I wonder if this has ANYTHING to do with fighting spam? Surely spammers wont buy certificates for their churn and burn sites?

There are a few providers giving free trials of SSL certs for 90 days. For most churn-and-burn sites 90 days is good enough time period to start and then if the site survives in SERPs beyond 90 days, one can always upgrade to a paid cert for 1 year or more. So churn-and-burn crowd may not be losing their sleep over this move.

Assuming fighting spam is the real motive behind this move, I suspect people using cheapest SSL certs that do only the domain validation may not benefit much. More expensive SSL certs that do organization validation may help in rankings for the obvious reasons. But google has not clarified what kind of certs they would like people to use.

So I'm tempted to wait for more details to emerge in near future or should I just get cracking and buy a bunch of cheap SSL certs? That is the dilemma.

@JD_Toims: OK, its should have been "who" not "you". Particularly bad typo even for me. Getting to the point, I disagreed with three of your eight points. I think two do not matter (nofollow links and disavow files, because they only affect search engines), one I rather like (making ads a bit less obtrusive). The other two are, I agree, valid.

I was a Joeant editor for a short while: I gave up when the rejected a link to the Berkshire Hathaway web site (Warren Buffet's company) as "low quality"!

Directories of web sites are dead and useless, their last gasp was for SEO.

Getting back on topic, I think the consensus here is that we should wait and see? Superclown2 is quite right: there will be a lot of people trying to sell IP addresses and certificates on the back of this. Lets not panic: it will become cheaper (in another six months most of us will be happy to use SNI), and it will becomes clearer which sites are significantly affected by it.

Someone told me that if website WHOIS info has @gmail.com account associated with domain it could be a negative signal because spammers also use @gmail.com accounts to send spam. So webmasters using cheap or free email accounts may be at risk because spammers work on the same platform. But I don't know whom to believe any more..

Too much panic, too many conspiracy theories.

Google has said that HTTPS is be a "lightweight" ranking factor, at least for now, and it will affect fewer than 99% of search queries. So, if you're uncomfortable with the idea of migrating to HTTPS or you're skeptical of its benefits (whether to you or to users), why get your thong in a twist? Wait until there's a greater incentive, until it's easier to do, and/or until Google has more to say on the topic.

Directories of web sites are dead and useless, their last gasp was for SEO.

Tell that to ThomasNet.

There are a few providers giving free trials of SSL certs for 90 days. For most churn-and-burn sites 90 days is good enough time period to start and then if the site survives in SERPs beyond 90 days, one can always upgrade to a paid cert for 1 year or more. So churn-and-burn crowd may not be losing their sleep over this move.

Yes, but those cheap certs require a dedicated IP or using SNI/TLS which doesn't have full browser compatibility.

Assuming fighting spam is the real motive behind this move, I suspect people using cheapest SSL certs that do only the domain validation may not benefit much. More expensive SSL certs that do organization validation may help in rankings for the obvious reasons. But google has not clarified what kind of certs they would like people to use.

Personally I think NSA snooping is what triggered a lot of this. They probably realized that the simplest way to stop the NSA was to promote SSL Everywhere. Then they realized that SSL sites were higher in trust, so they've made it a ranking signal. Which supports the SSL Everywhere initiative. I think I heard somewhere that they may bring keyword data back for sites with SSL. Which would also support the SSL Everywhere initiative.

But realize, browsers (and hence Google) can't tell the difference between a domain validated (DV) cert and an organizationally validated (OV) cert. Apparently there is now something that distinguishes them, but it's relatively new and not fully implemented/supported. You can really only tell the difference with an EV cert. So an OV cert probably won't be any better with Google than a DV cert. Google has said nothing to encourage EV certs. Until they do, I'm just getting DV certs. Interestingly, of the major social media sites Twitter seems to be the only one with an EV cert. Google is using DV/OV - so I can't see them requiring something that they can't be bothered to use themselves.

Google has said nothing to encourage EV certs.

Looking at the big brands in my vertical, here in the UK, hardly any of them use EVSSL. The major selling point that the certificate providers claim is that the green bar encourages users to trust the site but the overwhelming majority of people over here haven't a clue what SSL is, let alone what a green bar signifies. Waste of money in most cases IMO, unless you are running a financial site with savvy visitors.

But realize, browsers (and hence Google) can't tell the difference between a domain validated (DV) cert and an organizationally validated (OV) cert. Apparently there is now something that distinguishes them, but it's relatively new and not fully implemented/supported. You can really only tell the difference with an EV cert. So an OV cert probably won't be any better with Google than a DV cert. Google has said nothing to encourage EV certs. Until they do, I'm just getting DV certs. Interestingly, of the major social media sites Twitter seems to be the only one with an EV cert. Google is using DV/OV - so I can't see them requiring something that they can't be bothered to use themselves.

As you're aware, there's a difference between a regular cert and an EV cert.

The EV cert is different for two reasons. First, authentication requires an independent org (the people that issue the certs) to do the work required to actually validate the existence of your business. Secondly, the url bar turns green.

The url bar turning green is simply for visitors. One can debate how much difference that makes, but it must make some difference to some visitors.

From Google's perspective, and all their focus on local seo and verifying business identities, it seems like an EV cert should make a difference - it further independently validates the location and existence of the business. Does it? Who knows - but given that it's arguably 'good for visitors' and seems to fit well with Google's quest for independent verification of one's identity, it's a small chance.

The EV certs are like a couple hundred bucks. Any 'serious' business earning any amount of income shouldn't be held back by the difference between the two costs. It's a couple hundred bucks, no downside, potential upside, so roll the dice and spend the money.

I used to have a non-ev cert years ago. Let it lapse because 'who cares?'. But I'm installing an EV certificate as we speak. It's Google nonsense, but looks enough like something a typical business might do that I'm prepared to do it anyway.

Oh, I forgot to speculate further - the EV cert indicates your town/state. No reason Google couldn't use that to verify your location and plus size your rankings as a result. They could probably use those certs instead of the postcards they mail out.

Again, Google's push to SSL certs is bogus for consumer purposes. Still, I think they may be thinking about other stuff in the future - so start preparing.

Good point wheel, worth remembering before making hasty decisions to switch.

The url bar turning green is simply for visitors. One can debate how much difference that makes, but it must make some difference to some visitors.

I did some investigation before buying some EC certs the other day. Turns out people may actually feel less secure with EV certs in cases where the business name doesn't match exactly with the domain name. They see a mismatch and think something is wrong.

[theroiteam.com...]

jay5r That is an interesting observation with Chrome. However, clicking on the site information icon does not give encouraging information. For e.g.it says "...does not have public audit records.

I did some investigation before buying some EC certs the other day. Turns out people may actually feel less secure with EV certs in cases where the business name doesn't match exactly with the domain name. They see a mismatch and think something is wrong.

lol. I incorporated under my keyword rich domain name. i.e. keywordkeyword.com, LLC.

So I got that going for me.

These days if you're looking for rankings, you should probably have your main site on your companyname.com anyway. PRomote nike.com, not redsneakers.net.

If I were Google I'd use secure certs as a method of stopping spam. If you're a valid site, you can get a valid cert.

To that end, I think Google telling us it's just a 'ranking signal' today will encourage the masses of legit sites to get certs. When the volume of sites running HTTPS reaches the tipping point they'll simply push all sites without HTTPS down to the bottom of the index.

Spammers getting sites penalized and dropped all the time or shut down for other reasons would find required certs a real problem to get and maintain.

Eventually someone abusing the web all the time wouldn't be able to get a new cert, out of business, done.

It's a great move as I've advocated required SSL for email for the same reason but people keep playing around with other silly schemes that simply don't work.

SSL all the way baby!

When the volume of sites running HTTPS reaches the tipping point they'll simply push all sites without HTTPS down to the bottom of the index.

That may work for the more competitive search terms, but it won't work for things like [Solomon's Pork Pies Akron] - it's unlikely really small business will ever have SSL. Or, if some hosting provider does offer the service of buying an EC cert for each IP/server and then adding/dropping names from the cert as part of their shared hosting plan, then the spammers will just use that service along with the small businesses, and SSL will become a meaningless signal. Or, it will only be a factor when all the names in the cert are owned by the same entity.

But I can see it for search terms that touch on the "your money or your life" concept that Google is so fond of. Ditto for community sites with lots of user input - privacy is a concern on sites like that. (When will Webmaster World migrate to SSL?) Those are types of things that probably make up the 1% of affected search terms. It'll grow, but never to things like [Solomon's Pork Pies Akron].

but it won't work for things like [Solomon's Pork Pies Akron]

Low organic relevance == more ad clicks.

It's really naive for anyone to think that this is going to stop spammers.

@superclown2

Google has stated that there are a plethora of ranking signals, and this will be just one more. Getting an installation just right is not a job for a beginner and an imperfect job can have disastrous consequences as I first found out for myself more than a decade ago.

So why ignore any of them? Surely you're fighting against the wind for no reason?

The major selling point that the certificate providers claim is that the green bar encourages users to trust the site but the overwhelming majority of people over here haven't a clue what SSL is, let alone what a green bar signifies.

Have you any data / research to justify this statement?

Finally, (and this will probably make you laugh as I've singled your comments out) I have transferred a 9 month old site over to SSL and the positions achieved to date have been completely destroyed!

Perhaps it will come back but I'm currently thinking; big mistake.

@incrediBill

My worry about sites with SSL getting pushed down is the effect on hobby sites and blogs: they are often what I want when I do a search. What about anonymity for people in countries with less than free speech? Paying for a cert leaves a trail.

Its probably good for e-commerce searches, but not so good for informational ones.

Eventually someone abusing the web all the time wouldn't be able to get a new cert, out of business, done.

Possibly, but there are a LOT of certificate authorities.

It's a great move as I've advocated required SSL for email for the same reason but people keep playing around with other silly schemes that simply don't work.

SSL certainly. Ideally emails should be signed as well: but any transition is going to be difficult, and most people still seem unaware of how little privacy or security email has.

Have you any data / research to justify this statement?

Most of the people I have spoken to don't even know that the results at the top are paid ads, even though they are now labelled. I spoke to a load of senior business people earlier this year and most of them didn't know that there were other search engines than Google. It doesn't do to overestimate the knowledge there is out there amongst the non-techies.

I have transferred a 9 month old site over to SSL and the positions achieved to date have been completely destroyed!

Sorry to read that. It does underline, though, the point I made that this should be handled very carefully, if at all.

it's unlikely really small business will ever have SSL.

Actually I expect that eventually it'll come by default with webhosting (and maybe hosting goes up a tad to cover it) It'll be the standard.

While it's been less than 24 hr when I've switched one site to https and it's way to early to make any conclusion I can definitely report some positive movement in terms of referrals from the big G. Quick look also suggests that almost all of more than 400k indexed pages have been re-indexed and now starts with https. Interesting

Does switching an http site to https mean 301 redirecting every valid http request to https?

It'll be the standard.

My thought as well and I do not have a problem so long as we all are given plenty of time to implement it, say by Dec 31st 2015?

THIS IS ABSOLUTELY POINTLESS

THIS IS ABSOLUTELY POINTLESS

Sure, just like lower-case letters. :-)

Does switching an http site to https mean 301 redirecting every valid http request to https?

Yes.

I think it can have a minor effect on rankings if a site has better SEO factors like complete optimized in terms of on page and off page seo and has quality backlinks but not implemented https then the site can still perform better than those sites having https but missing on page and off page elements

THIS IS ABSOLUTELY POINTLESS

No it's not.

Google claims they're doing this 'for the children'. If you believe that's a pointless reason, and maybe it is, then look deeper. What potential future benefit does Google derive from SSL? It's an easy ranking signal because it increases barriers to entry on webhosting. And EV certs fix a very big problem for Google - guaranteeing the authenticity of a website. With all the brands ranking, seems like a pretty natural progression to add in 'guaranteed authenticity' as a ranking signal, and maybe a big one.

You should expect the same feature creep we saw with the nofollow tags. This was sold to you as being for your benefit, to make the web a land of unicorns and rainbows, yet now it's an overseer's whip. You'll be getting an EV SSL cert soon enough, or dealing with the consequences.

As to why it's pointless for you as a webmaster, you're taking the wrong approach. The goal is to rank and make money, not argue with Google. Google says get an SSL cert and it'll help your ranking, do it to rank. That's not pointless.

It's one of the easiest and clearest things Google's disclosed in a long, long time.

In fact, they could've left this silent and not told us and just used it as a ranking signal. The fact that they've told us this also tells us something - they want it for more than a ranking signal or they want to strengthen it as a ranking signal. They haven't disclosed the other couple hundred ranking signals, have they.

Does switching an http site to https mean 301 redirecting every valid http request to https?

Yes.

Kind of scary for a site that already ranks well. Should this be done incrementally?