SSL encryption has always been essential for e-commerce sites and any sites that process sensitive personal information. Google’s recent announcement that SSL improves search ranking gives website owners one more reason to adopt it.
The focus on SSL (which enables the secure “HTTPS” protocol in browsers) is part of a larger campaign by Google to improve security across the Web. As Mashable reported in July, Google has also introduced a new program called Project Zero. Project Zero will be a new subdivision of the company, populated by hackers who will work full-time to enhance security throughout the Web. It is an attempt to reduce the extent to which companies and independent users are vulnerable to malicious attempts and software bugs.
HTTPS Everywhere (also called SSL Everywhere, or AOSSL for Always On SSL) has been a rallying cry from the SSL certificate community for years; however, for certificate authorities (CAs) such as Symantec and DigiCert, blanketing the Internet with SSL is tied to a profit motive. That’s why Google’s announcement was such a game-changer. To be clear, SSL everywhere is not just about having standardized encryption (which itself is virtually hacker-proof) on more sites. It’s about having it, well, everywhere – on every page of a site, rather than just pages where people fill in passwords or payment data.
Project Zero and Google’s newfound commitment to HTTPS everywhere are part of a continuing response by the Internet infrastructural elite to the discovery of the Heartbleed bug earlier this year. Heartbleed is a major vulnerability in OpenSSL, a tool that had been trusted as a core protection for sensitive user data on major websites including Facebook, Netflix, and Google (yes, that’s right, Google… hmmm, is it possible this renewed focus on security is a form of penance?).
Heartbleed allowed any Internet user to retrieve a portion of the memory from servers on which OpenSSL was installed. Although there was confusion at first about whether the cryptographic keys themselves were exposed, security and content delivery powerhouse Cloudflare demonstrated in April (through its Heartbleed Challenge) that the keys could be stolen as well, giving intruders unlimited access to incoming and outgoing data.
SSL now improves SEO
As you can imagine, once Google announced its commitment to the AOSSL concept, two activities quickly began:
- impromptu parties at all of the SSL CAs and resellers;
- debate over whether or not it had been built into the algorithm as a ranking factor.
Fast-forward from April to August 6, and the second activity ended (although the first one grew more boisterous): Google announced on its Webmaster Central blog that the company was going live with HTTPS as a factor in search engine rank. Since April, the tech giant had completed a series of tests to detect SSL encryption through its Web-crawling spider. The tests were successful, and given wider concern about security among industry professionals in 2014, Google moved forward with inclusion of SSL.
Don’t worry if you do not yet have SSL on your website, though. Google mentioned that the factor is “lightweight” at the outset, impacting under 1 out of every 100 searches worldwide. Content remains a much stronger element than security at this point, so that website administrators have a reasonable opportunity to install SSL rather than being caught off-guard by the new policy.
Samantha Murphy Kelly of Mashable noted that preparation is, in many cases, less involved: SSL is currently installed on more than half of sites Internet-wide – 56%. Now all those sites need to do is extend the HTTPS protocol to all of their pages, bringing them in line with the SSL everywhere movement.
Sales Dominance & EV SSL
SSL has been a recognized standard to protect customers for many years. Numerous case studies have been completed by certificate authorities showing the value of SSL, usually with emphasis on the high-end extended validation (EV) certificates. The EV certificate, which turns the address bar green – for “go” – in most Internet browsers, rests on a thorough domain and organization validation process. It was developed by the Certificate Authority & Browser Forum to allow companies (after going through a more rigorous vetting process) to show off their credibility directly within the browser.
Various certificate authorities have published case studies of the extent to which extended validation increases conversions. For example, GeoTrust claims their EV SSL certificate improves sales 20%, while a VeriSign (now called Norton Secured – which, like GeoTrust, is a Symantec brand) EV case study revealed 30% higher conversions.
Google Best Practices
Following the announcement that Google was including SSL in its algorithm, Search Engine Land summarized the company’s best practices for SSL adoption:
- Figure out what type of certificate is best for your site: single (which covers one domain or subdomain), wildcard (which covers all subdomains), or multi-domain (which covers numerous sites under one umbrella).
- Choose the highest available key length of 2048 bits for the certificate.
- Relative URLs should be used for any files within one HTTPS domain.
- Protocol-relative URLs should be used for any additional domains.
- Switch your site to the secure protocol, with instructions by Google.
- Make sure your site does not prevent crawling with robots.txt.
- Make it possible for Google to index your pages, noting that the noindex robots tag makes a page invisible to the search engine.
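A small audit for the URL, robots.txt and noindex items in the checklist above, as an added example (not code from Google or Search Engine Land). The host names, sample HTML and robots.txt are constructed, and the finding labels are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
from urllib.robotparser import RobotFileParser

# Tags whose src/href/action load or submit data (plain <a> links are skipped).
RESOURCE_TAGS = {"script", "img", "iframe", "link", "form", "source"}
URL_ATTRS = {"src", "href", "action"}

class HttpsAudit(HTMLParser):
    """Collect checklist findings for one page served from site_host."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() in ("robots", "googlebot"):
            if "noindex" in (a.get("content") or "").lower():
                self.findings.append(("noindex", tag, a.get("content")))
        if tag not in RESOURCE_TAGS:
            return
        for name, url in attrs:
            if name in URL_ATTRS and url and url.lower().startswith("http://"):
                same = urlsplit(url).hostname == self.site_host
                kind = "use-relative" if same else "use-protocol-relative"
                self.findings.append((kind, tag, url))

def audit_page(html, site_host):
    parser = HttpsAudit(site_host)
    parser.feed(html)
    return parser.findings

def googlebot_blocked(robots_txt, url):
    """True if this robots.txt text stops Googlebot from crawling url."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch("Googlebot", url)

# Constructed sample input (hypothetical hosts shop.example, cdn.example.net).
SAMPLE_HTML = """<head><meta name="robots" content="noindex, nofollow">
<script src="http://shop.example/js/cart.js"></script>
<script src="http://cdn.example.net/lib.js"></script>
<script src="//cdn.example.net/ok.js"></script></head>
<body><img src="http://shop.example/img/logo.png">
<a href="http://other.example/">partner</a></body>"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /private/\n"

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, "shop.example"):
        print(finding)
    print(googlebot_blocked(SAMPLE_ROBOTS, "https://shop.example/private/x"))
```

Each finding names the checklist item it breaks, so hardcoded `http://` references can be fixed before the site is switched to HTTPS.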
Needless to say, security is not the only concern for building and maintaining online prominence. You need a web hosting solution that is affordable, while delivering content reliably and lightning-fast (also a ranking signal). Why choose Superb Internet? In business since 1996, we take confusion out of the cloud. Compare our hosting plans now.
By Kent Roberts
Image credit: Praxis Web Design