On August 6, 2014, Google made an announcement that some felt was a long time coming. In an effort to increase the overall data security level of the internet, help combat phishing and scam sites, and push people to update their perceptions of security, Google announced that it would count the use of SSL as a search ranking factor.
This came just a few months after Google’s talk at Google I/O, where it called for an eventual HTTPS Everywhere concept for the web. Like I said, it’s been a long time coming.
Many webmasters now understand that using SSL on their sites will increase their Google search ranking, but there’s a lot of nuance to the situation that many don’t quite understand. Let’s dig in.
How HTTPS Works
HTTPS is the regular, run-of-the-mill HTTP protocol the internet uses everywhere, with an added layer of SSL encryption. Essentially, there’s a handshake prior to any communication, where the browser and the web server establish how the connection will be secured.
This happens in three phases.
- Hello: This is the first phase, where the client – that’s your web browser – sends out a hello message to the server. It contains all the information necessary to make a connection, including what versions of SSL your browser supports and what cipher suites it can use. The server then responds with a similar hello, which determines which level of SSL the server and client can use together. Basically, your browser says “hey I want to make a connection, I have security protocols A, B, and C,” and the server responds with “hey let’s make a connection, I can use protocols A and B; since B is stronger, let’s use that.”
- Certification: This is the second phase. At this point, the client is still suspicious. There’s no data yet to verify that the server is actually who it claims to be. The client then asks the server to prove its identity. It’s a bit like border control asking to see your passport. The client asks for the SSL certificate, and the server provides it if it has one. The certificate is a package of data that includes information like the name of the server domain and its owner, the public key, and a digital signature to prove that it was issued in trust. The client then checks the signature against its list of known certificate authorities and verifies that the certificate is trustworthy. It’s noteworthy here that the certificate authority needs to be a trustworthy entity in and of itself. This will be important in our discussions later.
- Key exchange: This third phase is where the client and server now trust each other and have verified that they both have the right cipher keys to encrypt and decrypt each message sent. Both parties have agreed on a key to use, so messages sent are encrypted before they’re sent and are decrypted when they arrive.
All of this happens in a very short amount of time, unless something goes wrong. The end result is that traffic between your browser and your server is verified to be encrypted. Anyone in the middle – one of the servers ferrying data along the way, for example – will be unable to read the data. It’d be like if your mailman was opening letters between your work and your home; you and work decide on a cipher key and encrypt the data so your mailman, even if he opens it, can’t read the data inside.
The key to all of this is that the security certificates are issued by a trustworthy authority that verifies data about a site before issuing the certificate. Otherwise, anyone could come up with a certificate they issue to themselves and pretend it’s trustworthy.
There are actually different levels of SSL certificate, ranging from a minimal-validation free SSL certificate to high assurance SSL. Lower-validation SSL certificates can be obtained simply through email verification, which is no more secure than the verification on a new web forum account. Anyone with access to your email inbox can potentially obtain this level of SSL. Meanwhile, the higher levels of security for SSL might need specific documents to be verified, or other points of contact.
Every web browser comes preloaded with a list of certificate authorities that can sign a certificate as valid. Certificates that are signed by someone on that list of authorities are valid, while certificates signed by other entities may or may not be valid. Typically, a browser will show a warning when you’re about to visit a site with such an invalid certificate. You can read about all of this in much greater detail here.
It’s also worth noting that an SSL certificate that is self-signed or signed in a fraudulent way will generally be added to a global list of compromised and revoked SSL certificates. This famously happened with the certificate for Lavabit, the email provider Edward Snowden used. Browsers generally update their lists of revoked certificates regularly, but there’s always a delay between revocation and that update, so there’s a small window where a certificate is still trusted when it shouldn’t be.
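The Hello and Certification phases described above, as an added Python example that is not code from the original post. It models cipher suite negotiation, a browser's preloaded CA list, self-signed and unknown-CA rejection, and the revocation-list check; the CA names, serials and secrets are constructed, and the CA "signature" is an HMAC rather than a real asymmetric signature so it runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added toy model of the Hello and Certification phases described above. CA
# "signatures" are HMACs over the certificate body so this runs offline; real
# CAs sign with asymmetric keys and browsers hold only the CA public keys.
# All names, serials and secrets here are constructed for the example.

SERVER_PREFERENCE = [            # strongest first, in the server's own order
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

def negotiate(client_offer, server_preference=SERVER_PREFERENCE):
    """Hello phase: pick the strongest suite both sides support, or None."""
    for suite in server_preference:
        if suite in client_offer:
            return suite
    return None

@dataclass
class Certificate:
    subject: str      # domain the certificate is issued for
    issuer: str       # name of the signing CA
    serial: int       # identifier that revocation lists refer to
    signature: bytes  # CA's signature over subject|issuer|serial
def _body(subject, issuer, serial):
    return f"{subject}|{issuer}|{serial}".encode()
def issue(ca_name, ca_secret, subject, serial):
    """What a CA does after validating the applicant: sign the certificate."""
    sig = hmac.new(ca_secret, _body(subject, ca_name, serial), hashlib.sha256).digest()
    return Certificate(subject, ca_name, serial, sig)

def verify(cert, hostname, trust_store, revoked):
    """Certification phase: the checks a browser runs. Returns (ok, reason)."""
    if cert.subject != hostname:
        return False, "name mismatch"
    if cert.issuer == cert.subject:
        return False, "self-signed"       # no third party vouches for it
    ca_secret = trust_store.get(cert.issuer)
    if ca_secret is None:
        return False, "unknown CA"        # issuer not in the preloaded CA list
    body = _body(cert.subject, cert.issuer, cert.serial)
    if not hmac.compare_digest(hmac.new(ca_secret, body, hashlib.sha256).digest(), cert.signature):
        return False, "bad signature"     # forged or tampered certificate
    if cert.serial in revoked:
        return False, "revoked"           # only as fresh as the revocation list
    return True, "ok"
```

A stale `revoked` set is exactly the trust gap mentioned above: a certificate the CA has already revoked still verifies until the client's list is refreshed.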
Why Google is Pushing SSL
SSL is a measure of security and trust that can help anyone looking to do some kind of ecommerce on the web. It helps verify the identity of a site. SSL certificates are only issued to sites if those sites can prove that they are trustworthy, and only if the site is verified to be not malicious.
For example, if I made a site with malware that is downloaded on a time delay after the user lands, I would not be able to get an SSL certificate because they won’t add security to malware. If I tried to register bankfoamerica.com (or some other typo) to clone the BoA site to steal user information, I wouldn’t be able to get a security certificate because I would not be able to prove that I’m actually Bank of America.
So, SSL allows Google to help prevent fraud online, and keep people safe while they browse the web. It encourages trust and helps prevent future issues with data snooping. It’s also a subtle or not-so-subtle jab at global governments that want to obtain Google’s data; if Google doesn’t have the data in an unencrypted form, it can’t provide that data.
Concerns with SSL
Switching to SSL on your site usually benefits your SEO, but in rare cases, it could actually be a detriment. It’s a very minor ranking factor; just something Google has done to encourage adoption, not something that warped the very face of search forever.
Most importantly, switching from an HTTP to an HTTPS URL is a change of URL, and since Google search results rely on the URL as the unique identifier of the page, you can lose some search ranking if you don’t properly redirect your old URLs.
You can read our post about the concerns of switching to SSL here.
One of the largest concerns for smaller sites and blogs, though, is the cost of SSL. SSL certificates can be free, but they can also range all the way up to $1,500 per year. It all depends on what level of security you want, what issuer is giving you the certificate, whether you need a multi-domain or wildcard certificate, if you’re securing a blog or an ecommerce platform, and what level of encryption you want.
For a small blog, the prospect of paying hundreds of dollars every year for something that isn’t tangibly increasing your search ranking and isn’t providing any real useful security – since a blog doesn’t need a members portal and comments generally use their own secure logins – is obnoxious. That’s why people turn to free SSL certificates.
The Issues with Free SSL
There are three major issues with free SSL certificates.
- They might not come from a globally trusted certificate authority.
- They might not be very well encrypted.
- They might have a higher rate of certificates being revoked.
Let’s cover each of these issues one at a time.
The first one is that the certificate authority that issues a free SSL certificate might not be all that trustworthy. If you’re getting a certificate from someone like GoDaddy, VeriSign, Thawte, or GeoTrust, you can be pretty certain that your certificate will be listed in pretty much every web browser. These are older companies with a lot of power, a lot of protections in place to avoid giving SSL to bad sites, and a high chance that their SSL certificate won’t be revoked.
On the other hand, if you get a certificate from Bob’s Security Shack (in Partnership with Bob’s SEO Shack), what are the chances that every web browser lists them as a secure and trusted certificate authority? Some browsers might not list them at all, or they might not update their list very frequently. You might get SSL, but it won’t be trusted and will throw errors at any user who tries to access the site via secure, encrypted browsing.
Even Google has a sliding scale of trust in various SSL certificates. Depending on the issuer of the certificate and the level of encryption, Google might or might not actually trust the certificate at all. Adding that SSL certificate to your site could do nothing to your SEO, or it could hurt your site when those errors start popping up.
The second possible issue is one of technical details. SSL comes in various flavors and strengths. Weaker encryption is generally cheaper, and it’s faster and less resource-intensive on clients and servers, but it’s easier to crack. Powerful supercomputers can crack weak encryption fairly easily. Individual hackers won’t have access to that kind of power, but state actors, the government, and larger hacking groups with a botnet might be able to pull it off.
You can bet that any free SSL certificate is going to be about the weakest possible encryption that you can get without being worse than no security at all. In fact, free SSL was generally only meant for the absolute most basic security; logins for forums, logins for blog comments, simple membership portals and the like. Anything that uses actually sensitive data, like credit card numbers, needs better security.
The third issue is the security of the security. Free SSL certificates are not issued to one specific agency; they’re generally shared amongst many domains and servers. There are a lot more potential points of failure, and as such your free SSL could be compromised by an attack on a completely different website. It would be like hackers stealing the master key to an entire apartment building; you kept your doors locked, but it doesn’t matter if the landlord didn’t.
Should You Consider Free SSL?
Honestly, no. I would generally never recommend a free SSL certificate for any business that wants to take SSL seriously.
Free SSL can, potentially, be fine for very basic security. If you have a membership portal on your site that gates extra blog posts, you want SSL of some kind. You absolutely need a better SSL certificate for your payment processing, but your login portal doesn’t need more than the basics.
There are simply too many risks associated with free shared SSL certificates for me to feel comfortable telling you to use one. Instead, just aim for one of the cheaper existing options. Comodo’s essential SSL package is under $30 per year, and other SSL certificate authorities have similar cheap products for people looking to add basic security to their sites. You don’t need one of the $1,500 certificates.
In fact, paying for such a high-cost certificate is overkill for all but the most sensitive sites. I’m talking government sites that handle personal information like SSNs and tax documents. I’m talking about banking websites. These kinds of sites need their expensive, high-end SSL. For the rest of us, with simple ecommerce platforms or blogs with basic membership portals, the cheaper versions of SSL will do. You can get decent security for a relatively low price, so there’s no reason not to do it. Just make sure you implement your SSL properly, to avoid the common SEO pitfalls.