Google Search has been testing the idea of placing Websites higher in search rankings when they use strong HTTPS encryption by default. The idea, according to Google, is that by encouraging the use of those sites, it will help to make the Internet a safer place.
The HTTPS experiments were announced by Google webmaster trends analysts Zineb Ait Bahajji and Gary Illyes in a recent post on the Google Webmaster Central Blog.
“Security is a top priority for Google,” wrote Bahajji and Illyes. “We invest a lot in making sure that our services use industry-leading security, like strong HTTPS encryption by default. That means that people using Search, Gmail and Google Drive, for example, automatically have a secure connection to Google.”
Earlier this summer at its annual Google I/O Developers Conference, the company called for efforts to use “HTTPS everywhere” on the Web, they wrote, to help make the Internet safer for users. In addition, more and more Webmasters are adopting HTTPS (also known as HTTP over Transport Layer Security, or TLS) on their Websites, they added.
“For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms,” they wrote. “We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now, it’s only a very lightweight signal—affecting fewer than 1 percent of global queries, and carrying less weight than other signals such as high-quality content—while we give Webmasters time to switch to HTTPS.”
That could change in the future, they wrote, if Google decides to expand the use of the HTTPS signal more broadly for ranking sites. The company would like to encourage all Website operators to switch from HTTP to HTTPS to keep everyone safe on the Web, they wrote.
As part of its efforts to encourage the use of HTTPS for sites, Google will publish detailed best practices for the strategy in the coming weeks to help make TLS adoption easier, wrote Bahajji and Illyes.
Among the steps Website owners will have to take are deciding what kinds of certificates they need (single, multi-domain or wildcard) and ensuring they use certificates with 2048-bit keys, they wrote. Site owners will also be encouraged to use relative URLs for resources that reside on the same secure domain, and protocol-relative URLs for all other domains.
Site owners should also set up their HTTPS sites so that robots.txt does not block crawling, and they should allow indexing of their site pages by search engines where possible. Avoid the noindex robots meta tag, they added.
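The URL and crawling recommendations above can be checked offline against a page and its robots.txt. The following Python sketch is an added example, not code from Google or from the original article; the host name `www.example.com`, the sample HTML and robots.txt, and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
from urllib.robotparser import RobotFileParser

# Constructed sample inputs (assumptions, not from the article).
SAMPLE_HTML = """<html><head>
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.net/lib.js"></script>
<script src="//cdn.example.net/ok.js"></script>
</head><body><img src="https://www.example.com/logo.png"></body></html>"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /private/\n"

class PageAudit(HTMLParser):
    """Flags resource URLs and robots meta tags that go against the checklist."""
    RESOURCE_TAGS = {"script", "img", "link", "iframe"}

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        content = attrs.get("content") or ""
        if tag == "meta" and (attrs.get("name") or "").lower() == "robots":
            if "noindex" in content.lower():
                self.findings.append(("noindex", content))
        if tag not in self.RESOURCE_TAGS:
            return
        for name in ("src", "href"):
            url = attrs.get(name) or ""
            parts = urlsplit(url)
            if parts.scheme in ("http", "https") and parts.hostname == self.site_host:
                # Same-domain resource: the checklist asks for a relative URL.
                self.findings.append(("absolute-same-domain", url))
            elif parts.scheme == "http":
                # Hard-coded http:// on another domain is fetched unencrypted.
                self.findings.append(("insecure-cross-domain", url))

def audit_page(html, site_host):
    """Return a list of (finding, value) tuples for one HTML document."""
    parser = PageAudit(site_host)
    parser.feed(html)
    return parser.findings

def crawl_blocked(robots_txt, url, agent="Googlebot"):
    """True if the given robots.txt text forbids `agent` from fetching `url`."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    return not rules.can_fetch(agent, url)
```

Relative and protocol-relative URLs (`/css/site.css`, `//cdn.example.net/ok.js`) pass silently because they inherit the page's HTTPS scheme.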
“If your Website is already serving on HTTPS, you can test its security level and configuration with the Qualys Lab tool,” wrote Bahajji and Illyes. “If you are concerned about TLS and your site’s performance, have a look at ‘Is TLS fast yet?’ And of course, if you have any questions or concerns, please feel free to post in our Webmaster Help Forums.”
Google Search Experiments With HTTPS as Ranking Factor
Google regularly works on improving Web security for users. In July, Google unveiled its new “Project Zero” initiative to directly battle targeted attacks that are made against Internet users in an effort to make the Web safer for the public. The project will fight things such as zero-day attacks, which exploit serious security vulnerabilities in code that have not yet been found or patched. Google is building up the project to fight an increasing threat around the world.
As part of the new effort, Google is seeking to significantly reduce the number of people harmed by targeted attacks by hiring additional security researchers and dedicating 100 percent of their time to improving security across the Internet. The Project Zero work will be done transparently, with every discovered bug entered into an external database where it can be tallied.
In June, Google added an early alpha version of a new Chrome browser extension that will soon give users the ability to bolster the encryption of their emails while in transit to recipients.
In April, Google asked developers who build applications using Google APIs to update their apps to the latest OAuth 2.0 authorization protocol so that user log-ins will be as secure as possible in the future. OAuth 2.0 is an authorization protocol for all Google APIs that relies on Secure Sockets Layer (SSL) for security instead of requiring individual applications to do cryptographic signing directly.
In March 2014, Google announced that all incoming and outgoing Gmail messages will also use encrypted HTTPS connections to better protect them from interception by attackers or spying, in response to allegations in the fall of 2013 that the U.S. National Security Agency (NSA) had spied on data in Google and Yahoo data centers.
Also in March, Google asked IT security experts to contribute their best tips and tricks about how to stay safe on the Internet for a project aimed at everyday users.
In December 2013, Google reminded enterprise organizations and their business users about the security safeguards and options that are available to them if accounts are hacked or if mobile devices are lost or stolen. Using available tools from Google, IT administrators can peer into and control how their users’ accounts are working and make changes to recover stolen accounts. Also available are Android device-management tools that help organizations manage Android and Apple iOS smartphones and tablets using the Google Apps Admin console.
In 2013, Google also improved its methods for helping Website owners recover their sites from hackers and hijackers. The improvements included additional security tools so Webmasters can find information about security issues on their site in one place and pinpoint problems faster with detailed code snippets.