Shared publicly  - 
SEO implications of entire-SSL site

It's been said that the whole web should be SSL [1,2]. However, website owners care a lot about SEO and there's a potential SEO penalty to SSL. Not certain, but it's a risk and maybe one Google could mitigate with a more explicit policy.

There are at least two reasons search engines may penalise https URLs: (a) they may consider it more likely to be a private URL and/or a misconfiguration by a hapless webmaster just asking to be taken down a notch; (b) if it's a migration from http to https, http forwarding is necessary and there might be a duplicate link penalty. +Matt Cutts addresses the second situation here, and is frankly tentative at best.

(And to the contrary, it's possible some search engines will consider SSL sites to be upstanding citizens deserving of a juice bump, similar to fast loading sites. OTOH SSL is still a potential performance hit, albeit much smaller these days, so performance might be another, indirect, reason for penalty.)

Whether (a), (b), neither, or both apply to Google or any other search engine is hard to say, because secrecy. It's a risk of unknown unknowns. I hope to take the plunge soon with

1. by +Mike West 
2. by +Tim Bray
Andy Gambles's profile photoArthur Guy's profile photoNazario Saravia D.'s profile photoJeremy Murphree's profile photo
HTTPS-only sites are fine, there's absolutely no need to shy away from that if you implement it properly. There's certainly no penalty involved with running your site on HTTPS-only when done right. A few of the things that come to mind are (definitely incomplete, just from the top of my head):
- don't forget the http->https redirect & other canonicalization things
- look into HSTS
- list the https site separately in webmaster tools (it's a different site)
- make sure the infrastructure can handle the higher load (SSL, caching, etc)
- check out the differences wrt. caching
(none of this is probably new to you though, hah :))
Thanks +John Mueller. Is there any penalty risk though of migrating an existing site to go all-HTTPS (with redirects from the old HTTP)?
No, no penalty. Essentially, it's the same as any other site-move in that it can take a bit of time to be processed (depending on the site), and that you might see fluctuations while it's moving all of the signals over to the new URLs. 
Why should static information-type websites be HTTPS? Web apps should definitely be HTTPS, like everything with a login page; but why would my restaurant's website be HTTPS-only?
+Dor Kleiman that's sometimes advocated for increased privacy, though I was thinking more about hybrid sites here (ie with public pages that can be logged into).
PS ssl for a public site also helps to ensure integrity of the content. e.g. your friendly neighborhood ISP can't dump in javascript ads. 
Put yourself in Googles shoes, by using SSL you show the search engine that you're a real verifiable entity who is taking care of privacy and security, something a spammer wouldn't easily demonstrate with all their throw away random spam domains.  At the end of the day, SSL is just a protocol, if it has an affect, it would be tiny compared to good quality content.

As for SSL being needed for general pages, sadly today with ISPs doing strange network activity (adding ad-links, concatenating JavaScript (O2)), governments with over-powering laws for monitoring and censorship, and for people discovering just how easy it is to intercept HTTP traffic across a network, SSL is a small price to pay to help protect against all that.
To be clear, just as there is no inherent disadvantage, there is also no ranking-advantage from using SSL in web-search, so I wouldn't use it in the vague hope that Google's algorithms will value the website more. There are good reasons to use it (and maybe soon it'll be something that's just default & expected from the start), but that isn't one of them. I'd love to see more sites using SSL, but as with whether or not the HTML is valid on a site (to pick one other similar thought), this doesn't seem like something which automatically makes a site more relevant to a user's query. 
I don't think the small rise of cost for enabling SSL is a problem here. The loading speed might be something to consider
We run 100% HTTPS websites and have done for a number of years. The main advantage is that our e-commerce sites gained a very big boost in conversions and a reduction in bounce rates. This is likely down to running an EV certificate (Green Address Bar). Something I think will help SEO. I briefly discussed it here -

*Disclosure: I sell SSL Certificates.
@John Mueller I have two questions. According to RFC2616 safe clients  do not include the referer header field in a non-secure http request if the referring page was transferred with https. If a user browse e.g. https secure Google search the non-secure landing page will see all traffic as direct traffic. 1.) Does google have or is planning to have differentiated result for users prefer to use https and provides https results on pages that have ssl inserted rather than (the same) non-secure one?  2.) If there is a webserver which has HSTS setup, for the aim of defending users against SSLstrip, does the Google Crawler consider this header switching over ssl or ignores it?
+Alexander A. Mandl I believe we're now using the meta-referrer "origin" in our search results (at least in Chrome, where it's supported - I'm not sure about the other browsers). According to this will set the HTTP referer header to the site's origin. 

At the moment, when given the choice between a HTTP and a HTTPS URL, we don't give preference to the HTTPS URL when choosing a canonical to show in search. HSTS can give a pretty strong signal in that regard, so it's possible that it might change over time (the webmaster could also just use a rel=canonical, which works for many search engines). 
+John Mueller I have an issue related to https that has me questioning everything in this post. We re-launched a site last month migrating from http to https. We added https to Webmaster Tools. Immediately we started receiving messages via GWT that there were errors reaching robots.txt on the http site. The https site was starting to be indexed then someone decided to "remove" the http site from the index. On the same day both http & https pages were removed and are no longer available. One thing that confuses this more is that we have some specific content within https://no-www. that are being indexed, but we have nothing in the index for https://www. Any thoughts you have on this would be helpful.
+Scot Powers URL removals affect all canonicals (http/https/www/non-www). If you cancel the old site-removal request, you should be back within a few hours.
You don't have to remove http Scot, Let say you use hsts, so clients browser will prefer https over http, then set canonical url to https. both will exist to google, but https will be the preferred. This simple meta tag will avoid the duplicated content issue. Same thing applies for www and no-www. Use canonical and done, it is as simple as that.
+Alexander A. Mandl, thank you but my issue is not duplicate content related. I know how to use canonical tags and implement them regularly. This is completely different.

I have 3 sites essentially http: https://www & https://no-www.

The only one in the index is https://no-www -- there is absolutely NO duplicate content. I want all my https pages to index and rank, but it's only the no-www. the canonical will force it to one or the other which is NOT what I want. I need both to live.

At this point, I'm thinking cancelling the removal is the best course of action. Thanks.
Yes, the first thing is to cancel the url removals. Do you have and parallel, and the document root is different? Do you have and existing and they both have different root pages? I saw once a website when did not have the / root document only the subfolders and pages there and that had issues getting indexed, even these pages were linked from the main domain's pages.
There is more to it than meets the eye, Google out of nowhere saying that moving over to #HTTPS will give a ranking boost in the SERPs sounds a bit unfair to me. Many people might rush to getting #SSL installed on their websites. But most might not know that moving over to HTTPS is complicated, it might cause harm if you do not follow entire guidelines. 

And also this seems like a business move by Google to increase their profits than to make internet more secure, more on that here:
+Fahad Rafiq I can't buy that (no pun intended). No way on this green earth Google would mess around with search algorithms to sell some certs (especially when it's not even a major seller, so far).It's valid to question if search has conflict of interest with advertising, but messing with the golden goose to support a drop in the ocean? No.
+Fahad Rafiq the whole internet e-commerce, media are unfair to the non-competitive offline local shops, printed media. So blaming the need on safety over MIM attacks etc., which was not expected when www was built,is pointless. You can have a cheap alpha or positive ssl on vps or get a shared hosting provider with chained certs for a little more. Complicated? Even using windows 95 was complicated to those who never used it and they hated it like many will do with ssl. Remember there were luddites in the 19th century with no success on stopping technical evolution. 10 years old kids don't find hard to learn programming languages nowadays, soon they will fill the void.
This is absolutely causing unnecessary disagreements with my web clients. Google should give the same boost for displaying a SSL enabled badge.
"If I’d asked people what they wanted, they would have asked for a better horse"
Add a comment...