Blog Post

Google strengthens web encryption drive by making HTTPS a ranking issue

Stay on Top of Enterprise Technology Trends

Get updates impacting your industry from our GigaOm Research Community
Join the Community!

Google(s goog) has begun giving better search rankings to websites that use secure, encrypted connections to transmit customer data.

Late Wednesday, the company said it was starting off by taking a site’s use of HTTPS – the web address prefix that denotes secure “TLS” connections — as a light signal, “affecting fewer than 1 percent of global queries, and carrying less weight than other signals such as high-quality content.” However, it may take it as a stronger signal in future.

Google itself defaults to HTTPS connections in its Search, Gmail and Drive products, meaning that data is encrypted as it flows between the user and Google’s servers – it stepped up this security push in March, as the fallout of the 2013 Snowden revelations pushed the big web giants to better protect their customers. (The company also offers stronger Gmail encryption through a Chrome plugin called End-to-End, though generally it doesn’t encrypt emails as they are being stored, because it wants to scan them for marketing keywords.)

However, while some companies are pushing for greater security, an awful lot of the open web doesn’t use encryption to protect users’ communications and activities, and that’s a big concern for the engineers who create and manage web protocols. Indeed, the upcoming second version of the Hypertext Transfer Protocol (HTTP) may only work with HTTPS addresses.

That makes Google’s ranking move a smart and necessary one – it will encourage webmasters to make the upgrade, and ultimately it will give Google users a safer experience when they click on search result links. The web security and content delivery outfit CloudFlare has already reacted to the move by saying recent changes it’s made will allow it to roll out secure connections for all its customers by mid-October, even for free customers.

“When we do, the number of sites that support HTTPS on the Internet will more than double,” CloudFlare said. “That they’ll also rank a bit higher is pretty cool too.”

Many will argue that their pages and sites don’t need that extra security, of course, but I think that if ranking is an issue for them, that means the public is an issue for them. And if the public is an issue, then joining a wider encrypt-all-the-things drive to protect that public from hackers and mass surveillance is the right thing to do.

Ultimately, we should be living in a world where an insecure connection raises eyebrows.

4 Responses to “Google strengthens web encryption drive by making HTTPS a ranking issue”

  1. CA Security Council

    Google’s announcement that it will give priority ranking to SSL enabled sites is a key milestone for increased use of SSL on the Internet.

    Google announced a change to its ranking algorithm to include use of SSL on the site as a “very lightweight [positive] signal”. Although, this might not have an immediate impact to website owners/operators that are not currently using SSL, this is still an important signal indicating everyone should be prepared to encrypt all their websites if they want to remain relevant.

    Google had stated its intentions at its IO 2014 conference on HTTPS Everywhere, stating that all sites should use SSL because it provides:

    Authentication: Information on whom am I talking to
    Data Integrity: Information on whether anyone has tampered with site data
    Encryption: Assurance that no one else can see my conversation

    Now that Google has put its weight behind these SSL benefits, this algorithm change is likely only the first step in a series of steps to promote HTTPS Everywhere. We at the CA Security Council ( think it’s a good start.

  2. nbecker

    Did you know that on long latency connections (e.g., satellite), https is a real performance killer? There is a cost to https. It should NOT be used everywhere for no good reason.

    • harry_wood

      Yes. And on the server-side it’s my understanding that HTTPS can make an apache server work much harder for certain types of content. High traffic on image files for example.

      Also SSL certificates are not free (Normally…. I see StartSSL is free actually, but will charge you if you need to revoke) So we’re building a web which you have to pay to be part of now are we?

      Seems we’re swimming against the tide with these complaints though.