Google's 'Nudge' to Web Site Operators and HTTPS Everywhere

Posted on August 07, 2014

Summary: Google's announcement that the presence (or lack thereof) of HTTPS is going to influence site search result rankings is a rare specific announcement on their part regarding their search algorithm. The weight the usage of HTTPS plays will increase over time in SEO. If you run a fairly boring web site that doesn't handle sensitive data and read the announcement, you may be left confused. This is my take on their announcement.

Google's announcement that the presence (or lack thereof) of HTTPS is going to influence site search result rankings is a rare and very specific announcement on their part regarding their search algorithm. The initial weight in their ranking algorithm will be low, but they suggest it will increase over time.

If you run a fairly boring web site that doesn't handle sensitive data and read Google's official announcement that the presence of HTTPS on a web site will influence search ranking, you may be left a bit confused. The picture becomes clearer if you look at this in the context of things that have led up to this. The most recent manifestation of events leading to this is well articulated in the HTTPS Everywhere talk given by Google at their recent developer conference a few months back (even though search rankings were not the point there).

It isn't the most exciting talk to watch (even if you are technical) as it's 45 minutes of talking about why you should care about HTTPS and best practices to go about deploying it. The gist, however, can be easily described: even if confidentiality isn't a direct concern for an individual web site, it is collectively important (more on what that means in a moment) and, in any case, authentication and tamper resistance are important to everybody (even if they haven't realized it yet).

Consider that links in otherwise innocuous sites can be changed to point to malicious destinations. And boring sites can be impersonated, eventually leading to other places, which you might entrust with your information. Also consider that the information exposed -- collectively -- by visiting a series of otherwise unrelated sites can expose a lot more information about an individual than they may realize (e.g. looming financial problems, medical matters, and pending business takeovers to just name a few off the top of my head).

Security discussions are often difficult ones to have because it can be tough to draw a line between being overly paranoid and being just paranoid enough [1]. And this announcement isn't even entirely about security. Many web site operators are simply concerned with search engine rankings and that's just fine. I often do security work, as well as online marketing, giving me something of a unique perspective. My initial response to Google's HTTPS search results ranking announcement was not 100% positive. After a bit of digging and further consideration though I fully embrace it.

This is my take on their announcement, and my attempt to make my case for being just paranoid enough while not being overly paranoid.

There are numerous web sites where encryption has not previously been considered to be all that important, to site operators and visitors alike. That doesn't mean there haven't been reasons to add HTTPS to those web sites. They simply haven't been sufficiently compelling (or, at the very least, obvious enough).

HTTPS is not simply about confidentiality, but also about authentication and tamper resistance. Together these become important everywhere on the web, and not least of all on the most innocuous sites. Until now though the scales have mostly been tilted towards confidentiality and only of a very limited scope: mostly password exposure on web sites that require a log-in [2].

It's hard to point at any one factor, but a big one is almost certainly the prevalence of free/open WiFi hot spots, such as those at coffeehouses. Every user of these hot spots is exposing every web site they visit along with the content of those connections. The former if they use the hot spot at all (unless they use both a VPN and tunnel their DNS queries), and the latter if they use it to access a web site not secured by HTTPS.

This was one of the major reasons Facebook and others started supporting HTTPS during the log-in process (if they weren't already trying to do so) [3].

Google has always aimed to take into account the security of a web site on their users' behalf when returning search results. In this case though, the overt announcement about this algorithm change, and the outright statement that the weight of HTTPS in their algorithm may increase over time, is doing more than simply saying that the presence of HTTPS is a passive signal that a web site is mature/well operated/more trustworthy. Google also seems to be using their vast influence [4] to actively encourage more operators to add (or shift entirely) to HTTPS.

The concern isn't simply about confidentiality -- although that's a bigger concern than many might think, even on otherwise innocuous web sites [5] -- but about other security matters to protect users from malicious actors. Namely, enabling authentication of the web site being visited (i.e. you are interacting with the real site, not some evildoer who is doing a passable impersonation of it for their own nefarious purposes) and also enabling measures that prevent tampering with content in transit (i.e. switching out the URL on a Coca-Cola ad -- and it doesn't even have to be an ad -- to take the visitor to a malicious web site).

The common thread here is that the web is, well, a web. There is trust spread all around it. Each of us has different degrees of trust in a given web site, but there are numerous ways to get from one web site to the next. And bad actors are waiting to either intercept what we're doing or take us places we weren't planning. HTTPS helps resist all of these scenarios.

Google appears to be doing two things here:

  1. Using HTTPS today as an indirect indicator of a likely-to-be-higher-quality web site
  2. Using their weight in the industry to tilt the scales for site operators previously on the fence, or outright against adding HTTPS to their web sites, a bit closer to doing so

Sometimes encryption means just confidentiality, but to really be useful it also must incorporate authentication and tamper resistance. Otherwise it's just asking to be abused. HTTPS, and the underlying protocol TLS, is the closest we have to truly ubiquitous encryption of everything. And when implemented properly it provides all three of the potential benefits of encryption: confidentiality, authentication, and tamper-resistance.

Combined with faster processing and more mature software platforms, perhaps it's time we stop waiting for IPv6's end-to-end encryption for everybody pipe dream [6], and just accept that HTTPS and TLS are here to stay for the time being. They are the best we've got. They work today. They do (or can) cover the vast majority of interesting traffic today.

P.S. For now I'll leave out that the collective information sharing argument for HTTPS only addresses bad actors, but not legitimate commercial actors, such as advertisers/marketers who will still be able to collect lots of information about your browsing habits. That, however, is less a topic in need of a technical solution. It's more one in need of a social solution [7]. The technical aspects are not all that interesting or difficult to implement. It also has no relevancy to the HTTPS Everywhere argument, other than some parallels when it comes to how seemingly disparate bits of information about our Internet browsing habits can be collected together to draw pictures we may not have realized we've painted for anyone else [8]. I mostly included this P.S. to head off the cynicism of the somewhat more paranoid folks (which I happen to agree with in this case) that might otherwise overshadow the benefits of HTTPS Everywhere [9].

  1. this is often why, unfortunately, the easiest times to have security discussions are often right after something bad has happened

  2. and even this was overlooked up until only a couple years ago on even major web sites like Facebook

  3. even today many sites still only use HTTPS for the log-in process, reverting to HTTP for everything else

  4. ahem, or weight, pun intended

  5. Even seemingly boring site visits reveal information about the visitor. Particularly when viewed in the context of what sites someone is visiting around the same time.

  6. more because encryption is toothlessly, but arguably pragmatically, optional in IPv6

  7. e.g. awareness and commercial pressure, and perhaps an acceptance by privacy advocates that privacy is a spectrum which we’re all willing to operate at different points along depending on the context … and what we’re getting in exchange in the case of commercial transactions

  8. and I still trust Coca-Cola more than I do an outright malicious actor

  9. in hindsight this P.S. may be more distracting in and of itself, oops
