Cillian Bracken Conway
21st Dec, 2015

Google has announced that it will index HTTPS pages by default before the HTTP version, to promote a more secure web and provide users with a better browsing experience. According to the search giant, “we’re adjusting our indexing system to look for more HTTPS pages.” If a domain has two URLs that are served over different protocol schemes, the one with HTTPS will be indexed first. And even when an HTTP page is not linked to a secure version, Google will still crawl the HTTPS equivalent.

But the website must meet certain conditions for the more secure URL to be indexed.

  • It must not contain insecure dependencies, such as embeds, videos, images, includes, and so on
  • It doesn’t redirect users to or through an insecure HTTP page
  • It doesn’t have on-host outlinks to HTTP URLs
  • It isn’t blocked from crawling by robots.txt
  • It doesn’t contain a noindex robots meta tag
  • The server has a valid TLS certificate
  • It doesn’t have a rel="canonical" link to the HTTP page
  • The sitemap doesn’t list the URL’s HTTP version, but lists the HTTPS URL instead
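
A checker for the conditions above that can be read from a page's markup (insecure dependencies, on-host http links, a noindex robots meta tag, a canonical link to HTTP), as an added example that is not Google's code. The names `audit`, `HttpsIndexAudit` and the sample markup are constructed for illustration; the redirect, robots.txt, certificate and sitemap conditions need separate checks.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src loads a subresource; an http:// value there is an insecure dependency.
SRC_TAGS = {"img", "script", "iframe", "embed", "video", "audio", "source"}

class HttpsIndexAudit(HTMLParser):
    """Collects findings for the markup of one page served over HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def _http_target(self, value):
        # Resolve relative and protocol-relative URLs against the page URL first.
        target = urlsplit(urljoin(self.page_url, value))
        return target if target.scheme == "http" else None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        rel = a.get("rel", "").lower().split()
        dep = "href" if tag == "link" and "stylesheet" in rel else "src" if tag in SRC_TAGS else None
        if dep and self._http_target(a.get(dep, "")):
            self.findings.append(("insecure-dependency", a[dep]))
        elif tag == "link" and "canonical" in rel and self._http_target(a.get("href", "")):
            self.findings.append(("canonical-to-http", a["href"]))
        elif tag == "meta" and a.get("name", "").lower() == "robots":
            if "noindex" in [t.strip() for t in a.get("content", "").lower().split(",")]:
                self.findings.append(("noindex", a["content"]))
        elif tag == "a":
            target = self._http_target(a.get("href", ""))
            # Only on-host links are on the list; http links to other sites are ignored.
            if target and target.hostname == urlsplit(self.page_url).hostname:
                self.findings.append(("on-host-http-link", a["href"]))

def audit(page_url, html):
    parser = HttpsIndexAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample markup for a page served at https://example.com/post.
SAMPLE = """<link rel="canonical" href="http://example.com/post">
<meta name="robots" content="noindex, follow">
<img src="http://cdn.example.net/logo.png">
<script src="//cdn.example.net/app.js"></script>
<a href="http://example.com/about">About</a>
<a href="http://other.example.org/">Elsewhere</a>"""
```

Calling `audit("https://example.com/post", SAMPLE)` reports four findings; the protocol-relative script and the off-host link are not flagged.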

What does this mean for online users?

A more secure web browsing experience.

User security has always been a top priority for Google. In fact, Google search, Gmail, and YouTube have been offering secure connections for some time now. But the same can’t be said for other websites and blogs that users frequent, leaving them vulnerable to different network attacks.

A man-in-the-middle attack happens when someone actively monitors, controls, and captures data while communication is going on between two people. The data exchange can be rerouted, effectively fooling one end of the line into believing that they are still communicating with the other person when they are not. Computers that communicate at low levels of the network layer are especially vulnerable.

A data modification attack is when an attacker alters a user’s data in the packet after reading it, without the knowledge of either the sender or the receiver. During an online purchase, for example, the billing address is modified so that delivery is redirected somewhere else.

Eavesdropping is one of the biggest problems that most security administrators face. Home users are especially subject to snooping or sniffing, a form of eavesdropping on what is supposed to be private communications. Attackers will gain access to data paths, and then listen in or interpret data traffic.

Network attacks such as these are some of the reasons that users are urged to carry out and complete online transactions only on a secure website. Always look for the HTTPS on the domain name and the padlock icon. This is also why Google has been strongly promoting HTTPS.

Security at this level provides three specific things: authentication, data integrity, and encryption. Authentication is how users know that the bank, online shop, or blog site is what or who it claims to be. Data integrity guarantees that the data being transmitted between two points has not been tampered with or modified, and encryption ensures that no one else can take a peek or eavesdrop on the conversation going on.

At last year’s I/O developer conference, Pierre Far of web search and Ilya Grigorik of the Chrome team discussed in depth why HTTPS matters in their talk “HTTPS Everywhere”. “All communication should be secure by default,” according to Far. And by all, it means a user’s playlist and other online activities, not just finance, banking, or e-commerce.

Now, you may think it doesn’t matter much, considering that the data you access on unsecured and unencrypted websites is not a big deal. But Grigorik begs to differ. When all the metadata is put together, it would reveal so much about your intent, resulting in your privacy being compromised.

Google believes that web browsing should be kept private between you and the website you visit, thus the strong promotion and push for HTTPS.

What should webmasters and website owners do?

Encrypt their website.

Doing so comes with several advantages. For one, Google is giving HTTPS URLs a slight ranking boost in search results. No one would be so foolish as to say no to this. For another, the secure URL will be indexed first, which means the chances of it being served first in search results are high. If you want to retain your HTTP page, create an equivalent HTTPS page that will be crawled first. Just remember the conditions listed above.

Google also suggests letting other search engines know that the HTTPS version of your website should be given priority. This can be done by implementing the HSTS (HTTP Strict Transport Security) header on your server. HSTS will declare to search engines other than Google that they should only interact with the secure and encrypted connection.
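
An added example, not from Google or the original article, that parses a Strict-Transport-Security response header following the RFC 6797 syntax and flags weak settings. The function names, the one-year `MIN_MAX_AGE` floor and the sample headers are assumptions made for illustration.

```python
import re

MIN_MAX_AGE = 31536000  # assumed policy floor (one year); choose your own threshold

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns {directive: value_or_None}, or None if the header must be ignored."""
    policy = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                      # empty directives are permitted
        name, _, raw = part.partition("=")
        name, raw = name.strip().lower(), raw.strip()
        if name in policy:
            return None                   # a repeated directive invalidates the header
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]               # quoted-string form, e.g. max-age="300"
        policy[name] = raw or None
    if not re.fullmatch(r"[0-9]+", policy.get("max-age") or ""):
        return None                       # max-age is required and must be digits
    return policy

def review_hsts(headers):
    """headers: list of (name, value) pairs from an HTTPS response."""
    # Header names are case-insensitive; only the first HSTS header is processed.
    value = next((v for k, v in headers if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["missing"]
    policy = parse_hsts(value)
    if policy is None:
        return ["invalid"]
    findings = []
    max_age = int(policy["max-age"])
    if max_age == 0:
        findings.append("max-age=0 removes the policy")
    elif max_age < MIN_MAX_AGE:
        findings.append("max-age below floor")
    if "includesubdomains" not in policy:
        findings.append("subdomains not covered")
    return findings

# Constructed sample response headers.
GOOD = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
WEAK = [("strict-transport-security", 'MAX-AGE="300"')]
```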

In so doing, you share in Google’s goal to make the web more secure. Securing your site allows you to protect the privacy of the people visiting it. Even if you are only writing how-to tutorials, the communication line that is established between your website and your visitors can still be compromised.

At the same time, you are protecting your website from malicious actors. You don’t want to give them access to sections that are for private or organisational use only, such as the admin section or CRM. You wouldn’t want them to compromise your online reputation either by sabotaging the content and services that you deliver.

Google wants to deliver search results of HTTPS pages to decrease the risks on users as they browse the web. This is why websites should seriously consider an HTTPS version of their site, if they don’t have one yet.