The truth about SSL and SEO
To keep this blog ad-free, this post may contain affiliate links and/or paid placement. Click here to read our full disclosure.
Ever since Google announced that SSL-enabled web sites may see a small boost in search result rankings, the blogging community has gelled over getting their web sites "secure". In the midst of the raucous, misinformation about SSL and the true impact it has to blogs floods the discourse. Here's the truth.
Several years ago, Google began to experiment with using the presence of a Secure Socket Layer (SSL) certificate as a rankings signal. In other words, web sites that contain an SSL cert may be ranked higher than those without SSL. Google officially began including SSL as a rankings signal in 2014.
According to Google, this ranking signal affects less than 1% of global search queries.
As I began to consider buying a certificate for ThinkSaveRetire.com, I discovered that the jury is still out on any real SEO benefit to using SSL, and quite a number of assumptions about SSL are flat out wrong. It may not be worth the effort, especially after 2.5 years of running a fairly successful blog.
For instance, this Quora thread seems to suggest that SSL is integral to securing your site and preventing it from getting hacked, and will improve your Google search rankings.
Largely, it's not true.
How SSL works
SSL encrypts communication between the web server and the user (you). That's it. In practice, this prevents a malicious user from intercepting and reading packets of information sent between the server and the user. Retailers and other web sites that handle sensitive information need to support SSL to prevent customer information from being stolen.
Here's the process at a high level:
- You access an SSL-enabled web site (ie: https://www.amazon.com)
- Your browser requests a copy of the web server's SSL certificate
- The web server sends your browser a copy of its certificate
- If the SSL certificate is trusted, the web server will send a digitally signed acknowledgement and begin two-way encryption between the web server and the browser
Because all data in an SSL session is encrypted, it cannot be stolen and read by a third party. This helps to protect usernames and passwords, credit card numbers and other sensitive information from theft during transmission. All financial institutions and online store fronts support SSL.
However, SSL certificates do very little to "secure" your web site.
They do NOT prevent your web site from being hacked. It does not prevent denial of service attacks either, which happen when a collection of web servers flood your web site with requests in a focused and coordinated attack, forcing the server to collapse. I would even argue against the notion that SSL protects our privacy to any large degree.
SSL-enabled web sites are not necessarily "safe". Many phishing scams, for example, support ssl-enabled web sites. It also does not mean that your personal information is being stored safely behind the web server (ie: in encrypted or safe database). SSL only protects data in transmission.
In short, SSL provides a very, very small security benefit in the overall picture of online security.
What about trust? A certificate from a trusted certificate authority "proves" that the web site is owned by a real person with some personal credentials and a credit card. This trust component could make an impact for some web sites, but I would argue that - especially for blogs that only serve up content, the trust benefit with a certificate is hit-and-miss...at best.
Do YOU look for the "https" when you're browsing personal finance blogs?
Does SSL actually improve SEO?
After countless hours of research, I can only conclude that the answer to this question is: inconclusive. Here is an SEO study of 10,000 domains, and the answer they came up with was...somewhat less than data-centered: "Yes, because Google says so".
Not yet convinced? Me either. Here's another study that found a "moderate" increase in SEO ranking, but also warns bloggers not to install an SSL certificate solely for the ranking benefits. If you're thinking about starting a new web site, go ahead and use SSL. Otherwise, it ain't a big deal.
A Moz study found a very low correlation between higher rankings and SSL.
Where does this leave us? It means that any benefit to SEO that a certificate has is minimal, and even those benefits are tough to quantify.
Does SSL negatively affect Adsense revenue?
Recently, I discovered that bloggers saw a significant hit to their Adsense revenue after switching over to SSL. This is because Adsense requires that SSL web sites also support SSL-compliant ads. Google maintains that most ads are compliant, but users across the Internet have reported widespread reductions to Adsense revenue.
Financial Samurai reported on this issue earlier in January: "I spoke to the folks at Adthrive, and they said they’ve seen publishers experience a 30% to 90% decline in ad revenue." Ouch.
This used to be an issue in the past. I have no hard data that indicates one way or another whether this problem continues to exist.
My personal beef with the SSL rankings signal
I vehemently oppose using SSL as a rankings signal, for several key reasons:
- It seems arbitrary. To reward or penalize a web site based on unrelated qualifiers to the search query and content quality seems wrong.
- I reject the notion that SSL makes web sites safer. Like I mentioned in this blog post, SSL only encrypts data in transmission from Point A to Point B, which is a relatively tiny element of overall web site security. Developing secure web sites is a blindingly complex and sophisticated subject and cannot possibly be solved by slapping a certificate on to a web site. If only it were that easy.
- It makes bloggers spend money for no practical benefit. Trusted SSL certificates are not free. Prices range from around $60 a year to hundreds of dollars (or thousands!) depending on the certificate's capabilities. For bloggers who don't transfer sensitive information, this is completely wasted money on a capability that provides very little benefit.
- Encryption and SSL isn't automatically "better". I find it curious that many resources flatly state that SSL is nearly always better than non-SSL. Why? Because data is encrypted. Okay, so what? The vast majority of blogs do not require encryption and the overhead necessary to provide it. Whether this article was encrypted before it was sent to YOU is of very little concern to either of us!
- Encryption takes CPU resources. Although the impact has been minimized with the influx of inexpensive high-powered computer hardware, SSL web sites require additional processing power to support encryption. For blogs that don't need encryption, these are wasted resources.
Moreover, I find it shocking that people find it shocking that the large majority of web sites do not support SSL. The majority of web sites don't support SSL because the majority of web sites simply do not need it, and the additional CPU resources it takes to establish and maintain the encrypted pathway for data that does not need encryption is simply not worth the price of admission.
My recommendation: Do blogs need SSL?
Unless you are transferring sensitive information, blogs do NOT need to support SSL for any technical reason. Blogs, like this one, primarily transfer plain-text data in the form of words and paragraphs. Encryption provides almost no security benefit for most blogs.
But Steve, what if my blog already supports SSL?
No problem. SSL won't hurt anything if you already support it (except for Adsense revenue?). And, according to Google, you might see a tiny advantage in search rankings if you happen to be one of the 1% of global queries that are affected by the ranking signal.
Should I buy an SSL certificate for my blog?
I cannot answer this question for you because only YOU know what is best for your blog. Personally, I believe that the only good reason to purchase an SSL certificate for a blog is because you think that Google will increase the significance of the SSL ranking signal in the future. Otherwise, I would pass.
Besides, migrating an existing blog over to SSL is not a straightforward task, as Untemplator found out recently.
Save your money and focus on writing high-quality content. Quality content is a much more important ranking signal that will always result in better search rankings for your blog.
I have no plans to purchase a certificate for ThinkSaveRetire.com any time soon.