Google has tweaked its search algorithm to give a slight priority to Web sites that use HTTPS encryption for improved security. Google has been doing more to promote the use of "HTTPS everywhere" since June, when the enhanced security strategy was discussed at length during the company's annual I/O developer conference in San Francisco.
Zineb Ait Bahajji and Gary Illyes, Google webmaster trends analysts, described the change in a post Wednesday in Google's Online Security Blog on "HTTPS as a ranking signal."
"Over the past few months we've been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms," Bahajji and Illyes said. "We've seen positive results, so we're starting to use HTTPS as a ranking signal."
HTTPS layers the standard HTTP (for "hypertext transfer protocol") Web protocol on top of a TLS ("transport layer security") protocol to help authenticate a Web site's identity. It also enables encryption of content going back and forth between the user and the site server, which can help prevent eavesdropping and "man in the middle" attacks.
Great News for the Internet
The Electronic Frontier Foundation, a nonprofit advocacy organization that promotes digital privacy and civil rights, has been leading an "HTTPS Everywhere" campaign since 2010. Working in cooperation with the Tor Project for online privacy, the EFF encourages Internet users to use its HTTPS Everywhere browser extension, which switches Web sites from HTTP to HTTPS "whenever possible" for enhanced online security.
We reached out to Peter Eckersley, EFF technology projects director, to ask for his reaction to the latest HTTPS announcement from Google.
"Google has done great work at our side in promoting HTTPS, and we're glad that they're continuing to do that," Eckersley wrote in an e-mail. "There are a lot of Web site operators out there who don't care at all about security and privacy, but they do care about where (they) sit in Google's search results. This change is going to give those sites an incentive they were lacking to turn on encryption."
While Google itself has been criticized for scanning users' Gmail content for illegal content such as child pornography, its stance on HTTPS is welcome, Eckersley said.
"Having HTTPS does massively reduce the number of threats that could get access to your messages: It should stop eavesdroppers on a wireless network, or dragnet collection by intelligence agencies, even if it couldn't protect you against a court order sent to Google," he said. "Stronger incentives for HTTPS deployment are great news for the Internet, and for all of its users."
A Very Lightweight Signal, for Now
While Google searches now give an edge to sites using HTTPS, Bahajji and Illyes wrote in their blog post, "For now it's only a very lightweight signal."
The change at the moment affects "fewer than 1% of global queries," they said, with other factors like the presence of high-quality content being given far more weight in search results. Over time, however, the use of HTTPS could be given greater consideration "because we'd like to encourage all Web site owners to switch from HTTP to HTTPS to keep everyone safe on the Web."
In coming weeks, Bahajji and Illyes noted, Google plans to publish more on HTTPS best practices for webmasters. They recommended such basic steps as using 2048-bit key certificates; using relative, as opposed to absolute, URLs for referring to different pages on a secure domain; and avoiding use of the noindex robots meta tag.
They added that site managers can also check their use of HTTPS with the Qualys SSL Labs server test tool, which provides a free analysis of SSL Web server configurations.