Google on Wednesday announced that it has begun factoring websites’ use of HTTPS into its search rankings, resulting in more favorable results for those that use the security-minded protocol.
“Over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms,” explained Zineb Ait Bahajji and Gary Illyes, both webmaster trends analysts with Google. “We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal.”
Use of the protocol still is considered just a minor factor, though, affecting fewer than 1 percent of global queries and carrying less weight than high-quality content.
Over time, however, “we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the Web,” they said.
Google soon will publish detailed best practices for adopting the Transport Layer Security cryptographic protocol that’s at the heart of HTTPS, Bahajji and Illyes added.
‘A Small Step but a Good One’
Encrypted sites require certificates that provide a level of trusted authentication, so “Google can have more confidence in an encrypted site actually offering something of value,” Steve Hultquist, chief evangelist for RedSeal Networks, told the E-Commerce Times.
“Overall, that is Google’s intention: Provide the best possible results to search customers,” Hultquist explained. “It is not difficult to see that those sites that choose to encrypt are more likely to be legitimate than those that don’t.”
In short, this “seems to me to be a reasonable move in an effort to upgrade the concept of authenticity on the Internet,” he said.
“It’s a small step, but a good one. Over time, making sure that both ends of an Internet session are well-authenticated will be critical to the continued value of the Internet to all parties,” Hultquist added.
“This will become an ante — creating more business for vendors of certificates, but also requiring them to avoid any attack that would compromise the authenticity of their certificates, which we’ve seen in the past,” he noted.
‘Easier for Smaller Sites’
The move was motivated in large part by the NSA surveillance scandal and the desire to prevent the interception of traffic by third parties, Greg Sterling, founder and principal analyst with Sterling Market Intelligence, told the E-Commerce Times.
“Google is creating an incentive for publishers to encrypt their traffic by promising a small ranking boost,” he pointed out.
Because of Google’s centrality and importance in the market, “it will likely motivate large numbers of publishers to adopt HTTPS,” Sterling predicted. “Many already have. Ironically, it’s somewhat easier for smaller sites to make the switch, but more complicated and potentially costly for larger publishers or brands.”
Overall, the decision “can be seen against the larger backdrop of the new reality of perpetual hacking, global organized crime online, and cyberespionage,” Sterling said.
‘Good News for End Users’
There’s no denying that Google “has a massive influence — for better or worse — on how much traffic websites get,” said Jerome Segura, senior security researcher at Malwarebytes.
“This is especially true when it comes to sites that are used to distribute malicious code or spam. In the blink of an eye, a site that gets blacklisted by Google will literally sink,” he told the E-Commerce Times.
Google’s decision to favor sites that have “good security hygiene” should be “good news for end users, whose data will be more secure when being transmitted through strong encryption protocols,” noted Segura.
It’s also “great news for security certificate vendors, which essentially receive free publicity and by the same token a significant increase to their revenues,” he pointed out.
“This decision makes sense,” Segura concluded. “The Internet has many flaws that need to be addressed, but everyone shares a responsibility in making it secure, whether you are a website owner or an end user. In some way, it takes giants like Google to get things moving faster.”
‘This May Be a Little Too Much’
There may be a downside, however, suggested McCall Paxton, a security operations center analyst with Rook Security.
“I don’t really think this is the way to go,” he told the E-Commerce Times. “If anything, this may be a little too much.”
While the new scheme of rewarding HTTPS use may benefit larger websites such as Facebook, the prices involved for certificates could put smaller websites at a disadvantage, Paxton said — particularly if they don’t actually sell anything online.
“Their searches will be pushed further and further back,” he warned. “Eventually, if you’re searching for computer services, Best Buy may be all that comes up.”
‘A Hacker Could Have the Same Thing’
The new rules also will increase companies’ utilization of server resources, Paxton predicted, as well as potentially make it easier for attackers to be able to host malware and push it using the encryption.
“You may have SSL certification in place, but a hacker could have the same thing and use that to push malware,” he explained.
As a result, the move really only makes sense for sites that use consumers’ credit-card and other sensitive information, he said.
Bottom line: “It’s not the snowflake that will cause the avalanche,” Paxton concluded, “but things are certainly starting to accumulate.”