Security and SEO: Why 50% of You Should Read This


Although it might not always seem like it, the internet has rules of etiquette. For businesses, it’s quickly becoming more and more dangerous to operate outside these rules of etiquette. We recently wrote about how black-hat SEO tactics are now penalized by Google, showing that in 2018, it’s Google’s way, or the highway.

And it’s no different with website security.

For a while now, SEO enthusiasts have been aware that Google rewards secure sites - i.e., those with installed SSL certificates and “HTTPS” in the URL - in a few ways.

  1. HTTPS sites are faster, and Google’s ranking algorithm gives a boost to sites that answer people’s queries the fastest.

  2. Google prioritizes HTTPS sites over their unsecured counterparts (HTTP), and has done so since 2015. (I.e., having a secured site is a major tie-breaking factor when your content goes up against content of similar quality in Google’s ranking algorithm.)

And as of January 2017, Google began visibly distinguishing unsecured sites.  

  1. Chrome now marks HTTP pages as “Not secure” if the site contains password or credit card input fields.

  2. As of October 2017, Chrome began showing a “Not secure” warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.

For any website that collects personal information (email address, password, birthdate, etc), this is a big red flag to users that any data they input is vulnerable.
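The Chrome rules listed above can be checked against your own pages before visitors see the warning. The Python sketch below is an added example, not code from Google or Chrome; the name `audit_page`, the sample pages, and the use of `autocomplete="cc-*"` to recognise credit card fields are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: credit card fields are recognised by an autocomplete value
# starting with "cc-"; Chrome's own detection logic may differ.
TEXT_ENTRY_TYPES = {"text", "email", "tel", "search", "url", "number", "password", "date"}


class FieldCollector(HTMLParser):
    """Collects the form controls a visitor can type into."""

    def __init__(self):
        super().__init__()
        self.sensitive = []  # password / credit card inputs
        self.entry = []      # any control that accepts typed data

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        label = a.get("name") or a.get("id") or tag
        itype = (a.get("type") or "text").lower()
        if tag == "textarea":
            self.entry.append(label)
        elif tag == "input":
            if itype in TEXT_ENTRY_TYPES:
                self.entry.append(label)
            if itype == "password" or (a.get("autocomplete") or "").lower().startswith("cc-"):
                self.sensitive.append(label)


def audit_page(url, html, incognito=False):
    """Return the 'Not secure' triggers described in the article that apply."""
    if urlsplit(url).scheme.lower() != "http":
        return []  # HTTPS pages trigger none of these rules
    fields = FieldCollector()
    fields.feed(html)
    reasons = []
    if fields.sensitive:  # January 2017 rule
        reasons.append("password/credit card field: " + ", ".join(fields.sensitive))
    if fields.entry:      # October 2017 rule: data entered on an HTTP page
        reasons.append("data entry on HTTP page: " + ", ".join(fields.entry))
    if incognito:         # October 2017 rule: any HTTP page in Incognito
        reasons.append("HTTP page visited in Incognito mode")
    return reasons


# Constructed sample pages (not real sites).
LOGIN = '<form><input name="email" type="email"><input name="pw" type="password"></form>'
NEWSLETTER = '<form><input name="email"></form>'
STATIC = "<h1>About us</h1>"
```

Running `audit_page` over every template that contains a form gives a list of pages to move to HTTPS first.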

Source:  Google



In 2017, over 50% of page 1 organic search results used HTTPS. This was up from 42% in 2016.  The takeaway? Those who play by Google’s rules reap the benefits. Conversely, those who don’t will see their competitors consistently rank above them in search results, and their customers turn to secured sites to conduct their online business.  

So, what is the difference between HTTPS and HTTP, anyway?

Let’s check out In the address bar, you’ll find a green padlock icon next to the website’s URL, which will begin with HTTPS. This stands for Hyper Text Transfer Protocol Secure. You’ll notice this on most banking, retail and/or social media sites.


HTTPS has an older, sketchier brother known as HTTP. If a site hasn’t implemented an SSL certificate, you’ll typically see either “HTTP” or a small “i” icon in place of the lock symbol to indicate your connection is not secure.


How does HTTPS work?

When you browse the internet, your computer is exchanging information over a network with another computer. HTTPS (the ‘s’ stands for secure) is the way you know this information is private. This includes everything from your credit card information to comments on YouTube to your email. To explain how it works, we’ll use every web developer’s favourite analogy: mail delivery.

Let’s say you’re expecting to receive a package from your friend. We’ll call him Jeff. The mailman (aka your browser/internet) collects the package from your friend and walks it over to your house (or, server). You receive your package with no issue - everything’s there just as it should be. This is how sending information from one computer to another typically works.

But what if you had a jealous neighbour? We’ll call him Rick. Rick sees you receiving packages from Jeff and wants to know what’s in them. What’s preventing him from running up to the mailman and performing some malicious activity? He could steal the package, put something dangerous into the package or even take out the mailman and pretend to be him.

A secured connection is what prevents this. Through a multi-step process, HTTPS technologies certify that the packages you’re sending back and forth are in locked boxes. They also ensure that the mailman is who he says he is. It’s also important to recognize that vulnerable packages can be affected in ways other than theft. Sites can be injected with malicious code to target advertisements or track user habits.


While banks and e-commerce sites typically implement HTTPS straight away, many small businesses and personal sites have been slow to adopt a secured connection. In reality, HTTP has been dead since Google and Mozilla declared their intention to deprecate HTTP in 2015. Aside from preventing malicious attacks and the leaking of user data from an exchange, it’s well worth it for these small businesses to implement HTTPS for the SEO benefits alone.

In a nutshell, if your website is still unsecured, not only have you missed the boat and the backup boat, but you’re dangerously close to being left on an island with everyone else who’s unsecured (and dealing with the negative stigma that comes along with it).

Michael Yuong