The truth about SSL and SEO

Published February 6, 2017   Posted in Blogging

Ever since Google announced that SSL-enabled web sites may see a small boost in search result rankings, the blogging community has gelled over getting their web sites “secure”. In the midst of the ruckus, misinformation about SSL and the true impact it has on blogs floods the discourse. Here’s the truth.

Several years ago, Google began to experiment with using the presence of a Secure Sockets Layer (SSL) certificate as a rankings signal. In other words, web sites that have an SSL cert may be ranked higher than those without SSL. Google officially began including SSL as a rankings signal in 2014.

According to Google, this ranking signal affects less than 1% of global search queries.

As I began to consider buying a certificate for ThinkSaveRetire.com, I discovered that the jury is still out on any real SEO benefit to using SSL, and quite a number of assumptions about SSL are flat out wrong. It may not be worth the effort, especially after 2.5 years of running a fairly successful blog.

For instance, this Quora thread seems to suggest that SSL is integral to securing your site and preventing it from getting hacked, and will improve your Google search rankings.

Largely, it’s not true.

How SSL works

SSL encrypts communication between the web server and the user (you). That’s it. In practice, this prevents a malicious user from intercepting and reading packets of information sent between the server and the user. Retailers and other web sites that handle sensitive information need to support SSL to prevent customer information from being stolen.

Here’s the process at a high level:

  1. You access an SSL-enabled web site (e.g., https://www.amazon.com)
  2. Your browser requests a copy of the web server’s SSL certificate
  3. The web server sends your browser a copy of its certificate
  4. If the SSL certificate is trusted, the web server will send a digitally signed acknowledgement and begin two-way encryption between the web server and the browser

Because all data in an SSL session is encrypted, it cannot be stolen and read by a third party. This helps to protect usernames and passwords, credit card numbers and other sensitive information from theft during transmission. All financial institutions and online store fronts support SSL.

However, SSL certificates do very little to “secure” your web site. 

They do NOT prevent your web site from being hacked. They do not prevent denial-of-service attacks either, which happen when a collection of web servers flood your web site with requests in a focused and coordinated attack, forcing the server to collapse. I would even argue against the notion that SSL protects our privacy to any large degree.

SSL-enabled web sites are not necessarily “safe”. Many phishing scams, for example, run on SSL-enabled web sites. SSL also does not mean that your personal information is being stored safely behind the web server (i.e., in an encrypted or safe database). SSL only protects data in transmission.

In short, SSL provides a very, very small security benefit in the overall picture of online security.

What about trust? A certificate from a trusted certificate authority “proves” that the web site is owned by a real person with some personal credentials and a credit card. This trust component could make an impact for some web sites, but I would argue that, especially for blogs that only serve up content, the trust benefit of a certificate is hit-and-miss… at best.

Do YOU look for the “https” when you’re browsing personal finance blogs?

Does SSL actually improve SEO?

After countless hours of research, I can only conclude that the answer to this question is: inconclusive. Here is an SEO study of 10,000 domains, and the answer they came up with was…somewhat less than data-centered: “Yes, because Google says so”.

Not yet convinced? Me either. Here’s another study that found a “moderate” increase in SEO ranking, but also warns bloggers not to install an SSL certificate solely for the ranking benefits. If you’re thinking about starting a new web site, go ahead and use SSL. Otherwise, it ain’t a big deal.

A Moz study found a very low correlation between higher rankings and SSL.

Impact of https in SEO | Source: moz.com

Where does this leave us? It means that any benefit to SEO that a certificate has is minimal, and even those benefits are tough to quantify.

Does SSL negatively affect AdSense revenue?

Recently, I discovered that bloggers saw a significant hit to their AdSense revenue after switching over to SSL. This is because AdSense requires that SSL web sites also support SSL-compliant ads. Google maintains that most ads are compliant, but users across the Internet have reported widespread reductions to AdSense revenue.

Financial Samurai reported on this issue earlier in January: “I spoke to the folks at Adthrive, and they said they’ve seen publishers experience a 30% to 90% decline in ad revenue.” Ouch.

This used to be an issue in the past. I have no hard data that indicates one way or another whether this problem continues to exist.
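
The requirement described above, that an SSL page must also load its ads and other embedded resources over SSL, can be checked before migrating a blog. The following is an added example, not part of the original post: a Python audit that lists the plain-HTTP subresources a page would load once it is served from an https:// URL. The sample page and all hostnames are constructed.

```python
"""Audit a page for subresources that become mixed content under HTTPS.
Added example: the sample page and all hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attribute that makes the browser fetch a subresource.
# Scripts, frames and stylesheets are "active" mixed content, which
# browsers block on an HTTPS page; images and media are "passive".
ACTIVE = {"script": "src", "iframe": "src", "link": "href",
          "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url   # the URL the page will have over HTTPS
        self.findings = []         # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # rel=canonical and similar are just URLs, not fetches
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            value = attrs.get(table.get(tag, ""))
            if not value:
                continue
            # Resolve relative and protocol-relative (//host/x) references
            # the way the browser would from the HTTPS page.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))


def audit(html, page_url):
    """Return the plain-HTTP subresources the page at page_url would load."""
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a blog post with an ad script and assorted embeds.
SAMPLE_PAGE = """
<html><head>
<link rel="canonical" href="http://blog.example/post">
<link rel="stylesheet" href="http://cdn.example/theme.css">
<script src="//ads.example/show_ads.js"></script>
<script src="http://legacy-ads.example/banner.js"></script>
</head><body>
<img src="/uploads/chart.png">
<img src="http://img.example/badge.gif">
<a href="http://other.example/">a plain link, not a subresource</a>
<iframe src="https://video.example/embed/1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in audit(SAMPLE_PAGE, "https://blog.example/post"):
        print(f"{kind:8} <{tag}> {url}")
```

Ordinary links and the canonical URL are not reported because the browser does not fetch them while rendering the page; the protocol-relative ad script is not reported because it inherits https from the page.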

My personal beef with the SSL rankings signal

I vehemently oppose using SSL as a rankings signal, for several key reasons:

  1. It seems arbitrary. To reward or penalize a web site based on qualifiers unrelated to the search query and content quality seems wrong.
  2. I reject the notion that SSL makes web sites safer. Like I mentioned in this blog post, SSL only encrypts data in transmission from Point A to Point B, which is a relatively tiny element of overall web site security. Developing secure web sites is a blindingly complex and sophisticated subject and cannot possibly be solved by slapping a certificate onto a web site. If only it were that easy.
  3. It makes bloggers spend money for no practical benefit. Trusted SSL certificates are not free. Prices range from around $60 a year to hundreds of dollars (or thousands!) depending on the certificate’s capabilities. For bloggers who don’t transfer sensitive information, this is completely wasted money on a capability that provides very little benefit.
  4. Encryption and SSL aren’t automatically “better”. I find it curious that many resources flatly state that SSL is nearly always better than non-SSL. Why? Because data is encrypted. Okay, so what? The vast majority of blogs do not require encryption and the overhead necessary to provide it. Whether this article was encrypted before it was sent to YOU is of very little concern to either of us!
  5. Encryption takes CPU resources. Although the impact has been minimized with the influx of inexpensive high-powered computer hardware, SSL web sites require additional processing power to support encryption. For blogs that don’t need encryption, these are wasted resources.

Moreover, I find it shocking that people find it shocking that the large majority of web sites do not support SSL. The majority of web sites don’t support SSL because the majority of web sites simply do not need it, and the additional CPU resources it takes to establish and maintain the encrypted pathway for data that does not need encryption are simply not worth the price of admission.

My recommendation: Do blogs need SSL?

Unless you are transferring sensitive information, blogs do NOT need to support SSL for any technical reason. Blogs, like this one, primarily transfer plain-text data in the form of words and paragraphs. Encryption provides almost no security benefit for most blogs.

But Steve, what if my blog already supports SSL?

No problem. SSL won’t hurt anything if you already support it (except for AdSense revenue?). And, according to Google, you might see a tiny advantage in search rankings if you happen to be one of the 1% of global queries that are affected by the ranking signal.

Should I buy an SSL certificate for my blog?

I cannot answer this question for you because only YOU know what is best for your blog. Personally, I believe that the only good reason to purchase an SSL certificate for a blog is because you think that Google will increase the significance of the SSL ranking signal in the future. Otherwise, I would pass.

Besides, migrating an existing blog over to SSL is not a straightforward task, as Untemplator found out recently.

Save your money and focus on writing high-quality content. Quality content is a much more important ranking signal that will always result in better search rankings for your blog.

I have no plans to purchase a certificate for ThinkSaveRetire.com any time soon.


Comments

45 responses to “The truth about SSL and SEO”

  1. My site currently uses a Let’s Encrypt free SSL certificate. I’m not sure if it’s dissuaded anyone from visiting my site as I’ve yet to hear about it being a non-trusted site.

    However, regardless of SSL or how secure a blog is, I agree with you that content is key and should be the main focus when trying to grow a site.

  2. That was quite an explanation. It hasn’t been something that I spent too much time thinking about before reading this post, but knowledge is power. I’m sure I’ll be hearing and reading more about it in the future, and I’m glad you laid out a trusted assessment! Thanks for this.

    Mrs. Mad Money Monster

  3. I only can think of one place on a typical blog I might place SSL, the admin’s login page. That’s about keeping a hacker from sniffing your user name and password when you, the owner, log in to WordPress. I don’t think that risk is worth the five dollars a month or so for a certificate though. There are after all easier ways for hackers to get in than sniffing the admin password.

    • Steve says:

      Yeah, the admin page does require the username and password, but I agree, there are other ways that hackers typically use to gain access to the admin console or the database itself!

  4. Apathy Ends says:

    Thanks for writing this up Steve – just saved me some time and research (and more than likely a few headaches).

  5. Good. Because like the terrible blogger that I am, I had plans to do none of that. It would be different if my blog did something besides accept comments, though 🙂 I really appreciate these posts, Steve!

  6. Chad Carson says:

    That makes my decision for me. On to the other 500 things on my blog to do list! Thanks for the thorough post, Steve.

  7. Great breakdown, Steve. I appreciate you doing the research so I don’t have to. I’ll just keep doing what I’ve been doing. HTTP:// is good enough for me.

    Cheers!
    -PoF

  8. Very informative post, Steve! You and I have already talked outside of your site, but I think you pretty much nailed it. I switched my site over a number of months ago, but that’s because I had nothing to really lose at the time since my site’s still relatively new. In other words, if it affected Adsense, I really didn’t notice.

    Personally, I do think that eventually the Internet will be all SSL. The reason for its importance being the encryption and the ability to keep “conversations” between clients and servers from being snooped. This is obviously most important for forms or any place where private data is going to be transmitted. Although this usually isn’t something bloggers need to worry about as much as financial institutions, for instance, I still think it’s going to grow and become the de facto over time.

    However, I don’t know how long that time will be. I would imagine that we’ll start to see more web host providers making this available through projects like Let’s Encrypt and possibly starting to make SSL the default over time.

    But you made probably the most important point that a lot of people probably don’t understand – setting up SSL does basically nothing to protect your site from being hacked. That’s the big thing that people need to understand.

    Great post!

    — Jim

    • Steve says:

      I think you might be right, Jim – but, my feeling is encryption will eventually be a “built-in” kind of thing, where the need for SSL certs will be a thing of the past. Meaning, if an encrypted means of communication is THAT important, there probably won’t be a way for people to simply “opt-out”.

      I’m looking forward to the day where SSL certs are “soooooooo last decade”. 🙂

      • David says:

        SSL/TLS is already transparent from the client-side; however, for it to be transparent from the blogger’s perspective, web hosts will need to supply them by default.

        SSL/TLS certificates provide two main components: identity and encryption. A certificate’s digital signature verifies that the website you are visiting is what you asked for. After your browser verifies the website’s identity, it then contains enough information to create an encrypted session, usually using RSA (sometimes Diffie-Hellman which is actually more secure).

        This type of system will most likely never go away. We’ll have to deal with certificates for a long time. Honestly, they aren’t particularly complicated, just something you pay for to look more legitimate. As more sites use encryption, the need to use it on yours will also increase, regardless of the static or dynamic content your website displays, and the impact to SEO or AdSense revenue.

        • Steve says:

          Thanks for your thoughts – we will see how things trend out. I’m not all that convinced yet that SSL is the wave of the future, but hey, you never know…and I have been wrong before.

  9. Thanks for the rundown on this Steve. I’ve been wondering myself if it was worth it. That doesn’t seem to be the case.

    Saved me a bunch of time researching the issue myself! Thanks!

    For now, I’ll probably skip https.

  10. Thank you for this! It’s on my long list of blog to-dos. I hadn’t done much research, just read here and there that ssl is recommended for SEO, but after reading this, I’m going to mark it off the list until there’s more conclusive evidence. Thanks again!

  11. Mrs. BITA says:

    Thank you for making this important and not obvious to most people point: SSL does nothing to protect the data at rest of your website. Before you think about SSL you should have your backup and restore story nailed. That is much more likely to be of use to your blog. The idea of encrypting blog pages and comments just seems silly.

  12. THANK YOU for addressing this. I, too, got swept away in the panic once the announcement came out. Luckily SEO is part of my day job so I quickly realized it’s kiiiiinda BS.

    At the end of the day, you shouldn’t aim to “trick” search engines with tick-marked to-dos like adding an SSL. It’s about the actual user experience and your content.

    I completely agree: unless your blog contains sensitive information (like a payment portal), you don’t need an SSL. Don’t waste your money trying to play Google’s games. <3

  13. Steve, thanks for the very informative post. I’m not up to speed on some of the technical aspects of blogging such as this. Very helpful to know.

  14. This was a very nice write up. I had seen the SSL notification but hadn’t researched it fully. That is a shame about the adsense revenue fluctuations. Hopefully that gets straightened out if it hasn’t already. Thanks for the great read!

    • Steve says:

      You’re welcome! It is possible that the AdSense is no longer an issue, but I’m not sure. If it IS still an issue, then I’d think anyone who monetizes their site with AdSense would be hard-pressed to go the SSL route.

  15. Steve,

    This is a great article on SSL and SEO. Being new to blogging world, SEO, Adsense, etc., are all concepts I am currently learning about. I had zero idea about SSL affecting those. Thank you very much for doing that research.

    I presume you would agree with me that being vigilant of phishing attacks and strong passwords are exponentially more important to cyber security than SSL. More often than not, most sites that get hacked are due to user error and/or deceptive tactics used by the attacker.

    Unfortunately, social engineers like to prey on the uninformed and utilize the human weakness of wanting to trust others to access important information rather than traditional “hacking” techniques.

    Strong, unique passwords (passphrases preferably) and education of scamming/phishing techniques, to me, are more vital than any other cyber security tools.

    All the security in the world does not matter if the bad guys have a key to the front door.

    • Steve says:

      Very true, IH! Security really does start with us. The foundation is important to master before we begin looking into enhancements to that foundation.

  16. ambertree says:

    Thx for sharing your opinion. Just today at work I insisted that our new public site would be an SSL one… Needed? Maybe not.

    As the overall offering contains transfers of personal data, we need it at some point anyway.

    For my blog, I go with whatever WordPress will do. As you said, blogs in general do not transfer sensitive data and security is so much more.

    • Steve says:

      In the end, I think we all need to do what’s best for our individual web sites. Nothing wrong with going the SSL route – even if it doesn’t *need* SSL – especially for a company with lots of resources. 🙂

  17. Thanks for clearing up the issue which in my opinion was muddled. Based on your recommendation I’ll be staying put. Thanks for the great advice!!!

  18. This is great Steve! I use SSL on my blog because I was able to get it set up for free through cloudflare. I’m also hosting an app with login credentials and logging your financial transactions though, so SSL actually makes sense for me. For the rest of the blogosphere though, you just saved a whole bunch of money and headaches!

  19. Biglaw Investor says:

    Thanks for the breakdown Steve. I’m quite convinced and have no plans to “upgrade” to SSL. What are your thoughts about Chrome eventually moving over to shaming all HTTP sites with a big red “Not Secure” logo.

    https://www.wordfence.com/blog/2017/01/chrome-56-ssl-https-wordpress/

    • Steve says:

      I’ve read about that, but truthfully, that doesn’t bother me. The majority of users won’t know what that means anyway, much less care whether or not a blog is “secure”. The large majority of the time, users aren’t logging in to our blogs anyway, so most users probably won’t even notice. 🙂

  20. So far, there’s been NO ominous warnings from Google Chrome’s latest after many warnings by “SEO experts.”

    Wait it out folks!

  21. Dan says:

    Great blog, but I think you are off the mark on this one. It’s fine if you decide not to get a certificate yourself, but to proclaim that it’s not important for most blogs is taking it a bit far.

    – As others have mentioned there are plenty of free ways to get certificates like letsencrypt and cloudflare. Even if you were to buy it they can easily be obtained starting at about $9 (https://www.namecheap.com/security/ssl-certificates/comodo/positivessl.aspx), so claiming $60 is the going rate is not accurate. Price is really not a concern here; the main obstacle is probably getting it configured, which depending on your hosting setup can range in complexity from point and click to chatting with hosting support.
    – Not having ssl on the admin page of your blog is definitely a security risk for intercepting your admin login info
    – SSL helps verify the identity of your site and prevents random scripts from getting injected into it
    – You do collect people’s email addresses and you also have a search function on your site, so those are two pieces of personal info that are common to many blogs and can be intercepted when you’re not using https

    Claiming that https doesn’t prevent hacking is true, but proponents of https aren’t suggesting it does that either so I think it’s a decision that requires much more consideration than is being suggested here.

    • Steve says:

      Appreciate your thoughts, Dan! When a web site doesn’t encrypt communication, a lot of things are “possible”. I think it’s up to us, as bloggers, to determine whether or not those things are worth the risk or not. Nice insight!

  22. Dan says:

    Just one further point 😀

    “One common misconception about HTTPS is that the only websites that need HTTPS are those that handle sensitive communications. Every unprotected HTTP request can potentially reveal information about the behaviors and identities of your users. Although a single visit to one of your unprotected websites may seem benign, some intruders look at the aggregate browsing activities of your users to make inferences about their behaviors and intentions, and to de-anonymize their identities. For example, employees might inadvertently disclose sensitive health conditions to their employers just by reading unprotected medical articles.”

    https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https
