Google today flipped the switch on default HTTPS support for its free domain service provider Blogspot, upping the security ante for the millions of users of the popular platform.
Google had previously introduced HTTPS support for Blogspot domains as an option in September 2015. Starting Tuesday, Google said, the browser-to-website encryption technology would be automatically added to every Blogspot domain blog.
“Any time you add encryption to a transport layer it’s a good thing,” said Rick Doten, chief of cyber and information security at Arlington, Va.-based consultancy Crumpton Group. He said, Google is just the most recent company to add encryption to their platform following high-profile encryption moves by WhatsApp and Viber.
Google called the switch to HTTPS encrypted communications “fundamental to internet security”. The move is part of Google’s larger HTTPS everywhere initiative, announced at Google I/O in 2014.
The switch to HTTPS will impact specifically .blogspot.com sites. As part of this launch, Google removed the HTTPS Availability setting within the Blogspot console. “Even if you did not previously turn on this setting, your blogs will have an HTTPS version enabled,” Google informed users Tuesday.
HTTPS is a combination of the HyperText Transfer Protocol (HTTPS) and the Secure Socket Layer (SSL) protocol. Together, HTTPS, encrypts communication sessions between a computer’s a web browser and a web server. The absence of HTTPS leaves that connection between browser and web server vulnerable to sniffing attacks with tools such as Firesheep that can intercept unencrypted data.
While Google has automatically created HTTPS versions of every Blogspot blog, users will still have to opt-in to the HTTPS service. In other words, unencrypted HTTP versions of Blogspot blogs don’t go away. Instead Google has added a new setting called HTTPS Redirect that allows you to opt-in to redirect HTTP requests to HTTPS.
“While all blogspot blogs will have an HTTPS version enabled, if you turn on this new setting, all visitors will be redirected to the HTTPS version of your blog at https://<your-blog>.blogspot.com even if they go to http://<your-blog>.blogspot.com,” Google explains.
Google is not forcing all its users to use HTTPS, likely because some Blogspot blogs contain “mixed content” such as images, videos, stylesheets and scripts incompatible with the HTTPS protocol. Google says it will offer tools and porting services to address mix content incompatibility issues that may impact a minority of its customer’s blogs.
For over the past two years, Google has added HTTPS encryption to Google Search, Gmail, Drive and its online advertising products making encrypted connections the default.
Google is by far not the only internet company to stress the security advantages of implementing HTTPS on their platform. In June 2015, WordPress announced it would be serving all *.wordpress.com subdomains only over HTTPS by the end of 2015. Companies such as Facebook have supported HTTPS support since 2011.