SMX East Liveblog: Google’s Gary Illyes Talks HTTPS & the Future of Secure Search; SEO VIPS Share Data/Experiences with HTTPS
ATTN: INSIGHTS FROM GOOGLE, STRAIGHT AHEAD. Googler Gary Illyes, who we can blame for the HTTPS ranking boost, talks about the future of secure search, Google’s thoughts on secure search, passes along a message from John Mueller, and talks about the possible return of keyword data (scroll to Q & A at end). Eric Enge says he’s seen “no material change” in moving to secure search, and Raza Zaidi weighs in on RSS and WordPress in relation to secure search.
- Eric Enge, CEO, Stone Temple Consulting (@stonetemple)
- Gary Illyes, Webmaster Trends Analyst, Google (@methode)
- Raza Zaidi, VP of Product & Technology, Gigaom (@rzaidi)
Gary Illyes: Insights from Google
“You can blame me for the HTTPS ranking boost.”
Humans have basic needs. Maslow came up with the hierarchy of needs:
We have a basic need for security.
Twitter uses HTTPS for all users by default. Facebook uses HTTPS for all users.
At Google, we had really deep discussions about HTTPS. As a ranking signal, it affects less than 1% of queries. It’s a very lightweight symbol. Relevance and high-quality content are much stronger signals.
In 2014, Search Engine Roundtable migrated to HTTPS.
Later, Cloudfare announced they made SSL available for all customers.
Less than 10% of the discovered URLS are HTTPS – this is a crazily low number. Over time, this should reach 100%. 30% of the queries have at least one HTTPS in the results. I want this to increase.
Objections from Webmasters to HTTPS
- It slows things down. Illyes points out that Google is obsessed with speed — “We are obsessed with speed. We care about every single millisecond.” To that end, he asserts that it is entirely possible to implement secure search and maintain speed.
- It’s just not worth it (my site is just a blog, a small news site, etc.). If humans have a basic need for security, how can you possibly say it’s not worth it? It’s a basic need.
- It’s complicated. It’s really not. I have a degree in journalism; I managed to switch my site in four hours — if I can do it, you can do it, too. If you can’t, I’m very sure your hosting company can do it.
We need to think big – we need to implement moonshot thinking. We want to brave things and things that no one has dared to do before.
Google has Been Brainstorming
If you are going to shop on a site would you go through the checkout process on HTTP? You would probably not. Would you give your login credentials to a page that’s not secure? I wouldn’t. A broken certificate means no certificate at all – we might want to start pointing out to our users if they are going to an insecure page, on all browsers, not just Chrome. This is something we’re thinking about.
Message from John Mueller (via Illyes)
“We heard reports that after switching to HTTPS some people’s rankings dropped. We are actively looking into these reports. We don’t see any correlation to migration. HTTPS should be very transparent and not painful at all. For some people it worked brilliantly and I know that for most sites, it has to work because our index will just handle it well.”
- WordPress VIPS’s implementation of HTTPS uses Server Name Indication (SNI)
- Not supported on XP and old version of IE
- Warnings will be present to user resulting in lost traffic
- Also can support HTTP Strict Transport Security HSTS
- This degrades gracefully so no traffic loss
- Using WordPress plugin to forward all HTTP traffic (from bookmarks, old links, etc.) to HTTPS
- Historical users will have subscribed to the HTP version
- The feeds will be broken; users will need to manually resubscribe to the feeds
- Place FAQs prominently on the site
Eric Enge: HTTPS as a Ranking Factor (or Not)
Stone Temple Consulting switched its own site and tracked URLs, looking at the date the HTTPS was switched over by Google.
We found that of 12 pages indexed, there were 6 improved rankings, 5 got worse, and 1 had no change. There was no material change.
Data from SEO Clarity’s study on HTTPS (looking at 218 million sites including GoDaddy) also showed that SEO Clarity went through no material change.
Stone Temple Consulting found that Digicert had provided Stone Temple Consulting with extended validation SSL Certificate by default. This has a stricter level of validation, caused a 2-day delay in the HTTPS switch, and SSLGuru flagged the certificate as an issue.
In Q & A, someone asks Illyes: “If everything is HTTPS can we please get back our keyword data?
Illyes: “We are in talks with our execs about it. That’s all I can say. I can’t make any promises.”