Letsencrypt's validity duration affecting SE ranking?


#1

Hello all.

I have been told that search engines (such as google) will not rank my site higher if I use letsencrypt compared to an EVSSL because:

  1. 90 day validity
  2. DV only as opposed to EV.

I think both reasons are false/invalid. The only benefit of EV is that greenbar (fluff?). I believe a LE cert and an EV cert is equally valued by SEs.

Can any one confirm? With proof if possible.


#2

For Google at least according to their documentation the type of certificate doesn’t matter, just that it’s correctly installed, there’s no mixed content and the server doesn’t have SSLv3 or any other outdated things enabled.


#3

thanks for the link though I have seen it before. Google refers to Qualys/ssllabs where my LE cert gets A+.

I wasn’t able to find any specific info on this topic. That’s why I’m asking here.


#4

Using Let’s Encrypt certificates will not result in a lower search engine ranking than using an EV certificate. Google themselves uses 90-day certificates.


#5

Thanks @jsha .

This argument is being used by commercial SSL companies to deter users from using letsencrypt. I think you should add this point somewhere in Frequently Asked Questions (FAQ) .


Misused certificates
#6

Yes, FUD is still alive and well.


#7

Thanks for the info @CvP! Can you tell me which ones?


#8

Stunning! :slight_smile: Thanks for sharing.


#9

@CvP Can you answer to @jsha 's question?


#10

@Jason I’ve given him my answer privately. Thanks.


#11

The point is another one: If google wants to determine, if your site really belongs to “company X”, an EV-cert for “company X” gives them this information. If you only want to be domainX.tld, you only need a domain-validated certificate for that.

btw: don’t buy all SEO stuff, there are a lot of myths and there are good reasons why google doesn’t disclose much. Having working TLS and correct xHTML is of course a plus, as google can assume a better user experience, but won’t help you much if you target specific keywords.


#12

@allo, good point. But I believe google does it by using google+ where you can list your business and website and get verified. When someone searches the website, the company info comes up.

I know :slight_smile:


#13

curious - how did you get the A+? I can only work mine up to an A


#14

Just view their guide and see where you are lacking.
Esp:

  • Only allow TLS1.2
  • Forward Secrecy
  • Staple
  • HSTS
  • and only allow strong cipher suites

#15

I haven’t found a guide thereon - must be missing something.

I’m not doing stapling - pretty sure everything else is right, however


#16

if it’s about antipaucity.com HSTS is missing. Beware, it’s a strong commitment. Note that supporting only tls1.2 is not necessary to get A+ but affects compatibility a lot.


#17

I can confirm CvP is correct, I’m getting an A+ as well. To get the + I think you’ll need both HSTS and Stapling.

Don’t go overboard with the ciphers, though. I used Mozilla’s “Modern” cipher list and the Android ownCloud client could no longer connect! I relaxed the ciphers but I’m still only allowing TLS 1.2. I’m not getting 100% for key or cipher strength, but I’m still getting A+ :slight_smile:


#18

well it’s not just 1.2 only.
1.2 and 1.1 essentially have almost the same compatibility as 1.2 so you need 1.0 as well for broader support.
also it’s not just TLS version. 1.2 wont help you if you would have Rc4 active, just as example.


#19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.