An HTTPS Update
Image courtesy of Google
Don’t switch your website over just yet. Although last week it was announced HTTPS encrypted websites will become a ranking signal, it’s now coming to light that many of Google’s own websites like Trusted Stores and Google AdSense are not HTTPS friendly at the moment and are still operating on HTTP. The Trusted Stores program is supposed to allow you to shop online with confidence, and AdSense is a free advertising system, but why are these Google products not on HTTPS yet if Google has said everyone needs to make the switch? A Wall Street Journal article by Rolfe Winkler lays it all out in the headline of the article- Google wants site to use encryption, except when it doesn’t. So what is the story?
“Google wants websites to use encryption, to protect themselves and users from hackers. Unless they are e-commerce sites, in which case Google doesn’t want them to use encryption too widely,” says Winkler.
Problems On Trusted Stores and AdSense
Image courtesy of Google
You would think that these e-commerce sites would be automatically protected. Here’s an example what has happened with Trusted Stores. According to Winkler, Google recently sent an email to one business owner explaining that the Trusted Stores badge is designed to be suppressed and not show up on secure pages after he questioned why not all of his pages could be converted to HTTPS. Trusted Stores badges are basically supposed to convey to customers that your site is protected, and most confusingly a badge is supposed to be displayed on all pages of your site according to program guidelines, although Google says sometimes badges won’t show up on every page. Seems confusing and paradoxical! Apparently Trusted Stores requires that checkout pages be encrypted, but “non-sensitive” pages like a website’s homepage and product listings do not have to be and will simply not be encrypted in the future. In fact they’re not even compatible, according to Winkler.
Image courtesy of EFF designer Hugh D’Andrade
The business owner in question says he does not currently have a Trusted Stores badge because he apparently uses encryption too widely, according to Winkler. He does have a badge from Symantec’s Norton security service, however and has experienced no problems with it.
“Google’s e-commerce certification program requires that the Trusted Stores badge be displayed on every page of a site, yet by design Google does not show the badge on secure pages, which have typically been shopping cart pages,” says Ginny Marvin in a Marketing Land article. “The problem arises when a site goes from having just cart pages secured to converting an entire site to HTTPS.”
What can happen when some pages use HTTPS and some don’t?
“Encrypting only some pages of a website can leave the site open to cyberattacks like ‘sidejacking,’ where a hacker intercepts a Web user going to an unencrypted page, feeds the user a forged page that looks authentic, and baits them into providing personal information,” says Winkler.
Here’s an AdSense example of when converting early to HTTPS failed. An AdSense publisher had heard about the potential SEO benefits of moving to HTTPS and immediately converted his site, according to Marvin, but he quickly switched back to HTTP three weeks later after seeing his site’s ad revenues and cost per clicks take a huge nosedive, going down 43 percent and 39 percent respectively. After switching back to HTTP, the numbers went back to normal, so it remains to be seen what SEO benefits are really occurring as promised.
According to Winkler, Google has an HTTPS support section on AdSense but even recommends publishers not switch to HTTPs unless they have a strong reason to do so. Google also acknowledges that if you do convert, your ads on HTTPS might earn less because, “HTTPS ads don’t compete in auctions with HTTP ads. There are still a large percentage of HTTP ads in the system, and ad rates decline without them competing in the auction,” Winkler explains.
What’s Up Next In the HTTPS Debate
Image courtesy of Google Chrome
So what’s next in the future? Winkler says Google’s priority is to come up with a solution to display the badge that will help stores that are following the previous directions of converting their entire site to HTTPS. In our opinion, Google should also try to resolve some of the confusion of which Trusted Stores pages need to be secure or frankly make every single page secure by switching over to HTTPS.
“There is a communications problem when Google’s own ecosystem lags behind its SEO recommendations and its program that’s designed specifically to certify trustworthy e-tailers doesn’t support HTTPS,” Winkler says.
Image courtesy of Fibonacci Blue
A Search Engine Land article by Daniel Cristo says Google’s push for HTTPS was more about public relations than search quality. He says these efforts are part of a larger plan Google has for improving its security or at least looking like it’s taking steps to increase overall security. Google has a campaign called “HTTPS Everywhere,” and he says Google is trying to get back at the National Security Agency for making it look bad after all the scandal last year. And Cristo says the truth is, HTTPS really only protects against a certain number of vulnerabilities, and it’s pretty useless unless it’s used for e-commerce sites and social networks.
“For all the blogs, news sites, brand brochure-type sites or any information site that doesn’t require a member login, HTTPS is useless. It’s like the post office telling you to that all your mail needs to be written in secret code,” Cristo says.
Cristo also cites the example of Google announcing a few years that page speed would be an SEO ranking factor, but hardly anyone ever noticed a difference. It’s safe to say that HTTPS as a ranking signal might just be a passing fad as well.
Any of this making sense to you?? We recommend holding off on a switch until all these issues are resolved unless you run a social network or e-commerce site. Those with websites that don’t provide users with personal information don’t need to worry yet. Have you experienced any issues like this or moved your website over to HTTPS yet? Leave us a comment below or interact with us on social media to share your story.