HTTPS
HTTPS is the HTTP protocol running on top of a TLS encryption layer, securing the communication between a website and a user's browser to provide confidentiality, integrity, and authentication. Google has used HTTPS as a lightweight ranking signal since 2014.
- HTTPS is the HTTP protocol encrypted with TLS, guaranteeing the confidentiality, integrity, and authentication of traffic between a user and a server.
- Google introduced HTTPS as a ranking signal on August 6, 2014, but described it as a lightweight signal affecting fewer than 1% of all queries.
- HTTPS and SSL/TLS are not the same thing: HTTPS is the "HTTP-over-TLS protocol," while SSL/TLS is the underlying layer that performs the encryption beneath it.
- Migrating from HTTP to HTTPS requires care with 301 redirects, removing mixed content, and getting canonical and robots settings right.
- Many modern browser features such as geolocation, service workers, and PWAs work only over an HTTPS connection.
HTTPS Defined
HTTPS (HyperText Transfer Protocol Secure) is the web communication protocol HTTP run on top of a TLS (Transport Layer Security) encryption layer. It encrypts every resource exchanged between the user's browser and the web server (HTML, images, scripts, cookies, and so on) so that a man in the middle can neither eavesdrop on the contents (confidentiality) nor tamper with them (integrity), and it confirms that the server you connect to really is the legitimate server for that domain (authentication). The padlock icon in the address bar and the https:// prefix signal this secure connection.
HTTPS vs. SSL/TLS
The two terms are often used interchangeably, but they sit at different layers. HTTPS is an application-layer "protocol," whereas SSL/TLS is the "encryption layer" beneath it that actually performs the encryption, key exchange, and authentication. In other words, HTTPS is HTTP placed on top of TLS to add security, and SSL is the older name for TLS.
| Aspect | HTTPS | SSL/TLS |
|---|---|---|
| Nature | HTTP + TLS protocol | Encryption layer (a protocol in its own right) |
| Role | Delivers web traffic over a secure channel | Handles key exchange, encryption, and server authentication |
| Position | Application layer | Above the transport layer (beneath HTTP) |
| Relationship | Depends on SSL/TLS | The foundation technology HTTPS relies on |
SEO Impact as a Lightweight Ranking Signal
On August 6, 2014, Google announced on its official blog that it would begin using HTTPS as a search ranking signal. It made clear, however, that this is a "very lightweight" signal that affects fewer than 1% of all queries and carries less weight than other signals such as high-quality content. The intent of the announcement was not to hand HTTPS sites an immediate, large ranking reward, but to encourage the spread of "HTTPS everywhere" across the web. Google added that it might gradually strengthen the weight given to secure connections over time.
Migration Considerations
When moving from HTTP to HTTPS, check the following to preserve indexing and rankings.
- 301 redirects: Set up permanent redirects from each HTTP URL to its corresponding HTTPS URL to carry over link equity and indexing.
- Mixed content: If an HTTPS page still loads images, scripts, or styles over HTTP, the browser will block them or show a warning, so unify every internal resource on HTTPS.
- Crawl access: Make sure you don't block HTTPS pages with robots.txt or noindex meta tags, so search engines can index them normally.
- Canonical tags: Point rel=canonical at the HTTPS URL to prevent duplicate indexing.
- Certificates: Choose a single-domain, multi-domain, or wildcard certificate that fits your site structure, and use a 2048-bit key as Google recommends.
Supporting Evidence
The Google Search Central blog (2014-08-06) stated, when introducing HTTPS as a ranking signal, that its impact affects "fewer than 1% of global queries," and it offered using 301 redirects, 2048-bit key certificates, allowing crawling, and rel=canonical as a getting-started guide. The web.dev article "Why HTTPS matters" explains that HTTPS provides protection against tampering (integrity) and against eavesdropping (confidentiality) for traffic between users and sites, and that many modern web features such as the geolocation API, service workers, and PWAs are predicated on HTTPS.