In the last couple of years, Google has been making a series of changes to its Web infrastructure to employ encryption more widely and help defeat active attackers. Much of this has gone on in the background, with the company securing the links between its data centers and making other less-noticeable changes. But the most recent change is a very public one, and leverages the company’s most powerful asset: Google search.

The company has been testing a method for taking into account whether a site uses HTTPS as part of its search ranking, and officials say it has returned positive results so far. So as of now, the use of a secure connection is one component of a site’s search ranking.

“For now it’s only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web,” Zineb Ait Bahajji and Gary Illyes of Google wrote in a blog post.

Google doesn’t typically say too much about the components that make up a site’s search ranking, not wanting to give out information that might help site owners game the system. But the inclusion of a site’s use of HTTPS in the search ranking recipe is a clear signal from the company that securing user data is an important element of a site’s value in Google’s view. And unlike some of the other ingredients in the search ranking, Google gives site owners a very clear road map of how to switch to HTTPS and help their sites’ ranking.

Google’s recommendations are:

  • Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
  • Use 2048-bit key certificates
  • Use relative URLs for resources that reside on the same secure domain
  • Use protocol relative URLs for all other domains
  • Check out our Site move article for more guidelines on how to change your website’s address
  • Don’t block your HTTPS site from crawling using robots.txt
  • Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag

Google officials said they will publish some best practices on deploying secure connections in the next few weeks to help site owners handle the transition.


Categories: Cryptography, Web Security