Google has announced that it will treat the use of encryption (HTTPS) as a positive signal in its search ranking, so that a site which does not use it will rank below an otherwise-equal site that does, in order to promote better online security practices.
This is an eminently sound move. If anything, the presence (or absence) of encryption on a website deserves a higher weighting in the ranking algorithm than the “lightweight” signal Google has so far accorded it. However, that adjustment can wait until certain outstanding issues of public-key infrastructure are closer to being resolved. These issues include:
– Checking of certificate status (revocation), which is essential for deciding whose certificate, and therefore whose encryption, is to be trusted. The methods are on an evolutionary path from well-intentioned but cumbersome CRLs through OCSP and OCSP Stapling towards OCSP Must-Staple, in which the certificate itself tells the browser to refuse a connection that arrives without a fresh stapled response;
– Web browsers becoming better at clearly indicating to lay users/end-users precisely whose website is being visited, and precisely whose certificate is used to secure the website;
– Certificate pricing to not drive budget-constrained SMEs into the arms of dodgy certificate authorities (CAs);
– Attacks against the PKI — i.e. against CAs and Root CAs: spoofing, theft, denial-of-service and other threats; and
– Proactively beefing up and bolting down OpenSSL.
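A worked check of the revocation machinery named in the first item above, added here as an example and not part of the original post: it mints two self-signed test certificates with the openssl command-line tool (one carrying the TLS Feature / OCSP Must-Staple extension, one without), reports which revocation mechanisms each advertises (CRL distribution point, OCSP responder, Must-Staple), and parses an `openssl s_client -status` transcript to tell whether a server actually stapled a response. The host names and URLs are placeholders and the two transcripts are constructed samples, not captured from a live server.

```shell
#!/bin/sh
# Added example (not from the article). Requires the openssl CLI, 1.1.0 or later
# for the "tlsfeature" (RFC 7633 TLS Feature, i.e. OCSP Must-Staple) extension.
# All host names/URLs are placeholders; the s_client transcripts are constructed.
set -eu

if [ -z "${WORK:-}" ]; then WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; fi

# make_cert NAME MUST_STAPLE(0|1): mint a self-signed leaf that advertises an
# OCSP responder URL and a CRL distribution point, optionally with Must-Staple.
# Prints the path of the PEM certificate.
make_cert() {
  name=$1; must_staple=$2
  cfg="$WORK/$name.cnf"
  {
    echo "[req]"
    echo "prompt = no"
    echo "distinguished_name = dn"
    echo "x509_extensions = ext"
    echo "[dn]"
    echo "CN = $name.example.test"
    echo "[ext]"
    echo "authorityInfoAccess = OCSP;URI:http://ocsp.example.test/"
    echo "crlDistributionPoints = URI:http://crl.example.test/ca.crl"
    if [ "$must_staple" = 1 ]; then echo "tlsfeature = status_request"; fi
  } > "$cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
  echo "$WORK/$name.pem"
}

# revocation_info CERT: one line per mechanism the certificate advertises, in the
# order of the evolutionary path in the text: crl, ocsp, must-staple.
revocation_info() {
  text=$(openssl x509 -in "$1" -noout -text)
  case "$text" in *"CRL Distribution Points"*) echo "crl" ;; esac
  case "$text" in *"OCSP - URI:"*) echo "ocsp" ;; esac
  case "$text" in *"TLS Feature"*) echo "must-staple" ;; esac
}

# must_staple_required CERT: succeeds iff the certificate carries the TLS Feature
# extension, so a conforming client must refuse a handshake with no staple.
must_staple_required() { revocation_info "$1" | grep -q '^must-staple$'; }

# ocsp_url CERT: the responder a client (or the stapling server) would query.
ocsp_url() { openssl x509 -in "$1" -noout -ocsp_uri; }

# stapled_status: reads an `openssl s_client -status` transcript on stdin and
# prints stapled:good, stapled:revoked, stapled:unknown or none.
stapled_status() {
  transcript=$(cat)
  case "$transcript" in
    *"OCSP Response Status: successful"*)
      case "$transcript" in
        *"Cert Status: good"*)    echo "stapled:good" ;;
        *"Cert Status: revoked"*) echo "stapled:revoked" ;;
        *)                        echo "stapled:unknown" ;;
      esac ;;
    *) echo "none" ;;
  esac
}

# Constructed transcripts in the shape s_client prints them (not real captures).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'
SAMPLE_NONE='OCSP response: no response sent'

MS=$(make_cert must-staple 1)
PLAIN=$(make_cert plain 0)
for c in "$MS" "$PLAIN"; do
  echo "$c advertises: $(revocation_info "$c" | tr '\n' ' ')"
  echo "  OCSP responder: $(ocsp_url "$c")"
  if must_staple_required "$c"; then echo "  client must see a staple"
  else echo "  stapling optional: client may fall back to querying the responder"; fi
done
echo "stapled transcript  -> $(printf '%s\n' "$SAMPLE_STAPLED" | stapled_status)"
echo "unstapled transcript -> $(printf '%s\n' "$SAMPLE_NONE" | stapled_status)"
```

Against a live server the transcript would come from `openssl s_client -connect host:443 -servername host -status </dev/null`; the point of the Must-Staple check is that for the first certificate a browser must treat the `none` result as a failed connection, whereas for the second it may silently fall back to an OCSP query, or to nothing at all.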
With issues such as these resolved, and if other search engines join Google in rewarding the use of encryption, the decades-old vision of an open and loosely-coupled public key infrastructure (PKI) may yet be realised.
Some people might object that it is not Google’s business to play “Internet cop” and that simple informational sites should not be compelled to unnecessarily employ HTTPS and encryption.
On the first point, the argument about Google playing “Internet policeman” can take off in a number of directions. For instance, in ranking websites, Google takes into account whether the site’s owner has been penalised as a scammer. Should that be Google’s business? Not only that, the ranking algorithm takes into account no fewer than 200 such “signals” as “grammar & spelling”, page age, domain age, and “site & page quality”. If an accusation is to be made in terms of “Internet policing”, then it probably ought to have been made from the beginning with respect to the number of signals listed above.
Google keeps to itself the details of how many signals are used for a ranking and how much each signal influences it. Consequently, we do not know the weighting of the “encryption” signal within the ranking algorithm. However, the company did say in its blog posting:
“For now it’s only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
“In the coming weeks, we’ll publish detailed best practices (we’ll add a link to it from here) to make TLS adoption easier, and to avoid common mistakes.”
(Ref: http://googleonlinesecurity.blogspot.in/2014/08/https-as-ranking-signal_6.html, and https://www.google.com/intl/en_us/insidesearch/howsearchworks/algorithms.html.)
On the second point of objection above, while acknowledging the plight of those running small and/or plain informational (i.e. non-transactional) websites, it should be noted that HTTPS also protects such a site's visitors: without it, anyone on the network path can read the pages and inject content into them, which is how some malware and code-insertion attacks are delivered. The Electronic Frontier Foundation (EFF) has long espoused an “HTTPS Everywhere” approach, and in support of it maintains a browser extension of the same name that rewrites requests to HTTPS wherever the site supports it.
Furthermore, the pricing and performance objections are largely historical. TLS certificates from reputable organisations can be had for US$10/year and less. While it is true that blue-chip CAs can charge as much as US$500/year, at the other end of the scale are organisations offering TLS/SSL certificates for free. As far back as 2010, Google reported: “On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead.” Researchers confirm that most of the cost lies not in the bulk encryption of the session but in the handshake, where the two sides agree ciphers and exchange keys; that cost is paid once per connection, and session resumption avoids most of it on subsequent connections.
That is not necessarily the opinion of Sestus, which develops authentication software with no dependence on Google or on SSL/TLS technologies; it is my professional opinion. If it would cost me GB£50/year to raise my informational website in the web search rankings, I would consider it money well spent, particularly as the measure would be adding to my site's security in any case.
By Toyin Adelakun, VP, Sestus
Sestus is an online security company offering a suite of ground-breaking security products used to satisfy multi-factor authentication requirements (FFIEC, CJIS, PCA, HIPAA). Sestus’ products are used by both regulated and non-regulated companies who wish to improve their online security.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.