TLS / SSL(TLS)

Long definition

When you say "SSL certificate", you almost always mean a TLS certificate. SSL 2.0 and 3.0 are deprecated and disabled in every modern browser. TLS 1.0 and 1.1 were deprecated by all major browsers in 2020. The active protocols are TLS 1.2 (2008) and TLS 1.3 (2018, RFC 8446).

What TLS does, in one paragraph: it negotiates an encrypted, authenticated channel between the browser and the server. The certificate proves the server's identity (issued by a trusted CA — Let's Encrypt, DigiCert, etc.); the handshake derives session keys; everything sent after the handshake is encrypted and tamper-evident. TLS 1.3 cut the handshake from two round trips to one (and zero with 0-RTT resumption), which is why it shows up in performance audits.

For SEO, the rules are simple:

• HTTPS site-wide. Mixed HTTP/HTTPS is treated as duplicate content and creates mixed-content warnings on HTTPS pages. Migrate the entire site, then 301 every HTTP URL to its HTTPS counterpart.
• Valid certificate. Expired, self-signed, or hostname-mismatched certificates trigger browser warnings that crater traffic. Automate renewal — Let's Encrypt's free 90-day certificates are the default for most stacks now.
• Modern protocols only. Disable TLS 1.0/1.1. Enable TLS 1.3. Tools like SSL Labs' Server Test grade the configuration.
• Correct chain. Missing intermediate certificates cause failures on Android and older clients but pass on desktop Chrome. Always test from multiple clients.

Since August 2014 Google has confirmed HTTPS is a ranking signal, calling it "lightweight" — under 1% of weight, used as a tiebreaker. The bigger gains are indirect: trust signals to users, prerequisites for HTTP/2 and HTTP/3 (both HTTPS-only in browsers), and access to modern web APIs (Service Workers, geolocation, payment) gated behind secure contexts.

Common misconceptions

• "SSL and TLS are different things." They're the same family of protocol; TLS is the post-1999 name. Industry vocabulary still uses "SSL" because product names ("SSL certificate") stuck. The certificate works for TLS regardless of what marketing calls it.
• "Paid certificates rank better than Let's Encrypt." They don't. Google has stated repeatedly that the certificate type and issuer don't influence rankings. Free Domain-Validated certificates from Let's Encrypt give the same ranking signal as paid Extended-Validation certificates.
• "HTTPS slows the site down." TLS 1.3 plus modern hardware adds milliseconds, not seconds. HTTP/2 (HTTPS-only) and HTTP/3 typically make HTTPS sites faster than equivalent HTTP through multiplexing and reduced round trips.
• "A green padlock means the site is safe." It means the connection is encrypted and the certificate matches the hostname. Phishing sites can have valid certificates. The padlock proves transport security, not site trustworthiness.