably wise to seriously consider Google’s new Webmaster Guidelines and start running your site over SSL. If you don’t run your entire site with SSL, then at least consider running pages that have forms where you are asking for information from your visitors, over the secure protocol. Contact us today and we can help you out.
There were some other interesting changes in Google’s Guidelines and we’ll discuss those changes shortly!