Yesterday, Google posted they were adding HTTPS as a search rank signal. This means if your site supports HTTPS your search results will be ranked higher. So far they’re only adding it as a “very weak” signal, so it’ll still be trumped by almost all the other rankings they use, but they’ve also said they may make it stronger over time.
This is a great move. There are far too many places where HTTPS should be used and isn’t, from personal blogs with admin logins to large websites taking your personal data. Banks and most shopping sites have it locked down – marketing sites and smaller organizations not so much. It’s frequently seen as a “nice to have” feature for smaller sites, which is unfortunate because adding it isn’t that difficult or expensive anymore.
I’ve had a full-site redirect from HTTP->HTTPS on my personal site for a while now, and I used a free SSL certificate from www.startssl.com. They’re definitely more technically focused, not as user friendly as one of the more consumer providers like GoDaddy, and I wouldn’t use their free certificates for a business site, but the free cert is good enough for my purposes. And most paid certificates start at the $50-75/year range, which is not a lot if you’re running a business that relies on users trusting your web site.
When I started managing web servers back in the mid-’90s you had to carefully consider the technical implementations of adding HTTPS to a website because it added a huge processing requirement on the server. In many cases for large sites it was advisable to offload the SSL processing to an appliance in front of the server such as the load balancer or firewall. These appliances had add-in cards you could buy with custom processors specifically designed for handling high-volume HTTPS traffic.
These days, with the huge jumps in processor power in the past few decades, you can run HTTPS on your web server directly and won’t normally see more than a few percent increase in CPU usage. And with cloud architectures you can easily scale larger sites horizontally to add more processing power if it becomes an issue, which wasn’t easy back when we all had websites running on our own physical hardware. But realistically at this point it’s much more likely that any applications in your site will become a bottleneck before HTTPS processing.
There is some performance hit at the application protocol level, because HTTPS needs a much more extensive handshake process to exchange SSL information and set up the secure connection, but with HTTP pipelining, which has been available since HTTP/1.1, this is done once per site visit (ish) and then all subsequent communications reuse the same connections.
Given these advances, there’s not really any excuse not to run HTTPS everywhere these days, which you’re seeing more and more with larger sites. Sure, you need to understand how to configure your web server to support it and you have to get an SSL certificate and update it every year, but there are lots of tutorials and most SSL certificate providers have pretty good instructions. If you’re just running a small site you’re usually better off going with a hosting service anyway, and they should provide you with HTTPS if you use their domain or your own for a small fee. If not, get another provider.
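Once the server is configured, it is worth checking that the HTTP->HTTPS redirect really covers the whole site and not just the home page. The script below is an added example, not code from this post: `check_redirect`, `audit_demo`, the host `example.test` and the deliberately misconfigured local demo server are all constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def check_redirect(host, port, path, site):
    """GET path over plain HTTP; return a list of problems (empty list = OK)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": site})
        resp = conn.getresponse()
        resp.read()
    finally:
        conn.close()
    if resp.status not in (301, 308):  # content served, or only a temporary redirect
        return [f"status {resp.status} is not a permanent redirect"]
    location = resp.getheader("Location", "")
    target, want = urlsplit(location), urlsplit(path)
    problems = []
    if target.scheme != "https":
        problems.append(f"Location {location!r} is not an https URL")
    if target.hostname != site:
        problems.append(f"redirect leaves the site: {target.hostname!r}")
    if (target.path or "/", target.query) != (want.path, want.query):
        problems.append(f"path or query not preserved: {location!r}")
    return problems

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed misconfigured site: /admin is still answered over plain HTTP."""
    def do_GET(self):
        plain = self.path.startswith("/admin")
        self.send_response(200 if plain else 301)
        if not plain:
            self.send_header("Location", f"https://example.test{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo output quiet
        pass

def audit_demo(paths=("/", "/post?id=7", "/admin/login")):
    """Run the check against the local demo server and return {path: problems}."""
    with HTTPServer(("127.0.0.1", 0), DemoHandler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return {p: check_redirect("127.0.0.1", server.server_port, p,
                                      "example.test") for p in paths}
        finally:
            server.shutdown()

if __name__ == "__main__":
    for path, problems in audit_demo().items():
        print(path, "OK" if not problems else problems)
```

To audit a real site, call `check_redirect` with your own hostname, port 80 and a list of paths that includes any login or admin pages.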
Google’s push will also allow the wider spread of things like the SPDY protocol, which requires HTTPS to function. This is something I’d like to try implementing more widely.
Next I hope Google adds IPv6 support as a ranking signal; that might be the kick the Internet needs to finally get IPv6 adoption moving in earnest. :)