In an attempt to improve web security, Google may begin favoring encrypted sites in searches

According to Google engineer Matt Cutts, the company may begin ranking encrypted sites higher than their non-encrypted counterparts in its search engine results.

Cutts hinted at the potential tweak to Google's search algorithm at SMX West, a search and social media marketing conference in San Jose. Cutts says tweaking the algorithm to favor encrypted websites would make it more difficult for third parties to spy on users, while encouraging more and more sites to adopt a standard of encryption. According to the Wall Street Journal, Google has over 200 factors which it considers in ranking websites on its search engine. Analysts say that adding site encryption to the list may have the potential to drastically increase web security and incentivize site owners to secure their websites.

Just last week, a major security vulnerability known as Heartbleed was discovered in the OpenSSL cryptographic library, which many have described as disastrous in its potential effects. A fix was quickly issued, but websites are still reeling from the shockwave. In the aftermath, the Heartbleed bug seems to have changed public perception of security for the better. More and more sites are working towards increasing encryption and user security, and Google's potential algorithm change may go a long way in encouraging that process.

Source: Wall Street Journal


17 Comments


I gave up on SEO, SMO and etc. because I got tired of being bullied by Google. It's nice being on the first page of search results but "white-hat" SEO doesn't go far.

I wish more people would use Bing because they seem to get it right.

Also, I have noticed that first page Google results have many Amazon links.

No SSL Certificate for me unless I need it to keep my visitors safe.

No. This proposal wouldn't force companies to do anything, it would just favour those which utilise encryption. As any site can implement encryption and would still be listed if it doesn't, there are no competition concerns. Google changes its algorithms all the time and the act of doing so will always benefit certain companies and disadvantage others.

However, any changes will inevitably be monitored by government for competition concerns, especially as Google is currently being investigated by the EC for favouring its own products in search results.

Sounds kind of dumb to me. SSL is a drag on cell phones, for starters. Certificates are also a money grab, and renewing them is a pain, if every website "had" to have one. Lots of great websites don't even have a login, or a need to log on -- or, their logon area is a separate section (that might be encrypted).

That's all well and good for sites that transfer sensitive data and a necessary requirement. Outside of that you have extra costs for SSL certificates and the nightmare of further sites trying to get unique IPs from a dwindling pool as they scrabble to jump on the SSL bandwagon.

Unplugged said,
That's all well and good for sites that transfer sensitive data and a necessary requirement. Outside of that you have extra costs for SSL certificates and the nightmare of further sites trying to get unique IPs from a dwindling pool as they scrabble to jump on the SSL bandwagon.

Well, you could install SNI certificates to get around the IP issue, and/or use a wildcard certificate. However, I agree with the "nightmare" -- it's one more thing to administer and worry about.

Unplugged said,
That's all well and good for sites that transfer sensitive data and a necessary requirement. Outside of that you have extra costs for SSL certificates and the nightmare of further sites trying to get unique IPs from a dwindling pool as they scrabble to jump on the SSL bandwagon.

Tough? I run a site that is not passing around sensitive data that uses SSL. It's not hard and it hardly adds much cost.

If your site is serious enough to care about search rankings, then it's worth it. Otherwise, it does not matter anyway.

I read about this yesterday in the forums, I wonder if this applies to sites that use encryption to login as well, or if it just applies to sites that use a permanent encryption? Seems to me that we could trick the crawl (googlebot) to always use SSL already? :s

Steven P. said,
I read about this yesterday in the forums, I wonder if this applies to sites that use encryption to login as well, or if it just applies to sites that use a permanent encryption? Seems to me that we could trick the crawl (googlebot) to always use SSL already? :s

This is for sites that use permanent SSL; not just login.

And tricking crawlers into something is bad. Once in a blue moon they will trick you back and then punish you really hard for tricking them. Cloaking is bad.

Quite some time ago, it was common to only use SSL for the login and then redirect back to plain HTTP to reduce the overhead of SSL. But after having done the handshake, most of the work is already done, so you might just as well serve everything over SSL.

The initial handshake between client and server is the costly part, taking something between 1sec - 2secs on most servers.

It almost certainly means that links that were deemed relevant would be scored higher on a per-request basis.

If, for example, you search for "Neowin login" and it was HTTPS, then it would rank higher than another link that otherwise equally matched (say they didn't own Neowin.com and it too had a login, but it was unencrypted).

I don't think having your login encrypted will or should improve your result ranking as a site.

Another thing that will help is HTTP/2 making TLS a core part of the specification, and browsers like Firefox and Chrome only doing HTTP/2 over TLS.

..this will not help. This will just increase the number of false certificates being used, and give people a false sense of security. There needs to be a full overhaul of what we consider to be "internet security," starting with the removal of certificate authorities.