In a bold and welcome move to protect users, Google announced on Wednesday that it has started prioritising sites offering HTTPS (HTTP over TLS) in its page ranking algorithm. Google's Online Security Blog explains that domains with transport layer encryption have a slight advantage in search results, and the preference may grow stronger in the coming months:
For now it's only a very lightweight signal — affecting fewer than one per cent of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we'd like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
The post also provides solid recommendations for webmasters adopting TLS — use a strong 2048 - bit key and check your configuration with the Qualys Lab tool.
This move to protect end users and reward sites taking steps to ensure the privacy and security of their visitors fits into a long tradition of advancing encryption at Google. The company led the field when it introduced HTTPS by default for Gmail and for search in 2010.
As revelations of the NSA-GCHQ MUSCULAR program tapping the links between Google data centres came to light in late October 2013, it responded quickly in early November by announcing it would begin encrypting the traffic on its internal network. Google was also an early adopter of STARTTLS, encrypting the traffic between email providers, and recently provided a comprehensive data set to help us understand Internet-wide trends in STARTTLS adoption.
This week's announcement further underlines a commitment to encrypting Internet traffic and keeping user data safe, and encouraging others to do so. We urge Google to go further and carry out its plan to strengthen the preference of HTTPS sites, as well as favouring sites that have configured HTTPS well, such as by enabling Perfect Forward Secrecy.
Qualys, the organisation that provides the configuration-testing tool, also has a best practices guide that may be useful for webmasters configuring HTTPS.