A couple months ago, amidst some of the strongest controversy over privacy to date, social activists organized Reset the Net. The goal was simple; if the government wouldn’t take action to protect the online privacy of citizens, citizens would take action to protect themselves. A wide variety of businesses and websites joined in to secure their sites with encryption, including Mozilla, WordPress, Google, CloudFlare and Dropbox.
The goal was to promote security and awareness for both businesses and users, to make it more difficult for organizations like the NSA to spy on either one. Websites added full-site SSL, while users were encouraged to use applications to encrypt their phone and desktop communications.
What does any of this have to do with marketing or SEO?
A few weeks ago, Google came right out to say it; a secure site is a search benefit. To summarize their points: security is a top priority and secure sites earn more trust from their users. Therefore, Google has started to encourage SSL use on sites by making it a ranking factor.
A secure site is a beneficial search signal, but as yet it’s a very minor one. If you had two sites with identical hosts, content, link profiles and everything else, fighting neck and neck for traffic, the site with HTTPS would win. In every other circumstance, SSL is a minor enough factor that it won’t make much of a difference. Still, it’s not a bad move to make, all things considered. Chances are, if you’re a web store selling any kind of product, you’re already using SSL on part of your site. All you have to do is extend it to the rest of your site.
Making the SSL Migration
The first thing to know is that this mandate from Google is in regards to site-wide SSL, not just SSL on your checkout pages. This means, among other things, transitioning your site to a new URL: the HTTPS version instead of the HTTP version. You’re going to need to use Google’s site move tool and/or a mix of 301 redirects to make sure your SEO benefit passes from the old URL to the new, even though it’s just one letter.
Google gave out some recommendations for using HTTPS properly:
• Pick the right certificate; you don’t need a multi-domain certificate for only one site.
• Use 2048-bit encryption.
• Use relative rather than absolute URLs.
• Make sure you aren’t blocking the Googlebot after the migration.
• Make sure your redirects are correct and that you aren’t using rel=”canonical” to flag the wrong version of pages.
Some webmasters have some valid complaints, which will be addressed either by Google or by their fellow webmasters around the net. Some are covered below.
The Benefits of Site-Wide SSL
Security: The first and most obvious benefit of site-wide SSL is pure security. All traffic to and from your webpage is encrypted, meaning nothing the user does can be snooped on by a third party. This extends from your product conversion pages to your contact page, your live chat and your newsletter sign-ups.
This is doubly important for e-commerce security. Most of the time, when an e-commerce site is compromised, it was through a loophole in the unsecured parts of the site. If no part of your site is left unsecured, you’re going to be much safer against intrusion. That’s not to say it’s completely impossible – nothing can provide that guarantee – but it’s much less likely you’ll be compromised.
If you use site cookies or a site-wide login profile, site-wide SSL can make sure everything there is secure. Secure cookies are not retrievable by a third party, making them more protected. With site-wide logins, full SSL ensures even their username is sent through an encrypted channel, rather than in a plaintext way where it can be sniffed and logged.
The Drawbacks of SSL
Connection speed: Polling the SSL certificate every time a user connects to a new page slows down your site a bit. In the unlikely event that the security check fails, it causes a page to fail to load or display an error message. Of course this is all highly variable; a fast site with SSL will still be faster than a slow site without it.
Price: SSL certificates are not precisely inexpensive. Larger businesses or users owning multiple domains will need to get more expensive, expansive SSL certificates. It can be a complex task to identify the best place to buy the right kind of certificate for your needs.
SSL also throws a wrench into certain forms of third party content. If, for example, you have your images or scripts served up by a third party, there can be issues with those loading on fully secured websites. Additionally, some advertisers and ad networks restrict your ability to use their ads when your site is completely secure.
Alternatives to SSL
Some webmasters are wary about using SSL, with a few of the issues it has had over the last few years – Heartbleed in particular – and the issues it can cause with CDNs and latency. With all of the power of SSL lying in the hands of the certificate authorities, those authorities become primary targets, and a single compromise can ruin thousands of sites.
Unfortunately, there’s no singular viable alternative to a solid SSL implementation. Even though such compromises are hugely visible when they happen, they’re extremely rare. The alternative security options are generally not as widespread or as adopted, meaning you lose out on some significant traffic by not having them. Plus, they don’t give you the search boost that SSL does, as per Google’s announcement.
At the moment, it’s a good idea to either ignore SSL completely and keep your site up to date, or to implement site-wide SSL. Using SSL for nothing more than submission boxes and product checkouts is viable, but the push towards site-wide SSL is growing in momentum. Sooner or later, you’re going to want to adopt.