Shared publicly  - 
 
Keeping users' data safe is important, and one of the thoughts behind adding HTTPS as a ranking signal in Google's web-search. HTTPS protects the connection to the website through authentication and encryption.  Find out more in our blog post below. 

Edit: Now there's also more in our help center at https://support.google.com/webmasters/answer/6073543
177
90
bou cho's profile photoMarc Gutt's profile photoStan Quinn's profile photoIan Scott's profile photo
150 comments
 
Nice one, seems like a good time to upgrade server and add a certificate.
 
Well does not get more official than that, thanks +John Mueller , the only thing I do not like about SSL is that tracking queries is getting harder for website owners. At least that is what I have witnessed in wmt on a few sites that have adopted ssl site wide.


 
Hey John,
what about sites that already serve HTTP & HTTPS but use HTTP as canonical URL - should we think about switching?

Does this only count for web search or are all verticals (mostly interested in images :)) also effected?

Cheers
Pascal
 
Interesting but can't help wondering why you would advocate SSL for non transactional or anonymous pages? 
 
+Pascal Landau we use the canonical URLs that are indexed, so if you're serving it on both, but selecting HTTP as the canonical, then we wouldn't see that as being indexed using HTTPS. This is across all websearches, globally. 
 
+Ben Fisher regarding referrers in general, the RFC ( http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3 ) mentions "Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol." -- so that would only be an issue if a HTTPS site links to a HTTP one. If your site is the one being linked to, and if yours is on HTTPS, then you're all set! 

Regarding queries from Google web-search, the query is generally removed from the referrer regardless of whether the site uses HTTP or HTTPS. 
 
Let me ask the GROUP Here, how many of you have a CMS, maybe Joomla, Wordpress or Drupal ... YOU login to an interface and you have FULL admin access so If I was a BAD BOY I would then easily hack your website... Let alone protecting your Site with 3rd party Scanning Tools for Hackers such as Securi or rsfirewall. 

Most People also forget to protect their websites but just because you don't SELL anything does not mean you don't need an SSL...

Let me ask another question
Do you have an Alarm on your Company incase someone breaks into your Business?
 
+William Rock I don't have a CMS. And even if I had one: using SSL is possible without a cerificate. It just throws security warnings.
I think the question from +Lee Stuart is interessting: Why should non-transactional pages be secured by ssl? Where's the users advantage?
 
+Lee Stuart Copy & pasting from +Pierre Far:
Some webmasters say they have "just a content site", like a blog, and that doesn't need to be secured. That misses out two immediate benefits you get as a site owner:
1. Data integrity: only by serving securely can you guarantee that someone is not altering how your content is received by your users. How many times have you accessed a site on an open network or from a hotel and got unexpected ads? This is a very visible manifestation of the issue, but it can be much more subtle.
2. Authentication: How can users trust that the site is really the one it says it is? Imagine you're a content site that gives financial or medical advice. If I operated such a site, I'd really want to tell my readers that the advice they're reading is genuinely mine and not someone else pretending to be me.
On top of these, your users get obvious (and not-so-obvious) benefits. Myself and fellow Googler and HNer Ilya Grigorik did a talk at Google I/O a few weeks ago that talks about these and a lot more in great detail:
Google I/O 2014 - HTTPS Everywhere
 
+John Mueller : Hi John, I would ask for a clarification. Does "taking into account [...] secure, encrypted connections as a signal in our search ranking algorithms." mean that resources that use HTTPS could get better positions compared to resources that do not use HTTPS?

You know, "taking into account" is a very generic expression and it doesn't exactly explain which resources will benefit from this change in rankings.
 
+Jean Phillips the type of certificate doesn't play a role at the moment. AFAIK new certificates have 2048 bit or more keys anyway. If you have something with a shorter key, I'd recommend replacing that regardless of this. You don't need an EV certificate for this.
 
+Jens Weber so I take it you are a dreamweaver kinda guy? SSL is easy to setup your host should have no issues.. Even if it just basic HTML a good Hacker can bypass anything and really have fun... 
 
+Pierre Far : thanks Pierre. A last clarification: has it been deployed internationally or only on some regional versions of Google?
 
+William Rock No , I am sorry. You're wrong. :-) As Dreamweaver is not running native on Linux OS, I am forced to use bluefish or another code editor. If you have a look, how many servers are still supporting SSL2, it seems not that easy you said :-)
 
+John Mueller : sure, but it's possible to be even more clear, if Google wants.  :-)  For example, knowing "where" the change has been deployed would add an important detail.
 
+John Mueller Thanks for the clarification, surely though the quality of the cert should be took into consideration as anyone can purchase a $29 certificate but an EV SSL requires substantially more thorough checks through lawyers, solicitors and costs much more.
 
Hi +John Mueller , does this mean we have to verify at least 4 websites in webmasters tools from now on ? www. non-www, http & https ?
 
+Rob Maas I'd change "at least" to "at most" assuming it's all the same domain :). But yes, if you want to track the data for those versions separately, verifying them is a good thing to do.
 
+Jean Phillips At the moment, it's a good step to at least have the connection secured with a valid certificate. If we notice that it makes sense to add more requirements (eg at least 2048 bit keys, etc) at some point, we might do that. +Ilya Grigorik might have more insights on EV vs normal TLS certificates. 
 
+John Mueller Regarding doing 301 from http to https site wide. All existing incoming links points to http due to lack of certificate.
When swithcing to https, do all these links distribute less page rank when everything is redirected to https site? I know the benefits with ssl, just curious if this redirect is treated differently when it's basically the same page and url but with different transport protocols.
 
+Jean Phillips it also depends on the level of security needed... for example PCI compliance requires different levels based upon the amount of transactions but for a basic site a basic SSL will work but normally recommend a EV cert for Ecommerce as it normally turns the URL bar GREEN and have found in A/B split testing I get more conversions simply because they trust it more... Its more of a mental thing for visitors
 
Month ago when u said "matt wants ssl in everywhere" I think this will a very strong signal for google and I make all my clients web site to tls now u say yes u are true
thanks john
 
+Stefan Janson Yes, they do. But hopefully the small ranking boost due to the switch to HTTPS will (more than) compensate the slight loss of PageRank due to the added 301 redirects.
 
+Giacomo Pelagatti We don't do it for the RANKING we do it for the Security of OUR online business as well for our Visitors. I did a great hangout on a friend that his wordpress site got hacked just before easter and then we created a HANGOUT talking about this exact topic.  

Watch the Video
Is Your Website Secure?
 
+John Mueller, I have been reading through the article - thanks - we will add some Information to our blog article. I have heard that there are some Certificates Google likes better. Trusted Certifiers and Certificates the owner has to identify - any comments on that or the next (german) Webmaster Forum?
 
+John Mueller Just a quick question. There's no option in GWT when doing a 'moving my site' when the domain stays the same but moving to HTTPS - the HTTPS version is not in my drop-down list. Site is auth'd in GWT under both secure and non-secure. Any idea why it's not in the list of sites to 'move to'? Thanks!
 
+William Rock SSL does not prevent those types of hacks. SSL just prevents 3rd parties from intercepting the data between your sever and the client. Your link even shows that as the answer. 
 
From the article:
"But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web."

Why would you increase the strength of a ranking signal to encourage webmasters to adopt a technology. Shouldn't you only increase the strength of a ranking signal because it provides the searcher a better result for their query? Doesn't this contradict Google's stance of, "Don't engineer for Google, just for your users?" Why does Google think that it needs to sweeten the pot (or add a stick depending on how you look at it) to get webmasters to use HTTPS appropriately?
 
+Michael Kohlfürst we currently don't treat certificates differently, I'd just stick to the general recommendations we posted (which AFAIK are covered by all current certificates being sold). If you have older certificates that use <2048 bit keys for example, then I'd update those.
 
+Martin Oxby Unfortunately that's still in work :-/. In the meantime, I'd just use normal 301s. Did you already move things over? I need to get moving too :)
 
+John Mueller this morning you said "we use the canonical URLs that are indexed,, so if you're serving it on both, but selecting HTTP as the canonical, then we wouldn't see that as being indexed using HTTPS"
Can I clarify then - if the same page is available on my site as HTTP if not logged in and HTTPS when logged in, and both are crawl/indexable, would one take priority or would you then start having problems with duplication? Thanks.
 
+Michael Biondi it is just one more level of security I can't access as a hacker and that's good for YOU
 
+John Mueller yeah I've done 301s, Canonical changes, authorised in GWT etc. I'm testing to see a smooth transition for our site and checking no ranking drop by poor implementation on my part. If we can correctly implement on our site then relevant clients can be smoothly moved over too.
 
+John Mueller Hi John, quick question if you've got a minute please? We have already successfully migrated from one domain to another lets say http://www.domainA.com 301 mirrors sitewide to http://www.domainB.com so should we now 301 redirect BOTH http versions of domain A & B to the https version of domain B, or leave the current redirect trail in place going from A to B to https-B?

Many thanks!
 
Time to increase my stock in Verisign.
 
+Jason Meininger I wouldn't rely on this being a clear canonicalization signal on its own. If you have a preferred version that you want indexed, give search engines clear signals (eg rel=canonical, redirects, or both). 
 
+Pete McAllister we follow redirect chains, but I'd always aim to be as direct as possible (try not to chain redirects) -- it's faster for users. 
 
This is bullshit. If your site doesn't capture client data then you don't need SSL. Did someone at Google buy a ton of stock in a CA and this is the half-assed scheme they come up with?

This is like being forced to purchase car insurance if you don't own a car.

Your data integrity and authenticity argument is bullshit as well. Especially seeing that most of the sites on these here interwebs don't give out financial or medical advice. To burden all sites with the same security requirements as YMYL sites, does absolutely nothing to secure the overwhelming majority of users on the overwhelming majority of sites.

Plus if you're running a site that doesn't use a database, the odds of somebody hacking into the root of your site are so slim it's laughable.

So, this is utter bullshit and I'd really like to know what the honest reason for this change is.
 
+John Mueller sorry if I wasn't clear - I read your comment to say that if http has rel= canonical to http and https also has rel=canonical to http, you would not see and credit the https? So if both exist the ideal would be to set http rel= canonical to the https version, and/or redirect to https entirely? Thanks very much!
 
+Julius Muller Google and the rest of the world wants to see secure sites. You don't have to do it. Google is only saying a ranking signal. That does not mean they will rank. So while you this this is BS, you might want to think of your users. If you do not need a secure site then don't do it. But if you want to help make the web more secure then do it. 
 
+Julius Muller is correct. SSL only encrypts data sent between the client and server, it also 'kind of' prevents session hijacking. I absolutely understand the need when sending very sensitive information such as a password, creditcard info and social security number. I always utilize a certificate when I need to, but making it a requirement in the future is kind of pointless. "Ohh thank god this blog is secured". If it becomes more than 2% of your ranking, I guess I'll have to include it as part of our SEO fee and go through the nightmare of setting that up for all of our clients. In my opinion Google needs to worry more about penalizing black-hat SEO. If they feel a site is sending sensitive data unencrypted, then there should be a manual action taken. This should not be part of their algorithm unless they develop it further to detect that the site needs a certificate or not. It is what it is, I don't agree with it, but what am I going to do besides complain about it? Go to Google and yell at them? lol. 
 
Thanks +John Mueller  <sidenote> FYI for everyone whom may want to know this, when you switch a whole site from HTTP to HTTPS  ( with a proper 301 redirect ) +1's from G+ will flow to the new URL. </sidenote>

I must admit, I am a full supporter of a secure web. This is better for the user experience. But, the only downside is for website owners why rely on WMT queries for marketing decisions. My hope, is that marketers will look toward making marketing decisions based on user experience vs just KW queries.

Ping +Joshua Berg 
 
+John Mueller Seems rel canonical from HTTP TO HTTPS vs a 301 makes more sense in instances where a user is on a non secure page and no transaction or user information is used - no harm no foul, or?
 
+Michael Martin I believe for best practice it's good idea to use both. They each provide different functions, as well as some redundancy on forwarding authority.
 
+John Mueller Thanks your your response, I'd also be interested to hear about the impact this could have on backlink authority and anything that might be lost via a 301 (pagerank, anchor text etc) as asked by +francisco leon. I'm trying to weight up benefit vs loss as I've rarely seen a case where some traffic/rankings aren't lost in the short term even when all guidelines are followed.
 
SSL does two things - it secures transmissions and it offers variable levels of authentication as to the identity of the site and it's operators.

Any ecommerce operator abstaining from using SSL on basis of cost under the misguided idea that they don't need site security or identity confirmation can look forward to losing sales.

This is a very good change , and a welcome one.
 
+Ben Fisher the Google search query referrers and the search query data in Webmaster Tools is the same for HTTPS sites as it is for HTTP sites. 
 
+Stefano Gorgoni the SNI extension to TLS enables HTTPS without the requirement for a dedicated IP, and works on all modern environments.
 
The only thing I am concerned with is, why’d an information based website (specifically blogs) have a secure path? It makes sense for Ecommerce models but not everyone out there is asking for online checkouts.
 
Will Google include a step by step guide on how to convert an existing WordPress site to https?
 
+John Mueller Does Websites with https that have existed for years have an added advantage? I believe websites which normally does not have transactions taking place will be spared. As an SEO will be prudent enough to recommend all websites going forward to go for an https secured layer. Thanks
Christy
 
Hi John, thank you for sharing. Just from a dev point of view, why wouldn't you advise against using absolute URLs which have the right protocol and URL format? Surely this combats spider-traps and other various SEO pitfalls? Als you can ensure that every internally linked page will be forced on the https protocol when done right. Cheers, Kevin
 
+Kevin Ellen Not 100% sure I understand your question, but I can tell you that protocol-relative URLs are much easier for development because your local dev machine won't have the right certs installed.
 
Hey +John Mueller I moved my site from http to https last night, and verified both sites in Google Webmaster Tools. The Change of Address does not work, the newly verified https site in GWT doesn't show up in the list, so no change of address is possible.
 
Hey +John Mueller , I have made some tests over https performance and the results shows that the avg load time of a page incresease around 300ms.
On the other hand, I have seen on Webmaster Tools that the days that my webpage loads slower the crawled pages by google decreases, as it logical.
So taking both factors into account would make, in my opinion, little help to SEO as using https would make my page slower and that would decrease the crawled pages by google. Is that true?
 
+Bill Hartzer Those features weren't made for moving from one protocol version to another (but we're looking into improving that), so I'd just use normal 301 redirects (+ rel=canonical, if you want to double that up). 
 
My concerns are that SSL slows pageloads and increases CPU usage, causes backlinks to point to a redirect, requires that the site be re-indexed, requires a dedicated IP + extra server programming, and there are 2 versions of SSL's to choose from.

Anyone can be deceptive in whois so the cheap version of the SSL is pointless. Only the $100 to $400 per year options, the EV's show some promise of company verification.

IMO this is more about authenticity than Google considering security. Most sites don't have secure transactions, just blogs.

I am wondering if a site slammed by Penguin will recover just by this change - I guess not. 2 Years later and hardly anyone has recover from that.
 
I see a huge problem in this.  Last year we moved a site to https only. It took a while for google to reindex all the content under https.  When you do a change like this all of the inbound links you have coming in are pointing to http:// documents.  Now that you're switching to https:// are you not going to lose some of your rankings since your new links will be coming in as https and many of the existing links will be http ...?  What happens if you use a php script to detect if a user is on an http page and redirect them to the same page served https?  Is that safe?
 
+Michael Fever redirecting from http to https is a great idea, if you have your site on https. You can generally set that up in the server control files (eg .htaccess). We do forward the links with the redirects, but as with other site changes / moves, I'd recommend updating the links so that they point to the final, preferred destination where possible.
 
For sure John I understand that but we cannot control the incoming links that other sites link to us.  I mean we can try to get them to update them to https but I'm sure in some cases it would be difficult.  I guess you have to start somewhere right...   So an incoming link to http:// would have no affect on your site that is listed under https://    Does the algorithm account for that somehow?  I have 2 of my sites listed under webmaster tools.  the http:// version has 200 pages indexed while the https:// version has the full 2100 pages indexed.  Any link on another site to the http:// does not help me in terms of ranking up my https:// site.  Am I correct in this thinking?
 
Hi John - will SSL affect only one's organic search ranking or also Adwords performance?
 
+Ohad Hershkovitz The search & ads side are independent, so I can't speak for what might be happening on the ads side. That said, I haven't seen any mention of that for the ads side. 
 
+Michael Fever we forward PageRank through redirects, so if you have those set up properly, for the most part you'd get everything forwarded to your redirect target (which could be your https-URLs, if you have it configured like that). It's great to make sure that links go directly to the final URL, but if you need to handle it with a redirect, that's not the end of the world. If you do use redirects, I'd recommend avoiding chained redirects, and instead just redirecting to the final target directly (it's faster for the user, especially on mobile). 
 
+Maxwell Lamb Do you have a forum thread somewhere where you mention your site? I'm happy to take a look. Protocol changes are pretty harmless in general. 
 
Would moving to HTTPS help with the PENGUIN plunge from 2 years ago? IMO I don't think so. If Google was to say that if a site was Penguin hit, then change to HTTPS, eliminating backlinks, not using 301's, then lift restrictions on that site, this maybe taken seriously. Its no small task changing code on domains and servers to https. This is going to be costly.
 
+Maxwell Lamb there's a manual action on your site, it's not the https part (but the timing looks confusing, so I can see how you might assume that). 

+Graham Ginsberg no, moving from http to https with redirects wouldn't solve webspam issues with links, since they would just get forwarded to the new URLs.
 
Hi +John Mueller We site up our site with https quite some time ago to refer some of our partners. 1 thing I have just noticed is that our website pages work on http or https anyway.  So would we just add both in our site map file and let google compare both or would we bring them in 1 at a time, is it fine to have both within our webmaster tools?

thanks
 
As a CMO of +Atlantic.Net, Inc. it makes me very happy that we are ahead of the curve, with HTTPS in place way before this blog posted. We are the early pioneers of the ISP industry and we have seen this internet evolve to what we see today from the very early days. HTTPS is great for our customers, as we have implemented what Google also acknowledges is best for user experience. Although, we did encounter minor Adwords issues. Also, we are experiencing spikes in traffic, since then. Also the Google Webpage optimizer does not work with https. But overall, we are very confident in our strategy to further enhancing user experience. We are also working hard to make our website faster but some minor challenges due to the switch. Thanks +John Mueller !
 
 
+John Mueller John, how can you find out if there is a manual action on a site?  I have a new site  only about 4 months old and it's using one of the new TLD's.. http://prosports.tips  I'm getting no results.  There was initially some article submissions my partner paid for but they have all been removed now.  Can you take a look?  Do you have a direct email for these kinds of questions or should i just msg through a thread?  I'm in the process of relaunching my websites, many have been offline for 9 months or more.  This is probably a good time to go to https on them all.
 
Everybody is talking about WMT, but what-about the Analytics? Do we need to change anything over there? Especially in tracking code.. the new one obviously. Any thoughts especially from Google would be great!
 
+Maxwell Lamb if you're seeing weird things, and you know there's a manual action, I'd definitely work on cleaning up the manual action first. Get rid of the unknown, so that you can focus on the remaining issues.
 
+William Rock I've watched the whole session as suggested but sorry, nothing found regard to my query! Am I overlooking any hint shared over there?
 
I am sorry maybe it was talked about in the last one not sure. I will see if I can find it today... 
 
+Partha Sarathi Dutta I'd check with the Analytics team (maybe in their help forum) about that. I don't know the specifics there, but I vaguely recall that this wasn't an issue there. 
 
+John Mueller +William Rock May be, we just need to set it as "https://" in place of existing "http://" under "View Settings" in GA "Admin".. but lets wait for expert's opinion! Thanks anyways. :-)
 
+Partha Sarathi Dutta Sorry I was on my Mobile device answering you so I could not post any links easily ...I will get something to you soon
 
+Partha Sarathi Dutta One thing I try to do is to follow the notifications within Google Analytics to keep up with code changes to improve my analytical data needed for Conversion Optimization Analysis to find NEW opportunities. The Cool thing about all these changes in my eyes is that Not Only is Google Teaching Security but Getting it on everyones minds as they have.. Maybe we will have a safer internet because of it... 

Anyhow back to your Question, just as a webmaster would UPDATE and secure a CMS keeping security and content fresh so does Google.. Once I see a Notification from Google talking about a new feature and it develops tools for easy integration such as a simple snippet code that is easy to replace for most. Most of the time these are just to add more ADVANCED Features to Analysts like me, but one thing I enjoy watching is the SECURE Code Changes they UPGRADE for OUR Protection.  Here is a document going further on their BLOG with Secure Sites.

Better data, better decisions: Enhanced Ecommerce boosts shopping analytics
http://analytics.blogspot.com/2014/05/better-data-better-decisions-enhanced.html
 
Hi +John Mueller  Will there be any impact on sites which previously were redirecting (301) https to http to prevent any duplication?  We will basically be reversing this, redirecting all http pages to https.  (Sorry I reposted under correct account)
 
Hello +John Mueller is Google looking for SSL encryption on EVERY page (that's a search target, anyway), or just presence of an SSL certificate on the site somewhere?  As I'm sure you know, images get encrypted/decrypted as well as text (and images tend to be a lot bigger byte-wise than text, unless you're Wikipedia ;-p), so a page like a Pinterest board, for instance, might suffer performance-wise if it's encrypted via SSL.  So, let's say my site has an SSL cert, and it's used just for the login page (and logged-in pages Google won't ever see of course), but I provide the rest of the pages on the site (many of which are good search landing pages) on just http.  Will my non-SSL pages get the ranking boost because Google sees my site has an SSL cert?  Or, do I need to SSL encrypt all pages that are search targets?
 
Thank you +John Mueller for this conversation. I have used information in it in preparing a document on HTTPS for my SEO clients. 
 
Hello +John Mueller, I have two questions :

1- if only few pages of a website are https, and the rest of the website is http, but that these https pages are indexed, the litle https SEO boost will benefit only to these https pages or to the entire http website ?

2- I would be pleased to have a https website, but the main problem for me, and I think for a majority of webmasters, is that it's impossible to change all url of external backlink from http to https, and I don't like 301 redirection to get around this problem. so would it be possible to have in GWT, in the futur, a means to say to google "follow http external url links to my domaine as they were https url" like you already do for external url links with and without www ?

thank you for your answer.
 
Hi +John Mueller, I'm the owner of a Dutch IT magazine (publisher), I investigated if we can move the website to HTTPS, it's possible but not without big consequences. The problem is that advertising is one of our main revenue models, if I change adexchanges like Adsense and Appnexus  to HTTPS we will lose a lot of advertisers. It looks like most advertising material (banners) are still running on non-secure adservers. So Appnexus and Adsense won't serve those anymore, which results in a drop in revenue.

Did Google do research on this department? Or is there a policy change underway that advertisers will be forced to also use HTTPS? Any advice? 
 
+Cliff Ritter That shouldn't have any negative effect, it seems like a natural progression. Technically there's nothing standing in the way of reversing a redirect.
 
+Michael Cottam This is on a per-URL basis. So if just a part of your site uses TLS/HTTLS (SSL is the old version), then just those URLs will be able to profit from this. Simply having a certificate isn't enough.
 
+albert bido Using 301 redirects to allow site moves & changes is a standard operating proceedure and while it's good to minimize such changes, if you feel strongly about making changes to your site's structure, that's what I'd recommend using. HSTS is a mechanism to help discourage users from going to the HTTP version of a site (rewriting the URLs in the browser to HTTPS), but AFAIK for that you'd still need to use redirects as well. 
 
+John Mueller To follow up on previous comments by +Pete McAllister and +francisco leon , I have http and https versions of my site now available. if i force users to the https version, and thereby googlebot's crawl as well, will i lose ranking since all optimization to date was done to the http version?
 
I saw a question awhile back as to whether analytics can handle a change to SSL - the script itself works just fine in both environments .
 
Figures, a week after you were telling all it didn't better. Probably through even you for a loop there. The web is about adapting....
 
Our ecommerce provider Bigcommerce is pushing against this saying it will slow down the site. Is it true most https sites are slower?
 
istlsfastyet.com is useful when it comes to speed questions. Obviously, moving a bigger system to HTTPS is not going to be trivial, so it would be unfair to expect that every site & services switches over instantly. 
 
+John Mueller
Mr. Mueller, can you kindly comment on the following (initially posted by Mr. Ohad Hershkovitz)? :)  "I have http and https versions of my site now available. if i force users to the https version, and thereby googlebot's crawl as well, will i lose ranking since all optimization to date was done to the http version?"  I am in the same boat here and would greatly appreciate your feedback.  Thank you! :)
 
+Rebecca Houser No, you should not lose rankings for a change like this, our systems are pretty good at moving all signals from HTTP to HTTPS. 
 
+John Mueller Wow, thank you so much for your response! And I am most happy with it ;) "Not to fear, Googlebots and John Mueller are here!"
 
Glad to help -- good luck with your site! 
 
Small Bug; switched News website to https, entered new https site in webmaster tools and set preferred domain, old posts began popping up on Google News as 'new stories' but they were old stories. So https switch on 'Google news' may need tweak when first detected.
 
+John Mueller To +Rebecca Houser question -- I completed my switch on 17 Aug, and I have seen a 25% drop in traffic -- keywords have dropped 2-4 places. I am fairly confident that I followed the directions to a tee. A majority of the https site has been indexed now (about 66%), and the http version, according to the site maps, pages are starting to decrease. Based on your response to her, this was not supposed to happen?
 
+John Mueller  Will this be only taking into account whether the page URLs themselves uses SSL, or will it be verifying whether every resource request (scripts, content, XHRs) are also performed via HTTPS? 
 
+John Mueller Do you plan to implement a feature in GWT to handle better the transition between a http a https website? Or do you think 301s redirect are enough to solve the problem? To be honest, I was expecting to have something in GWT, specially if you encourage people to do it. Webmasters would be less scared to see their website rankings' decrease.
 
+Cooper Brislain this is on a per-URL basis at the moment; I wouldn't rule out that it might change in the future (and if you know HTTPS isn't working properly on your site, I'd fix that regardless of anything in search!)
 
+Michel GALIBERT From our point of view, 301s would be enough for us. We discussed adding a feature for that (to help webmasters feel they're doing as much as they can), but felt it would be unfair to add something that doesn't provide any additional value (almost like a placebo). There's definitely work being done to make this transition easier though, and perhaps some of that will end up in Webmaster Tools (or perhaps even in the form of general site-move / site-change functionality) -- it's way too early to make any promises about that though :). If you have ideas for awesome features in that regard, feel free to send them our way so that we can discuss them with the team!
 
Well, the issues I have been experiencing since changing from http to https have been all of my own doing/ignorance. My web site is on shared hosting; I have a dedicated IP and a valid/dedicated SSL certificate. The certificate is for the principal domain, and I have three other domains that still use just the http protocol. Each of my http domains when you access them using the https protocol brings up a duplicate copy of my principal site (the http version is normal) -- Google indexed each of the pages for the section I did not have a canonical link defined which created a ton of duplicate content and a ton of new incoming links to my principal site (not good, not good at all) -- my hosting company is working on the issue as we speak, but the only current fix I have is using the rel="canonical" -- I am not a coder, but was able to ultimately figure out how to place a rel=canonical on each page of that portion of my site (an image gallery). So, the biggest lesson learned that I can pass is DO NOT ignore the suggestion that rel=canonical should be used; do so at your own pearl!

Now that everything appears to be right on my end, I will hope and pray things get back to normal!
 
+John Mueller After i have migrated fully to https, in GWT when I did "Fetch as Google" for my homepage (for testing purpose), its showing 301 redirect. Will this in anyway hamper my indexing on Google. ? Should I delete my older website in GWT and re-submit it ?
 
+John Mueller, there's something I want to bring up, because it's quite a big deal in my case. I run over 200 websites and I don't have a budget to cover all of them with SSL certificates -- even if I pick the cheapest option out there, it would still be too much money -- and I'm on a shared hosting package for which my host won't allow me to add SSL. If I can get to purchase a VPS next year, can I just install openssl and be done with it?
(I worry about my users; a self-hosted certificate would probably make my sites appear as an "Untrusted Connection" message on their browsers... and scare them away.)
 
+Lou SEO with over 200 sites, my first thought is that you're spreading yourself extremely thin, and maybe it would make sense to consolidate those sites into something stronger, that stands on its own (also making maintenance like this easier!). That's independent of this, but something worth thinking about in the long run :). 

If you use self-signed certificates, then your users are going to see certiifcate warnings every time they go to your sites, which I'd try to avoid. This is currently a lightweight ranking factor, so there's no rush to do something half-baked: wait until you can implement it properly, keep it in mind for the next redesign / restructuring. 
 
So true, the Ranking signal is not the reason one should consider implementing, it should be to add that extra level of security for you and the visitor. Another thing to consider when going SSL I would personally take the time for a Security audit especially more for Ecommerce sites but buy fixing server issues, speed as well having a third party monitoring for your site...
Most people secure their company office with crazy alarm systems but forget about their website.. Secure your servers and then focus on the next step .. Conversion analytics think.. Things Not Strings work on your calls to action help google help your business grow.. So much more to think about, and focus on the sites that are priority vs quantity 
 
+John Mueller, this is my case and I would appreciate any help with this.

I run a multi-language online game sites, browser and mobile based. I have user registration, comments, etc. but not critical user data exchange.

I have es.example.com, www.example.com, pt.example.com, it.example.com, fr.example.com wich are the canonical versions of my site in those languages. Then, I have www.example.com, www.example.co.uk, www.example.fr, www.example.com.br (like 20 ccTLDs) as alternate versions, and all of these have as either es.example.com, it.example.com, etc. as canonical versions depending of the language spoken in that particular ccTLD. Finally I am releasing a m.example.com for mobile based.

Also, I have language versions like en.example.ca, fr.example.ca in order to offer also some languages spoken in a country with more than one language.

My question is: If I buy certificates for all of them I'll be spending a lot of money, even if I buy a wildcard for my subdomains, the ccTLDs would need a separated certificate each one, the cheapest option I could found is something like +400 and is still expensive for me :(

So, I was wondering what would be the best practice here, may be only buy a wildcard and then cover all my subdomains (canonical versions), or either use some free options and thus cover everything (ccTLDs, subdomains, etc.)

Thank you so much in advance, I hope I have been clear enough :)
 
+Alvaro Angeloro  One the one hand, this is currently a light-weight signal, so I wouldn't worry about it too much. On the other hand, it feels like you could probably save yourself a bit of maintenance hassle by reducing the number of domains that you're using there, regardless of this change. 
 
It's my feature request hope, +John Mueller that the score be a sliding scale. Take https://www.ssllabs.com/ssltest/ as an example. IT that poorly installs and configures web servers for crypto could get you a grade C or below. Not much use in an SSL if a criminal could break the crypto in 12 hours or more.
 
+John Mueller Thank you for you reply! I will consider reduce the number of domains as you said for those domains where the content is not changing drastically. But I found is good for my users to show local versions of the site where content is targeted to a specific country (they seems to be happy with it) as recommended here: https://support.google.com/webmasters/answer/182192?hl=en&ref_topic=2370587

In resume, even if I reduce the number of domains I'm wondering if certificates would need to be installed in each separate domains or if I install them only in canonical versions would be at least something better than nothing (since local versions "inherit" from my canonical versions)

Sorry for being insistent, but threads like these are really of a big help for webmasters like me trying to improve user experience and make Internet a better place for all of us :)
 
+John Mueller , thanks for your answer and it's interesting to read Alvaro Angeloro's case, too. I already dropped 70 domains since last year, but unless some die out naturally, those sites are all very important for both my business and my personal projects.

Right now, all my sites are hosted on a shared package with no dedicated IP and no chance to install SSL (unless I buy an IP).  Things will hopefully once I move to a VPS, but that won't happen before January/February 2015.

It's OK, John, I'm not concerned about the ranking signal, but about the trust my visitors will put into my site(s). As more and more webmasters install HTTPS, there's a risk that non-HTTPS sites are perceived as too dangerous to visit, so I'm worried about the impact of this factor on UX over the next months, before I move to the VPS.

+Alvaro Angeloro, I'm considering to buy this multi-domain solution by SSL.com: www.ssl.com/certificates/ucc It might turn out useful for you as well, as a multi-domain webmaster. That is, unless we find something better for our needs. Good luck! :)
 
Thanks +John Mueller for this step to make Google works more securely and provide the best user experience.
 
Hi +John Mueller,

We switched our site (https://www.safaribooksonline.com) to https last Wednesday. We setup 301 redirects from http to https URLs. Friday we started to see a traffic decline. As of Sunday our referrals from Organic Search were down 23% from the previous Sunday. Monday looks to be down similar levels. I just checked and we don’t seem to have any manual actions listed in Webmaster Tools. Just wondered if you had any advice to help track down this issue?

Thanks in advance,
Scott
 
+Lou SEO thank you for the tip. There are many multi domain options that are not that expensive.

As for your IP issue, I think you would need to ask for a dedicated IP, since there are certs that could be installed on the same IP for many domains, they would be installed over all domains on that IP. Contact your hosting providers, all of them are taking this into account and providing different solutions.
 
Thanks +Alvaro Angeloro :) Since I'll be moving to a VPS in 6 months, though, I'll postpone SSL certs for now. Not sure if it's a good idea to buy a dedicated IP for just 6 months.
 
+John Mueller  thank you for all your answers here.
Earlier in this thread you said "..so I'd just use normal 301 redirects (+ rel=canonical, if you want to double that up)." I have a few follow-up questions on this (that are not specific to a HTTP/HTTPS migration):
1) Do you mean sending the canonical signal via HTTP header response (in addition to the 301 redirect)? My thought is that a <link rel="canonical"> in the header of an HTML document would never be seen if a 301 is in place.
2) What are the actual benefits of "doubling that up" with both signals? Is the 301 not strong enough to forward authority, PR, equity, etc.?
3) If this double signal is implemented, is there an order of preference within the HTTP header responses? canonical before or after 301 or before final destination, etc.?
Thank you!
 
Installing SSL should be essential not just for eCommerce site owners but also for small business owner to add more secure browsing experience for users or visitors.
 
Hello +John Mueller, I'd like to know if there is a way to migrate Googles' comments from HTTP to HTTPS. I moved my site under HTTPS and I've lost all G_comments :(
Translate
 
+Scott Cipriano There's a pretty large checklist you want to go through when you make a major url change like that.  Are the new pages getting crawled (did you submit them to Webmaster Tools & update the sitemap.xml)?  Did you update the canonical links to show https instead of http?  Did you update all of your internal links to use relative/or https links?  Are you showing mixed content on any of your pages?  A whole lot of things that could go wrong.....
Add a comment...