Google is a funny one, isn’t it? On the one hand it sidles up nice and cosy to the NSA, and with its desire to watch everything everyone does on the internet (and beyond) in order to provide highly targeted advertising, it is the single greatest threat to privacy that ever existed. On the other hand, however, it implements policies that appear to go against its best interests, promoting better privacy and security on the internet…
A recent example is its ‘shoot itself in the foot’ announcement that it will introduce end-to-end PGP email encryption for users of its Gmail service. It has now surprised us again by saying that it will promote websites in its search listings that protect users with the HTTPS protocol. The aim is to encourage HTTPS use everywhere on the web, something which should result in a much more secure internet for everybody.
‘Over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.’
When you connect to a website secured with HTTPS (Hypertext Transfer Protocol Secure – its address starts with the prefix https:// and is shown with a padlock icon) you connect using SSL/TLS encryption, so that outside observers cannot see what you get up to when using that website. Your ISP, for example, can see that you are connected to a domain name such as www.bestvpn.com (in fact it needs to, as it has to connect your computer to the website), but it cannot see your activity or the pages you visit from there if the site is secured using HTTPS (as, incidentally, ours is).
The move comes as part of Google’s ‘HTTPS everywhere’ initiative, and will soon be accompanied by a detailed list of best practices. For the time being, Google has outlined some basic tips to get website owners started:
- ‘Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
- Use 2048-bit key certificates
- Use relative URLs for resources that reside on the same secure domain
- Use protocol relative URLs for all other domains
- Check out our Site move article for more guidelines on how to change your website’s address
- Don’t block your HTTPS site from crawling using robots.txt
- Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag’
Website owners can test their security level and configuration using the Qualys Lab tool.
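The URL and crawling tips in the list above can be checked mechanically before a site is switched over. The following is an added example, not code from Google or from the original article; the class and function names, the finding labels and the example.* hosts are assumptions made for illustration, and the sample page and robots.txt are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
from urllib.robotparser import RobotFileParser

# Tags whose URL attribute is fetched as part of rendering the page.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class TipAudit(HTMLParser):
    """Hypothetical helper: records where a page departs from the quoted tips."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            if "noindex" in a.get("content", "").lower():
                self.findings.append(("noindex", a["content"]))
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return  # canonical/alternate links are not loaded as resources
        url = a.get(RESOURCE_ATTRS.get(tag, ""), "")
        parts = urlsplit(url)
        if not parts.scheme:
            return  # relative or protocol-relative: inherits the page's scheme
        if parts.hostname == self.site_host:
            self.findings.append(("absolute-same-domain", url))
        elif parts.scheme == "http":
            self.findings.append(("insecure-other-domain", url))

def robots_blocks_site(robots_txt, agent="Googlebot"):
    # True when robots.txt forbids the crawler from fetching the site root.
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch(agent, "/")

def audit(html, robots_txt, site_host):
    parser = TipAudit(site_host)
    parser.feed(html)
    blocked = [("robots-blocks-crawl", "/")] if robots_blocks_site(robots_txt) else []
    return parser.findings + blocked

# Constructed sample input (example.com/.net/.org are placeholder hosts).
SAMPLE_HTML = """<meta name="robots" content="noindex, follow">
<link rel="stylesheet" href="/css/site.css">
<script src="https://www.example.com/js/app.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<img src="http://ads.example.org/banner.png">"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /\n"
```

Calling `audit(SAMPLE_HTML, SAMPLE_ROBOTS, "www.example.com")` returns one finding per departure from the tips; the relative stylesheet and the protocol-relative CDN script pass without a finding.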