On August 6 2014, Google announced that it is starting to use HTTPS as a ranking signal within the search results.

While on the face of it, this might not seem like big news, it's another instance of Google using its influence to put pressure on websites to conform to what it considers best practice.

Google has said that right now HTTPS is a very lightweight signal which will affect less than 1% of search queries globally, but it has stated that this may change over time as Google encourages all site owners to switch from HTTP to HTTPS.

As a result of this, we anticipate that secure and encrypted connections will become the norm for all websites in the future.

The S in HTTPS stands for Secure, so this change essentially means that any websites using secure and encrypted connections across their domains will benefit from this ranking update.

This formal announcement follows comments from Matt Cutts (Head of Web Spam at Google) at SMX West in March, where he said that he would like Google to make HTTPS a signal within the search rankings.

Read on for more information about the implications of this change, and for further insight into other ranking factors download Econsultancy's Search Engine Optimization (SEO) Best Practice Guide.

Why has Google made this change?

Google doesn’t control the web, but increasingly we are seeing Google use its influence to put pressure on websites to conform to what it considers best practice. Google coerces website owners by penalising websites which don’t use the standards it considers as best practice and Google has done this before with site speed and mobile design.

In 2010, Google announced that site speed was a ranking signal and in 2013, Google confirmed that sites which are not mobile friendly would not rank well.

As a result of Google penalising websites which were slow and not mobile-optimised, sites were forced to address these issues in order to avoid losing visibility within the search results.

Since 2010, Google has been experimenting with encrypting search results and over the last 12 months it has made strides towards encrypting all its services. In September 2013, Google confirmed the rollout of encrypted search to all users and in April 2014 it expanded secure search to all clicks made on paid ads.

Other search engine providers including Bing and Yahoo have also embraced the move to encrypting search results and consequently the vast majority of search queries made today are now encrypted.

What are the implications?

As a result of this change, we anticipate that secure and encrypted connections will become the norm for all websites in the future rather than being limited to, as it is currently, primarily ecommerce websites.

Google has clarified that right now HTTPS is a very lightweight signal which will affect less than 1% of search queries globally, but this may change over time.

Ultimately this is good news for users on the web as sites using HTTPS encrypt the data between the browser and the site, thereby protecting the security and privacy of what a user chooses to do on that site.

What could this look like in the future?

Since July 2014, Google has alerted mobile users when a site is likely not to be compatible with their device. Sites using incompatible technologies like Flash have lost significant click share as a result of this change.

In the future, and it likely won’t be before many months, it’s possible that Google could alert users when the site does not use HTTPS.

Now: Google alert users about Flash on mobile devices:

 Google warning users website not mobile friendly

Future: Google could alert users that a site may not be secure:

Google warning users website not secure with HTTPS

What does this mean for businesses now?

All businesses with a website should consider using HTTPS for all the content on their websites as this will likely become the global standard and in addition, there will be a small marginal benefit within the Google search results from doing this in the short term.

For businesses with websites already using HTTPS, they need to check whether this is being used across the whole domain or just on specific pages where sensitive data is transmitted. Google has been clear in this announcement that it wants websites to use HTTPS across all the content on the website, not just checkout or login pages.

How should HTTPS be setup?

The main items that will need to be addressed are the following:

  • Appropriate choice of single-domain, multi-domain, or wildcard certificate.
  • Use of 2048-bit key certificate.
  • Use of a web server that supports HTTP Strict Transport Security.
  • Use of relative URLs for resources that reside on the same secure domain.

What do you think?

Do you agree that this move from Google will mean that secure and encrypted connections will become the norm for all websites in the future?

David Towers

Published 11 August, 2014 by David Towers

David Towers is Director Search and Digital Projects, EMEA at MEC and a contributor to Econsultancy.

6 more posts from this author

You might be interested in

Comments (10)

Save or Cancel
Pete Austin

Pete Austin, Founder and Author at Fresh Relevance

HTTPS is not the same as Secure.

For example, when Heartbleed (a major bug in the code implementing HTTPS) was announced, my company patched within a day and most major sites patched within a week. But a lot of sites still haven't bothered, months later:

"When the Heartbleed vulnerability was announced, we found 600k systems vulnerable. A month later, we found that half had been patched, and only 300k were vulnerable. Last night, now slightly over two months after Heartbleed, we scanned again, and found 300k (309,197) still vulnerable. This is done by simply scanning on port 443, I haven't check other ports. This indicates people have stopped even trying to patch."

I predict:
(a) Google will have add vulnerability scanning, if it's serious about using HTTPS support as a valid signal
(a) There will be an increase in sites using cheap SSL certificates of dubious security value - not because of the technology but because of potential attacks on the providers - and hence SSL will be somewhat weaker.

about 4 years ago

David Towers

David Towers, ‎Digital Partner & Head of Search, EMEA at GroupM

Great insights, thanks for sharing Pete. Yes you're right in that HTTPS doesn't mean secure, but it should do if done properly. It's shocking how many sites are still vulnerable post heartbleed.


about 4 years ago

Daniel Phillips

Daniel Phillips, E-Commerce Manager at HJ Hall

Going to be interesting to see many sites (not really talking about large ecommerce entities) struggling to get to grips with SSL.

Some of the free certificates have issues on some devices and platforms (but usually older ones) and then there are issues with third-party code (such as social sharing code, analytics code, embedded content, etc.) as well as issues with CDN and caching implementation.

All of these are doable, but there's going to be some blooded noses on the way. Also going to be some confusion for users who will be faced with countless error and warning messages on lots of sites.

All for a small, and possibly unnoticeable benefit on Google (although potentially a major factor in the future?).

about 4 years ago

David Towers

David Towers, ‎Digital Partner & Head of Search, EMEA at GroupM

Hi Daniel,

Yes you're right, moving to SSL will definitely cause a headache for smaller sites and there will be some difficulties along the way like getting external plugins to work.

I still think it'll happen that in a few years time we'll look back in surprise at the number of sites that weren't on HTTPS!


about 4 years ago


Robert Moore

What about link juice from the http:??? will it count?

Presumably we will have to put in 301 redirects?

almost 4 years ago

David Towers

David Towers, ‎Digital Partner & Head of Search, EMEA at GroupM

Hi Robert,

Yes with 301s in place, the link juice should flow over from HTTP to HTTPS.


almost 4 years ago



Apart from confidentiality and integrity of data transferred over SSL, the server certificate provides some degree of identity assurance, and it has been this that has encouraged some organisations to adopt SSL more widely than just for authentication, profile and checkout/payment pages.

All administrative web sites (e.g. CMS) ought to be SSL only already, because you really do want to protect that data in transit, and be certain which website you are logging into.

If you use HTTP cookies for session management of logged in customers, and those are ever sent without using SSL, you have undermined almost all the benefit of using SSL for logging in. The session can be hijacked.

I have recently helped with a number of organisations who in the end self-selected to go "SSL only", just because it was easier to do than try to offer the same customer experience in mixed mode. They both set up 301 permanent redirects between the previous non-SSL and new SSL URLs. The feedback was generally nothing. No-one noticed any problems. The processing overhead on the customer browser and on the host termination point is generally never ever a problem nowadays. And you don't need to think "free" certificate; there are plenty of low-cost options that are reasonable for most purposes; the time to acquire and install the certificate will be much higher than the purchase cost.

@David I really liked that you mentioned the HTTP Strict Transport Security header in your section "How should HTTPS be setup". A couple of other lesser points might be "Consider EV certificate" and "Consider only using SHA-2 signed certificates".

And yes, as other people say SSL doesn't mean "secure website". There are plenty of other things to do, and get right.

Clerkendweller (HTTPS on .UK)

almost 4 years ago

David Towers

David Towers, ‎Digital Partner & Head of Search, EMEA at GroupM

Thanks Clerkendweller for your input, great to have your perspective on this.


almost 4 years ago



Today, I buy positive ssl from comodo and i have change all of my links from http to https (incl. sitemap, add a new https://www.xxxx.com in my google web tools) then i use 301 to https in my htaccess. and after few hours(means now). my ranking from 3 drops to nowhere.... please explain is it only temporary? because all of my backlinks is pointing out my http link,

Do i need to building link from "zero" again for my https?


almost 4 years ago

Osvaldo Spadano

Osvaldo Spadano, Founder and CEO at Akoova

In this blog is my analysis: "Why Google’s advice on HTTPS will screw your Magento site" (although this refers to Magento, most of the content is relevant to any website) - http://www.elastera.com/blog/why-google-advice-on-https-will-screw-your-magento-site/:

* Why HTTPS is bad for Magento Enterprise
* Why HTTPS increases Page Load time
* Why HTTPS on CDN can be expensive
* How secure connections can actually reduce Page Load time
* The challenge ahead


almost 4 years ago

Save or Cancel

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Digital Pulse newsletter. You will receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.