In a statement on the Google Webmaster Central Blog, the search giant says: “For now it's only a very lightweight signal — affecting fewer than one percent of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we'd like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”
Google itself defaults to HTTPS connections in its Search, Gmail and Drive products, meaning that data is encrypted as it flows between the user and Google's servers. It is also reported that the upcoming second version of the Hypertext Transfer Protocol (HTTP) may only work with HTTPS addresses.
The move is broadly supported within the security industry, with Jason Hart, VP of cloud solutions at SafeNet, telling SCMagazineUK.com: “It's great to see Google taking steps to increase the use of encryption. It's a smart move and one that's likely to have a significant impact on the way organisations secure their websites. Data in a plain-text state is easily readable, so any website that's storing or transmitting user credentials or data in plain-text is putting customers' data, and the company's reputation, at risk.
“Previously organisations have shied away from encryption due to cost concerns or fears of slowing website response times. But there are now high speed encryption technologies available that mean cost and speed need no longer be an issue. So there really is no excuse for any data to be transmitted or stored in plain text.”
But in an email to SC, Mark Sparshott, EMEA director at Proofpoint, while also welcoming Google's move to promote use of HTTPS as a ranking signal, cautions: “The minimal scope and weighting Google is applying may not be enough of a deterrent for poor security best practice yet.
“Proofpoint's researchers have observed that most websites were slow to enforce the use of HTTPS because the encryption it uses to secure the connection slows down the web experience, which is anathema to the mantra of most web-based services where latency can drive their users to a competitor's service. As such, some websites provided it as an option for many years but did not make it the default option until recent times.
“This is the mistake that companies like LinkedIn made recently; they left it to the individual to understand how to be secure on the internet instead of making them secure by default, and as such were open to man-in-the-middle attacks which compromised their users' data.”
Bob Tarzey, director and consultant at IT consultancy Quocirca, commented to SC: “It won't automatically mean that companies will spend the money to switch – unless it's something they ought to have been doing anyway. So for example, any financial sites not making the move will move down the ranking, and deservedly so.”
Some postings on Google's webmaster site also questioned whether encryption was really necessary for non-transactional sites, but in response, John Mueller, webmaster trends analysis, posted the comment: “Some webmasters say they have ‘just a content site’, like a blog, and that doesn't need to be secured. That misses out two immediate benefits you get as a site owner:
1. Data integrity: only by serving securely can you guarantee that someone is not altering how your content is received by your users. How many times have you accessed a site on an open network or from a hotel and got unexpected ads? This is a very visible manifestation of the issue, but it can be much more subtle.
2. Authentication: How can users trust that the site is really the one it says it is? Imagine you're a content site that gives financial or medical advice. If I operated such a site, I'd really want to tell my readers that the advice they're reading is genuinely mine and not someone else pretending to be me.”
Another posting on the site from William Rock adds: “Most people also forget to protect their websites but just because you don't sell anything that does not mean you don't need an SSL...”