
Google Has Given HTTPS a Huge Boost - cleverjake
http://blog.httpwatch.com/2014/07/07/google-has-given-https-a-huge-boost
======
pierrefar
I work at Google in web search. It's great to see another example of a site
indexed under HTTPS as it's a common question we see. Sadly, for such an
important topic, there are many myths.

I didn't dig into this particular example, so a couple of things about the
topic of this post:

1\. As much as I'd personally would love to see it happen, we currently don't
give any ranking boost or demotion based on whether the site is HTTPS or HTTP.
Regardless, it's a good thing to do for your users anyway, so please do it if
you can.

2\. Fellow Googler Ilya Grigorik, who's also on HN, and myself gave a talk
about HTTPS two weeks ago at I/O. We covered a lot of topics about how to
deploy HTTPS in a secure and fast way, and also how to get Google's indexing
algos favor the secure site. It's here:

[http://www.youtube.com/watch?v=cBhZ6S0PFCY](http://www.youtube.com/watch?v=cBhZ6S0PFCY)

Happy to answer any questions here.

~~~
tootie
I had this debate on my last project: Does Google consider http and https on
the same host to be separate sites? Assuming
[http://www.example.com/home](http://www.example.com/home) and
[https://www.example.com/home](https://www.example.com/home) return the same
content, are they considered one page or two?

~~~
pierrefar
Hi tootie

These are two sites. In reality, most secure sites have four variants:

[http://www.example.com](http://www.example.com)

[http://example.com](http://example.com)

[https://www.example.com](https://www.example.com)

[https://example.com](https://example.com)

You should watch the I/O video about what to do here for optimal indexing.
Briefly, redirect all variants to just the one, but there is a lot more you
need to watch out for. It's all in the video.

~~~
tootie
But why?

------
httpwatch
It looks like some people are getting carried away with the SEO implications
of this.

We're not implying that your site will get ranked higher than other sites if
you have HTTPS. What we're saying is that if your site has both HTTP and HTTPS
versions of the same content that Google will now return an HTTPS link. The
biggest implication is that if you support HTTPS most of traffic will now be
using HTTPS rather than HTTP.

------
bithush
Am I the only one who finds it a little funny that the link in this post is to
http and not https ? :)

[https://blog.httpwatch.com/2014/07/07/google-has-given-
https...](https://blog.httpwatch.com/2014/07/07/google-has-given-https-a-huge-
boost/)

------
jtrtoo
I just went through this with some of my sites. Some of my URLs were showing
up in searches with HTTP URLs, while others were showing up with HTTPS URLs.
Digging deeper also showed both HTTP and HTTPS being indexed.

This isn't an HTTPS preference on Google's part. It's (effectively) a mis-
configuration on the web site operator's part.

HttpWatch (and many other folks with web sites) should either be using 301
Redirects or, in many cases where that's not compatible with other things
being done, using the Canonical link element to indicate with https content is
just a copy of http content.

So: Try setting your ‘canonical’ line properly in your web pages. Then this
won’t happen.

Right now HttpWatch's http pages report their http as canonical. Their https
pages report https as canonical. They effectively are listing their site twice
with Google (and probably splitting/hurting SEO, but that's another story.)

[https://support.google.com/webmasters/answer/139066?hl=en](https://support.google.com/webmasters/answer/139066?hl=en)

[http://en.wikipedia.org/wiki/Canonical_link_element](http://en.wikipedia.org/wiki/Canonical_link_element)

[http://googlewebmastercentral.blogspot.com/2013/04/5-common-...](http://googlewebmastercentral.blogspot.com/2013/04/5-common-
mistakes-with-relcanonical.html)

[http://www.mattcutts.com/blog/canonical-link-
tag/](http://www.mattcutts.com/blog/canonical-link-tag/)

------
drzaiusapelord
Is google really favoring https sites? This could have unintended consequences
like SEO guys suddenly demanding a public IP for their customer sites (many of
which have no need for encryption I imagine) and causing a heavier IPv4 drain
than expected. IPv6 just isn't here yet. Must be nice to be an SSL seller
right now.

I find that if there is a https site, google will just send me there, which is
nice, but if they're changing their search algorithm for https that kinda
sucks. I want my search terms to match up with the best content, not used as a
reward system for implementing SSL everywhere.

The article is pretty short on facts. I don't think its favoring anything. It
just uses SSL if you have it. On the downside, I have noticed that connecting
to sites has been slower than usual lately. The SSL handshake is still slow.
Whatever happened to making all of this run faster?

Anyone else enjoy the irony of HN linking to the plain-text version of the
httpwatch site?

~~~
mikecb
Why would they need a dedicated ip? Wouldn't they just need SNI?

~~~
sp332
WinXP marketshare is still around 25%. And the default browser on XP doesn't
support SNI.

~~~
dm2
I'm guessing the default browser is IE7 (maybe even IE6?) for Windows XP.

The stats that matter are what browser they are using, which is less than 1%
for IE7, and possibly near zero depending on your target market.

Edit: I see, it's a Windows XP issue rather than an IE issue.

[http://serverfault.com/questions/389806/redirect-to-ssl-
only...](http://serverfault.com/questions/389806/redirect-to-ssl-only-if-
browser-supports-sni)

~~~
Someone1234
That doesn't matter at all. XP doesn't support SNI, therefore every
application which uses XP's SSPI libraries doesn't either. So IE6-8 and Safari
on XP all don't support SNI.

Chrome on XP does support SNI but that is because they don't use XP's SSPI
library for SSL connections (they use Mozilla's library NSS).

------
mike-cardwell
Duckduckgo does something similar. They use the rulesets provided by HTTPS-
Everywhere. Not sure how Google is doing it. Maybe if a site redirects to
https, and also has HSTS configured, it would be pretty safe to return HTTPS
links instead of HTTP ones as search results.

~~~
anon1385
Yesterday I noticed that DDG was no longer taking me to the https version of
youtube and I'm fairly sure it did before. It looks like Google search results
don't take you to https youtube either.

~~~
sp332
Not sure if it's related, but there's something weird going on with YouTube
only supporting RC4.
[https://productforums.google.com/forum/#!topic/youtube/hf7SD...](https://productforums.google.com/forum/#!topic/youtube/hf7SDRTmwdg)

------
ehPReth
Is this mirrored anywhere? I'm having a hard time connecting to this site

~~~
Irene
text-only version:
[http://webcache.googleusercontent.com/search?q=cache:NotzT67...](http://webcache.googleusercontent.com/search?q=cache:NotzT671SLkJ:https://blog.httpwatch.com/2014/07/07/google-
has-given-https-a-huge-boost/&hl=en&gl=us&strip=1)

the image:

[https://blog.httpwatch.com/wp-
content/uploads/2014/07/chart....](https://blog.httpwatch.com/wp-
content/uploads/2014/07/chart.png)

~~~
ehPReth
Thanks!

------
httpwatch
Sorry, for the poor response of the blog. We still had a connection monitoring
tool running that got swamped by the hacker news link.

The link should work fine now.

~~~
diafygi
Quick question. Why don't you redirect to https for the blog?

~~~
httpwatch
We originally setup HTTPS on the Wordpress blog just to demonstrate how it
could be done without mixed content warnings. However, we never setup an SSL
CDN so all the content is served directly for HTTPS but uses a CDN for some
content over HTTP.

Looks like this will have to change now that all traffic from Google searches
is going to come in over HTTPS.

------
wslh
On a separate note: the www.ycombinator.com certificate is issued to
cloudfront...

~~~
sp332
That's a pretty common thing that happens with CDNs.
[https://npr.org/](https://npr.org/) has a certificate for Akamai, for
example.

~~~
theg2
Can you go into why that is? I've never fully understood it myself.

~~~
shawnz
The CDN's servers provide the encryption, so it would make sense that the
certificate is in their name. You can't do the encryption on the origin
server, because the CDN needs access to the data to be able to cache it.

~~~
wslh
But it completely breaks the certificate meaning. Imagine the bad guy giving
you a fake certificate called: cdn.badguy.com and explaining that because the
CDN does the encryption you can trust this domain...

------
chrisblackwell
Ironically the link to this article is over http not https

------
notastartup
should I buy the SSL from cloudflare? Are there any other places that lets you
put SSL on your website?

