Websites that don't support HTTPS connections may soon be less prominent in Google search results.
Eavesdropping On A New Level
(Click image for larger view and slideshow.)
Google has begun considering the security of websites as a factor in how it ranks them in its search index, a shift that can be expected to increase support for encrypted HTTPS connections at websites.
In a blog post on Thursday, Zineb Ait Bahajji and Gary Illyes, webmaster trends analysts at Google, said that Google has been testing support for encrypted connections at websites as a search ranking factor.
"We've seen positive results, so we're starting to use HTTPS as a ranking signal," they said.
In other words, Google finds that testing whether websites support HTTPS, among its many ranking signals, improves the relevancy of its search results. As a consequence, any website concerned about where it ranks in search result lists -- which means most websites -- will want to implement HTTPS support if it hasn't already.
Ait Bahajji and Illyes note that security is not a dominant ranking factor. It counts for only a little in the overall rank of a website, affecting less than 1% of global queries. Google still considers the quality of the content on a website more important as a ranking signal than its security.
"But over time, we may decide to strengthen [HTTPS support as a ranking signal], because we'd like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the Web," Ait Bahajji and Illyes said.
Sam Taylor, head of SEO at design and marketing firm Studio24, said in a blog post that his firm is recommending that "all new and existing clients should have an SSL certificate on their website to improve security of users and improve search engine ranking."
Switching from unencrypted HTTP to HTTPS involves obtaining an SSL/TLS certificate from a certificate authority (CA) and installing the digital certificate on the relevant server. HTTPS is simply a term for unencrypted HTTP with SSL/TLS added for security. Web hosting companies usually sell SSL/TLS certificates. StartSSL offers a several tiers of certificate, including a free one.
Google in June introduced an invitation-only domain registration service called Google Domains, nine years after it paid to become an ICANN-accredited domain registrar. Google Domains offers a handful of services but doesn't (yet?) sell SSL/TLS certificates. Nevertheless, some of its website building partners, including Squarespace and Shopify, offer some form of SSL support.
Google has tried to advance online security for years and was among the first consumer Internet companies to adopt two-factor authentication for logins. In the wake of the revelations arising from documents leaked by former NSA contractor Edward Snowden, Google and other online companies have accelerated their implementation of security technology. In March, for example, Google made encrypted HTTPS connections mandatory for Gmail, and then in June it added experimental support for end-to-end encryption through a Chrome extension.
HTTPS does not guarantee security -- it's been suggested that the NSA can break it -- but it offers better protection than HTTP.
Cyber criminals wielding APTs have plenty of innovative techniques to evade network and endpoint defenses. It's scary stuff, and ignorance is definitely not bliss. How to fight back? Think security that's distributed, stratified, and adaptive. Get the Advanced Attacks Demand New Defenses report today. (Free registration required.)
Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio
Security Job #1 For FedsThe 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - itís rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?