“SSL Everywhere” is one of Google’s focuses. With that in mind, in February we looked at SSL/TLS and how it affects your website Search Engine Optimization (SEO). Websites use TLS to secure all communications between the web host server and the user’s web browser.
When you visit a secure website your browser will alert you with a green padlock in the address bar and change the protocol component of the URL from HTTP to HTTPS.
Secure Sockets Layer, aka SSL, has been around a while. Netscape brought it to life in the early 90’s. Out of SSL version 3.0 came Transport Layer Security (TLS) v1.0 which has progressed all the way to v1.2 (2008). Note the repeated use of the word layer in the name. Think OSI model for all you propeller-heads.
Even though SSL v3.0 was deprecated in June 2015, the mechanism is still commonly referred to as SSL. You can define SSL as being the Cryptographic protocol that provides communications security over a network. In everyday use, it provides protection from eavesdropping and tampering. Think WiFi in a public place, say Giant Foods cafe, or Starbucks, or the airport.
When referring to SSL Certificates and website applications, we really mean TLS 1.2. For today’s purposes, we’ll continue to refer to the protocol as SSL.
Alright, so what does this have to do with Google, and SEO?
In August 2014 Google published a blog post on its Webmaster Central Blog with a hint of what was to come.
… we’re starting to use HTTPS as a ranking signal
… for now it’s only a very lightweight signal
… we may strengthen it [ … ] to encourage all website owners to switch from HTTP to HTTPS
Then in December 2015, Google dug in a little deeper stating that HTTPS was going to influence page rank.
[We are] adjusting indexing system to look for […] HTTPS pages
When two URLs from the same domain […] are served over different protocol schemes, [Google will] typically choose to index the HTTPS URL
As a website owner or developer, what can you do?
- Move your sites to HTTPS
- Free Let’s Encrypt SSL certificates
- Purchase one at GoDaddy
- Use protocol relative URL’s for known insecure resources outside your domain
- Use relative URLs for resources in your domain
- Check out Google’s Site Move Article for guidelines
Best practices for dealing with HTTPS
- Decide the kind of certificate you need: single, multi-domain, or wildcard certificate (Ref: dnsimple.com)
- Use 2048-bit key certificates (current default)
- Don’t block your HTTPS site from crawling using robots.txt
- Allow indexing of your pages by search engines
- Test the security of your existing HTTPS site with Qualys Lab tool
- Force HTTPS using .htaccess file
Resources
- Wikipedia article on TLS
- Google Webmaster Central Blog post – August 2014
- Google Webmaster Central Blog – December 2015
- SSL Server Test
- Inmotion Hosting Excellent primer on using .htaccess to force HTTPS on your site
We had a lively discussion about the topic. I expect that we will dedicate a portion of the March meeting to address questions that came up.
Ideas for Upcoming Meetings?
Feel free to ask questions, offer feedback, or suggest topics for an upcoming meeting via the form below.