In a blog post dated August 6th, Google’s head of Webmaster Trends Analysis, Gary Illyes announced that effective immediately, Google rankings will favour sites serving content from an HTTPS address. This form of communication is encrypted between the server and the client, and so discourages snooping by those with malicious intentions:
For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
This all sounds pretty decent so far, right? Still, I’m not sure that it actually is a good thing, when you step back and look at the full picture. In the most positive light, it could be construed as an ineffective distraction to real security. In a more negative light, Google’s new tactic could be seen as strong-arming the Internet, to the detriment of low-income Internet properties.
What is HTTPS?
HTTP stands for HyperText Transfer Protocol, and is the vehicle by which the majority of what people think of as the Internet is delivered. If you look at the address bar for this website, you’ll see that the first few characters are http://. That tells the browser to use HTTP.
If the same traffic is encrypted, which means scrambled so as to be unreadable by anybody but the server and you, the first few characters will be “https://.” The “s,” you see, is for “secure.”
It is fairly routine for your email, your bank and, increasingly, your social networks to all be served up in this way. Encrypting your communications ensures some level of privacy from criminals, particularly encrypting the transmission of username/password challenges for logging in.
For the website in question, the price of admission to this secret world is what is known as an “SSL Certificate.” This is a set of secure data that only that server has, with which they encrypt the data they’ll be sharing with you. Basic SSL Certs with barebones support come in around $9 a year, which is a very affordable bar to entry for most Americans.
Now for the bad news
All of this sounds great, it really does. A more-secure website, especially one with usernames and logins, is a better one. But does that make one website a more authoritative voice or a better resource? Because that is what Google’s mission is supposed to be about, if we’re still concerned with that sort of thing.
Search is about content, not someone else’s priorities
If I wanted Google to make the decision for me where I “should” spend my time, as opposed to who has the content I’m looking for, I’d probably be asking for it. But that’s not why I use Google and that’s not why, as a publisher, I rely on Google’s rules to get my pages in front of your ocular tissues.
Where spam pages are concerned, Google is well within its mission to cull the herd. I don’t need to find myself in spam hell because I searched for a common term, nor do I want my site listed among the sleazy crop of Russian honey pots. But security is a personal matter about which I can make my own decisions.
Security is a state of mind
While we’re on the issue of the ambiguous term “security,” let’s keep in mind that, just because someone else can’t snoop your communications with a website, that in no way presupposes that visiting the site is “safe.” What’s to say the site itself isn’t doing dodgy things with your data? Google can’t guarantee that, nor should it try.
Wait. Google is talking secure communications, now?
Whether or not it was their fault; whether or not Google was pressured by the government to allow holes in their security that the NSA could snoop through, the fact remains that they did exactly that. To hear Google now carping about secure communications on the Internet is rich, to say the least.
Wait. SSL Certificates are secure, now?
Perhaps you recall, and perhaps you do not recall, the big security freak-out of a few months back? Heartbleed? Yeah, that whole thing. That’s when the world’s most affordable SSL Certificate system, OpenSSL, was found to have a gigantic hole in what was supposed to be its encryption.
No one with any knowledge of Internet security found it surprising that Heartbleed was discovered in the era of NSA snooping. It was exactly the kind of back-door intrusion loophole the NSA must have been employing. So now, Google wants us to trust certificates that they themselves helped undermine.
The “Google Tax”? $9 a year doesn’t sound like a lot to Middle Class America.
But any new cost of doing business matters, especially for those with lower incomes. And regardless of how much of a burden it is or is not, there is something counterproductive to the “free and open Internet” Google claims to want in requiring yet another fee to pay.
It seems to me that Google’s HTTPS plan is too disruptive in all the wrong ways, and not disruptive enough in the ways they would prefer it. I’m hoping this is another Google Wave-esque idea that goes the way of the dinosaur sooner rather than later.
2 replies on “What price security? Google signals that security will affect site’s ranking”
So are you saying that SSL is good, or SSL is bad? Because on one hand, you lambaste Google for failing to SSL-encrypt all of their communications in the past, allowing the NSA to snoop in through PRISM and other NSA tech that doesn’t break SSL. Then on another hand, you seem to be saying that now after Google has made this mistake, they should just keep doing it. What happened to fool me once, shame on me? In what world should we be making up for our mistakes by continuing and repeating them?
Want to start doing business with a free SSL certificate? $9 a year is too much for your fledgling business? OK, but remember, you are starting a contract with some company to provide verification of your identity to the rest of the world. How about $8? Try namecheap… this is where I got my certificate after Heartbleed, my first SSL certificate, not counting self-signed CAs that I’ve used in the past for internal/personal projects.
How about http://www.cacert.org/ — I would trust these guys to vouch for my identity, and they don’t even want $8 to get started. Free. Available now. What’s this about the world’s most affordable SSL certificate system? Are you trying to say “free and open source” in an underhanded way? There are other Free and Open Source systems for SSL, how about GNUTLS, or now there’s LibreSSL. All free, but remember, there’s nobody for you to sue when the next Heartbleed is found and it only affects you, and others who chose your same free or crowdsourced SSL suite.
Also, if you’re going with a free SSL cert provider (which has nothing to do whatsoever with your choice of SSL client/server support library) be sure to read the fine print. Some of these companies only charge for revocations, which means you won’t be paying any money until the next Heartbleed comes out and your certificate is compromised, and it’s time to revoke it and promote another one. A lot of people criticized the free certificate providers for writing contract terms like this, they must have received a windfall of payments when Heartbleed was published, and it’s everyone’s right to make up their own business model. Google doesn’t sell SSL certificates, so I’m not sure where is the actual basis of your “Google Tax” idea.
I appreciate what you’re trying to do here, raise awareness about internet security, and that’s good. But this announcement from Google for me was a non-starter. It seems like they’re also just trying to… raise awareness about internet security. (!!!)
A couple things, here.
First, Google’s problem was never that they left things unencrypted – Google services have pretty much universally been HTTPS for years, now. I think..? The problem is that they allowed backdoor access for the NSA, which of course defeats the purpose of running HTTPS.
Secondly, I pointed out how cheap SSL certs are. But that’s for you and me, and I suspect you live in pretty posh circumstances, compared to someone living in a developing nation. To the extent that the Internet was supposed to have been the “Great Equalizer,” and to the extent that Google still wants to live up to its “Don’t Be Evil” mantra, this new ranking seems to create an unnecessary hardship.
Finally, while I certainly do try to raise awareness of Internet security and discussions thereof, my concern in this case is that Google is strong-arming the Internet into change, unilaterally. No IWG recommendation, no new standards, just one company imposing what it believes is in the best interest of the Internet.
Either way, the sky is not going to fall because of this. It’s just worth taking stock of what is happening.