Google strengthens web encryption drive by making HTTPS a ranking issue

Google(s goog) has begun giving better search rankings to websites that use secure, encrypted connections to transmit customer data.

Late Wednesday, the company said it was starting off by taking a site’s use of HTTPS – the web address prefix that denotes secure “TLS” connections — as a light signal, “affecting fewer than 1 percent of global queries, and carrying less weight than other signals such as high-quality content.” However, it may take it as a stronger signal in future.

Google itself defaults to HTTPS connections in its Search, Gmail and Drive products, meaning that data is encrypted as it flows between the user and Google’s servers – it stepped up this security push in March, as the fallout of the 2013 Snowden revelations pushed the big web giants to better protect their customers. (The company also offers stronger Gmail encryption through a Chrome plugin called End-to-End, though generally it doesn’t encrypt emails as they are being stored, because it wants to scan them for marketing keywords.)

However, while some companies are pushing for greater security, an awful lot of the open web doesn’t use encryption to protect users’ communications and activities, and that’s a big concern for the engineers who create and manage web protocols. Indeed, the upcoming second version of the Hypertext Transfer Protocol (HTTP) may only work with HTTPS addresses.

That makes Google’s ranking move a smart and necessary one – it will encourage webmasters to make the upgrade, and ultimately it will give Google users a safer experience when they click on search result links. The web security and content delivery outfit CloudFlare has already reacted to the move by saying recent changes it’s made will allow it to roll out secure connections for all its customers by mid-October, even for free customers.

“When we do, the number of sites that support HTTPS on the Internet will more than double,” CloudFlare said. “That they’ll also rank a bit higher is pretty cool too.”

Many will argue that their pages and sites don’t need that extra security, of course, but I think that if ranking is an issue for them, that means the public is an issue for them. And if the public is an issue, then joining a wider encrypt-all-the-things drive to protect that public from hackers and mass surveillance is the right thing to do.

Ultimately, we should be living in a world where an insecure connection raises eyebrows.