How Google plans to encrypt the web

Google HTTPS

Today Google announced that websites using HTTPS, the secure version of HTTP, will have a better chance of ranking well in Google searches than those that don’t.

In the vernacular, HTTPS is now a ranking signal for SEO (Search Engine Optimisation). It could be an inflection point for web security.

Security is a top priority ... over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal.

By making HTTPS something that impacts search results Google are applying the stick to an enormous security push that’s been all carrots up to now.

Everywhere you look, from better SSL to the tricky business of end-to-end email security, Google are busy rolling out encryption or giving people ways to encrypt things.

Anyone who doubts the energy and seriousness that Google applies to this kind of thing or the effect that it can have need only wind the clock back five years.

In 2009, Google announced they wanted to make the web faster.

Google HTTPSIt wasn’t a soundbite, a speech, a project or a campaign – it was a sea change.

Since then Google has created, amongst many other things, a fast public DNS service, a faster web protocol, tools to speed up websites, tools to make code smaller, an image format to make images download faster and a global content distribution network for commonly used code.

They even built their own web browser with a very fast javascript engine and spent millions and millions of dollars banging on about how fast it was.

Most importantly of all they made speed a ranking signal for SEO.

Making speed a ranking signal punished slowness. It’s what made organisations care.

To understand why, you need to understand a little of how search engines work and how companies approach getting their websites noticed.

Google uses computer programs (referred to as spiders) to read the world’s web pages and index them. The spiders try to determine the subject and quality of each page by measuring a multitude of different factors, known as signals.

The strength of the signals determines where those pages will rank when somebody types a search into the Google search engine.

Good signals means high rankings, more traffic and more revenue. Poor signals can put you out of business.

There are hundreds of signals but they aren’t all equally important – some have far more impact than others. To prevent people from gaming their system Google is deliberately vague about how many signals it cares about, what they are and how much each one matters.

Thanks to a lot of research and some vague pronouncements from Google we have a pretty good idea of what some of the signals are and some idea of their weighting.

According to their blog, HTTPS will start off as a weak signal:

For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

In reality, in my experience at least, even low strength signals get plenty of attention.

Because Google is cagey about what signals are worth, because organisations can’t easily test and isolate their website’s signals and because there is intense competition for good Google rankings those that care about SEO will generally act on any ranking factors that are well defined, regardless of how small their effect.

Companies like nothing better than lists with ticks next to them so if a ranking factor comes down to a simple yes or no choice it gets done.

Before Google made site speed a ranking factor I hardly ever had conversations with organisations about how fast their websites were. Now we always talk about it.

From now on they’ll have something else to talk about – a simple binary choice: “Does our website use HTTPS?”

Increasingly the answer will be yes.