The other day, I interviewed Gary Illyes of Google and he said that the only factor Google looks at for the HTTPS ranking boost is if the URL is listed with HTTPS or not.
This is not new news, we knew HTTPS was the only signal back in 2014 and validity doesn't matter.
But like I said in my coverage in my interview, this is still the case. Google will give the ranking boost to HTTPS pages even if they are not secure. Be it mixed content errors, broken certificates, etc.
He said the HTTPS signal, "basically looking at the first five characters in front of the URL, and if it's HTTPS and it managed to get in the search results and it will get a minimal boost."
Here is the audio file:
Gary Illyes added that sometimes Google will have a hard time serving in the Google results certain types of broken HTTPS pages:
@glenngabe if there are active insecure dependencies then that URL will have a hard time ending up I'm serving
— Gary Illyes (@methode) October 18, 2016
And if the HTTPS is not listed, it won't get the boost:
@glenngabe @methode If we don't show it with HTTPS in search, it won't get the boost.
— John Mueller (@JohnMu) October 18, 2016
Here is a bit more:
@glenngabe @JohnMu there's a HUGE difference security wise between active and passive mixed source, keep that in mind
— Gary Illyes (@methode) October 18, 2016
You can see the full transcript over here.
Are you surprised by this?
Forum discussion at Twitter.
