According to data from MozCast, more than half of all results on the first page of Google searches are now HTTPS. This is only one data set, of course, but it shows an increase from 30% over the past nine months – a pretty steady rate of growth by all accounts.

These numbers were later backed up by findings from Rank Ranger, which runs an independent system of its own and came close to Moz’s 50% evaluation. So it seems the mass migration over to HTTPS is in full swing, but what does this mean if you haven’t migrated over to HTTPS yet?

Is Google favouring HTTPS results?

Google said pretty early on in its HTTPs campaign that secure encryption would be a ranking factor. However, it also said: “for now it’s only a very lightweight signal”. While, in October last year, Gary Illyes – the man credited with writing the HTTPS boost signal – reconfirmed that secure sites only get “a minimal boost”.

So has this changed, given the fact roughly half of all results on Google are now HTTPS? Well, no, probably not. Without any major fluctuations in these figures you can pretty much rule out any algorithm change that’s affected the weighting of HTTPS as a ranking factor.

Instead, it seems Google is getting its way with the migration over to secure encrypt and site owners are gradually making the move by their own accord.

This doesn’t mean Google hasn’t considered the idea of increasing reward for HTTPS certificates. In fact, it seems Gary Illyes and co. were contemplating the idea at the beginning of this year but decided against boosting secure encryption as a ranking signal.


Which poses the obvious question: how long before Google decides to make HTTPS a more significant ranking factor (assuming it does)?

How does Google evaluate sites

If you were hoping Google had some kind of sophisticated method for grading the security of websites, you’ll be disappointed. In an interview with Barry Swartz last year, Gary Illyes revealed the highly scientific process Google’s algorithm goes through when analysing HTTPS sites.

“It’s based on the first one, two, three, four… five characters,” he said.

That’s right. Google simply reads the first five characters of your URL and if there’s an “s” before that colon, you’re marked as a secure site. That’s it. So Google isn’t actually verifying if the certificate of your site is even valid, let alone checking for security features on your forms or other vulnerable parts of your site. If you have that all-important “s” on the end of your HTTP, you’re in. Which kind of cheapens the whole concept, considering it’s quite possible to get HTTPS certification on insecure sites and pages.

Have you made the move over to HTTPS yet? If so, let us know your thoughts, and feel free to get in touch if you’re yet to make the move and worried about the technical side of getting your site encrypted.