Key Takeaways:
- HTTPS has been an official Google ranking factor since 2014
- Browsers actively warn users about insecure HTTP websites
- Migration requires careful planning to avoid jeopardizing rankings
The small padlock icon in the browser address bar is more than just a visual element. It signals to visitors that their connection is encrypted, that their data is protected. For Google, it's a trust signal that factors into rankings.
Websites without HTTPS face a double problem today: Browsers like Chrome mark them as "Not Secure," which deters visitors. At the same time, Google prefers encrypted websites in search results. Those still using HTTP lose on both fronts.
How SSL and HTTPS Work
SSL stands for Secure Sockets Layer – a protocol for encrypting data between browser and web server. Its more modern successor is TLS (Transport Layer Security), which is still colloquially referred to as SSL.
When a visitor accesses an HTTPS website, the following happens: The browser requests the server's SSL certificate. It checks whether the certificate is valid and issued by a trusted authority. Then an encrypted connection is established through which all data flows.
This encryption protects against various attacks. Man-in-the-middle attacks, where attackers intercept data traffic, are prevented. Passwords, credit card data, and personal information remain confidential. Without encryption, anyone on the same network – such as in public WiFi – can read the data traffic.
HTTPS as a Ranking Factor
Google officially declared HTTPS a ranking signal in 2014. The reasoning was clear: Security on the web should be the standard, not the exception. Since then, the algorithm prefers encrypted websites over unencrypted ones.
How strongly does HTTPS affect rankings? As a single factor, the influence is moderate. Google itself initially called it a "lightweight signal." But in combination with other factors, it can make the difference. Between two otherwise equal pages, the one with HTTPS wins.
The indirect influence may be stronger. Users who see a "Not Secure" warning leave the page more often. The bounce rate increases, dwell time decreases. These user signals also affect rankings.
Types of SSL Certificates
Not all SSL certificates are equal. They differ in validation depth, price, and trust level.
| Certificate Type | Validation | Suitable For |
|---|---|---|
| Domain Validated (DV) | Domain ownership only | Blogs, small websites |
| Organization Validated (OV) | Domain + company identity | Business websites |
| Extended Validation (EV) | Comprehensive company verification | Banks, online stores |
Domain-Validated certificates are the fastest and cheapest to obtain. Let's Encrypt offers them for free. Validation happens automatically – you simply prove that you control the domain.
Organization-Validated certificates require verification of your company identity. This takes longer and costs more but signals additional trust to visitors.
Extended-Validation certificates go through the strictest verification. Previously, the company name was displayed in green in the address bar – though modern browsers have removed this visual feature.
Planning the HTTPS Migration Properly
An HTTPS migration is technically a domain change. All URLs change from http:// to https://. Without careful planning, rankings and traffic can be lost.
The first step is inventory. List all URLs that need to be migrated. Not just the main pages, but also images, scripts, stylesheets, and other resources. An XML sitemap can serve as a starting point.
Then configure the SSL certificate on your server. The exact steps depend on the hosting provider – many now offer one-click installations for Let's Encrypt.
After installation, you must set up redirects. Every HTTP URL must 301-redirect to the HTTPS version. This also applies to the www and non-www variants of your domain. Learn more about redirects in our guide.
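The redirect rule above can be checked mechanically once a crawler has recorded the status code and Location header of each old URL. The following is an added example, not part of the original article; the host names, the choice of www.example.com as the canonical host, and the recorded responses are constructed assumptions.

```python
from urllib.parse import urlsplit

CANONICAL_HOST = "www.example.com"  # assumption: the www variant is the canonical host

# Constructed sample: URL -> (status code, Location header) as a crawler recorded them.
OBSERVED = {
    "http://example.com/": (301, "https://www.example.com/"),
    "http://www.example.com/pricing": (302, "https://www.example.com/pricing"),
    "http://example.com/blog": (301, "http://www.example.com/blog"),
    "http://www.example.com/blog": (301, "https://www.example.com/blog"),
    "http://www.example.com/old": (200, None),
    "https://example.com/": (301, "https://www.example.com/"),
}

def audit_redirect(url, observed, canonical_host=CANONICAL_HOST, max_hops=5):
    """Follow the recorded redirects from url; return a list of findings (empty = OK)."""
    findings, hops, current = [], 0, url
    while hops < max_hops:  # max_hops also guards against redirect loops
        # URLs without a recorded response are treated as the final 200 page.
        status, location = observed.get(current, (200, None))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        if status != 301:
            findings.append(f"{current}: {status} instead of 301")
        if urlsplit(location).scheme != "https":
            findings.append(f"{current}: redirects to plain HTTP ({location})")
        current, hops = location, hops + 1
    final = urlsplit(current)
    if final.scheme != "https":
        findings.append(f"ends on {current}, not HTTPS")
    elif final.hostname != canonical_host:
        findings.append(f"ends on host {final.hostname}, expected {canonical_host}")
    if hops > 1:
        findings.append(f"{hops} hops; redirect straight to the final URL")
    return findings

def audit_all(observed):
    """Audit every recorded start URL; return only those with findings."""
    return {u: f for u in observed if (f := audit_redirect(u, observed))}

if __name__ == "__main__":
    for url, problems in audit_all(OBSERVED).items():
        print(url, "->", "; ".join(problems))
```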
Avoiding Mixed Content
A common problem after migration: Mixed content. The page itself loads over HTTPS, but embedded resources like images or scripts are still loaded over HTTP. Browsers block such resources or display warnings.
Check all internal links and embedded media. Relative URLs are safer than absolute ones because they automatically use the correct protocol. Instead of "http://example.com/image.jpg", write "/image.jpg" or "//example.com/image.jpg".
External resources like embedded fonts, analytics scripts, or social media widgets must also support HTTPS. Most major providers have long done this – but older embeds might still use HTTP.
Browser developer tools help with diagnosis. The console shows mixed content warnings and names the problematic URLs.
Updating Canonical Tags and Internal Linking
After migration, all references must point to the new HTTPS URLs. This especially concerns canonical tags. If an HTTPS page has a canonical pointing to the HTTP version, it sends confusing signals to Google.
Also check your internal linking. Ideally, all internal links should point directly to HTTPS, without the detour through a redirect. This saves server resources and speeds up crawling.
The robots.txt and XML sitemap must also be updated. The sitemap should only contain HTTPS URLs. In robots.txt, you can explicitly reference the HTTPS sitemap.
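The mixed content check and the canonical and internal link checks described in the last two sections can be run over saved HTML instead of page by page in the browser console. This is an added example, not part of the original article; the sample page, its host names and the finding labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute makes the browser load a subresource.
SRC_TAGS = {"img", "script", "iframe", "audio", "video", "source"}

class MigrationAudit(HTMLParser):
    """Collect http:// leftovers on one page that is served from page_url (https)."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "link" and "canonical" in rel:
            kind, value = "http-canonical", a.get("href")
        elif tag == "link" and "stylesheet" in rel:
            kind, value = "mixed-content", a.get("href")
        elif tag in SRC_TAGS:
            kind, value = "mixed-content", a.get("src")
        elif tag == "a":
            kind, value = "http-internal-link", a.get("href")
        else:
            return
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the HTTPS page first.
        url = urljoin(self.page_url, value)
        parts = urlsplit(url)
        if parts.scheme != "http":
            return
        if kind == "http-internal-link" and parts.hostname != self.site_host:
            return  # outbound link to another site: not part of this migration
        self.findings.append((kind, tag, url))

def audit_page(page_url, html):
    parser = MigrationAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page, as it might look right after a migration.
SAMPLE = """<html><head><link rel="canonical" href="http://example.com/shoes">
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.net/widget.js"></script></head><body>
<img src="//example.com/img/a.jpg"><img src="http://example.com/img/b.jpg">
<a href="http://example.com/cart">Cart</a><a href="http://other.example.org/">Partner</a></body></html>"""
```

Calling `audit_page("https://example.com/shoes", SAMPLE)` reports the HTTP canonical, the HTTP script and image, and the internal HTTP link; the relative and protocol-relative URLs resolve to HTTPS and pass.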
Verifying in Google Search Console
HTTPS and HTTP are considered different properties by Google. After migration, you must add and verify the HTTPS version of your website in Google Search Console.
Submit the updated sitemap. Monitor indexing in the following weeks. It's normal for rankings to fluctuate briefly while Google processes the new structure.
Watch for errors in the reports. If Google encounters mixed content or missing redirects, corresponding notices will appear.
Performance Implications
A common misconception: HTTPS makes websites slower. That might have been true ten years ago. Today, the opposite is the case.
HTTP/2, the most modern HTTP protocol, only works with HTTPS. It offers significant performance advantages through multiplexing, header compression, and server push. An HTTPS website with HTTP/2 is often faster than an HTTP website with HTTP/1.1.
The SSL handshake costs minimal time – typically a few milliseconds. This overhead is more than offset by the advantages of HTTP/2. Find more tips on website speed in our performance guide.
Common Migration Mistakes
Migrations don't always go smoothly. Some errors occur regularly and can be avoided.
Forgotten redirects are the biggest problem. If not all HTTP URLs redirect, duplicate content problems arise. Google then sees two versions of each page and must decide which is canonical.
Expiring certificates are embarrassing and dangerous. Browsers display dramatic warnings that scare away visitors. Set up automatic renewal or create calendar reminders.
Incorrect certificate configuration often affects subdomains. A certificate for example.com doesn't automatically apply to www.example.com or blog.example.com. Wildcard certificates (*.example.com) solve this problem.
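Both certificate mistakes above, approaching expiry and hostnames the certificate does not cover, can be monitored with Python's standard `ssl` module. This is an added example, not part of the original article; the sample certificate, the host list and the 30-day warning threshold are constructed assumptions. It also shows that a wildcard such as *.example.com covers exactly one label, so the bare example.com still needs its own entry in the certificate.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notAfter": "Mar 15 12:00:00 2031 GMT",
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.org")),
}

def fetch_cert(host, port=443):
    """Live use: fetch the validated server certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_until_expiry(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(expires, timezone.utc) - now).days

def name_matches(pattern, host):
    """Match one DNS name entry; '*' stands only for the whole left-most label."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*.example.com' covers neither 'example.com' nor 'a.b.example.com'
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def uncovered_hosts(cert, hosts):
    """Return the hostnames that no DNS entry in the certificate covers."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in hosts if not any(name_matches(s, h) for s in sans)]

def check(cert, hosts, warn_days=30, now=None):
    left = days_until_expiry(cert, now)
    return {"days_left": left, "renew_now": left < warn_days,
            "uncovered": uncovered_hosts(cert, hosts)}
```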
Test your SSL configuration with the SEO Analyzer and check whether your website meets all technical requirements.
Frequently Asked Questions
Do I need HTTPS even without login or payment processing?
Yes. Google makes no distinction between websites with and without sensitive data. All websites benefit from the ranking boost and the trust signal of the padlock icon. Browsers warn about all HTTP pages, not just those with forms.
How much does an SSL certificate cost?
From free to several hundred dollars per year. Let's Encrypt offers free DV certificates that are sufficient for most websites. More expensive certificates offer extended validation or additional insurance that may be relevant for businesses.
Can I install a certificate myself?
With many hosting providers, yes. Most offer one-click installations for Let's Encrypt. For more complex setups or if you have full control over the server, some technical knowledge is required. When in doubt, hosting support can help with setup.